The GDPR: Right to Erasure Requests

Sometimes. a customer wants to remove their digital footprint from the Internet. Maybe they were the victim of identity theft, suffered online harassment, or just want reduce their online presence. Whatever the reason, store owners who collect data from EU residents can expect to receive “Right to Erasure” requests under the GDPR.

As with Right of Access requests, the data a person can expect to be erased includes the obvious — name, address, phone number — and the less obvious, like tracking numbers and VAT IDs. 

One significant difference is that Right to Erasure requests are more like a right to request erasure. As a business owner, you probably need to keep some data for a limited time to comply with contractual obligations and protect yourself, like keeping tracking IDs to defend against shipping disputes or keeping VAT information for tax audits. Before you get your first request, it’s important to know what personal customer data you need to store, and to include this in your privacy policy and terms and conditions.

When you’re ready to fulfill a Right to Erasure request, the good news is that — as with Right to Access requestsWordPress 4.9.6 and WooCommerce 3.4 have tools to help.

Right to Erasure tool in WordPress core
There’s a new tool for responding to Right to Erasure requests in WordPress 4.9.6

Before You Get Your First Request

Here, you’ll also want to start with test orders to understand what data you collect, and develop a standard procedure for responding to requests. Your procedure should include:

  • How you will confirm the person’s identity: Only an authorized person can request erasure.
  • Where you will obtain the data. Some data will be available using the new tools in WordPress and WooCommerce. Some plugins store data separately, and you might have other online systems separate from your WordPress/WooCommerce store where you input data.

Not sure you know all the places data might be stored? This is where a test order is handy; you’ll be able to see what plugins are automatically providing data using the new WordPress export tool. Note all the plugins you don’t see in the export tool; you’ll have to erase data from these plugins separately.

In WooCommerce, new settings help you control and limit automatic erasure of customers’ personal data.  You can find them under WooCommerce → Settings → Accounts and Privacy. Here, you can control:

  • How long inactive accounts are preserved.
  • How long pending, failed, or cancelled orders are preserved.
  • How long completed orders are preserved.

You can also control some Right to Erasure-related settings, like:

  • Whether personal data in orders should be removed.
  • Whether access to downloads should be rescinded.

When That First Request Comes In

As with Right of Access requests, start by confirming the identity of the person making the request before you touch their personal data. 

A new WordPress page under Tools → Erase Personal Data lets you send a confirmation request to the customer’s email (or via their username). Type their email address in the box provided and hit “Send Request”:

While you’re waiting for the customer to confirm, you’ll see the request displayed as “Pending.”

Example of the email a user receives when you send a request to confirm identity in response to a Right to Erasure request
Example of the email a user receives when you send a request to confirm identity in response to a Right to Erasure request

After they click the link, you’ll see that status switch to “Confirmed”:

Confirmed!
Confirmed!

Once their identity is confirmed, click the Erase Personal Data button, and the software will start scrubbing away. WordPress, WooCommerce, and many extensions work together to erase a person’s personal data. If a plugin needs to retain a bit of personal data for whatever reason, it will be displayed to you at the end of the erasure process.

If the person has a user account on your site, the request will also include a link to start the “Delete User” process — the same one that is in WordPress core already. Hold off on this at first; you might want to preserve their account depending on whether any plugins you use return a message about items “retained” during the erasure process.

An example of the type of message you might see after requesting to erase user data
An example of the type of message you might see after requesting to erase user data

Again, don’t forget that this only covers plugins that hook into the new WordPress personal data erasure tool — you may need to manually remove personal data collected by other plugins or services to be in full compliance with the Right to Erasure request.

Next up? Notifying Customers of a Breach of their Data

Take a look at our tools and resources on GDPR
Kevin Bates Avatar

About

30 comments

  1. Thanks a lot for this update. I really liked your inputs.

    Sarvesh Arora
    maio 18, 2018
  2. I don’t have the accounts and privacy tab in WooCommerce mentioned during this article, mines displays an account tab and doesn’t allow me the controls mentioned in this article. How do I access this?

    Andrew George
    maio 19, 2018
  3. This data will oftentimes also be backed up to other places by 3rd party plugins or by the webhost itself. Does the user’s data have to be deleted from those places as well?

    Lucy Beer
    maio 22, 2018
    • Hi Lucy!

      We can’t give specific legal advice, but store owners may want to ask third parties they work with what they recommend regarding right to erasure requests and may wish to consult with an attorney about whether or not they should also ask those third parties to assist with right to erasure requests they receive.

      Cheers…

      Allen Snook
      maio 24, 2018
  4. We believe that you do have to remove data from database backups.

    So this it not about third parties at all and what they do.

    Most sites has multiple database backups taken as part of standard business processing. If you are affected by a request, it is unlikely your business can simply delete all backups. So you need a tool to remove the data.

    And, yes while it might be a plugin that takes the backup, WooCommerce is being naive in their response on this one. A backup is a backup. How it is done is irrelevant. It still results in a standard database backup file. Any tool to remove data from a database should also remove it was any designated backups.

    BRKLYNWEB
    maio 24, 2018
    • I do not see it as WooCommerce being “naive”, as they rightly say, they are not giving legal advice.

      When you say ” Any tool to remove data from a database should also remove it was any designated backups” I think it is you that is being naive, how is that even possible?

      My backups are created by software out of the control of WooCommerce, the backup is then copied to another server which WooCommerce can not access.

      I do not see this as a big issue as long as you back up regularly and try and use the most recent back up, should a need arise. I am not expecting to be inundated with deletion requests. I am also unsure how long data should be kept for fraud prevention etc…

      XTCLocal
      maio 27, 2018
  5. Thanks For sharing GDPR Erasure Requests. I am running many sites which come’s under GDPR. I have seen GDPR post, which is published on this site. It’s Mandatory to add GDPR Privacy Policy Page.

    arya stark
    maio 28, 2018
  6. Hello Woo Team,

    Can you please fix the share button as it is not working for me.

    Thanks & Regards,
    Abdullah

    mrabdullahramzan
    maio 29, 2018
  7. Hello! I’m happy that you made a patch for woocommerce 3.4 but in one of my website I have woocommerce 2.6.4 that I can’t upgrade. There’s something I can do to be gdpr compliance without upgrading to the latest version?

    thanks!

    lorenzo
    maio 31, 2018
  8. Hi there,

    But HOW the user will ask you to erase the data..? or access them or whatever..?

    I mean were in the site exist this option..??

    Demetris
    junho 7, 2018
  9. nice

    ApksDoz
    junho 10, 2018
  10. Thanks for detail information about GDPR. As a webmaster, I think everyone should read this post.
    When will they going to implement it outside the Europ?

    Nathan
    junho 10, 2018
  11. Hi, what about the account itself. its removed the address details and order details with the setting enabled however the name and email address used to create the account in the first place (these 2 combined bits of data would be classed as personal data) are still in the system and the user can therefore still log in and see this.

    Should this not remove the name on the account as well as anonymise or delete the users account in its entirety?

    Thanks

    Steve

    Steve
    junho 11, 2018
  12. great article
    very informative when i read this very helpful for me
    thanks for it

    Uk Tv Now
    junho 12, 2018
  13. This is the best article ever. Thanks for sharing !

    Ayan Arora
    junho 22, 2018
  14. nice website. the great website ever. keep it up !

    voot bigg boss 11 episode
    junho 22, 2018
  15. This is the best content. thanks for sharing articles !

    bigg boss 12 episode
    junho 22, 2018
  16. Nice article great

    The Sims 4 seasons
    junho 23, 2018
  17. Nice website

    Tekken 7
    junho 23, 2018
  18. Thank you for share best information

    God of war 4
    junho 23, 2018
  19. Information Post <3

    Daniyal
    junho 26, 2018
  20. Informative and helpful article. Thanks for this great content sharing. Keep on.

    KBTricks
    junho 26, 2018
  21. thanks for sharing with us.nice and informative articles.

    tech updates
    junho 27, 2018
  22. Nice article. It is very useful. Thank u for sharing awesome content.

    Ayan Arora
    julho 4, 2018
  23. Thank you dear Allen. This was really helpful. Short and simple to understand.

    Nich
    julho 6, 2018
    • I agree with you. This helped me a lot to understand GDPR,

      Best Dash Cam
      julho 7, 2018
  24. Understanding DGRP is really difficult for people like me. But Allen you made it really simple. Thanks for your guidance.

    StepUp.io
    julho 7, 2018
  25. Thanks a lot for this. This saved a lot of time.

    Lynette Yerby
    julho 11, 2018
  26. Nice article thank you for share

    heet
    julho 12, 2018

Stay up to date with WooCommerce emails

View our privacy policy. You can unsubscribe anytime.

Subscribing...

There was an error subscribing; please try again later.

Thanks for subscribing!
Emails will be sent to

You're already subscribed!
Emails are sent to

Use of your personal data
We and our partners process your personal data (such as browsing data, IP Addresses, cookie information, and other unique identifiers) based on your consent and/or our legitimate interest to optimize our website, marketing activities, and your user experience.