
WooCommerce and the GDPR

What is GDPR?

The General Data Protection Regulation (GDPR) standardizes data protection law across all 28 EU countries and imposes strict new rules on controlling and processing personally identifiable information (PII).

From 25 May 2018 every website collecting data from EU citizens must meet the GDPR requirements.

Step 1: Upgrade your WordPress and WooCommerce

First of all, make sure that you upgrade your WordPress to version 4.9.6 and your WooCommerce to 3.4. These versions include the GDPR tools.

Step 2: Update your Privacy Policy and Terms and Conditions

Your Privacy Policy is where you tell visitors to your website or mobile app about how you collect, store, share, and use their personal information, and what personal information you are collecting, storing, sharing and using.

You must also disclose the data collection practices of any third parties that you allow to collect data through your website or mobile app.

Your Terms of Service should spell out everything else that visitors need to know about what is required of them when using your website or mobile app, as well as any disclaimers you want to add.

When a user agrees to your Terms of Service, it works as a binding agreement between the website or mobile app operator and the user.

Step 3: Show a cookie notice on your site

To do so, you can use the Cookie Notice for GDPR.

Step 4: Adjust contact form plugins like Contact Form 7 & Gravity Forms to GDPR

According to the GDPR, sending a form presumes the sender’s consent. Personal data here comprises not only the sender’s IP address, but also the email address and the message content itself. An opt-in to confirm prior consent for data storage can be implemented by adding an Acceptance Checkbox for Contact Form 7 and by using the free plugin WP GDPR Compliance for Gravity Forms.

Step 5: Mailchimp newsletter marketing

If you haven’t done so already, start using double opt-in immediately! The double opt-in procedure requires the email recipient to explicitly click a link in a confirmation email after the initial registration. Only then is the person added to the mailing list. This ensures that nobody can sign up for a newsletter on your behalf and that the registration is actually approved by you. The confirmation email must not contain advertising or any other content.
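The double opt-in flow described above, as an added sketch that is not part of the original article and not Mailchimp's implementation: an address stays pending until a signed, expiring token from the confirmation link is presented. The names `SECRET`, `TOKEN_TTL`, `request_signup`, `confirm_signup` and the in-memory stores are hypothetical.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-site secret kept server-side
TOKEN_TTL = 48 * 3600             # assumption: confirmation links expire after 48 hours
pending = {}                      # email -> signup timestamp (not yet on the list)
subscribers = {}                  # email -> consent record kept as proof of opt-in


def _sign(email, issued_at):
    msg = f"{email}|{issued_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def request_signup(email, now=None):
    """First registration: park the address as pending and return the link token."""
    email = email.strip().lower()
    issued_at = int(now if now is not None else time.time())
    pending[email] = issued_at
    return f"{issued_at}.{_sign(email, issued_at)}"


def confirm_signup(email, token, now=None):
    """Link click: add to the list only for a valid, unexpired, unused token."""
    email = email.strip().lower()
    now = int(now if now is not None else time.time())
    try:
        issued_str, sig = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False  # malformed token
    if pending.get(email) != issued_at:
        return False  # no matching pending signup (also blocks replay)
    if now - issued_at > TOKEN_TTL:
        return False  # link expired
    expected = _sign(email, issued_at)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False  # signature does not match this address
    del pending[email]
    subscribers[email] = {"confirmed_at": now, "method": "double-opt-in"}
    return True
```

The stored consent record (timestamp and method) is what lets you later show that a given subscriber actively confirmed.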

Can we just send an email to our database with an updated privacy policy giving them the option to opt out if they don’t want to continue receiving communications?

The simple answer is no. The problem is that consent requires “clear affirmative action” and, therefore, failing to withdraw consent is not the same as giving consent.

Step 5.1: Set Up Your GDPR-Friendly Signup Form

To use GDPR fields on your signup forms, enable them for each list that collects or contains personal data from EU citizens, then edit them to reflect your marketing practices.

Enable GDPR Fields


Step 5.2: Segment Your List By Marketing Permissions

After you’ve set up your marketing permission checkboxes, segment your list to make sure you send your campaign only to the people who have given consent through your signup form.

To create and save a segment in your list, follow these steps.

  1. Navigate to the Lists page.
  2. Click the name of the list you want to work with. Your GDPR lists will have a badge next to the list name.
  3. Click Create A Segment.
  4. In the dropdowns, set Marketing Permissions is Email.
  5. Click Preview Segment to view the contacts that match your conditions. You will probably see zero contacts, since this is the first time you set up your form.
  6. Click Save as segment.
  7. In the Save Segment pop-up modal, type in a name for your segment (e.g. GDPR consent), and click Save. Make sure the Auto-Update box is checked. This will update your segment each time new contacts join.

Step 5.3: Send your future email campaigns only to the appropriate segment

In the To section of your future email campaigns, make sure that you select the list segment from Step 5.2 (in our case the GDPR consent segment).

Learning Resources