How to Use WooCommerce GDPR Features for Better Compliance

Header image for WooCommerce GDPR Features article

Last updated - February 24, 2020

We have published an article to help you understand WooCommerce GDPR compliance requirements. As you probably know by now, if your customers include citizens of the EU, you are bound to adhere to the guidelines specified in the GDPR. With the latest updates, WordPress and WooCommerce has come up with features to help their users comply to these regulations more easily. In this article, we will look into some of the latest WooCommerce GDPR features that would help your store prepare execute the guidelines better.

The latest update of WordPress 4.9.6, and WooCommerce 3.4.1 have features that will help you comply to these requirements with less hassles.

To Comply with “Right to Access”

According to the GDPR, your users can demand access to their information stored in your server. It is important to be able to retrieve these data, when you receive a request from a user. Let’s see what specific options do WordPress and WooCommerce have in this regard.

Exporting personal data of users

The latest version of WordPress comes with an option to export personal data associated with a user’s email id to an HTML file.

It will help you add…

  • Personal data from user meta/ user data to personal data export
  • Personal data from comments to personal data export
  • Attachments to the personal data export file

And, it will also help you package personal data into a file.

Adding to this, WooCommerce has provided the following data to be ready for export.

  • The address and account information of a customer.
  • Orders linked to a specific email ID.
  • Download permissions and logs associated with the specific email address.

Managing the export of personal data

On your WordPress navigation panel, you will find the new settings to Export Personal Data (Tools > Export Personal Data).

When you click Export Personal Data, you will find a new screen where you can request a particular user’s data to be exported.

When you enter the email id of the user, the process of export will be initiated. However, one challenge here is to verify that the request from the user is authentic. For this, WordPress will send a verification email to that ID for confirmation. At this time, the status of the request will be ‘Pending’ and in the Next steps column, you will see ‘Waiting for confirmation’.

screenshot of export personal data settings for WooCommerce GDPR features article.
When you receive a request from a user requesting access for their personal information, you can initiate the process from the Export personal data section.

At the same time, the user will receive a mail to verify the request.

The user has to click the link that they find in the email.

To make sure the request for personal data is authentic, the user has to click on the link, which will confirm on the WordPress site.

Once the user click the link to verify, they will see a screen like below:

This screen is what users will see when they verify their request by clicking the link.

Now, on your WordPress Admin dashboard, you will see the status has changed for the user who has verified.

You will see the status has changed to ‘Confirmed’, and there is a new button ‘Email Data’.
Sending the data to the user

When you click the Email Data button, WordPress will send a mail to the user with a link of their file and personal data. And, you will see that the status and Next steps column has changed to ‘Confirmed’ and ‘Email sent’ respectively.

The email with the personal data has been sent to the requested user.

The user will receive an email that will look like the below screenshot.

The user will receive an email with a link of the export file.

When they click the link, an HTML file is downloaded, which looks like the below screenshot:

This way a user on your site can easily access the personal information stored on your site.

Now, the button has changed to ‘Remove Request’, which will simply remove the request to export personal data.

Once the user has accessed the file, you can remove the request from the site.

And, if this is a WooCommerce customer, the file will look like this:

WooCommerce specific data is included when a WooCommerce customer requests to Export Personal Data.

The site admin can manually download the personal data file by hovering the cursor over the requester email id, by clicking ‘Download personal data’ option.

The site administrator can manually download the personal data of a user by hovering the mouse over the email ID and clicking the download option.

Erasing the data of a user

Just like the data access request, a user can ask you to delete their data. The new WordPress and WooCommerce versions have options for that too.

Navigate to Tools > Erase Personal Data.

The verification process is similar to what you have seen above.

However, for a WooCommerce store, you may need to keep some information of your users for tax and other legal compliance aspects. For this, WooCommerce has provided a few options which you can choose.

You can find these options at WooCommerce > Settings > Accounts & Privacy.

Some aspects of personal data, such as those in the orders won’t be deleted by default.

In a scenario, where you manually delete a user, you will be also removing addresses, payment tokens and orders too. The orders are converted to guest orders. You can choose the ‘Remove personal data’ option from the bulk action drop-down too, to make an order anonymous.

You can select an order and manually remove personal data from it too.

Here is an article that talks more about WooCommerce user management, if you are looking for some actionable tips.

Setting a timeline for data retention

One of the clever strategies that you can adopt to ensure GDPR compliance would be to reduce the time you retain personal data that is not really useful. WooCommerce provides good options to deal with this too. Go to WooCommerce > Settings > Accounts and Privacy to set the time periods for these settings.

You can clear cancelled, failed and pending orders in a specified time. You can periodically clear Completed Orders too, which will become anonymous, so your sales statistics won’t be affected. Similarly, you can delete inactive accounts, which has been never logged into or has not made any orders.

You may find some useful tips for WooCommerce order management here.

You can decide how long you want to retain certain personal information that is not really useful to your store.

Customizing Checkout fields

Furthermore, you can reduce the amount of private data that you collect by customizing the checkout fields too.

Go to Appearance > Customize > WooCommerce and change the display options of the optional fields. You will find an option to keep optional fields hidden.

Also, you can add a snippet of your Privacy Policy along with a link of the page on your checkout page.

You can also change the text of the Terms and conditions checkbox.

You will find options to change both these from the Account and Privacy tab too.

If you want to know more about customizing WooCommerce checkout fields, here is an article that can help you.

Assistance in creating your Privacy Policy Page

The new versions of WordPress and WooCommerce help you in creating a privacy policy as well. You can find this on your WordPress navigation panel – Settings > Privacy.

Here you can click the Create New button to add a new page for Privacy Policy. WooCommerce adds some helpful content to this page to help you start with the policy. In fact, it will prompt you to fill the details required to be included so as to comply with the GDPR.

WooCommerce has also made changes not to keep any unnecessary personal information in log files.

Conclusion

Overall, the latest updates of WordPress and WooCommerce provide you with quite a lot of handy options to ensure GDPR compliance. These options can be really helpful for online store owners who are overwhelmed by requirements of the GDPR. The new features would help store owners to provide right to access and right to erasure features to their customers. And, there is a good process to verify the authenticity of any data access or erasure requests. Moreover, you will find help to reduce the amount of data collected as well as determining the time period for data retention. Hope this article has helped you understand the latest WooCommerce GDPR features that will help you comply with the regulations better.

Further reading

LEAVE A REPLY