To help you comply with the GDPR (General Data Protection Regulation), which comes into force on 25 May 2018, we have put together a GDPR WooCommerce checklist: one you can use to go through your website and business setup and decide what you need to do. We start with a general introduction and then move on to the checklist.
The GDPR has been in the making for a long time. It was adopted by the EU Parliament in April 2016 and, as stated above, applies from 25 May 2018. It was set up to protect the privacy of individuals in the EU and to guarantee that personal data is handled properly. So you have probably heard about it and wondered what it means for you, and perhaps you have sorted things already. It is still worth going through this article.
It applies to all businesses within the EU and, to be precise, to businesses outside the EU that collect personal data from customers or partners within the EU. What is personal data? Here it is from the horse's mouth:
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
So this new GDPR setup applies to many businesses throughout the world. Many of us work with clients in the EU and collect data that identifies them, especially if you run an ecommerce shop, as many of our customers running WooCommerce do. So you will probably need to play ball here.
Non Compliance Fines
According to the source of the regulation, the EU, you might not want to ignore it, because:
Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), …….
Each member state sets up its own supervisory authority to make sure these rules are followed and to penalize those who do not follow them. See also CodeinWP's article on this.
Here is a short summary, or checklist, based on a WooCommerce article from December last year, with some tweaks. More detailed bits and pieces follow.
- Tell the user who you are, why you collect the data, how long you keep it, and who receives it.
- Get clear consent [when required] before collecting any data.
- Do not store special-category data (racial or ethnic origin, religion, sexual orientation, health and so on) unless one of the specific legal exceptions applies.
- Checkboxes asking for consent to process personal information must not be pre-ticked.
- Let users access their data and take it with them (data portability).
- Let users delete their data.
- Let users know if a data breach affecting them occurs (and notify the supervisory authority within 72 hours).
Based on the GDPR tag in the WordPress plugin repository, I found a couple of useful plugins:
- Delete Me plugin for the right to be forgotten. A WP Tavern article mentioned it. NB: not yet tested by us.
- WP GDPR Compliance, a plugin that helps with several contact form plugins as well as WooCommerce. FYI: some of the help is just tips based on a checklist.
- CookieBot, Responsive Cookie Consent or Cookie Consent: asking visitors/customers for consent before setting cookies that collect data about their interactions.
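The cookie consent plugins above all do one thing under the hood: they only let the tracking script run after the visitor has opted in. The following is an added example of that gating written by hand (it is not code from the original post or from any of the plugins named). The cookie name `gdpr_consent`, its JSON payload `{analytics, ts}`, the one-year re-ask period and the placeholder measurement ID are assumptions made here; `anonymize_ip`, `allow_ad_personalization_signals` and the `ga-disable-<ID>` window flag are real gtag.js settings.

```javascript
// Added example: load Google Analytics only after an explicit opt-in, with
// IP anonymisation turned on, and switch tracking off otherwise.
// Assumptions (not from the post or any plugin): cookie name, JSON shape,
// re-ask period and the placeholder GA_ID.
const CONSENT_COOKIE = 'gdpr_consent';
const CONSENT_MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000; // re-ask after a year
const GA_ID = 'UA-XXXXX-Y'; // placeholder measurement ID

// Parse a document.cookie style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(part.slice(idx + 1).trim());
    } catch (e) { /* malformed percent-encoding: ignore that cookie */ }
  }
  return out;
}

// Return {analytics: bool}, or null when no valid, unexpired consent is stored.
// Anything unparsable, non-boolean, stale or dated in the future counts as
// "no consent", so tracking stays off.
function readConsent(cookieString, now = Date.now()) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  let c;
  try { c = JSON.parse(raw); } catch (e) { return null; }
  if (typeof c !== 'object' || c === null) return null;
  if (typeof c.analytics !== 'boolean' || typeof c.ts !== 'number') return null;
  if (now - c.ts > CONSENT_MAX_AGE_MS || c.ts > now) return null;
  return { analytics: c.analytics };
}

// Serialise a decision as the string to assign to document.cookie.
// Secure + SameSite so the cookie only travels over TLS to our own site.
function consentCookie(analytics, now = Date.now()) {
  const value = encodeURIComponent(JSON.stringify({ analytics, ts: now }));
  const maxAge = Math.floor(CONSENT_MAX_AGE_MS / 1000);
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// 'load' GA only on a stored, positive opt-in; 'disable' on refusal or silence.
function analyticsAction(consent) {
  return consent && consent.analytics ? 'load' : 'disable';
}

// gtag config sent once loaded: anonymize_ip drops the last IPv4 octet
// before Google stores the hit.
function gtagConfig() {
  return { anonymize_ip: true, allow_ad_personalization_signals: false };
}

// Browser entry point: read the cookie and either inject gtag.js or set the
// documented opt-out flag window['ga-disable-<ID>'].
function applyConsent(win, doc) {
  const consent = readConsent(doc.cookie);
  if (analyticsAction(consent) === 'disable') {
    win['ga-disable-' + GA_ID] = true;
    return 'disable';
  }
  win.dataLayer = win.dataLayer || [];
  win.gtag = win.gtag || function () { win.dataLayer.push(arguments); };
  win.gtag('js', new Date());
  win.gtag('config', GA_ID, gtagConfig());
  const s = doc.createElement('script');
  s.async = true;
  s.src = 'https://www.googletagmanager.com/gtag/js?id=' + GA_ID;
  doc.head.appendChild(s);
  return 'load';
}
```

Call `applyConsent(window, document)` from the page, and write `document.cookie = consentCookie(true)` from the banner's accept button (`consentCookie(false)` on decline). Note that the default in the absence of a cookie is "disable", which is the only safe default under an opt-in regime; a plugin that loads the tracker first and asks afterwards does not satisfy the checklist above.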
Delete Me Plugin
We are not using this one yet, as removing someone is a big step. We will make sure clients are deleted promptly when they ask for it, and will remove inactive customers after a set amount of time. Like all data, it should not be stored without need, so it has to be removed when an account has been inactive for a long time or when removal is requested. However, we are following the blogging sphere for more information on this, so may update the details on the right to be forgotten.
WP GDPR Compliance Plugin
WP GDPR Compliance is an amazing plugin that either sets up the needed checkboxes and/or texts, where possible, for (order) forms like Gravity Forms and …. WooCommerce order forms, or gives you tips and warnings on how to do things. It will, for example, tell you to add a consent box to order forms using its checklist:
And you can activate this for WooCommerce:
This can be done for Gravity Forms and Contact Form 7 too. It also tells you to turn off Jetpack comments if you use them, as Jetpack does not seem to have an opt-in option and, as we understand it, shares some personal information when commenting; see the WP Tavern article on this. Once turned off, you can add a consent checkbox with the plugin:
Cookie Bot vs Responsive Cookie Consent vs Cookie Consent
Google Analytics and GDPR
If you have a business established in the territory of a member state of the European Economic Area or Switzerland or you are otherwise subject to the territorial scope of the General Data Protection Regulation (GDPR), and if you have entered into a direct customer contract with Google to use Google Analytics, then you are eligible to accept the Google Ads Data Processing Terms.
You can also set the period of time for which the data is stored. See details on how to do this at seroundtable.com.
26 months is set automatically if you have accepted the new GDPR terms:
Jef makes a good point in the comments at SE Roundtable:
The point is… (Technically) With GDPR, you’re supposed to only keep user data you’re using. If you’re storing data about users, you have to have a good reason to keep it. Just having it in Google Analytics for “reporting purposes” isn’t a good enough reason either.
Obviously, they’re making these tools to hopefully take the heat off themselves, and thus reduce the risk across the board for their customers.
I think most medium sized companies can export the data they care about, anonymize it and/or aggregate it to the levels they need, and let Google handle the regular dumping of data they don’t need.
So keep data only while you have a good reason to use it, and once that reason is gone, remove it. You also need to ask for consent before setting analytics cookies, so you need a cookie consent plugin to do that for you.
Article still developing ..