The GDPR: Right to Erasure Requests

Written by Kevin Bates on May 16, 2018. Posted in Blog, News, Sell Online.

Sometimes, a customer wants to remove their digital footprint from the Internet. Maybe they were the victim of identity theft, suffered online harassment, or just want to reduce their online presence. Whatever the reason, store owners who collect data from EU residents can expect to receive “Right to Erasure” requests under the GDPR.

As with Right of Access requests, the data a person can expect to be erased includes the obvious — name, address, phone number — and the less obvious, like tracking numbers and VAT IDs. 

One significant difference is that Right to Erasure requests are more like a right to request erasure. As a business owner, you probably need to keep some data for a limited time to comply with contractual obligations and protect yourself, like keeping tracking IDs to defend against shipping disputes or keeping VAT information for tax audits. Before you get your first request, it’s important to know what personal customer data you need to store, and to include this in your privacy policy and terms and conditions.

When you’re ready to fulfill a Right to Erasure request, the good news is that, as with Right to Access requests, WordPress 4.9.6 and WooCommerce 3.4 have tools to help.

There’s a new tool for responding to Right to Erasure requests in WordPress 4.9.6.

Before You Get Your First Request

Here, you’ll also want to start with test orders to understand what data you collect, and develop a standard procedure for responding to requests. Your procedure should include:

  • How you will confirm the person’s identity: Only an authorized person can request erasure.
  • Where you will obtain the data. Some data will be available using the new tools in WordPress and WooCommerce. Some plugins store data separately, and you might have other online systems separate from your WordPress/WooCommerce store where you input data.

Not sure you know all the places data might be stored? This is where a test order is handy; you’ll be able to see what plugins are automatically providing data using the new WordPress export tool. Note all the plugins you don’t see in the export tool; you’ll have to erase data from these plugins separately.

In WooCommerce, new settings help you control and limit automatic erasure of customers’ personal data. You can find them under WooCommerce → Settings → Accounts and Privacy. Here, you can control:

  • How long inactive accounts are preserved.
  • How long pending, failed, or cancelled orders are preserved.
  • How long completed orders are preserved.

You can also control some Right to Erasure-related settings, like:

  • Whether personal data in orders should be removed.
  • Whether access to downloads should be rescinded.

When That First Request Comes In

As with Right of Access requests, start by confirming the identity of the person making the request before you touch their personal data. 

A new WordPress page under Tools → Erase Personal Data lets you send a confirmation request to the customer’s email (or via their username). Type their email address in the box provided and hit “Send Request”:

While you’re waiting for the customer to confirm, you’ll see the request displayed as “Pending.”

Example of the email a user receives when you send a request to confirm identity in response to a Right to Erasure request

After they click the link, you’ll see that status switch to “Confirmed”:

Confirmed!

Once their identity is confirmed, click the Erase Personal Data button, and the software will start scrubbing away. WordPress, WooCommerce, and many extensions work together to erase a person’s personal data. If a plugin needs to retain a bit of personal data for whatever reason, it will be displayed to you at the end of the erasure process.

If the person has a user account on your site, the request will also include a link to start the “Delete User” process — the same one that is in WordPress core already. Hold off on this at first; you might want to preserve their account depending on whether any plugins you use return a message about items “retained” during the erasure process.

An example of the type of message you might see after requesting to erase user data

Again, don’t forget that this only covers plugins that hook into the new WordPress personal data erasure tool — you may need to manually remove personal data collected by other plugins or services to be in full compliance with the Right to Erasure request.
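
What “hooking into” the erasure tool looks like from a plugin’s side, as an added example that is not code from WordPress, WooCommerce, or any real plugin. The “Acme Loyalty” plugin, its function names, and its user meta keys are hypothetical; the `wp_privacy_personal_data_erasers` filter and the shape of the response array are the WordPress 4.9.6 eraser API. The `items_retained` flag and `messages` entries are what produce the “retained” notice at the end of the erasure process.

```php
<?php
// Added example: registers a hypothetical "Acme Loyalty" plugin with
// Tools → Erase Personal Data. Plugin name and meta keys are assumptions.

add_filter( 'wp_privacy_personal_data_erasers', 'acme_loyalty_register_eraser' );

function acme_loyalty_register_eraser( $erasers ) {
    $erasers['acme-loyalty'] = array(
        'eraser_friendly_name' => __( 'Acme Loyalty', 'acme-loyalty' ),
        'callback'             => 'acme_loyalty_erase_personal_data',
    );
    return $erasers;
}

// WordPress calls this once per page with the confirmed requester's email.
function acme_loyalty_erase_personal_data( $email_address, $page = 1 ) {
    $response = array(
        'items_removed'  => false,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true, // One user, one pass: nothing left to batch.
    );

    $user = get_user_by( 'email', $email_address );
    if ( ! $user ) {
        return $response; // No account for this address, so nothing stored here.
    }

    // Data with no retention requirement is deleted outright.
    foreach ( array( 'acme_loyalty_phone', 'acme_loyalty_birthday' ) as $key ) {
        if ( '' !== get_user_meta( $user->ID, $key, true )
            && delete_user_meta( $user->ID, $key ) ) {
            $response['items_removed'] = true;
        }
    }

    // Data kept for a documented reason is reported, never silently skipped,
    // so the store owner sees it listed as retained on the admin screen.
    if ( '' !== get_user_meta( $user->ID, 'acme_loyalty_vat_id', true ) ) {
        $response['items_retained'] = true;
        $response['messages'][]     = __( 'Acme Loyalty kept the VAT ID for tax audits.', 'acme-loyalty' );
    }

    return $response;
}
```

A plugin that stores personal data but registers no eraser like this one is exactly the kind you have to clean up by hand.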


30 Responses

  1. Sarvesh Arora
    May 18, 2018 at 3:51 pm #

    Thanks a lot for this update. I really liked your inputs.

  2. Andrew George
    May 19, 2018 at 2:05 am #

    I don’t have the accounts and privacy tab in WooCommerce mentioned during this article; mine displays an account tab and doesn’t allow me the controls mentioned in this article. How do I access this?

  3. Lucy Beer
    May 22, 2018 at 9:16 am #

    This data will oftentimes also be backed up to other places by 3rd party plugins or by the webhost itself. Does the user’s data have to be deleted from those places as well?

    • Allen Snook
      May 24, 2018 at 1:18 am #

      Hi Lucy!

      We can’t give specific legal advice, but store owners may want to ask third parties they work with what they recommend regarding right to erasure requests and may wish to consult with an attorney about whether or not they should also ask those third parties to assist with right to erasure requests they receive.

      Cheers…

  4. BRKLYNWEB
    May 24, 2018 at 7:59 pm #

    We believe that you do have to remove data from database backups.

    So this is not about third parties at all and what they do.

    Most sites have multiple database backups taken as part of standard business processing. If you are affected by a request, it is unlikely your business can simply delete all backups. So you need a tool to remove the data.

    And, yes, while it might be a plugin that takes the backup, WooCommerce is being naive in their response on this one. A backup is a backup. How it is done is irrelevant. It still results in a standard database backup file. Any tool to remove data from a database should also remove it from any designated backups.

    • XTCLocal
      May 27, 2018 at 7:32 pm #

      I do not see it as WooCommerce being “naive”, as they rightly say, they are not giving legal advice.

      When you say “Any tool to remove data from a database should also remove it from any designated backups” I think it is you that is being naive. How is that even possible?

      My backups are created by software out of the control of WooCommerce, the backup is then copied to another server which WooCommerce can not access.

      I do not see this as a big issue as long as you back up regularly and try and use the most recent back up, should a need arise. I am not expecting to be inundated with deletion requests. I am also unsure how long data should be kept for fraud prevention etc…

  5. arya stark
    May 28, 2018 at 7:47 am #

    Thanks for sharing GDPR Erasure Requests. I am running many sites which come under GDPR. I have seen the GDPR post, which is published on this site. It’s mandatory to add a GDPR Privacy Policy page.

  6. mrabdullahramzan
    May 29, 2018 at 11:06 pm #

    Hello Woo Team,

    Can you please fix the share button as it is not working for me.

    Thanks & Regards,
    Abdullah

  7. lorenzo
    May 31, 2018 at 5:23 pm #

    Hello! I’m happy that you made a patch for WooCommerce 3.4, but on one of my websites I have WooCommerce 2.6.4, which I can’t upgrade. Is there something I can do to be GDPR compliant without upgrading to the latest version?

    thanks!

  8. Demetris
    June 7, 2018 at 7:27 pm #

    Hi there,

    But HOW will the user ask you to erase the data..? Or access it or whatever..?

    I mean, where on the site does this option exist..??

  9. ApksDoz
    June 10, 2018 at 12:55 pm #

    nice

  10. Nathan
    June 10, 2018 at 2:22 pm #

    Thanks for the detailed information about GDPR. As a webmaster, I think everyone should read this post.
    When are they going to implement it outside Europe?

  11. Steve
    June 11, 2018 at 10:14 am #

    Hi, what about the account itself? It’s removed the address details and order details with the setting enabled; however, the name and email address used to create the account in the first place (these 2 combined bits of data would be classed as personal data) are still in the system and the user can therefore still log in and see this.

    Should this not remove the name on the account as well as anonymise or delete the users account in its entirety?

    Thanks

    Steve

  12. Uk Tv Now
    June 12, 2018 at 9:18 pm #

    great article
    very informative when i read this very helpful for me
    thanks for it

  13. Ayan Arora
    June 22, 2018 at 11:45 am #

    This is the best article ever. Thanks for sharing !

  14. voot bigg boss 11 episode
    June 22, 2018 at 11:48 am #

    nice website. the great website ever. keep it up !

  15. bigg boss 12 episode
    June 22, 2018 at 11:49 am #

    This is the best content. thanks for sharing articles !

  16. The Sims 4 seasons
    June 23, 2018 at 8:38 am #

    Nice article great

  17. Tekken 7
    June 23, 2018 at 8:38 am #

    Nice website

  18. God of war 4
    June 23, 2018 at 8:39 am #

    Thank you for share best information

  19. Daniyal
    June 26, 2018 at 6:19 am #

    Information Post <3

  20. KBTricks
    June 26, 2018 at 3:52 pm #

    Informative and helpful article. Thanks for this great content sharing. Keep on.

  21. tech updates
    June 27, 2018 at 8:55 am #

    Thanks for sharing with us. Nice and informative articles.

  22. Ayan Arora
    July 4, 2018 at 8:30 am #

    Nice article. It is very useful. Thank u for sharing awesome content.

  23. Nich
    July 6, 2018 at 7:06 pm #

    Thank you dear Allen. This was really helpful. Short and simple to understand.

    • Best Dash Cam
      July 7, 2018 at 3:54 pm #

      I agree with you. This helped me a lot to understand GDPR,

  24. StepUp.io
    July 7, 2018 at 3:39 pm #

    Understanding GDPR is really difficult for people like me. But Allen, you made it really simple. Thanks for your guidance.

  25. Lynette Yerby
    July 11, 2018 at 9:10 pm #

    Thanks a lot for this. This saved a lot of time.

  26. heet
    July 12, 2018 at 12:22 pm #

    Nice article thank you for share