Last week at WordCamp OC, I gave a talk on Security for WooCommerce sites. As ecommerce sites are much more complex and typically handle sensitive data through digital payment transactions, there are a lot more points of potential security breach. The same goes for GDPR compliance: all of these extra information processing steps must be vetted and checked for security, transparency in responsible data handling and opt-ins to collection.
This article will walk you through the extra steps you must take to ensure GDPR compliance for your WooCommerce website.

GDPR Update: Where Are We Now?

The trickle of privacy policies to our email inboxes seem to have died down, and now the wait is on to see what’s going to happen as EU Data Protection Authorities (DPA) start executing their enforcement operations. Many companies have been contacted for breaches of the law, but so far we are yet to see any court cases. As with any new law that goes into effect, the first case will set a precedence of procedures and enforcement that will lead the way for all future cases.

The GDPR potentially affects every website no matter where they are located.

The US and Canada haven’t been sitting idly by, either: both are working on their own interpretations of the law for their own citizens. Notably, Canada has made updates to its background screening procedures, and some states in the US – like Colorado – are working on their own bills to address consumer personal information, breach notification and data security requirements. State departments, like travel and tourism which specifically target EU residents to encourage tourism in their state, are particularly attentive to these rulings but many parts of government are also affected.

In many cases, companies have decided to offer the same privacy protections to all customers – no matter where they live. But some worldwide communication practices like email marketing have taken a big hit, especially in the US. In complying with the “opt-in” requirement of the law, email newsletter subscribers are asked to manually opt back in to their mailing lists, but many subscribers are either ignoring the request, or taking this opportunity to unsubscribe, resulting in a huge loss for targeted advertising.

Extra Complexity for Ecommerce Sites

Any time you process money, it means business. If you run an ecommerce site, privacy and security shouldn’t be a new topic for you (I hope!). As a responsible business, it is already a requirement that your checkout process is PCI compliant, with secure processing and data storage procedures.

Some ecommerce-specific features that require special attention are user registration, product reviews, and of course payment processing. No matter what platform you use to process customer and order information, you need to ensure it is GDPR compliant.

Is Your WooCommerce Site Affected by GDPR Laws?

The answer: most likely! Any sites based in the EU are explicitly required to comply, and HAVE been complying since the law was introduced to EU-based businesses in May of 2016. The law that came into effect THIS may establishes its ruling over ALL online businesses that may interact with EU visitors, not just those based in the EU.

In short, if your business includes servicing customers in the EU, the GDPR law applies to you. If it includes gathering any type of information (including newsletter signups) from EU residents, the law applies to you.

General WordPress GDPR

A few weeks ago, we discussed the new features introduced into WordPress core to help facilitate GDPR compliance for site owners. These features include an opt-in for commenting, guide to creating a good privacy policy, and customer information export and deletion. Take a look at our blog post on WordPress GDPR features for a rundown of the simple steps you can take to build a foundation for your GDPR compliance!

GDPR in WooCommerce Core

Rather than work on WooCommerce-specific GDPR compliance changes, the WooCommerce team instead chose to direct their efforts into the WordPress core features, having a big hand in the user information export and deletion tools. These tools now include WooCommerce customer data, allowing you to export and delete all user site information at once. This doesn’t apply for EVERY plugin that collects user information, as some plugins store this information in custom tables or fields. Check with your plugin authors to find the data export process for each plugin.

Ecommerce GDPR Steps to Take

As with all websites, order to be GDPR compliant, you need to audit your WooCommerce website and marketing procedures to find your data collection points. In general, we mean: informing the user who you are, the data you are collecting, why you need it and what you are doing with it; explicit consent before collecting data from your visitors; and giving your customer the ability to download and delete their data from your site if they request doing so. Additionally, if a data breach of your site DOES happen, you are now required to notify your site visitors within 24 hours of discovering the breach.

So, what does this mean for WooCommerce sites? First, reacquaint yourself with your website! Every WooCommerce website uses different plugins, shipping procedures, etc., so there is no one-size-fits-all approach here. In order to figure out what YOUR solution looks like, let’s take a look at the aspects of a WooCommerce site and how they handle data collection. (Again, please double check this with your lawyer or a GDPR consultant for information on how the law specifically affects your business.)

WooCommerce Checkout and Payments Processing

Your checkout page will typically collect customer address, contact information, and credit card/payment information. This is standard and necessary for any products that need to be shipped to your customers, but digital product and subscription purchases are also included here.

You should include a link to your Terms and Conditions right in the checkout, so that users can review it before making a purchase. Your site should already have a terms and conditions section that outlines your shipping, refund, etc policies. This means you can simply add a link to your updated Privacy Policy right within your Terms and Conditions. If you don’t have Terms and Conditions information on your website, now is the time to create one. It will help you in more ways than just GDPR compliance!

WooCommerce My Account Page

WooCommerce ships with the option to include a “My Account” page site registration form with username and password, but it must be enabled in the WooCommerce settings (WordPress Dashboard > WooCommerce > Settings > Accounts and Privacy).

WooCommerce my account checkbox

Enable My Account creation in the WooCommerce Admin

Having a My Account page on your site is a great way to make checkouts easy for existing customers. It also can allow them to manage their orders, keep a review of everything they’ve ordered from you in the past, and keep a record of any reviews or testimonials they have given on your store. This definitely constitutes a data collection point, and users must now opt-in when you collect it.

First, remember to only collect the information from users that is required to run your business. If you will not be using it for client contact or account management, get rid of it. While WooCommerce doesn’t include an opt-in at the registration level. I imagine that this will be added into WooCommerce (or WordPress) core at some point, but for now you can easily add it with a PHP snippet in your functions file.

Additionally, your users must have access to seeing (and deleting) all information you have on them.

WooCommerce settings for controlling personal customer data erasure

While WordPress core now has built-in erasure for visitor data, there are additional settings in the WooCommerce configuration that allow you to customize that in greater detail. Specifically, do you want to erase personal data from orders after a user requests an account erasure? And how long will you to retain personal data information for inactive accounts, failed and completed orders, etc? These decisions are up to you, and they should be included in your Terms and Conditions. To set these details, navigate to WordPress Dashboard > WooCommerce > Settings > Accounts and Privacy.

Opt-In Forms

Ecommerce sites often get leads by encouraging visitors to sign up for newsletters, either through a site popup, section in the footer, or an automatic opt-in once the customer purchases a product. This is a very successful marketing tactic that gives you targeted advertising right to your potential and existing customers. Many sites also require visitors submit their email for whitepaper and tutorial downloads and on the contact form. There are a number of ways to ensure your users are opting in to this data collection.
Audit all of your opt-in forms. Turn off any automatic opt-ins you may be using on your site. Opt-in checkboxes can no longer even be checked by default: your user has to explicitly tick the boxes themselves.

Store Notice

You can add a store notice to your site from within the Customizer. This adds a bar to the bottom of your site to notify the visitor, and gives them an option to dismiss it. You can use this feature for your cookies notification, and include a link to your

Terms and Conditions page.

To enable the store notice, go to the WooCommerce settings page in the Customizer, add your text and check a box to enable the notice (WordPress Dashboard > Appearance > Customize > WooCommerce > Store notice).

Terms and Conditions, Privacy Policy Opt-In

WooCommerce includes a checkbox at the Checkout page requiring your customer to agree to your terms and conditions before checking out. To use this, navigate to the Customizer again, and select your Privacy Policy and Terms and Conditions pages you would like to link to (WordPress Dashboard > Appearance > Customize > WooCommerce > Store notice).
If you want to add some specific text to show on checkout, you can add this here as well.

Product Reviews

Studies have shown that people heavily rely on reviews by their peers when evaluating the purchase of a product, so many sites use them. However, this counts as personal data for the person writing the review, and they need to opt-in to its collection.

While you do have the option to allow users to leave anonymous reviews (reviews without logging into the site or identifying themselves in anyway), it’s recommended you enable reviews only for registered users of your site (WordPress Dashboard > WooCommerce > Settings > Products > General). These users will have already opted in to your privacy policy, so nothing more needs to be done to ensure GDPR compliance.

Third Party Plugins

Many WooCommerce sites use third-party plugins and services for everything from newsletter signup, to credit card processing. Review each plugin and service individually to be sure they are GDPR compliant. Ask yourself: Does this plugin collect, store, use, edit or in any way handle user personal data? Then it needs to comply.

To find out whether or not your plugin is compliant, check changelogs, email announcements and their website for information on GDPR updates and features. Follow their instructions to comply – in many cases it’s as simple as updating to the most recent version of the plugin. However, some services require more involved steps. Mailchimp, for example, now includes GDPR-friendly forms, and they have published an extensive writeup on GDPR compliance.
Once you have ensured compliance, be sure to add the plugin to your privacy policy, in a list of third parties that have access to user data.

Summary

To be sure, GDPR compliance is a change from most ecommerce sites’ normal workflows and functionality. And, as there have been no establishing precedents in the law yet, the whole area is sort of fuzzy for now, and every lawyer and GPO you consult will have somewhat varying recommendations. Do not let this dissuade you from working on compliance! If you follow the basic rules of the law, which really center upon protecting your customers and their private data, you will be in great shape to comply. And, as responsible store owners, it is already in our best interest to ensure our sites are secure and trustworthy. Taking these steps to ensure and display your GDPR compliance establishes you as a trusted and respected business on the web!