Towards Making Your WooCommerce Store GDPR-Ready

Do you sell to customers in European markets? If so, you must comply with the General Data Protection Regulation (GDPR) enforced by the European Union. Even if you do not deliberately sell to EU residents, you cannot assume that your site will never have EU visitors. So if you run an online store, make sure it is GDPR-ready.

Let me draw your attention to the key points of the GDPR and explain how to make your WooCommerce store GDPR-compliant.

What is GDPR?

The General Data Protection Regulation took effect on 25 May 2018. It governs how the personal data of individuals in the EU may be processed and gives those individuals strong rights over that data.

If you offer physical or digital products or services to people in the EU, or your website expects EU traffic, you must comply with the GDPR. A business does not have to be physically located in the EU to be subject to it.

Violations of the GDPR can be fined up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is higher.

Why GDPR compliance?

The GDPR is a set of rules that gives individuals in the EU greater control over the personal data they share with businesses, wherever those businesses are located. If you are an online retailer holding EU customer data or serving a global audience, you need to pay attention to the details of the GDPR.

In simple terms: make sure your online store conforms to the data-protection requirements set out in the GDPR. It shows that you value your customers' data and privacy, and that is a reliable way to build customer trust.

GDPR compliance for your WooCommerce store

As you probably know, data privacy and online security are growing concerns for internet users across the globe.

Your WooCommerce store gathers user data in many ways: user registration, payment gateways, checkout and contact forms, analytics, surveys, comments, plugins and extensions, and more.

So as a responsible store owner, you need to address the data privacy issues of your store and take the necessary steps to protect your customers' personal information against breaches.

The GDPR requires you to disclose how you collect user data and the exact purpose of each collection. You must also tell users who you share their data with and how long you keep it.

Hence, you have to update your privacy policy so that it gives users a clear overview of what personal information you collect and what you do with it. Every processing activity also needs a lawful basis under the GDPR. Consent is the right basis for optional things such as marketing emails and tracking cookies, whereas processing an order can rest on the contract with the customer and on your legal obligations (for example, keeping invoices). Wherever you rely on consent, obtain it before you collect or process the data, and keep a record so that you can demonstrate it later.

GDPR compliance: Key guidelines

Before making your WooCommerce store GDPR-compliant, have a look at the following guidelines, which outline the major GDPR requirements.

  • Collect and store only the user data that is relevant to your business (data minimisation).

  • Inform users why you collect their personal information, how long their data will be retained, who will have access to it, and so on.

  • Where consent is your lawful basis, get the users' consent before collecting the data, and make it a genuine, free choice: no pre-ticked boxes, and no bundling consent with something the user cannot decline.

  • Give users the right to access a copy of their data at any time.

  • Allow users to withdraw consent as easily as they gave it.

  • Enable users to have their data permanently deleted from your site (subject to records you are legally required to keep, such as invoices).

  • Notify your supervisory authority of a personal data breach within 72 hours of becoming aware of it, and notify the affected users without undue delay when the breach is likely to put them at high risk.


Gear up to get your WooCommerce store GDPR-ready!

1. Keep your WooCommerce store updated

Always run your store on current versions of WordPress and WooCommerce. WordPress 4.9.6 introduced the privacy tooling you will rely on (a privacy policy page setting, the Privacy Policy Guide, and the Export Personal Data and Erase Personal Data tools), and WooCommerce 3.4 added the Accounts & Privacy settings tab that plugs customer and order data into those tools. Older versions lack them.

Note:
Always take a working backup of your website before applying updates, and test updates on a staging site before updating your live site.

2. Secure your WooCommerce store

Keeping your store safe from attackers is the next big step towards GDPR compliance. There are many security factors to consider, but the most basic one is to serve your entire store over HTTPS, which requires a TLS certificate (still commonly called an SSL certificate) installed on your web server. HTTPS protects data in transit only; it says nothing about the security of the server or of the data at rest, so treat it as the starting point, not the finish line. After installing the certificate, change both the WordPress Address and the Site Address under Settings > General to https://, redirect every http:// request, and check that no page (the checkout above all) still loads mixed content.
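The redirect and the HSTS header mentioned above can be done in a small must-use plugin, so they survive theme changes. The following is an added example written for this article, not code from WooCommerce or from the original page; the plugin name, the constant MYSTORE_HSTS_MAX_AGE and the file path are assumptions.

```php
<?php
/**
 * Plugin Name: Force HTTPS and HSTS (example)
 * Save as wp-content/mu-plugins/force-https.php once the TLS certificate is
 * installed and Settings > General already uses https:// for both addresses.
 */

// Assumed value. Start small while you confirm that every page, the checkout
// and every subdomain work over HTTPS; raise it to a year (31536000) only then,
// because browsers will refuse plain HTTP for the whole period.
const MYSTORE_HSTS_MAX_AGE = 300;

// Redirect any plain-HTTP front-end request to the same path over HTTPS.
add_action( 'template_redirect', function () {
    if ( is_ssl() ) {
        return;
    }
    // home_url() builds the target from the configured site address rather than
    // from the untrusted Host header, so this cannot become an open redirect,
    // and wp_safe_redirect() refuses hosts outside the allowed list anyway.
    $target = home_url( wp_unslash( $_SERVER['REQUEST_URI'] ), 'https' );
    wp_safe_redirect( $target, 301 );
    exit;
} );

// Once the response really is HTTPS, ask browsers to remember that. Drop
// "includeSubDomains" if any subdomain is still served over plain HTTP.
add_action( 'send_headers', function () {
    if ( is_ssl() && ! headers_sent() ) {
        header( 'Strict-Transport-Security: max-age=' . MYSTORE_HSTS_MAX_AGE . '; includeSubDomains' );
    }
} );
```

Two caveats. template_redirect does not run for wp-admin and wp-login.php, so also add define( 'FORCE_SSL_ADMIN', true ); to wp-config.php. And if TLS is terminated at a proxy or CDN, PHP sees plain HTTP and is_ssl() returns false, which turns the redirect above into a loop; in that case set $_SERVER['HTTPS'] = 'on' in wp-config.php when the proxy's X-Forwarded-Proto header says https, but only if the proxy overwrites that header on every request rather than passing through whatever the client sent.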

3. Include a “Terms and Conditions” page

A Terms and Conditions page that sets out your payment, shipping and refund policies is a must for any online store. The GDPR itself is about personal data, but the terms are where you document the contract with the customer that justifies processing their order data. WooCommerce can show the terms on the checkout page with an "I have read and agree" checkbox that customers must tick before they can place an order, so the T&C act as the legal agreement between you and your customer.

Here’s how you can create and add your Terms and Conditions to your WooCommerce store.

    Step 1: Sign in to your WordPress account > From the dashboard, go to Pages > Add New.
    Step 2: Write your Terms and Conditions document > Publish the page.
    Step 3: To show the terms on your checkout page, go to Appearance > Customize.
    Step 4: Select WooCommerce > Checkout.
    Step 5: Under Terms and conditions page, select the page you just created > Click Publish. The checkout now shows an "I have read and agree to the website terms and conditions" checkbox that customers must tick before placing an order.

4. Create a “Privacy Policy” page

A Privacy Policy page is mandatory for your WooCommerce site. Write a privacy policy that clearly tells your users what you collect, why, for how long, and who it is shared with, together with the steps you have taken to protect it and how they can exercise their rights.

When creating your privacy page, state exactly which data you collect from users, the purpose of each collection, and your storage, retention and sharing policies. WordPress (4.9.6 and later) helps here: Settings > Privacy lets you designate the page as the site's privacy policy, and the Privacy Policy Guide on that screen collects suggested text from WordPress, WooCommerce and any plugin that registers its own, so you do not have to work out from scratch what each component stores.

Now, have a look at the following steps that describe how to create and add a privacy policy page in WooCommerce.

    Step 1: Sign in to your WordPress account > From the dashboard, go to Pages > Add New.
    Step 2: Write your Privacy Policy document > Publish the page.
    Step 3: Go to WooCommerce > Settings > Accounts & Privacy.
    Step 4: Scroll down to Privacy page under Privacy policy > Click Select a page > Choose the Privacy Policy page you created.
    Step 5: Scroll down and click Save changes to save the settings.

5. Add a cookie policy page to your store

Does your WooCommerce store use cookies to track user behaviour? Then you are processing personal data: the identifiers stored in those cookies count as personal data under the GDPR, and the EU ePrivacy rules require consent before any non-essential cookie is set. You may not use them until you have told users which cookies you set and why, and they have agreed. Strictly necessary cookies, such as the WooCommerce session and cart cookies, do not need consent but should still be listed in your cookie policy.

There are many WooCommerce plugins that let you create a Cookie Policy page, but not all of them meet the GDPR requirements. GDPR Cookie Consent is a widely used, flexible WooCommerce plugin for this job, and it helps you meet the cookie consent requirements without much effort.
This plugin comes with a policy generator that makes creating a cookie policy page straightforward. It also lets you add and manage multiple cookies, mark cookies as necessary or non-necessary, customise cookie banners, and more. The premium version of GDPR Cookie Consent adds further features and cookie settings.


You could also use CookieYes to make your WooCommerce store comply with the GDPR requirements. "CookieYes" is an easy-to-use GDPR cookie consent solution that lets you create a cookie consent banner and manage the user consent for your store. Also, the solution helps you install cookie banners on your website in a matter of minutes.

6. Show cookie notification pop-ups

If your website uses cookies that collect personal information, you have to tell users about them and obtain their consent. In practice that means showing a cookie notice banner to every visitor on their first visit, before any non-essential cookie is set, with a real choice to accept or decline.

You can use a plugin or the "Store Notice" feature of WooCommerce to add a cookie banner to your store.

The WooCommerce Store Notice is designed to show a site-wide message to your visitors, with an option to dismiss it, so it can double as a cookie notification banner. But remember: this feature only displays text. It does not block the cookies that are set before the visitor consents, and it cannot record that consent was given. For anything beyond strictly necessary cookies you need a consent mechanism that actually withholds the tracking scripts until the visitor accepts.

To enable "Store Notice":

    Step 1: Sign in to your WordPress account > From the dashboard, go to Appearance > Customize.
    Step 2: Select WooCommerce > Store Notice > Check the Enable store notice option > Enter your notice text > Click Publish.
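A banner on its own does not stop tracking; the tracking script has to stay out of the page until the visitor has accepted. The following is an added example for this section, not code from the page or from any of the plugins it mentions, showing the server-side half of that gate: the analytics tag is only enqueued when a consent cookie says so. The cookie name mystore_analytics_consent, its value, the plugin name and the script URL are all assumptions; your consent banner has to set that cookie when, and only when, the visitor accepts analytics cookies.

```php
<?php
/**
 * Plugin Name: Consent-gated analytics (example)
 * Save as wp-content/mu-plugins/consent-gated-analytics.php.
 */

// Assumed cookie name; the banner sets it to "yes" on acceptance and "no" on refusal.
const MYSTORE_CONSENT_COOKIE = 'mystore_analytics_consent';

// The decision is kept in a pure function so it can be unit-tested without WordPress.
// Anything other than an explicit "yes" (missing cookie, "no", garbage) means no consent.
function mystore_has_analytics_consent( array $cookies ) {
    return isset( $cookies[ MYSTORE_CONSENT_COOKIE ] )
        && 'yes' === $cookies[ MYSTORE_CONSENT_COOKIE ];
}

add_action( 'wp_enqueue_scripts', function () {
    if ( ! mystore_has_analytics_consent( $_COOKIE ) ) {
        // No consent: the tag is never sent to the browser, so it cannot set cookies.
        return;
    }
    // Assumed placeholder URL; substitute your real analytics loader.
    wp_enqueue_script( 'mystore-analytics', 'https://analytics.example/tag.js', array(), null, true );
} );
```

The caveat is page caching: a full-page cache serves one copy of the HTML to every visitor, so on a cached site it may serve the page with the tag to someone who declined. Most caches ignore a Vary: Cookie header, so pair this server-side gate with the banner's own JavaScript, which loads the tag client-side only after acceptance, and treat the PHP check as the second layer rather than the only one.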

7. Make the “My account” page GDPR-compliant

WooCommerce allows user registration on the My account page. Customers like having an account because they can check out faster, track current orders, view previous orders, see the reviews and ratings they have left for your products, and manage their other account details.

To enable “My account” registrations:

    Step 1: Sign in to your WordPress account > From the dashboard, go to WooCommerce > Settings > Accounts & Privacy > Check the Allow customers to create an account on the "My account" page option.
    Step 2: Scroll down and click Save changes to save the settings.
    Step 3: If your store has no My Account page yet, go to Pages > Add New and create one.
    Step 4: Insert the shortcode [woocommerce_my_account] in that page to display the customer account page.

When you enable "My account" registrations, you start handling users' personal data. Creating the account itself can rest on the contract with the customer, but you still have to show users the privacy policy at the point of collection, and any optional processing (marketing emails, for instance) needs an explicit opt-in. WooCommerce 3.4 and later can display a privacy-policy notice on the registration form (the Registration privacy policy text under Accounts & Privacy), but it does not include a consent checkbox.

However, you can add a privacy policy checkbox to the registration form with a plugin or with a few lines of custom code.

Follow the steps below to add a code snippet to your theme's functions.php file. A practical caveat first: edits to a parent theme's functions.php are lost on the next theme update, and on hardened sites the editor is disabled with DISALLOW_FILE_EDIT in wp-config.php. Prefer a child theme's functions.php, or put the snippet in its own file under wp-content/mu-plugins, where it loads regardless of the active theme.

    Step 1: Sign in to your WordPress account > From the dashboard, go to Appearance > Theme Editor.
    Step 2: In the Theme Files section, select Theme Functions (functions.php).
    Step 3: Add the code snippet > Click Update File.

    Sample Code:
    // Add a required privacy-policy checkbox to the My Account registration form.
    add_action( 'woocommerce_register_form', 'mystore_add_registration_privacy_policy', 12 );
    function mystore_add_registration_privacy_policy() {
        // get_privacy_policy_url() returns the page chosen under Settings > Privacy
        // (WordPress 4.9.6+); hard-code your policy URL instead if you do not use it.
        $policy_url = get_privacy_policy_url();
        woocommerce_form_field( 'privacy_policy_reg', array(
            'type'        => 'checkbox',
            'class'       => array( 'form-row privacy' ),
            'label_class' => array( 'woocommerce-form__label woocommerce-form__label-for-checkbox checkbox' ),
            'input_class' => array( 'woocommerce-form__input woocommerce-form__input-checkbox input-checkbox' ),
            'required'    => true,
            'label'       => 'I\'ve read and accept the <a href="' . esc_url( $policy_url ) . '">Privacy Policy</a>',
        ) );
    }

    // Reject the registration if the box was not ticked. This filter also runs for
    // accounts created during checkout, where the field is not shown, hence the guard.
    add_filter( 'woocommerce_registration_errors', 'mystore_validate_privacy_registration', 10, 3 );
    function mystore_validate_privacy_registration( $errors, $username, $email ) {
        if ( ! is_checkout() && empty( $_POST['privacy_policy_reg'] ) ) {
            $errors->add( 'privacy_policy_reg_error', __( 'Privacy Policy consent is required!', 'woocommerce' ) );
        }
        return $errors;
    }

Before the code is added, the My Account registration form has no consent checkbox. After adding the snippet, the form shows a required "I've read and accept the Privacy Policy" checkbox, and registration fails with an error message if it is left unticked.
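The checkbox above blocks registration without consent, but it leaves no trace of that consent, and the GDPR expects you to be able to demonstrate it later. It also does nothing for the "access" and "delete" guidelines listed earlier. The following is an added example written for this article, not code from WooCommerce or from the original page, that records when and to which policy version a customer consented, and plugs that record into the WordPress Export Personal Data and Erase Personal Data tools so it travels with every access or erasure request. The meta key, the policy version string, the plugin name and the exporter/eraser slugs are assumptions; it expects the privacy_policy_reg field from the registration snippet.

```php
<?php
/**
 * Plugin Name: My Store consent record (example)
 * Save as wp-content/mu-plugins/consent-record.php alongside the registration checkbox.
 */

// Assumed names. Storing the policy version lets you prove which text was accepted.
const MYSTORE_CONSENT_META    = 'mystore_privacy_consent';
const MYSTORE_POLICY_VERSION  = '2018-05-25';
const MYSTORE_PRIVACY_SLUG    = 'mystore-consent';

// Runs after WooCommerce has created the customer account. The field only exists
// on the My Account form, so checkout-created accounts are skipped automatically.
add_action( 'woocommerce_created_customer', function ( $customer_id ) {
    if ( empty( $_POST['privacy_policy_reg'] ) ) {
        return;
    }
    update_user_meta( $customer_id, MYSTORE_CONSENT_META, array(
        'version'  => MYSTORE_POLICY_VERSION,
        'accepted' => gmdate( 'c' ),
        // Keep a keyed hash of the IP rather than the IP itself: enough to corroborate
        // the record without holding one more piece of personal data in the clear.
        'ip_hash'  => hash_hmac( 'sha256', $_SERVER['REMOTE_ADDR'], wp_salt( 'auth' ) ),
    ) );
} );

// Right of access: include the consent record in Tools > Export Personal Data.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters[ MYSTORE_PRIVACY_SLUG ] = array(
        'exporter_friendly_name' => 'My Store privacy consent',
        'callback'               => 'mystore_export_consent',
    );
    return $exporters;
} );

function mystore_export_consent( $email_address, $page = 1 ) {
    $data = array();
    $user = get_user_by( 'email', $email_address );
    if ( $user ) {
        $consent = get_user_meta( $user->ID, MYSTORE_CONSENT_META, true );
        if ( is_array( $consent ) ) {
            $data[] = array(
                'group_id'    => MYSTORE_PRIVACY_SLUG,
                'group_label' => 'Privacy policy consent',
                'item_id'     => 'consent-' . $user->ID,
                'data'        => array(
                    array( 'name' => 'Policy version',    'value' => $consent['version'] ),
                    array( 'name' => 'Accepted at (UTC)', 'value' => $consent['accepted'] ),
                ),
            );
        }
    }
    // Everything fits in one page, so report the export as finished.
    return array( 'data' => $data, 'done' => true );
}

// Right to erasure: remove the record in Tools > Erase Personal Data.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers[ MYSTORE_PRIVACY_SLUG ] = array(
        'eraser_friendly_name' => 'My Store privacy consent',
        'callback'             => 'mystore_erase_consent',
    );
    return $erasers;
} );

function mystore_erase_consent( $email_address, $page = 1 ) {
    $removed = false;
    $user    = get_user_by( 'email', $email_address );
    if ( $user && get_user_meta( $user->ID, MYSTORE_CONSENT_META, true ) ) {
        $removed = (bool) delete_user_meta( $user->ID, MYSTORE_CONSENT_META );
    }
    return array(
        'items_removed'  => $removed,
        'items_retained' => false, // nothing here needs to be kept once the account goes
        'messages'       => array(),
        'done'           => true,
    );
}
```

WooCommerce registers its own exporters and erasers for customer and order data, and the Accounts & Privacy tab decides whether order records are anonymised on an erasure request or retained (invoices usually have to be kept for tax law). Custom data that only your own code stores, like this consent record, is invisible to those tools unless you register it as above.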

8. Create GDPR-compliant opt-in forms

An opt-in form lets you collect details such as name and email address from customers so that you can add them to your email marketing list. Opt-in strategies help you grow that list and reach the right audience at the right time. Always make sure the form you create meets the GDPR requirements. The Mailchimp for WooCommerce plugin, for example, can generate GDPR-friendly forms.

In order to achieve GDPR compliance, you have to display your privacy policy checkbox before letting users opt-in. Also make sure that your opt-in checkboxes are not checked by default. Instead, give users the complete freedom to tick the consent boxes themselves.

Your opt-in form should not include fields that ask for irrelevant customer details. And inform the users why you collect their personal data.

For example: When you specify "Enter your email address to receive our newsletters, special offers and discount coupons.", the users are more likely to provide their info because here the purpose is quite clear.

Make sure you also tell users how to opt out, and put an unsubscribe link in every marketing email you send.

Note: Consent that existing customers gave before the GDPR only remains valid if it already met the GDPR standard (freely given, specific, informed, unambiguous, and documented). If you cannot show that it did, you have to ask them for consent again.

9. Make sure all your third-party plugins are GDPR-ready

You will almost certainly be using third-party plugins and services on your WooCommerce store, mostly for payment processing, cart abandonment recovery, newsletter subscriptions, contact and opt-in forms, analytics, and so on. Keep in mind that if a plugin processes or stores your customers' personal data in any way, it must comply with the GDPR as well, and as the controller you are the one answerable for that processing.

Therefore, it is high time to audit your plugins and find out whether everything that touches user data is GDPR-ready.

To check whether a plugin complies with the GDPR, read its changelog, release notes and email announcements. Most importantly, look at the plugin's website for evidence of its GDPR compliance (what data it collects, where it sends it, whether it offers a data processing agreement), and follow its guidelines to configure it in a compliant way.

In most cases, updating a plugin to its latest version is enough to get its GDPR features. You can see at a glance which active plugins still have updates pending with the WP-CLI command wp plugin list --status=active --update=available, or under Dashboard > Updates.

If you find any plugin that does not comply with the GDPR, the best thing you can do is to replace it with another similar plugin that is GDPR-compliant.

MailChimp, MonsterInsights, OptinMonster, etc. are some examples of WooCommerce plugins that have taken measures to make their services GDPR-compliant.

Note: Once you have confirmed that all your data-handling plugins comply with the GDPR, list them, and the third parties they send data to, in your privacy policy. Many plugins now add their suggested wording to the Privacy Policy Guide under Settings > Privacy, which is a good place to start.

10. Encourage only registered users to review your products and services

When purchasing a product from your store, a vast majority of people rely on the reviews posted by their fellow customers. Therefore, you should always ask your customers to rate your products and leave reviews after they’ve made a purchase from your store.

Customer reviews contain personal information (at least a display name and the email address stored with the comment), so you have to inform users about that processing and cover it in your privacy policy before letting them rate or review your products.

WooCommerce offers an option to allow only "verified owners" to leave reviews. A verified owner is a customer whose email address matches an order for that product, not merely a registered user. Registered customers have seen (and, with the checkbox from section 7, accepted) your privacy policy when they created the account, and a verified-owner review is tied to a real purchase, so restricting reviews this way keeps review data limited to people whose data you already process lawfully and cuts down on anonymous spam.

Following are the steps to enable reviews only for verified owners:

    Step 1: Sign in to your WordPress account > From the dashboard, go to WooCommerce > Settings.
    Step 2: Select Products > Under Reviews, check the Reviews can only be left by "verified owners" option.
    Step 3: Click Save changes to save the settings.

11. Build a data breach response plan for your store

Data breaches and identity theft have become increasingly common. Under the GDPR you must notify your supervisory authority within 72 hours of becoming aware of a personal data breach (unless it is unlikely to put people at risk), notify the affected individuals without undue delay when the breach is likely to result in a high risk to them, and keep an internal record of every breach, including the ones you did not have to report. Your privacy policy should also tell visitors what protection procedures you have in place. So create and maintain a breach response plan for your store: who decides whether a breach is reportable, where your server, application and payment-gateway logs are and how long they are kept so you can establish what was taken, how you rotate credentials and API keys, who contacts your host and payment provider, and the contact details of your supervisory authority.

Conclusion

The GDPR protects the personal data and privacy of individuals across the EU member states. As a WooCommerce store owner, it is now your turn to reshape your business policies and your store so that they comply with it.

Getting your online store GDPR-ready will not happen overnight. You will have to work through the considerations described above. But while preparing your store for GDPR compliance, you are also building customer confidence and trust, which in turn helps you grow your customer base and your business.




Disclaimer:
This article is intended to be used for informational purposes only and does not constitute any form of legal advice. You shall seek a subject matter expert or your own attorney for any legal advice on getting your WooCommerce store fully GDPR-compliant.