The GDPR: Privacy Policy Requirements

Written by Kevin Bates on May 15, 2018 Blog, News, Sell Online.

Getting your business prepared for the GDPR is no small task, and it doesn’t end when the law takes effect on May 25th.

Step one: to get ready for the GDPR, May 25th and beyond, you’ll want to designate an employee to oversee compliance efforts and update your privacy policy. These aren’t just legal requirements — they also lay a good foundation for ongoing compliance and they can impact sales.

Put Someone in Charge of Data

Data Protection Officer is a formal role required by the GDPR. If you’re a one-person shop this falls to you, so you’ll need to set aside some time to stay on top of compliance. Whether it is you or one of your employees, you must designate someone to take charge of your business’ data protection strategy and compliance, and:

  • Decide how customers should make privacy-specific requests. This be via a contact form on your site or through a special email address (e.g., privacy@example.com).
  • Update your privacy policy with how you use and store data, and why. The GDPR requires you to disclose data information. Can you collect less personal data? How long does your business need to retain records for state/provincial/federal taxes? When and how do you backup, and ultimately destroy, customer and order records? For WordPress and WooCommerce, this includes reviewing the data practices of plugins and services your store relies on. All this information should be published as your Privacy Policy.
  • Prepare for and respond to right to erasure / of access requests. Customers can request that you delete their data, and you’re required to comply.
  • Prepare for and respond to security breaches. The GDPR requires you to disclose breaches to your customers promptly.
  • Keep attuned to future changes in privacy laws that might affect your business.

How to Update to Your Privacy Policy

In addition to being a GDPR requirement, a well-written, easily understood privacy policy can help close sales with increasingly privacy-conscious consumers. Pulling together a privacy policy for your WooCommerce store involves a bit of research, a bit of writing, and a commitment to revisit the policy from time to time.

Starting with WordPress 4.9.6, you’ll be able to create or designate a page on your site as your store’s privacy policy.  You’ll find this new feature in WP Admin > Settings > Privacy: 

Privacy Settings in wp-admin

If you are creating a privacy policy page for the first time, WordPress will provide a template to get you started. Generally speaking, a good privacy policy answers the following questions:

1. What data does this store collect about me?

Start by “self-testing” your own store and noting of all the fields (required or optional) where customers are prompted to enter information or make selections. Note the obvious personal data like name and address, along with anything else you collect from them when they check out or become a registered user on your site.

Next, look at the less explicit tools, like cookies or analytics, that your site uses. Examine what plugins you have installed and review their privacy information.Does a plugin send data outside the country or perhaps the European Union? That’s another thing you’ll need to disclose to customers.

Take advantage of the new tools in WordPress to see privacy updates from active plugins: starting with WordPress 4.9.6, plugins can register privacy information with WordPress itself, and you’ll see that information a special box near the editor when you are editing your privacy policy page in wp-admin. WordPress itself will also provide information on the information it collects from visitors to your site, like comments and cookies.

The new privacy information box makes it possible to copy and paste privacy information from WordPress and plugins directly into your privacy policy, where you can edit it to the particulars of your store. However, since much depends on the specific settings you use and how plugins interact with one another, you’ll want to review and edit that text to make sure it’s right for your store.

If a plugin doesn’t provide privacy information you can visit the developer’s website or contact them directly and ask them about what data their plugin collects from visitors to your site, if any, and what they do with it.

2. What does this store do with my data and why?

After you know what you’re collecting, you’ll need to note why you’re collecting it.

Explanations for much of the data you collect are simple: you need their address to ship them a product, or you need their email address to update them on their order status.

If you’re collecting any personal data that you don’t actually need to fulfill an order, you’ll want to explain why to your customer and give them a means to opt out of that sort of “processing” (see “Checkboxes aren’t the only way” below).

3. Who does this store share my data with?

Here, a bit of sleuthing is involved — you’ll want to review how they data you collect is used. A few types of plugins are more likely to share data:

  • Payment gateways often share data with the payment provider to process the payment.
  • Shipping extensions often share data with shipping providers to calculate shipping rates or print shipping labels.
  • Marketing and analytics extensions often share data to add customers to lists or analyze their behavior.

Essentially, if a plugin connects to an external service, they’re likely sharing some type of data with that service. You’ll want to review the privacy policies of these services to make sure they align with your privacy priorities.  

Using an extension from the Woo.com marketplace? Find out exactly how our extensions — including payment and shipping gateways — use and store data.

4. How long does this store keep my data?

There are lots of reasons to retain records, including if a charge is disputed by a customer, for tax audition, or for other legal concerns. While laws like the GDPR have “right to erasure,” you are not required erase records you need for these other aspects of your business.

That said, your privacy policy, alongside your terms and conditions page, should make it clear to customers how long you retain their personal data and why.

5. How can I access, update, or delete the collected data?

In addition to knowing what you’re doing with personal data, customers need to know how they can update their data, including:

  • Getting a copy of their data
  • Updating their data
  • Deleting their data

Your privacy policy should give customers clear instructions on how to reach you or your designated privacy person with these of requests. If you allow your customers to edit some of their own information, for example under My Account, you can mention that here as well.

Checkboxes aren’t the only way

Under the GDPR, there are multiple legal approaches to handling personal data. Your privacy policy should state under which basis you are doing each kind of processing of personal data. The ones most applicable to eCommerce sites include:

  • Consent: The user explicitly gives their consent to a specific kind of processing of their personal data (e.g., consent to participate in market research performed by a third party).
  • Contractual necessity: The processing of the personal data is required to fulfill a contract (e.g., ship their order).
  • Compliance with legal obligations: The processing of the personal data is required for legal reasons (e.g., a VAT Tax ID).
  • Legitimate interests: The processing of the personal data is a legitimate, expected behavior of a business (e.g., follow up emails after they’ve placed their order with other products they may be interested in).

Take building your privacy policy one step at a time

That’s a long list, we know! Tackle it step-by-step, and don’t worry about creating a perfect privacy policy on day one. Keeping your privacy policy fresh and up-to-date, especially as you add plugins — or plugins add features — will be a ongoing activity just like any other business maintenance you do.

Next up? The long and short of Right of Access requests.

Take a look at our tools and resources on GDPR

10 Responses

  1. Amila Dilan
    May 17, 2018 at 12:07 pm #

    Hi Allen,
    Thank you for the informative article. I’m also preparing to GDPR compliance my website. When WordPress 4.9.6 stable release?
    Thanks.

  2. patnaharanand
    May 18, 2018 at 5:47 pm #

    I think someone needs me

  3. Jenna
    May 18, 2018 at 9:03 pm #

    I’ve just upgraded to WP 4.9.6 and I’m not seeing either of these things, “…plugins can register privacy information with WordPress itself, and you’ll see that information a special box near the editor when you are editing your privacy policy page in wp-admin. WordPress itself will also provide information on the information it collects from visitors to your site, like comments and cookies.” Any tips on where to look?

    • IWRCstore
      May 22, 2018 at 1:14 am #

      I am also looking for the box where I might find plug in specific privacy info. Perhaps none of the plug ins I have use this? Could you share a generic screenshot of it so I know if its not applicable or if I’m not looking in the correct spot.

    • Allen Snook
      May 24, 2018 at 1:08 am #

      Hi Jenna!

      In wp-admin, look under Settings for a new item, Privacy – in there you can create a privacy policy page (or designate one if you already have one.)

      Then, when you are editing that page, you’ll see a box with further instructions.

      Cheers!

  4. Pikki
    May 20, 2018 at 10:10 am #

    I too am looking for these features mentioned.

  5. J Scott
    May 22, 2018 at 9:34 pm #

    Trying to download personal data or send the email and I’m getting this error:

    An error occurred while attempting to export personal data.
    Unable to generate export file. ZipArchive not available.

    Any help?

    • Allen Snook
      May 24, 2018 at 1:10 am #

      Hi J Scott!

      Most, but not all, hosts support the ZIP generator, ZipArchive, on which the export feature depends. Please ask your host if they’ll enable ZipArchive for you.

      Cheers!

  6. melohyt
    May 24, 2018 at 12:43 pm #

    Hi, thanks for the document it´s very useful. When I upgraded to woocommerce 3.4.0 I saw a template for the privacy policy, it is a different one from the wordpress template, is it correct? I cannot find it now in my dashboard… Can someone let me know where can I find it? Thank you!