An Introduction to GDPR Compliance for WooCommerce Stores

Written by Hannah Swain on December 20, 2017 Blog.

Europe’s General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 – is your shop ready?

WooCommerce and the GDPR - get resources and tools

What is GDPR and what does it have to do with you?

I attended WordCamp Manchester and WordCamp Stockholm in the last few months, and they had one thing in common: lots of questions about GDPR. I heard a number of discussions around what WooCommerce site owners needed to do, and if they were ready for GDPR.

To help our WooCommerce site owners get ready for the GDPR, we wanted to provide some information about the regulation, along with our GDPR plans at WooCommerce.

On 25th May 2018, the GDPR enacted by the EU will come into effect.

Stronger rules on data protection from May 2018 mean citizens have more control over their data.

There’s a great infographic breaking down the different components. The GDPR for WordPress site includes a summary of site owners’ obligations in regards to collecting data related to EU citizens, which we’ve listed below:

  • Tell the user who you are, why you collect the data, for how long, and who receives it.
  • Get a clear consent [when required] before collecting any data.
  • Let users access their data, and take it with them.
  • Let users delete their data.
  • Let users know if data breaches occur.

Each of these bullet points is subject to many caveats, exceptions, and degrees of how much you need to do, but they do serve as a good starting point.

What do you need to know or do as a WooCommerce shop owner?

First, read up and do your research. Each WooCommerce site uses a different set of plugins, has a different flow for shipping, etc., so there isn’t a one-size-fits-all approach. You’ll need to know what you need to do for your specific site. This post is an introduction to help guide you in the right direction — it isn’t meant to be all-inclusive and we are unable to provide legal advice.

If you sell any products to customers based in the EU, or have EU visitors to your site, you’ll need to make sure your site complies with GDPR.

Your site can be considered GDPR-compliant, depending on how you’ve set it up. Code in WP has put together a breakdown of how the GDPR affects WordPress sites.  

It’s also up to you as the site owner to communicate how your customers’ information is being used — it’s more of a communication and process question, rather than something that can be solved with technology.

You may need to update your privacy policy to explain how your site complies with GDPR.

What resources are there available to help you?

GDPR affects every site that operates in the EU — there are lots of resources to assist you further. This list should get you started, but it’s not meant to be comprehensive.

How is Automattic applying GDPR?

As a company that works with users in the EU, Automattic and all of its sites, including, also need to be compliant with GDPR.

We published Automattic and the General Data Protection Regulation (GDPR) that shares information about the regulation and our plans for implementing them for Automattic’s products and services. In short, we’re currently working to add features to enhance user choice and bring more transparency to our practices around the collection, storage, and use of your data. We expect that Automattic products and services will be in compliance with GDPR requirements by May 2018.

We’ll continue to post more information as we launch new features to enhance user privacy and data choice ahead of May 2018, and beyond.

Take a look at our tools and resources on GDPR

10 Responses

  1. Faraz
    December 28, 2017 at 9:08 pm #

    Is it applicable for wordpress blogs who don’t use any registration ?

    We use email subscription by permission ? Is GDPR applicable to everybody who has visitors from Europe ?


    • Valentina Thorner
      January 2, 2018 at 10:25 am #

      GDPR is applicable to everybody who collects data from visitors from the EU. If your visitors only read your blog / site, you don’t need to do anything, however, if they sign up for a newsletter, then you need to add some information to your Terms and Conditions. It then depends on the service you use for your email subscription. Often, the data is not stored on your WordPress blog, but on the email server. Most companies (like Mailchimp) include an unsubscribe link into all of your messages, so customers can delete themselves from the list at any time – just make sure to use double opt-in (as in: users need to confirm that they really do want to get on that list).

  2. Johnny Ringo
    December 28, 2017 at 11:46 pm #

    I do have customers that purchase from our website in the UK.

    However, how can they legally enforce what the standards for website owners in other countries?

    I am in the United States.

    For example, let’s say 20 countries decide to enact standards and laws. Let’s say some conflict. And, often times many of us are not even going to know about the laws.

    I can understand if this is a requirement for businesses that are located IN the UK, but how are they going to enforce on this countries that do not reside in the UK?

    This is a slippery slope for business owners, as it’s hard enough to comply with the ever increasing laws/regulations in our own country, let alone having to try to attempt to keep up with regulations from other countries as well.

    This is a slippery slope of pure insanity.

    • Michael
      December 29, 2017 at 2:08 am #

      In ‘theory’ you’re supposed to.

      In reality, there’s no way they can enforce the rules for every business that has a few EU customers every now and then, especially if your business is based in the US.

      Same as in theory, you’re supposed to charge VAT for each EU transaction and remit that to the EU country of the purchaser (as if a small business can do that).

      If a large proportion of your customers were EU based, then maybe I’d worry about it, it’d be something you need to do (same as Automattic).

      My non legal view is, I wouldn’t worry about it being a US business with very little EU customers. Of course the correct stance is, well you’re supposed to. The laws will be written to prevent companies like Amazon, saying, we’ll we operate outside the EU, hence don’t have to do it. It’s protecting EU citizens from big data collection.

      • Tom
        December 29, 2017 at 11:04 pm #

        Not following the GDPR rules is breaking the law and is a crime. There are plenty of international systems for prosecutinging law breakers in other countries. It is also easier than you would think.

        EU has discretion to issue warnings or overlook violations. If you deal with 99% non EU information and a few EU people slip in and you are not compliant they are not likely to seek any punishment.

        If you are doing high volume sales and intentionally targeting EU residents/citizens, you may be subject to penalties. Do not assume this cannot be enforced outside of the EU. It is not true. Some companies will be required to have a legal representative in the EU if they are large enough.

  3. Julian Clayton
    December 29, 2017 at 11:01 am #

    GDPR grants to EU citizens rights to their personal data. Personal data is any data which enables an individual to be identified. These regulations replace a patchwork of inadequate and inconsistent national laws currently applied across EU countries. It is likely that for the US an update of the existing EU-US Privacy Shield framework will extend to GDPR requirements.

    GDPR places significant obligations on any organisation which handles EU citizen’s personal date, wherever in the world the organisation is located.

    The link further up this post suggesting what you should do as a website owner, is good.

    Unless their non-compliance is particularly severe, it is unlikely small non-EU organisations will be exposed to penalties as a result of GDPR, but large organisations will be in the EU’s sights – as they have been recently with respect to anti-trust (2017 Google fine – €2.4bn).

    Brexit will not affect UK’s adoption of GDPR

  4. Charlotte
    December 30, 2017 at 2:13 am #

    Although GDPR is a pain as a store owner, I welcome this as an EU citizen. It’s easy to loose sight of how badly our privacy is invaded as individuals when we’re responsible for a store but I’m certain all of us have far more to gain from this than we have to loose.

  5. sachin khanna
    December 31, 2017 at 5:07 pm #

    Excellent article really clarifies it all thanks. Can’t seem to find any practical tips for web developers out there to comply, about what we actually need to physically do! It seems quite simple really now, despite all the scaremongering out there!

    • Hannah Swain
      January 2, 2018 at 10:41 am #

      > Can’t seem to find any practical tips for web developers out there to comply, about what we actually need to physically do!

      It’s not so much a specific block of code that needs to be added, but a mentality and approach for handling information. I recommend keeping an eye on the GDPR for WordPress project, that is setting up a plugin standard:

    • Alice
      January 3, 2018 at 6:26 pm #

      I recently found this article which gives a few pointers about where to start:
      (Their privacy policy is worth checking out too).