29 September 2018
As everyone knows, the deadline for implementing the GDPR was May 25, 2018. Since then, all online stores that have not adapted to the new general European rules can face severe financial penalties. For new e-commerce stores and for latecomers across the whole industry, we have prepared a short guide to what should be implemented in stores running on WooCommerce. The following tips are only a guide to the necessary changes; to adapt your store to the legal regulations, it is worth consulting a qualified consultant or lawyer.
General news regarding GDPR
In order to be compliant with the GDPR, companies must conduct an audit of their WooCommerce website and marketing procedures. It is worth remembering that these regulations affect companies both in the EU and outside. Any non-EU company dealing with EU clients will have to adapt to the GDPR.
To achieve full compliance by the end of May 2018, companies using WooCommerce must:
- inform the user who they are, what data they collect, why they collect data, how long they store it, and what third parties will receive it.
- obtain clear consent before receiving any data
- allow users to access their data
- allow users to download their data
- allow users to delete their data
- inform users if there has been a data breach.
If companies do not strictly follow these rules, they risk a fine of up to EUR 20 million or 4% of the company’s annual worldwide turnover (whichever is higher).
Changes will affect things like:
- WooCommerce terms and conditions (order page)
- WooCommerce privacy policy (order page)
- Registration of WooCommerce users (My Account page)
- Abandoned WooCommerce carts (checkout page)
- WooCommerce product reviews (single product page)
- WordPress comments (Blog pages)
- WordPress and WooCommerce sign-up forms (newsletter, etc.)
- WordPress contact forms (Contact page, widgets, etc.)
- WooCommerce analytics
- WordPress and WooCommerce plugins and APIs (payments, email marketing, etc.)
- Notifications of security breaches
With the basics covered, we can move on to the main part: the actions that need to be taken.
WooCommerce terms and conditions
The terms and conditions include the legal terms and conditions that bind the customer to your company.
To-do list:
- Create a terms and conditions page if you do not have one (you can use a generator and study how popular e-commerce websites word theirs)
- Add a new GDPR paragraph to your Terms and Conditions that links to the privacy policy page
- Use the WooCommerce Checkout settings to add a checkbox to the checkout page
WooCommerce privacy policy
The privacy policy page requires a lot of editing and copywriting. In addition, on the checkout page and in other places, such as contact forms and sign-up forms, you must display the consent message for the privacy policy.
With respect to the content of the privacy policy, you must inform the user about the data you collect, store and use.
To-do list:
- Create a Privacy Policy page on your own or with the WP generator.
- Add who – what – how – why – when to the privacy policy
- Display a link to the privacy policy in the footer
- Use the WooCommerce snippet to display the privacy policy on the checkout page
Registration of WooCommerce users
The “My Account” page of WooCommerce has a registration form with a username and password if you enabled it in the WooCommerce settings.
To-do list:
- Check if you have your WooCommerce account registration enabled
- If so, add the privacy policy checkbox to the registration form using the WooCommerce snippet
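The “WooCommerce snippet” mentioned for the checkout page and for the registration form above, written out as an added example (this is not code from the article or from WooCommerce itself). It assumes the WordPress privacy-policy page is set under Settings > Privacy; the `gdpr_consent` field name and the meta keys are this example's own choice, while the hooks and functions are real WooCommerce/WordPress ones.

```php
<?php
// Added example, not code from the article or from WooCommerce itself: a required
// privacy-policy consent checkbox on the checkout and "My Account" registration forms,
// validated server-side and recorded with a timestamp as evidence of consent. The hooks
// and functions are real WooCommerce/WordPress ones; the field and meta names are assumed.
function gdpr_consent_field() {
    // The link points at the page chosen under Settings > Privacy in WordPress.
    $label = sprintf(
        'I have read and accept the <a href="%s" target="_blank">privacy policy</a>',
        esc_url( get_privacy_policy_url() )
    );
    woocommerce_form_field( 'gdpr_consent', array(
        'type'     => 'checkbox',
        'class'    => array( 'form-row-wide' ),
        'label'    => $label,
        'required' => true,
    ) ); // rendered unchecked: consent must be an active choice, never pre-ticked
}
add_action( 'woocommerce_review_order_before_submit', 'gdpr_consent_field' );
add_action( 'woocommerce_register_form', 'gdpr_consent_field' );

// Never rely on the browser-side "required" flag alone; re-check the POST body.
// WooCommerce has already verified the form nonce before the hooks below run.
function gdpr_consent_given() {
    return ! empty( $_POST['gdpr_consent'] );
}

// Checkout: refuse to place the order when the box is not ticked ...
add_action( 'woocommerce_checkout_process', function () {
    if ( ! gdpr_consent_given() ) {
        wc_add_notice( 'You must accept the privacy policy to place an order.', 'error' );
    }
} );
// ... and store the consent time on the order (works with and without HPOS storage).
add_action( 'woocommerce_checkout_create_order', function ( $order ) {
    $order->update_meta_data( '_gdpr_consent_at', current_time( 'mysql', true ) );
} );

// Registration: reject the account request without consent ...
add_action( 'woocommerce_register_post', function ( $username, $email, $errors ) {
    if ( ! gdpr_consent_given() ) {
        $errors->add( 'gdpr_consent', 'You must accept the privacy policy to register.' );
    }
}, 10, 3 );
// ... and keep the consent time on the new customer account.
add_action( 'woocommerce_created_customer', function ( $customer_id ) {
    update_user_meta( $customer_id, 'gdpr_consent_at', current_time( 'mysql', true ) );
} );
```

Place the file in a small site-specific plugin (or the child theme's functions.php); the stored timestamps are what you show when a user or regulator asks when consent was given.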
Abandoning the WooCommerce cart
Abandoned-cart plugins collect e-mail addresses without permission. In fact, when a user is on the checkout page and enters her email address without completing the payment, she has not had the chance to tick the Terms checkbox and read the privacy policy. This is contrary to the GDPR, which requires explicit consent (i.e. ticking the box).
WooCommerce product reviews
Reviews contain personal data for which you need the user’s consent. A good way to avoid this “consent” is to allow only logged-in customers who bought the product to leave a review.
To-do list:
- Check the box “Reviews can be left only by verified owners” in the WooCommerce settings
WordPress comments
If your pages and posts in WordPress have comments enabled, another issue appears regarding compliance with the GDPR. Users are usually asked to provide their name, email address and website URL along with the message without having to register an account.
To-do list:
- Use the default WordPress comments or choose a GDPR-compatible WordPress comments plugin
- Make sure that the privacy policy check box is displayed before users post a comment
WordPress and WooCommerce consent forms
A consent form is a contact form in which users enter their name and (usually) e-mail address to join your email marketing list (or contact database).
To-do list:
- Audit all consent forms
- Check that your consent form / newsletter / email marketing service provider has a GDPR solution
- Make sure that the privacy policy check box is displayed before users submit the form
WordPress contact forms
Many of us use Contact Form 7, Ninja Forms or Gravity Forms on the Contact page or elsewhere on a WordPress website. These forms now require consent to the privacy policy.
To-do list:
- Add the privacy policy checkbox to all contact forms
- If the contact form will store personal data in the database and/or is associated with email marketing software, you must inform users why and where you store data
WooCommerce analytics
When using Google Analytics, you capture user data and set cookies without permission. The same applies to Google AdWords or similar solutions.
To-do list:
- Use only reliable GDPR-compatible tracking software
- Ask software providers how they handle compliance with the GDPR rules
- Add information to your Privacy Policy that deals with your tracking data
WordPress and WooCommerce plugins
It is worth making sure that every plugin that uses customer data in any way meets the conditions of the GDPR. That means both the reliability of the plugin and its readiness for the GDPR. It is also worth remembering to list the plugin’s vendor in the Privacy Policy as a third party to whom you provide data.
To-do list:
- Choose plugins compatible with the GDPR
- Discard plugins that are not compatible with the GDPR
WordPress and Woocommerce APIs
An API (Application Programming Interface) is simply a “piece of code” that lets your site talk to external software without leaving your site.
To-do list:
- Audit all your APIs
- Discard non-GDPR APIs
- Add APIs to your privacy policy
Security breach notifications
According to the GDPR, if a data breach occurs on your site, you should immediately inform the users affected by the breach. The notification must be sent within 72 hours.
To-do list:
- Secure your WordPress / WooCommerce website
- Subscribe to notices from all software vendors / third-party APIs so that you learn of any data breach that affects your users
- Reduce the amount of unnecessary stored data.
- Establish a contingency plan in case of data breach.
Consent from current WooCommerce customers / subscribers
You must re-contact all existing subscribers, customers and users and ask them for “active” consent, as well as tell them how to download, delete or access their personal data.
Follow the steps outlined above for your WooCommerce website in consultation with a lawyer, whether you are based in the EU or not. If you are not going to seek help from a lawyer, at least make sure that all your plugins and APIs are compatible with the GDPR. You must, of course, write a new privacy policy, because that is where most of the changes are.