The GDPR and You, the WooCommerce Store Owner

Written by Kevin Bates on May 15, 2018. Categories: Blog, News, Sell Online.

Whether you’ve had a WooCommerce store for a long time or are in the earliest stages of an eCommerce endeavor, you’re probably wondering what you need to do about this new European law—the General Data Protection Regulation (GDPR).

Our six-part series on Getting Ready for the GDPR explores the ins and outs of the law and how it applies to you, a WooCommerce store owner. Let’s get oriented with a few common questions and answers.

What is the GDPR, exactly?

The GDPR is a new law that concerns itself with the handling of personal data of European Union (EU) residents. It takes effect on May 25, 2018.

Over two years in the making, the GDPR is intended to give EU residents more visibility and control over their personal data: how websites, including eCommerce websites, collect data; who they share it with; and what tracking technologies monitor them across the Internet.

If you sell to EU residents, this law applies to you — even if you aren’t in the EU. Fines for non-compliance will be substantial and can be levied on businesses both in and outside the EU.

What new privacy-related rights does the GDPR give EU residents?

The new law requires stores to inform their customers about what information they collect, store, and share, and establishes specific rules about the kind of consent required before stores can collect personal data. That means that stores will be asking for consent more explicitly, and detailing their use of personal data more specifically in their privacy policies.

In addition to clearer notices and privacy policies, the GDPR also gives EU residents powerful new rights such as the Right of Access, Right to Rectification, and Right to Erasure.

That means that EU residents will be able to:

  • Demand a copy of all the data you have about them.
  • Demand any errors in the data be corrected.
  • Request the removal of all personal data.

The GDPR also gives EU residents the right to find out if their personal data has been compromised. Stores will need to notify customers if their personal data is stolen in a breach, and do so in a timely manner.

What’s Personal Data, Exactly?

GDPR isn’t about all information—the new rights for EU residents specifically apply to Personal Data.

Personal Data means anything that can identify a person, either on its own or combined with other data. Examples include a person’s:

  • Name
  • Physical address or email address
  • Phone number
  • Last four credit card digits
  • Shipping tracking numbers (these are unique to an order, and thus to a person)
  • IP address

Basically, if you can use a piece of data to identify an EU resident, or combine it with other data to identify them—that’s personal data.

What Should I Be Doing Right Now?

We’ll unpack this over the remainder of this series, which will cover:

  • Why you need to put someone in charge of privacy. You’ll want to designate someone to lead this effort. If you’re a one-person shop, that’ll be you.
  • What constitutes a GDPR-acceptable Privacy Policy. You need to disclose how and why you collect personal data, how long it is retained, and who it is shared with. With WordPress and WooCommerce, you also need to consider how plugins and services your store uses affect customer privacy.
  • How to respond to Right of Access and Right to Erasure requests. There are some helpful new personal data export tools coming to WordPress and WooCommerce.
  • What to do in case of a security breach. No one wants this to happen, but preparing for this worst case scenario is part of your privacy responsibility under the GDPR.

The GDPR will be a fair bit of work for most online merchants, but this Getting Ready for the GDPR series will help you navigate this new way of handling personal data efficiently and effectively.

Take a look at our tools and resources on GDPR.

23 Responses

  1. Luke
    May 15, 2018 at 3:44 pm

    Hi, GDPR is all everyone is talking about at the moment, and I am, unfortunately, based in the UK, so it definitely affects me and my clients.

    It’s great news about the data export tools that are coming to WordPress and WooCommerce, but the deadline of the 25th May is looming; are they going to be out in time? 😬

    Looking forward to anything that makes GDPR easier though 🙂

    • Gareth Allison
      May 15, 2018 at 4:25 pm

      Hey Luke, thanks for reading.

      WooCommerce 3.4 is scheduled for 23 May 2018, so will be out before GDPR takes effect. Check out this post on our developer blog for more details.

  2. Kostas Nicolacopoulos
    May 15, 2018 at 9:38 pm

    In the article you mention:
    > If you sell to EU residents, this law applies to you — even if you aren’t in the EU.

    Correct me if I’m wrong, but the law still applies to you, even if your shop doesn’t sell to EU residents.

    Even if EU residents can’t buy from your store, their personal information will be collected if they:

    – Visit your site (their IP address is logged by analytics software and trackers)
    – Send you a message using a contact form (their name and email address is kept in the database)
    – Write a comment (name, e-mail and IP address is stored in the database)
    – Subscribe to your newsletter (e-mail address is sent to your email service provider)

    In other words even if your store or site doesn’t target EU residents, you will still need to comply with GDPR.

    Looking forward to reading the rest of the posts in the series.

    • Marina Pape
      May 16, 2018 at 12:12 pm

      Yep, correct! Even if an EU resident doesn’t transact, a site can still be collecting personal data in various ways. Thanks for stating that so clearly 🙂

    • Ben Greenwood
      May 16, 2018 at 2:52 pm

      Surely as you don’t operate as a business in the EU and you are based outside the EU you aren’t required to comply with EU law and you aren’t responsible for what EU residents do.

      I’m FAIRLY sure GDPR only applies to businesses based or operating in the EU. So as long as you do neither, even if you inadvertently collect EU personal data, you aren’t required to comply.

      Or am I wrong?

      • Ilse
        May 16, 2018 at 3:33 pm

        You are wrong. Sorry. GDPR has a very long arm. Will they find a small website or business – not sure, but are you willing to take the chance of having your site/business shut down? While GDPR is complicated and a thorough pain in the butt, it’s not that hard to comply. Using services that comply is a big step in the right direction.

      • vrdesigns
        May 16, 2018 at 5:07 pm

        “I’m FAIRLY sure GDPR only applies to businesses based or operating in the EU.”

        Unfortunately GDPR applies to personal data that belongs to EU citizens.

        Who gathers this data, and where they are based is irrelevant. It affects businesses, government and even meals on wheels voluntary services.

        Anyone who has/uses some personal data on an EU citizen must comply with the GDPR.

      • Nina
        May 18, 2018 at 6:26 pm

        I live in The Netherlands and have 2 companies. This is how I understand it: if you have a company outside the EU and you don’t have anything to do with citizens from the EU, meaning you don’t have a marketing plan that includes citizens from the EU, or something like that, and I stumble upon your website because I’m browsing the web, this does not apply to you.

        This website explains it well I think https://www.google.nl/amp/s/www.forbes.com/sites/forbestechcouncil/2017/12/04/yes-the-gdpr-will-affect-your-u-s-based-business/amp/

  3. Chris
    May 17, 2018 at 9:56 pm

    What I don’t understand is how the EU is able to prosecute business based in countries in which it has no jurisdiction? Surely national governments must protect their citizens and businesses from being prosecuted by another country, or in this case, organisation? The EU is not in charge of the internet and I think the world needs to tell it that.

    • Adrian
      May 18, 2018 at 3:00 am

      Then maybe you should move your business to a country that has no economic relations/partnerships with the EU. Otherwise if you want to do business in the international environment, you abide by the rules.

      • David
        May 18, 2018 at 6:40 pm

        You haven’t answered his question. How, specifically, does the EU prosecute non-EU citizens in other countries for not complying with EU law?

        • Adrian
          May 19, 2018 at 11:10 pm

          EU has different partnerships and accords with US and other individual states or world organizations. Through those partnerships it can reach companies and organizations that are out of its territorial jurisdiction.

          • David
            May 21, 2018 at 2:13 pm

            But what “partnerships and accords”? Name them. What specific legislation makes Americans, or Canadians, or Brazilians, etc. subject to EU law?

          • Adrian
            May 21, 2018 at 8:17 pm

            I’m curious David, do you know how to use Google?

            Here’s a link for you and if you want more info go study Law or something.

            https://community.spiceworks.com/topic/2007530-how-the-eu-can-fine-us-companies-for-violating-gdpr

          • David
            May 23, 2018 at 4:54 pm

            It seems Google is only as useful as your willingness to read:

            “While we don’t yet have U.S.-EU negotiated civil enforcement mechanisms for the GDPR (and it is unknown whether we ever will), there is still the application of international law and potential cooperation agreements between U.S. and EU law enforcement agencies, which have been increasing in recent years.”

            Translation: There is no specific mechanism for enforcement against U.S. companies without a physical presence in the EU. But, hey, there’s “potential cooperation” so they’re totally working on it… and it will drag out in court for decades.

    • David
      May 18, 2018 at 6:45 pm

      I’d like to know this too.

    • Jamee
      May 23, 2018 at 2:51 pm

      Interestingly enough, I’m sure I read somewhere (in the hundreds of articles I’ve read understanding all of this) that countries outside of the EU were allowed to have a say/comment on the regulations (because of the impact it would have on companies/business operating outside of the EU).

      I could be completely wrong about this, but I don’t think only EU countries were involved in the writing of the regulations. Ironically too, it’s actually suspected that the ripple effect of this is only going to be positive on a lot of people who live outside of the EU.

  4. Mark
    May 21, 2018 at 7:08 am

    Why doesn’t WooCommerce do something simple and practical such as adding a privacy checkbox as at least an option on the account creation function in the WooCommerce store?

    • Mark
      May 21, 2018 at 9:08 am

      It seems that v3.4 due for release on 23 May will have these checkboxes for registration and checkout (and ability to access permission histories associated with checkboxes). Excellent.

  5. Vu Nguyen
    May 22, 2018 at 5:25 am

    Does that only affect the EU and US areas? Do I need to implement a new policy when I’m doing ecommerce in the Asia area?

  6. Nigel Streeter
    May 23, 2018 at 12:32 pm

    Just to add more fuel to the fire…
    It is my understanding that it also applies to non-EU citizens while visiting an EU country – for example, a US citizen while in Paris – and also an EU citizen while visiting a non-EU country.
    So if a citizen from France staying in a hotel in Brazil orders a pizza online from a local shop, that shop has to comply with GDPR!
    However, it is also my understanding (based on a response to an information request to my local MEP here in the UK) that should someone send you an email, or indeed complete an online Contact Form, requesting a product, or service, or maybe just making an enquiry, provided their personally identifiable information is NOT used for any other purpose, then this is NOT covered by GDPR.
    I quote:

    “Dear Mr Streeter,
    Thank you very much for your email regarding the GDPR, which will come into effect on 25 May.
    With regards to the example you gave, i.e. responding to an unsolicited enquiry requesting a brochure or piece of information, you will not need to ask for consent if you solely wish to fulfil the request in the email.
    If, however, you wish to process the data associated with that enquiry for business or other purposes, then you will need a legal basis for this and would therefore have to ask for the person’s consent for such processing.
    I hope this makes sense, but if you have any further questions, please do not hesitate to get in touch. Additionally, I have also attached a GDPR fact sheet on the matter.

    Yours sincerely,

    Dan Dalton MEP.”

  7. Steve
    May 23, 2018 at 6:06 pm

    I haven’t seen any mention of how this will affect WooCommerce cookies yet. As I understand it, GDPR requires an opt out for cookies – with an equivalent service from the website regardless. But WooCommerce requires cookies for the basket functionality, right? So… how does that work?

  8. Shanty
    May 24, 2018 at 5:22 am

    Hi

    We are looking for some professional help for installing WooCommerce on tongkatali.org in general, as well as dealing with privacy policy issues.