Re-post from the blog

Getting your business prepared for the GDPR is no small task, and it doesn’t end when the law takes effect on May 25th.

Step one: to get ready for the GDPR, May 25th and beyond, you’ll want to designate an employee to oversee compliance efforts and update your privacy policy. These aren’t just legal requirements — they also lay a good foundation for ongoing compliance and they can impact sales.

Put Someone in Charge of Data

Data Protection Officer is a formal role required by the GDPR. If you’re a one-person shop this falls to you, so you’ll need to set aside some time to stay on top of compliance. Whether it is you or one of your employees, you must designate someone to take charge of your business’ data protection strategy and compliance, and:

  • Decide how customers should make privacy-specific requests. This could be via a contact form on your site or through a special email address (e.g., [email protected]).
  • Update your privacy policy with how you use and store data, and why. The GDPR requires you to disclose what data you collect and how you handle it. Can you collect less personal data? How long does your business need to retain records for state/provincial/federal taxes? When and how do you back up, and ultimately destroy, customer and order records? For WordPress and WooCommerce, this includes reviewing the data practices of plugins and services your store relies on. All this information should be published as your Privacy Policy.
  • Prepare for and respond to right to erasure / right of access requests. Customers can request that you delete their data, and you’re required to comply.
  • Prepare for and respond to security breaches. The GDPR requires you to disclose breaches to your customers promptly.
  • Keep attuned to future changes in privacy laws that might affect your business.

How to Update Your Privacy Policy

In addition to being a GDPR requirement, a well-written easily understood privacy policy can help close sales with increasingly privacy-conscious consumers. Pulling together a privacy policy for your WooCommerce store involves a bit of research, a bit of writing, and a commitment to revisit the policy from time to time.

Starting with WordPress 4.9.6, you’ll be able to create or designate a page on your site as your store’s privacy policy. You’ll find this new feature in WP Admin > Settings > Privacy:

If you are creating a privacy policy page for the first time, WordPress will provide a template to get you started. Generally speaking, a good privacy policy answers the following questions:

1. What data does this store collect about me?

Start by “self-testing” your own store and noting all the fields (required or optional) where customers are prompted to enter information or make selections. Note the obvious personal data like name and address, along with anything else you collect from them when they check out or become a registered user on your site.

Next, look at the less explicit tools, like cookies or analytics, that your site uses. Examine which plugins you have installed and review their privacy information. Does a plugin send data outside the country or perhaps outside the European Union? That’s another thing you’ll need to disclose to customers.

Take advantage of the new tools in WordPress to see privacy updates from active plugins: starting with WordPress 4.9.6, plugins can register privacy information with WordPress itself, and you’ll see that information in a special box near the editor when you are editing your privacy policy page in wp-admin. WordPress itself will also provide information on the data it collects from visitors to your sites, like comments and cookies.

The new privacy information box makes it possible to copy and paste privacy information from WordPress and plugins directly into your privacy policy, where you can edit it to the particulars of your store. However, since much depends on the specific settings you use and how plugins interact with one another, you’ll want to review and edit that text to make sure it’s right for your store.

If a plugin doesn’t provide privacy information you can visit the developer’s website or contact them directly and ask them about what data their plugin collects from visitors to your site, if any, and what they do with it.

2. What does this store do with my data and why?

After you know what you’re collecting, you’ll need to note why you’re collecting it.

Explanations for much of the data you collect are simple: you need their address to ship them a product, or you need their email address to update them on their order status.

If you’re collecting any personal data that you don’t actually need to fulfill an order, you’ll want to explain why to your customer and give them a means to opt out of that sort of “processing” (see “Checkboxes aren’t the only way” below).

3. Who does this store share my data with?

Here, a bit of sleuthing is involved — you’ll want to review how the data you collect is used. A few types of plugins are more likely to share data:

  • Payment gateways often share data with the payment provider to process the payment.
  • Shipping extensions often share data with shipping providers to calculate shipping rates or print shipping labels.
  • Marketing and analytics extensions often share data to add customers to lists or analyze their behavior.

Essentially, if a plugin connects to an external service, it’s likely sharing some type of data with that service. You’ll want to review the privacy policies of these services to make sure they align with your privacy priorities.

4. How long does this store keep my data?

There are lots of reasons to retain records, including if a charge is disputed by a customer, for tax audits, or for other legal concerns. While laws like the GDPR include a “right to erasure,” you are not required to erase records you need for these other aspects of your business.

That said, your privacy policy, alongside your terms and conditions page, should make it clear to customers how long you retain their personal data and why.

5. How can I access, update, or delete the collected data?

In addition to knowing what you’re doing with personal data, customers need to know how they can update their data, including:

  • Getting a copy of their data
  • Updating their data
  • Deleting their data

Your privacy policy should give customers clear instructions on how to reach you or your designated privacy person with these types of requests. If you allow your customers to edit some of their own information, for example under My Account, you can mention that here as well.
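As an added illustration (not code from the original post, WordPress or WooCommerce), here is how a hypothetical “Example Loyalty Points” plugin would use the WordPress 4.9.6 privacy hooks mentioned under question 1 (registering suggested policy text for the privacy box) and question 5 (answering export and erasure requests). The plugin name, the `example_loyalty_points` user-meta key and the retention message are assumptions; the hook names and return shapes are the ones WordPress core defines.

```php
// Hypothetical "Example Loyalty Points" plugin (added illustration, not WooCommerce code).
// It stores one value in user meta and wires up the three WordPress 4.9.6 privacy hooks.
// 1. Suggested policy text: shows up in the privacy box next to the policy-page editor.
add_action( 'admin_init', function () {
    wp_add_privacy_policy_content(
        'Example Loyalty Points',
        '<p>We keep a loyalty-points balance on your account to apply discounts at checkout.</p>'
    );
} );

// 2. Exporter: adds our data to the "Export Personal Data" tool (right of access).
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-loyalty'] = array(
        'exporter_friendly_name' => 'Example Loyalty Points',
        'callback'               => function ( $email_address, $page = 1 ) {
            $user = get_user_by( 'email', $email_address );
            $data = array();
            if ( $user ) {
                $balance = (int) get_user_meta( $user->ID, 'example_loyalty_points', true );
                $data[]  = array(
                    'group_id'    => 'example-loyalty',
                    'group_label' => 'Loyalty points',
                    'item_id'     => 'loyalty-' . $user->ID,
                    'data'        => array( array( 'name' => 'Balance', 'value' => $balance ) ),
                );
            }
            return array( 'data' => $data, 'done' => true ); // single page, nothing more to fetch
        },
    );
    return $exporters;
} );

// 3. Eraser: runs from the "Erase Personal Data" tool (right to erasure). The points are
//    deleted; order records kept for tax are not, and that retention is reported back.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-loyalty'] = array(
        'eraser_friendly_name' => 'Example Loyalty Points',
        'callback'             => function ( $email_address, $page = 1 ) {
            $user    = get_user_by( 'email', $email_address );
            $removed = $user ? delete_user_meta( $user->ID, 'example_loyalty_points' ) : false;
            return array(
                'items_removed'  => (bool) $removed,
                'items_retained' => true,
                'messages'       => array( 'Order records were retained for tax record-keeping.' ),
                'done'           => true,
            );
        },
    );
    return $erasers;
} );
```

The `messages` entry is what the store owner sees in Tools > Erase Personal Data, so it is the place to record which data was kept and why, matching what the privacy policy says about retention.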

Checkboxes aren’t the only way

Under the GDPR, there are multiple legal bases for handling personal data. Your privacy policy should state under which legal basis you are doing each kind of processing of personal data. The ones most applicable to eCommerce sites include:

  • Consent: The user explicitly gives their consent to a specific kind of processing of their personal data (e.g., consent to participate in market research performed by a third party).
  • Contractual necessity: The processing of the personal data is required to fulfill a contract (e.g., ship their order).
  • Compliance with legal obligations: The processing of the personal data is required for legal reasons (e.g., a VAT Tax ID).
  • Legitimate interests: The processing of the personal data is a legitimate, expected behavior of a business (e.g., follow up emails after they’ve placed their order with other products they may be interested in).

Take building your privacy policy one step at a time

That’s a long list, we know! Tackle it step-by-step, and don’t worry about creating a perfect privacy policy on day one. Keeping your privacy policy fresh and up-to-date, especially as you add plugins — or plugins add features — will be an ongoing activity just like any other business maintenance you do.


Source: ALLEN SNOOK for WooCommerce Blog