GDPR compliance information for WooCommerce and WordPress sites

Firstly, you shouldn’t trust any other source than the GDPR law itself. Try to find answers to your questions from the actual law document. This post is just a collection of information and links to help you understand how GDPR affects your WooCommerce site.

I recommend the Privacy by Design approach to GDPR.

WordPress GDPR compatibility

The WordPress core development team is currently developing features that will make it easier for website administrators to offer users the privacy controls and data usage information required by the General Data Protection Regulation.

It’s a good idea to collect only the data you need, and to keep it only for as long as you really need it.

How does GDPR affect user experience?

In my opinion, adopting GDPR should not affect the end user’s experience. I recommend not using tracking that needs users’ consent. Just track less (and anonymously) and your users will be happier.

How is Automattic preparing for GDPR?

How to obtain consent?

Consent to different types of data collection, tracking or marketing cannot be bundled. Consent to each type of data collection and use must be asked for separately. Customers’ opt-in steps need to be logged, so that there is proof that the customer agreed to the use of their personal data.
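The two requirements above (one consent per purpose, and a log that proves what was agreed and when) translate directly into a data structure. The following is an added example, not code from the original post or from WordPress/WooCommerce: an append-only consent log where every record covers exactly one purpose, the latest record per purpose decides whether processing is currently allowed (so withdrawal is honoured), and the full history can be produced on request. The purpose names, record shape and the customer id are assumptions; a real site would persist the records server-side and tie them to an authenticated customer.

```javascript
// Added example (not from the original post). Purposes, record fields and
// storage are hypothetical; a real WooCommerce site would store these records
// in its database and link them to the logged-in customer.

// Each kind of processing is a separate purpose. Consent is asked for and
// recorded per purpose, so there is no "accept all" record in the log.
const PURPOSES = Object.freeze(["order_processing", "analytics", "marketing_email"]);

// Record one opt-in or opt-out decision and return the new log.
// Records are never modified or deleted: the history itself is the proof.
function recordConsent(log, customerId, purpose, granted, timestamp, source) {
  if (typeof purpose !== "string" || !PURPOSES.includes(purpose)) {
    // Rejects bundled values such as "all" or an array of purposes.
    throw new Error(`unknown or bundled purpose: ${String(purpose)}`);
  }
  const entry = Object.freeze({
    customerId,
    purpose,
    granted: Boolean(granted),
    timestamp: new Date(timestamp).toISOString(),
    // Where the decision was made, so the exact wording shown to the
    // customer at that time can be retrieved later (e.g. form version).
    source,
  });
  return log.concat(entry); // append-only
}

// Is processing for `purpose` currently permitted for this customer?
// The most recent record for that purpose wins, so a later withdrawal
// overrides an earlier opt-in.
function hasConsent(log, customerId, purpose) {
  const relevant = log
    .filter((e) => e.customerId === customerId && e.purpose === purpose)
    .sort((a, b) => a.timestamp.localeCompare(b.timestamp));
  return relevant.length > 0 && relevant[relevant.length - 1].granted;
}

// Every decision one customer has made, oldest first: the evidence a
// customer or a supervisory authority may ask for.
function consentHistory(log, customerId) {
  return log
    .filter((e) => e.customerId === customerId)
    .sort((a, b) => a.timestamp.localeCompare(b.timestamp));
}

// Constructed sample: customer 42 agrees to order processing and analytics
// at checkout, declines marketing e-mail, and later withdraws analytics.
let sampleLog = [];
sampleLog = recordConsent(sampleLog, 42, "order_processing", true, "2018-05-25T10:00:00Z", "checkout form v3");
sampleLog = recordConsent(sampleLog, 42, "analytics", true, "2018-05-25T10:00:05Z", "checkout form v3");
sampleLog = recordConsent(sampleLog, 42, "marketing_email", false, "2018-05-25T10:00:10Z", "checkout form v3");
sampleLog = recordConsent(sampleLog, 42, "analytics", false, "2018-06-01T08:30:00Z", "account privacy page");

for (const purpose of PURPOSES) {
  console.log(`${purpose}: ${hasConsent(sampleLog, 42, purpose) ? "allowed" : "not allowed"}`);
}
```

Because the log is append-only and each record names a single purpose, a later "I never agreed to marketing" dispute can be answered from the records alone, and withdrawing one consent never touches the others.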

WordPress plugins to make your site GDPR compliant

Just installing GDPR plugins or using WordPress/WooCommerce core privacy features alone is not enough. You will need to document all the services that capture data and make that information available to all your visitors. Write a blog post about it, just to be as transparent as possible. However, there are several plugins that make it easier for you to disclose data tracking and obtain tracking consent.

Answer these questions in your privacy statement

  • What data are you collecting and how is it used?
  • How can customers get their data removed?
  • How long are you retaining the data?
  • How and where is customer data saved?
  • How is customer data protected?
  • How do you erase data when a customer wants to be forgotten (remove personal data from your registry)? Document your data erasing process.
  • How will you inform about a data breach?

In case of data breach

If user data is breached or compromised, you will need to inform authorities and your customers about the breach within 72 hours.

How have social media services taken GDPR into account?

What should I do about Google Analytics?

Google Analytics tracking should be as anonymous as possible, to make it easy for the user to agree to tracking.

GDPR guides