If you are a WooCommerce store owner, making your WooCommerce website GDPR compliant is very crucial if you still want to stay in business. GDPR stands for General Data Protection Regulation, which is a new standard adopted by EU.
Due to lots of controversies and scandals, the global community is concerned of data safety and security more than ever before. GDPR is a step forward to ensure user privacy and security, that has been far too long remained exposed.
So, like it or not, GDPR is here to stay, and you need to play by its rules unless you want to get rid of your European visitors.
The new guidelines will be in work from 25th of May, and it is better to make your website GDPR compliant before the deadline. EU has given the website owners enough time to adapt themselves to the new regulations.
Also, the team behind WooCommerce has updated some new features in WooCommerce 3.4 to make the platform GDPR compliant.
You need to understand what GDPR standards are, and how your WooCommerce website can comply with that. Many website owners are living in perpetual fear of losing the charm and flexibility of their site due to the implementation of the new regulations, but it is highly unlikely that GDPR will mess with your website.
In this article, I would like to clear some confusion up, so that you can understand what WooCommerce GDPR compliance really looks like, and how you can adapt to the new regulations.
Why Do You Need This
As I have already said, like it or not, you have to make yourWooCommerce website GDPR compliant to continue being able to do business with EU clients.
No one is going to put a gun on your head and tell you to comply. But the primary objective of GDPR is to provide data protection to the users. As a result, you might not even know how you can get sued, if a visitor complains.
Everyone has understood the importance and making their website to comply. If you are not doing that as well, then you are falling behind.
On top of that, I believe that it is just a single step towards more regulations.
Data protection and data security have become a severe issue over the last few years and even tech giants like Google, Apple and Facebook were heavily criticized for their fragile policies about data protection of their users.
It is high time you get ready for further hard and fast regulations, and make your site prepared.
How is GDPR Relevant to Business?
You might find it ridiculous that your website needs to care about user data protection, despite not being a social media website. But the thing is, every single site that requires information from the users’ side has data to protect.
For example, you might need people to open independent accounts on your website to make purchases. While opening those accounts, people will be asked their names, email addresses, home addresses, credit card numbers and some other information as well. There is nothing wrong with it; we all do that for verification. But the key here is the protection of that information.
There are many other ways through which a WordPress website can collect user data. Many plugins exist that require user information; also forms, comments, feedback, contact forms security solutions and many other aspects might need user data to function correctly.
And due to the recent scandals, users no longer feel secured enough while sharing data with any website, let alone WooCommerce. This means, if your site is not GDPR compliant, your business might suffer due to reputational loss as well.
What is needed to be done?
To make sure that your website complies with GDPR benchmarks, you might need to do quite a few modifications. Probably you are already maintaining those, but a re-check won’t hurt.
Define Terms and Conditions Properly
You can do two things for this purpose.
First, you might have an independent page, defining the terms and conditions of use. Many website owners are already doing it.
And secondly, you can provide links to terms and conditions when the user is opening his/her account. In general, this is done through checkboxes, to know if the user agrees to the terms and condition. With that checkbox, link to your paragraph about ToS can be added.
For doing it in WooCommerce, just go to WooCommerce > Settings > Checkout > Terms and Conditions > Select a Page.
It’s no secret that websites do business based on the information the users give. For example, if you show someone advertisements, you might do it based upon their interests you have guessed from their data, if you show them featured products, you do that based upon the product pages they have already visited.
This might look harmless, but some people might not like it if you do it without letting them know. You need to define the reasons behind collecting the information from the users and let them know about it. Also, inform them about the duration you hold that information for.
Let your user know your data processing methods and notify them about the bodies that have access to their information.
Only Collect Necessary Information on User Registration
WooCommerce “My account” page has a registration form with username and password. You can enable this from the WooCommerce settings (See the Screenshot). This is the basic framework of the registration page your users will get when they visit your website.
WordPress Dashboard > WooCommerce > Settings > Accounts > Enable customer registration on the “My account” page.
If you collect unnecessary information and due to data breaches that information is stolen, you will suffer from massive backlash from the users.
I don’t think there is any need to collect information right now that you think would be useful in the future. Only collect information when you need them, not for the future.
You can go to Data retention settings to define how long you want to retain data that is no longer needed for order processing.
Give User Flexibility
You can’t tie the hands of your users, and tell them to agree with all of the regulations and policies of your website, and put them in an all or nothing situation.
A user might agree with most of the privacy policies your website has, but not with all of them. Make sure you are okay with it.
Create different fields for different policies, and give the user options. If the user doesn’t want to give consent to a particular part of the policy, let it be. If you’re going to tie your users’ hands up, you are going against GDPR compliance.
In WooCommerce 3.4 users can generate an export file, exporting the following data:
- Customer address/account information
- Orders associated with the given email address
- Download permissions and logs related to the provided email address
And they can also request you to delete their data stored by you. So you have to keep in mind about this.
Beware of Cart Abandonment
If you are using these plugins, then you might find yourself in trouble. These particular plugins gather the email addresses of the clients without their consent. As per the discussions above, this is against GDPR standards.
It is being heard that the most of the developers of such plugins are already working on the issue and trying to make their plugins GDPR compliant. But you can do something meanwhile to mitigate this.
If you don’t find this useful, then adding multiple step checkout patterns can be an option. But in that case, you might have to compromise the number of sales you would have made without a complicated procedure.
Take Reviews From Registered User
For avoiding complex and problematic issues regarding consent regarding user reviews, only allow the registered and verified users to add reviews to your site.
I do understand that this might lead to fewer numbers of reviews on your site. But for playing by GDPR rules, you can’t but avoid that.
Audit Contact Forms
Adding contact forms in all kinds of business websites is really necessary. The customers might have different questions about your services or products.
However, contact forms also require some information from the users as well. Make it flexible. If the users are not okay with revealing their identity while contacting you, respect that and keep an option that allows the user to send you messages anonymously.
Give User Option for Withdrawing Consent
For decades, the traditional practice among website owners was, asking the user for permission while they are opening an account on their website, and then entirely forgetting about it. It led to a belief that, if you agree to a website’s policies and structure at the beginning, you have consented to those standards for your entire life.
Which is not true, apparently.
Using opt-in and opt-out forms can bring that flexibility.
Notify The User About Data Breaches
This is very crucial. Even the most secured of websites might suffer from data breaches. In the vast majority of instances, when this happens, the website owners are too afraid to let the users know about it.
They fear that the website will suffer a reputational loss and the users will stop using it. But according to GDPR guidelines, the users have every right to be informed about a data breach, as their personal information can be stolen from your site due to the violations.
The rules say, “you are bound to inform the users within 72 hours of a data breach.” There are many plugins available that can help you to do that quickly. But you should have a process and procedure regarding the users about the breaches as well.
You need to previously state how the users will be catered to in times of data breaches, and you should make it clear to the users beforehand. Thus, the users will know what steps the website will be taking regarding data breaches.
Get Tricky with Opt-in Forms
The forms that are used to take the names along with email addresses from the users for marketing purpose are known as opt-in forms. Many marketers used to force the users to go through this to make their marketing campaign more effective.
However, new GDPR standards will not allow that. To market your products this way, you have to take the users consent.
All types of automatic opt-in forms should be removed.
Moreover, in those opt-in forms, you should state how the users’ email and name will be used for marketing purposes.
Use GDPR Compliant Analytics Software
To avoid complexities regarding this, you can check the providers’ GDPR policy, as they are the party who is collecting the information. Google analytics has already done some modifications.
Now you can determine how long the data can be stored on their servers, and when the deadline ends the information will automatically be deleted.
Moreover, you can explicitly delete individual data as per your wishes if that is assessed through Google Analytics. Data processor policies are also being updated. I would like to suggest you use reliable analytic tools.
Become Aware of Application Programming Interface
API refers to the code which allows one to use external software from the website. Basically, what API does is data connection.
There are different types of APIs for different purposes. But as it is related to data transfer and connection, GDPR comes to play as well. Find out the kinds of APIs that are GDPR complaint and developed by renowned developers.
If you come this far, I think you are ready to follow all of the steps mentioned above and procedure to make GDOR compliant WooCommerce Website so that you avoid legal complexities that will hurt your WooCoonnerce website both in the long term and short term.
We are offering a free checklist so you can work on the compliance efficiently. Click Here to download the list.