
The Complete Guide to GDPR Compliance in WooCommerce

· 12 min read
John Deere
Content Writer


TLDR

  • If you process data from EU site visitors and customers, then your WooCommerce store needs to be GDPR-compliant.
  • In this article we discuss the major steps you need to follow in order to be compliant with GDPR legislation, although you should still consult with your lawyer as regulations may vary from country to country.
  • WooCommerce is not GDPR-compliant by default, but it does have important settings that will help. For example, you can export and erase data as per customer requests.
  • As a WooCommerce store owner, you'll want to track your customer behavior to gain insights about how to optimize your store. We'll show you how to do this with Pixel Manager for WooCommerce.

Do you run a website and want to know how to make your WooCommerce store GDPR-compliant?

If you process data from EU site visitors, then you need to be on top of GDPR legislation. Your WooCommerce store won't be compliant out of the box, although it's entirely possible to make your site GDPR-compliant.

In this post, we will explore how you can follow GDPR regulations as a WooCommerce store owner, while still collecting valuable data from customers legally. We'll discuss everything: from what settings you need to change in default WooCommerce, to which plugins you need to ensure you're fully compliant.

What is GDPR?

The General Data Protection Regulation (GDPR) is a data protection law that was introduced by the European Union in April 2016 and first came into effect on May 25, 2018. This set of regulations applies to all companies and providers that collect and process data from individuals residing in the EU, regardless of where the company is based.

The goal of GDPR is to give website visitors control over which personal data they want to share and impose strict rules on how companies can handle and process this information.

You've probably come across GDPR alerts on most (if not all) new websites you've visited. In some cases, they take the shape of popups or overlays that obstruct the content. Other times, these notifications are shown as footer bars.

GDPR requires you to tell your website visitors exactly what information you will be collecting (geographical data, IP address, user registration info, etc.) and why. This information is collected via Preference Cookies, Statistics Cookies, and Marketing Cookies, and site visitors can now give consent or deny consent to have this information collected. These options are usually represented with two buttons; one to accept these cookies and one to reject them.

There are a few other considerations you need to consider to follow GDPR. For example, EU residents also have the right to demand a copy of all data you have about them, ask you to correct any errors in that data, and demand you remove all personal information you have about them from your databases. As a website owner, you are also required to notify customers if their data is compromised in any way.

Björk's official store, made with WooCommerce, features a cookie banner.

Why is GDPR important for WooCommerce sites?

As a WooCommerce website owner, collecting customer data is likely a core part of your business. There are many advantages to learning more (and storing information) about your visitors. For instance:

  • When customers purchase from your store, you store details about the customer, such as their name, email, and physical address.
  • You're likely already using some way of tracking how your customers land on your site and what actions they take once there. A common way to do this is to add a tracking pixel that connects your site to your Google Analytics account and any similar platforms you use (we'll go through this in more detail soon).
  • The data you collect through cookies can also let you learn more about your customers and give you ideas on how to optimize your site to increase conversions.

This data lets you learn more about your customers and how you can optimize your site to increase conversions, but you need to respect the law as you risk getting fined otherwise. Therefore, as a WooCommerce store owner, you need to know how to stay GDPR-compliant and only collect data from customers who consent.

So, with all this in mind, let's now look at how you can make your WooCommerce store GDPR-compliant.

A Consent Management Platform (or CMP) is a system you can use to ensure you're following GDPR law for handling your cookies. If you're using WooCommerce, your CMP of choice will likely be a plugin. Using a plugin can actually simplify your WooCommerce GDPR compliance considerably because you will be able to:

  • Easily display a cookie banner with all relevant information about the essential and non-essential cookies you set, and ask your users for consent to track their behavior.
  • Allow certain cookies to be set only when consent is given, and block them when consent is denied.
  • Store your users' consent information, which tells you how many users agreed to have their behavior tracked.

There are many excellent CMP plugins you can use to ensure your WooCommerce store follows the regulations. Some examples include GDPR Cookie Compliance by The Moove Agency, Cookiebot, and Borlabs Cookie.

Borlabs is a CMP - and it shows new visitors its own cookie requests in detail.

Using a GDPR-compliant pixel tracker

Adding a pixel tracker to your website integrates your WooCommerce store with any analytics or ad platforms you might be using, such as Google Analytics or Google Ads. The pixel records events that happen in the visitor's browser on your store's pages, which gives you more specific information about where your users come from and what actions they take once they visit your site.

To be GDPR-compliant, you can only track events for consenting visitors (i.e., customers who allow you to track non-essential cookies). Some pixel-tracking solutions ignore cookie consent, so using these plugins is technically illegal from a GDPR standpoint.

If you want a pixel tracker tool that works within this legislation, you should try Pixel Manager for WooCommerce. This plugin is not only the most accurate pixel tracker available for WooCommerce, but it's also fully compliant with GDPR guidelines and other privacy laws.

Pixel Manager for WooCommerce as featured on the SweetCode homepage

Pixel Manager for WooCommerce integrates with all the major analytics and ads platforms, including Google Ads, Google Analytics, Meta (Facebook), Hotjar, Microsoft Ads, Twitter Ads, Pinterest Ads, Snapchat Ads, and TikTok Ads. This is very important because you will stay GDPR-compliant no matter what platform you use.

The plugin also has several built-in consent management features. For example, you can set the plugin to use Implicit Consent Mode (tracking everything until consent is denied) or Explicit Consent Mode (not tracking anything until consent is given).

If visitors deny consent, no cookies are stored. Instead:

  • If Google Consent Mode is enabled, Google tags will send pings that communicate minimal information about the user's activity (more on this below).
  • Only the browser tags managed by the Pixel Manager will send data.
  • Server-to-server tags will only send anonymized purchase data.

Pixel Manager for WooCommerce also integrates with Google Consent Mode. If Google Consent Mode is enabled, Google tags can send pings that communicate minimal information about the user's activity even when they reject cookies. The data will be less accurate than normal, although it's better than no tracking at all.

Google markets this as a GDPR-compliant way of tracking visitors without cookies, although the data is less accurate than normal. However, every store owner should assess this for themselves as regulations vary from country to country.
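To make the two consent modes and the denied-consent behaviour described above concrete, here is an added JavaScript example of a browser-side consent gate. It is not Pixel Manager's code or its Cookie Consent API: the names `createConsentGate`, `track`, `setConsent` and `setCookie`, the `cookielessPing` option (a stand-in for the minimal Google Consent Mode pings), and the event fields are all assumptions made for the example. In explicit mode, events are held until the visitor decides; in implicit mode they fire until consent is denied; once a category is denied, no cookie is written for it and, at most, an identifier-free ping is sent.

```javascript
// Added example: a browser-side consent gate modelling the behaviour described above.
// This is NOT Pixel Manager's code or its Cookie Consent API; the names
// createConsentGate/track/setConsent/setCookie, the `cookielessPing` option
// (a stand-in for Google Consent Mode pings) and the event fields are assumptions.

const NON_ESSENTIAL = ["preferences", "statistics", "marketing"];

function createConsentGate({ mode = "explicit", cookielessPing = false } = {}) {
  if (mode !== "explicit" && mode !== "implicit") {
    throw new Error(`unknown consent mode: ${mode}`);
  }
  const decision = {};   // category -> true (granted) | false (denied); absent = undecided
  const pending = [];    // events held back while consent is undecided (explicit mode only)
  const dispatched = []; // stand-in for the network requests a real pixel would send
  const cookies = {};    // stand-in for document.cookie, keyed by cookie name

  // Keep only what a minimal, identifier-free ping may carry.
  function anonymize(event) {
    const { name, value, currency } = event;
    return { name, value, currency, anonymized: true };
  }

  function deliver(event) {
    dispatched.push(event);
  }

  // Decide what happens to one tracking event. Returns "sent", "queued", "ping" or "dropped".
  function track(event) {
    if (!NON_ESSENTIAL.includes(event.category)) {
      throw new Error(`unknown cookie category: ${event.category}`);
    }
    const state = decision[event.category];
    if (state === true) {
      deliver(event);
      return "sent";
    }
    if (state === false) {
      if (cookielessPing) {
        deliver(anonymize(event));
        return "ping";
      }
      return "dropped";
    }
    // Undecided: implicit mode tracks until told otherwise, explicit mode waits.
    if (mode === "implicit") {
      deliver(event);
      return "sent";
    }
    pending.push(event);
    return "queued";
  }

  // Record the visitor's choice for one category, then release or discard held events
  // and remove cookies already written for a category that is now denied.
  function setConsent(category, granted) {
    decision[category] = granted;
    const keep = [];
    for (const event of pending) {
      if (event.category !== category) {
        keep.push(event);
      } else if (granted) {
        deliver(event);
      } else if (cookielessPing) {
        deliver(anonymize(event));
      }
    }
    pending.length = 0;
    pending.push(...keep);
    if (!granted) {
      for (const key of Object.keys(cookies)) {
        if (cookies[key].category === category) delete cookies[key];
      }
    }
  }

  // Write a cookie only when its category is granted (or still undecided in implicit mode).
  function setCookie(name, value, category) {
    const state = decision[category];
    const allowed = state === true || (state === undefined && mode === "implicit");
    if (allowed) cookies[name] = { value, category };
    return allowed;
  }

  return {
    track,
    setConsent,
    setCookie,
    dispatched,
    cookieNames: () => Object.keys(cookies),
    pendingCount: () => pending.length,
  };
}
```

A real banner would call `setConsent` for each category when the visitor clicks accept or reject, and the pixel code would route every event through `track` and every cookie write through `setCookie`. The queue in explicit mode is what lets you avoid losing the page view that happened before the visitor answered, without sending it prematurely.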

The Pixel Manager for WooCommerce plugin doesn't include a cookie banner, but it integrates with all the major Consent Management Platforms (CMPs). If you're a more advanced WordPress user, you'll also be happy to know Pixel Manager comes with a Cookie Consent API you can use to implement your own custom-made cookie banner.

Setting up a privacy policy page

If you want to follow GDPR legislation, you will need to add a Privacy Policy page to your WooCommerce store. This page should include information on the following:

  • What data your store collects, and why
  • What it does with the data
  • Who you share this data with (e.g. payment providers)
  • How customers can access their data
  • How long you keep customer data for

Since the WordPress 4.9.6 update, you can assign any page on your site to be your Privacy Policy page, or you can create a new page from scratch. To set up your Privacy Policy page, you just need to go to WP Admin → Settings → Privacy and choose the option you prefer. Here are a few good considerations for a compliant Privacy Policy page:

  • Make sure the text is well-written and easy to understand.
  • Include all plugins and integrations that are going to be storing user data and specify whether they send information outside the EU.
  • Explain why you're collecting data by detailing, for example, whether you do it to ship a product, send email updates on an order status, etc.
  • Explain how users can get a copy of their data or request its deletion.

The last point is quite important, so let's go through a few data deletion considerations in a little more detail.

Granting customers access to their personal data

GDPR requires you to honor Right of Access requests, and one easy way of enabling this is to include a contact form on your store. You can set up a contact form on your site using a plugin like Contact Form 7 or Gravity Forms.

Newer versions of WordPress include an Export Personal Data tool (under Tools → Export Personal Data) that comes in handy here, because it lets you export the data of customers who request access. However, any plugins or systems you use to collect the information will need to be compatible with this tool. It's fine to use plugins that store data elsewhere, as long as you can export the data from the plugin when required.

When customers request to access their data, you should always:

  • Send them a confirmation request using the Export Personal Data tool to verify their identity.
  • Share a link to their report, or download the file yourself and send it to them directly.

WordPress's tool to export personal data directly from the platform.

Erasing customers' personal data when requested

Before we delve into this section, note that the Right to be Forgotten doesn't always apply under GDPR regulations. For example, if you are required to keep customer data to comply with legal obligations such as declaring tax, then you are not obliged to erase a customer's data because agencies might request it.

WordPress has an Erase Personal Data tool that you can use for your Right to Erasure requests. You can access it by going to Tools → Erase Personal Data. This tool is compatible with any of the in-built WordPress and WooCommerce methods for collecting data, including their official extensions.

When a user asks to have their data erased (again, you will ideally need a contact form for this), all you need to do is go to the tool and send a confirmation request to the user. Once they confirm, click the 'Erase Personal Data' button.

You can also go to WooCommerce → Settings → Accounts and Privacy to have complete control over:

  • How long inactive accounts are preserved.
  • How long pending, failed, or canceled orders are preserved.
  • How long completed orders are preserved.

Inform customers of security breaches

The last important consideration for complying with GDPR is its clause on Security Breaches. According to the legislation, you have a duty to ensure your WooCommerce site remains as secure as possible. So, for your WooCommerce store to be truly compliant, you should always have a security plugin like Jetpack installed on your WordPress site.

If you do have a breach, you are bound by law to inform all customers whose data you're storing about it within 72 hours. An excellent way to do this is by using a tool that can send mass emails, like Mailchimp or MailPoet.

Set up your GDPR-compliant WooCommerce store today

If your WooCommerce store collects data about EU customers in any way, having a GDPR-friendly site is not just advisable - it's mandatory.

Dealing with GDPR regulations can feel a little daunting at first, but it is possible to follow a few simple steps to create a compliant WooCommerce site. Default settings in WordPress make this easier, and there are plenty of plugins that help as well.

As a WooCommerce store owner, you should still care about understanding your customer behavior, so you can see what products they purchase and why - and make predictions for what to offer next! The good news is that you can still track conversions in a legal way.

Pixel Manager for WooCommerce is the best solution if you want to have accurate and GDPR-compliant conversion tracking. The plugin integrates with major analytics and ad platforms so you can track conversions legally no matter where your customers are coming from. Pixel Manager for WooCommerce also has in-built consent management features and integrates with major CMPs as well.

If you want to keep your WooCommerce store GDPR-compliant while still tracking your customer behavior, try out Pixel Manager for WooCommerce today.