GDPR (General Data Protection Regulation in Europe) is a new e-privacy law that came into effect in May 2018. With this strict law, if you fail to get compliant, you’re becoming prone to a fine of up to €20 million or 4% of your annual global turnover.
Quick Disclaimer: We are not a legal specialist for all websites using WooCommerce, so if you are unsure about how GDPR interprets in your specific circumstances, please seek professional legal consultation.
GDPR guides are vague and in quite a grey area. Had you read the full text of GDPR, you might be even more confused due to those legal jargons.
Fear not! Because today’s article is going to boil it down to 10 steps that can help you make sure your business and website are compliant with those regulations.
Especially, I’ll show you the best practices in marketing procedures for WordPress WooCommerce websites.
Let’s get it started!
Organize all personal data you have on people
Since GDPR was made to allow people to take back control of their private data, you need to think seriously about data.
What is personal data? Well, it is information that could be used to identify a person, including but not limited to name, birthday, email, phone number, IP address, username, password, and cookies.
These data can be from your employees, suppliers, customers and website visitors.
You can define data areas including website, mobile app, physical stores, employees, recruiting, manufacturing facility, etc. Keeping people’s data organized in a systematic fashion can help you in two ways.
When a user asks you what information you have on him and he requests to access that information, you can provide him in a prompt manner. Besides, if you were ever to be investigated by a GDPR official, this well-prepared taxonomy helps you present it and defend yourself as accurately as possible.
So the next step for you is cookie consent notification.
Display cookie notification and opt-in
GDPR now specifies that cookie is no more implied consent. It’s advisable that your website displays a clear opt-in so that your visitors can click to acknowledge your cookie policy and show they are happy with that.
There are several plugins from WordPress.org to help you do that by showing a full-width text or HTML banner on the top or bottom of your web pages.
This message can contain the link to your site’s Terms and Conditions page. Remember that you have to add a GDPR paragraph to this page and links to Privacy Policy page.
Write a descriptive cookie policy
One more thing you have to include in the aforementioned notification is the very link to your Cookie Policy page, in which you specify what cookies you collect, why you collect it, for how long you retain it and which third parties receive it.
Those 3rd parties can be Google Analytics, Facebook Pixel, Linkedin cookies and other display advertising platforms.
If your site happens to have multiple cookies, which is quite conventional, don’t bundle your cookies. Literally, you can’t show multiple boxed ticked at once. You have to break down your marketing conditions and allow the user to tick individual boxes.
Update a full-fledged privacy policy
In this section, you need to explain to people how you collect and store their data, what you use to do it, and how they can get in touch with you. It could be via email, phone number, contact form, or request form by which they can exercise their rights, such as to request deletion of their own data free of charge.
Then navigate to WordPress Dashboard > WooCommerce > Settings > Advanced > Terms and Conditions > Select your updated Privacy Policy page.
In this step, displaying a checkbox would be optional. You might just add a confirmation sentence in the WooCommerce checkout page just like this:
“I’ve read and accept the terms & conditions.”
Or more specifically:
“Your personal data will be used to process your order, support your experience throughout this website, and for other purposes described in our privacy policy.”
Below is how the checkbox might appear on the Cart page.
Assure visitors their connection is secure with SSL (Secure Socket Layer)
The SSL protocol determines variables of the encryption for both the link and the data being transmitted. That’s how it helps secure millions of peoples’ data on the Internet every day.
Users don’t make payments via websites without SSL certificate. Even if you don’t take payments, it’s still best practice to have an SSL certificate.
Use double opt-in OR opt-in forms without pre-ticked boxed
You have 2 options for opt-in confirmation here.
The first one is using double opt-in, which means to provide a way for users to confirm their consent. Positively, users get an email through their inbox that says Click this link/button to be part of the mailing list.
Otherwise, you can have a tick box next to a contact form or newsletter submission box. This check box must be actively ticked by the users themselves. This applies to other methods of collecting data in person as well. By asking people to sign or tick on the paper sheet, you have evidence that they are happy with your collecting and storing their filled information.
Make sure your email service provider has a GDPR policy
You might use third party lead capture software to enhace your customer base such as Pipedrive, EngageBay, WPForms, OptinMonster, Thrive Leads, etc.
You don’t want it when someone sends you an email to complain about the unnecessary stored data. So you need to discuss these terms with your service providers to make sure your website is also covered by them.
Take an example of MailChimp for WooCommerce. When you’re using their service, your website passes private data to MailChimp storage thanks to MailChimp API.
So for any services you might use, take into consideration what APIs you use, what data is sent and whether or not their APIs are GDPR friendly.
Establish time limits to erase or review the data stored
For WooCommerce stores, saving customer order history, payment processing details, delivery address, contact details, etc. is required. Among of which, invoices could be kept for the longest time.
Be it data collected from a plugin, from your user’s chosen payment gateways or manually stored by you, your company/ornanization shouldn’t keep the data for too long. The storage duration depends on your purposes for each kind of data.
Last but not least, don’t collect abundant data without actually using it for any auditing, accounting or supporting purposes.
Some Final Words
You don’t have to struggle to comply with GDPR.
I hope this article can improve your organization and website privacy practices.
If you’re using WooCommerce plugins such as WooCommerce User registration, WooCommerce Cart Abandonment, WooCommerce product reviews/comments/analytics, etc. and find it difficult to configure the plugins accordingly, just leave a comment.
We can get back to you with best practices, or some other store owner might have the most applicable answer for you.