To comply with the GDPR, or General Data Protection Regulation, which comes into force on the 25th of May 2018, we have put together a GDPR WooCommerce Checklist: one you can use to go through your website and/or business setup and decide what you need to do. We will start with a general introduction and then move on to the checklist.
Background
The GDPR has been in the making for a long time already; as a matter of fact it was adopted by the EU Parliament in April 2016. It was set up to protect the privacy of EU citizens and to guarantee a proper way of dealing with personal data. As stated above, it comes into effect on 25 May 2018, so you must have heard about it and wondered about it, and perhaps you have sorted things out already. It is still worth going through this article.
Parties Concerned
To be precise, it applies to all businesses within the EU, and to all businesses doing business with customers or partners within the EU that collect personal data from customers within the EU. What is personal data? Here it is from the horse's mouth:
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
So this new GDPR setup will apply to many businesses throughout the world. Many of us work with clients in the EU and collect data that identifies those clients, especially if you run an ecommerce site, like many of our customers who run WooCommerce. So you probably need to play ball here.
Non Compliance Fines
According to the source of the regulation, the EU, you might not want to ignore it, because:
Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), …….
Each member state will set up its own supervisory authority to make sure these regulations are followed and will penalize those who do not. See also CodeinWP’s article on this.
Site Checklist
Here first is a short summary or checklist, based on a WooCommerce article from December last year, with some tweaks. After that come some more detailed bits and pieces.
- Tell the user who you are, why you collect the data, for how long, and who receives it.
- Get a clear consent [when required] before collecting any data.
- No race, religion or sexual preference data can be stored.
- No checkboxes asking for personal information can be checked in advance.
- Let users access their data, and take it with them.
- Let users delete their data.
- Let users know if data breaches occur.
Privacy Policy and Terms & Conditions
You will need a privacy policy that clearly indicates what data you collect and how. The WooCommerce Point of Sale Plugin has a solid one, and decent terms and conditions as well. Do go through them and adjust them properly, preferably with your lawyer, before using them on your own site. Terms and conditions matter here because you are required to have certain security measures in place, and these need to be reflected in the Terms & Conditions.
Useful Plugins
Based on the WordPress Plugins repo GDPR tag, I found a couple of useful plugins:
- Delete Me plugin for the right to be forgotten. A WP Tavern article mentioned it. NB: not yet tested by us.
- WP GDPR Compliance plugin, which helps with several contact forms as well as WooCommerce. FYI, some of its aid is just tips based on a checklist.
- CookieBot, Responsive Cookie Consent or Cookie Consent, for asking consent to store cookies that collect data based on interactions with the visitor / customer.
Delete Me Plugin
We are not using this one yet, as removing someone is a big step. We will make sure clients are deleted promptly when they ask, and will remove inactive customers after an x amount of time. Like all data, it should not be stored without need, and so it needs to be removed when an account has been inactive for a long time or when removal is requested. We are following the online blogging sphere for more information on this, so we may update the details on the right to be forgotten.
WP GDPR Compliance Plugin
WP GDPR Compliance is an amazing plugin that will either set up the needed checkboxes and/or texts, where possible, for (order) forms such as Gravity Forms and …. WooCommerce order forms, or will give you tips and/or warnings on how to do things. It will for example tell you to add a consent box on order forms, using this item from its checklist:
Make sure you add a checkbox specifically asking the user of the form if they consent to you storing and using their personal information to ship the order. This cannot be the same checkbox as the Privacy Policy checkbox you should already have in place. The checkbox must be unchecked by default. Also mention if you will send or share the data with any 3rd-parties and which.
And you can activate this for WooCommerce:
This can be done for Gravity Forms and Contact Form 7 too. It also tells you to turn off Jetpack comments if you use them, as Jetpack does not seem to have an opt-in option and, as we understand it, shares some personal info when commenting; see the WP Tavern article on this. Once turned off, you can add a consent checkbox with the plugin:
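As an added example, not code from this post or from the WP GDPR Compliance plugin, here is how the checklist item above (a separate, unchecked-by-default consent box that is validated and recorded) could be implemented by hand in a WooCommerce site's theme or a small plugin; the field name, meta key and text domain are placeholders chosen for this example:

```php
<?php
/**
 * Added example (not from the post or the WP GDPR Compliance plugin):
 * a WooCommerce checkout consent box that is its own field (not the
 * Privacy Policy box), never pre-ticked, checked server-side, and
 * recorded on the order with a timestamp so consent can be shown later.
 * 'gdpr_shipping_consent', '_gdpr_shipping_consent_at' and the text
 * domain 'my-shop' are placeholder names chosen here.
 */

// 1. Render the box just above the "Place order" button.
add_action( 'woocommerce_review_order_before_submit', function () {
    woocommerce_form_field(
        'gdpr_shipping_consent',
        array(
            'type'     => 'checkbox',
            'class'    => array( 'form-row', 'validate-required' ),
            'required' => true,
            'label'    => __(
                'I consent to my personal data being stored and used to process and ship this order. It is shared only with our shipping carrier.',
                'my-shop'
            ),
        ),
        false // value passed is always "unchecked": the box is never pre-ticked
    );
} );

// 2. Refuse the order server-side if the box was not ticked; the
//    browser-side "required" marker alone can be bypassed.
add_action( 'woocommerce_checkout_process', function () {
    if ( empty( $_POST['gdpr_shipping_consent'] ) ) {
        wc_add_notice(
            __( 'Please consent to us processing your data so we can ship your order.', 'my-shop' ),
            'error'
        );
    }
} );

// 3. Record when consent was given on the order itself. WooCommerce saves
//    the order right after this hook, so no extra save() call is needed.
add_action( 'woocommerce_checkout_create_order', function ( $order, $data ) {
    if ( ! empty( $_POST['gdpr_shipping_consent'] ) ) {
        $order->update_meta_data( '_gdpr_shipping_consent_at', gmdate( 'Y-m-d H:i:s' ) );
    }
}, 10, 2 );
```

The consent timestamp then appears under the order's custom fields, which gives you a per-order record of what the customer agreed to and when.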
Cookie Bot vs Responsive Cookie Consent vs Cookie Consent
The GDPR Compliance plugin does not help with the cookie banner most of you already use: the banner asking for consent to use cookies. For that you can try Cookiebot, though you will have to sign up. If you do not want that, you can use Responsive Cookie Consent or Cookie Consent. I prefer the latter: there is no need to sign up for something extra, it is well maintained and widely used, and it also sets up a cookie explanation page.
Google Analytics and GDPR
You need to update your site's Privacy Policy to cover all personal information collected through your site. You also need to adjust your Google Analytics settings to comply with the new rules:
If you have a business established in the territory of a member state of the European Economic Area or Switzerland or you are otherwise subject to the territorial scope of the General Data Protection Regulation (GDPR), and if you have entered into a direct customer contract with Google to use Google Analytics, then you are eligible to accept the Google Ads Data Processing Terms.
You can also set up the period of time for which you store the data. See some details on how to do this at seroundtable.com.
26 months is set automatically if you agreed to the new GDPR terms:
Jef makes a good point in the comments at SE Roundtable:
The point is… (Technically) With GDPR, you’re supposed to only keep user data you’re using. If you’re storing data about users, you have to have a good reason to keep it. Just having it in Google Analytics for “reporting purposes” isn’t a good enough reason either.
Obviously, they’re making these tools to hopefully take the heat off themselves, and thus reduce the risk across the board for their customers.
I think most medium sized companies can export the data they care about, anonymize it and/or aggregate it to the levels they need, and let Google handle the regular dumping of data they don’t need.
So you should keep data only if you have a good reason to use it, and once that purpose is served you should remove the data. You also need to ask for consent, which is where the cookie plugin comes in.
Article still developing...