If you sell to EU residents, this law applies to you — even if you aren’t in the EU. Fines for non-compliance will be substantial and can be levied on businesses both in and outside the EU.
What is the GDPR and how does this affect my business and website?
The GDPR is a new law that concerns itself with the handling of personal data of European Union (EU) residents. It takes effect on May 25, 2018.
Over two years in the making, the GDPR is intended to give EU residents more visibility and control over their personal data: how websites, including eCommerce websites, collect data; who they share it with; and what tracking technologies monitor them across the Internet. There is no doubt that other countries will follow suit so you might as well look at updating your Privacy Statement now to stay ahead of the game.
The new law requires stores to inform their customers about what information they collect, store, and share, and establishes specific rules about the kind of consent required before stores can collect personal data. That means that stores will be asking for consent more explicitly, and detailing their use of personal data more specifically in their privacy policies.
In addition to clearer notices and privacy policies, the GDPR also gives EU residents powerful new rights such as the Right of Access, Right to Rectification, and Right to Erasure.
That means that EU residents will be able to:
The GDPR also gives EU residents the right to find out if their personal data has been compromised. Stores will need to notify customers if their personal data is stolen in a breach, and do so in a timely manner.
GDPR isn’t about all information—the new rights for EU residents specifically apply to Personal Data.
Personal Data means anything that can identify a person, either on its own or combined with other data. Examples include a person’s:
Basically, if you can use a piece of data to identify an EU resident, or combine it with other data to identify them—that’s personal data.
We’ll unpack this over the remainder of this series, which will cover:
In addition to being a GDPR requirement, a well-written, easily understood privacy policy can help close sales with increasingly privacy-conscious consumers. Pulling together a privacy policy for your WooCommerce store involves a bit of research, a bit of writing, and a commitment to revisit the policy from time to time.
Starting with WordPress 4.9.6, you’ll be able to create or designate a page on your site as your store’s privacy policy. If you don’t already have WordPress running, if you are on Joomla or another CMS, talk to us about getting your site converted to WordPress or about how we can help create your privacy policy enabling you to be compliant. If you are already on WordPress, you’ll find this new feature in WP Admin > Settings > Privacy:
Start by “self-testing” your own store and noting of all the fields (required or optional)where customers are prompted to enter information or make selections. Note the obvious personal data like name and address, along with anything else you collect from them when they check out or become a registered user on your site.
Next, look at the less explicit tools, like cookies or analytics, that your site uses. Examine what plugins you have installed and review their privacy information.Does a plugin send data outside the country or perhaps the European Union? That’s another thing you’ll need to disclose to customers.
Take advantage of the new tools in WordPress to see privacy updates from active plugins: starting with WordPress 4.9.6, plugins can register privacy information with WordPress itself, and you’ll see that information a special box near the editor when you are editing your privacy policy page in wp-admin. WordPress itself will also provide information on the information it collects from visitors to your site, like comments and cookies.
The new privacy information box makes it possible to copy and paste privacy information from WordPress and plugins directly into your privacy policy, where you can edit it to the particulars of your store. However, since much depends on the specific settings you use and how plugins interact with one another, you’ll want to review and edit that text to make sure it’s right for your store.
If a plugin doesn’t provide privacy information you can visit the developer’s website or contact them directly and ask them about what data their plugin collects from visitors to your site, if any, and what they do with it.
After you know what you’re collecting, you’ll need to note why you’re collecting it.
Explanations for much of the data you collect are simple: you need their address to ship them a product, or you need their email address to update them on their order status.
If you’re collecting any personal data that you don’t actually need to fulfill an order, you’ll want to explain why to your customer and give them a means to opt out of that sort of “processing” (see “Checkboxes aren’t the only way” below).
Here, a bit of sleuthing is involved — you’ll want to review how they data you collect is used. A few types of plugins are more likely to share data:
Essentially, if a plugin connects to an external service, they’re likely sharing some type of data with that service. You’ll want to review the privacy policies of these services to make sure they align with your privacy priorities.
There are lots of reasons to retain records, including if a charge is disputed by a customer, for tax audition, or for other legal concerns. While laws like the GDPR have “right to erasure,” you are not required erase records you need for these other aspects of your business.
That said, your privacy policy, alongside your terms and conditions page, should make it clear to customers how long you retain their personal data and why.
In addition to knowing what you’re doing with personal data, customers need to know how they can update their data, including:
Your privacy policy should give customers clear instructions on how to reach you or your designated privacy person with these of requests. If you allow your customers to edit some of their own information, for example under My Account, you can mention that here as well.
Checkboxes aren’t the only way
Under the GDPR, there are multiple legal approaches to handling personal data. Your privacy policy should state under which basis you are doing each kind of processing of personal data. The ones most applicable to eCommerce sites include:
That’s a long list, we know! Tackle it step-by-step, and don’t worry about creating a perfect privacy policy on day one. Keeping your privacy policy fresh and up-to-date, especially as you add plugins — or plugins add features — will be a ongoing activity just like any other business maintenance you do.
You probably know someone who’s requested their data from one of the big social media platforms. It can be staggering to see all the detail in one of these data “dumps”!
If your store collects data from EU residents, you can expect to start receiving “Right of Access” requests under the GDPR.
An EU resident has a right to a copy of all the data you’ve collected about him or her, ideally in an electronic format. This includes information like name, address, and phone number, along with less obvious things like shipment tracking numbers or VAT IDs. Thankfully, WordPress 4.9.6, WooCommerce 3.4, and many WooCommerce extensions automate the legwork Right of Access requests require — we’ll walk you through the process.
To start, do a few test orders with your store to understand what data you collect and develop a standard procedure for responding to requests. Your procedure should include:
Not sure you know all the places data might be stored? Do a test order at your store and use it to flesh out your procedure. You’ll be able to see what plugins are automatically providing data using the new WordPress export tool — and what plugins are conspicuously absent. Note all the plugins you don’t see in the export tool; you’ll have to get their data separately.
1. Confirm identity of the requester
Confirm the identity of the person making the request before you export their personal data. WordPress has a new page under Tools → Export Personal Data where you can send a confirmation request to the customer’s email address (or via their username, if they’re a registered user on your site).
To send the request, type their email address in the box provided and hit “Send Request.” They’ll receive an email with a confirmation link, which they’ll use to confirm the request.
While you’re waiting for the customer to confirm, you’ll see the request displayed as “Pending.” Once they click the link, the status switches to “Confirmed”.
2. Export data
WordPress, WooCommerce, and many extensions work together to assemble an “export” file containing a person’s personal data. You can either send the customer a link to the file— it’s good for three days — or download their file yourself. The latter is useful if you need to combine the export file with sources of data from other plugins to get a complete picture.
After you’ve downloaded or emailed the file, the request will be marked “Completed.” You can leave the completed request alone or use bulk actions to remove it, depending on how you want to log compliance with the law.
Curious to know what a download might look like? Voila:
What About Repeated or Nuisance Requests?
If you find yourself facing multiple requests from the same customer, you are permitted under the law to assess a reasonable fee. That’s something else you should consider as you draw your “right to access” procedures together.
We’ve covered the importance of putting someone in charge of privacy, how to build a policy, and how to prepare for Right of Access request.
Sometimes. a customer wants to remove their digital footprint from the Internet. Maybe they were the victim of identity theft, suffered online harassment, or just want reduce their online presence. Whatever the reason, store owners who collect data from EU residents can expect to receive “Right to Erasure” requests under the GDPR.
As with Right of Access requests, the data a person can expect to be erased includes the obvious — name, address, phone number — and the less obvious, like tracking numbers and VAT IDs.
One significant difference is that Right to Erasure requests are more like a right to requesterasure. As a business owner, you probably need to keep some data for a limited time to comply with contractual obligations and protect yourself, like keeping tracking IDs to defend against shipping disputes or keeping VAT information for tax audits. Before you get your first request, it’s important to know what personal customer data you need to store, and to include this in your privacy policy and terms and conditions.
When you’re ready to fulfill a Right to Erasure request, the good news is that — as with Right to Access requests — WordPress 4.9.6 and WooCommerce 3.4 have tools to help.
Before You Get Your First Request
Here, you’ll also want to start with test orders to understand what data you collect, and develop a standard procedure for responding to requests. Your procedure should include:
Not sure you know all the places data might be stored? This is where a test order is handy; you’ll be able to see what plugins are automatically providing data using the new WordPress export tool. Note all the plugins you don’t see in the export tool; you’ll have to erase data from these plugins separately.
In WooCommerce, new settings help you control and limit automatic erasure of customers’ personal data. You can find them under WooCommerce → Settings → Accounts and Privacy. Here, you can control:
You can also control some Right to Erasure-related settings, like:
As with Right of Access requests, start by confirming the identity of the person making the request before you touch their personal data.
A new WordPress page under Tools → Erase Personal Data lets you send a confirmation request to the customer’s email (or via their username). Type their email address in the box provided and hit “Send Request”.
While you’re waiting for the customer to confirm, you’ll see the request displayed as “Pending.”
After they click the link, you’ll see that status switch to “Confirmed”.
Once their identity is confirmed, click the Erase Personal Data button, and the software will start scrubbing away. WordPress, WooCommerce, and many extensions work together to erase a person’s personal data. If a plugin needs to retain a bit of personal data for whatever reason, it will be displayed to you at the end of the erasure process.
If the person has a user account on your site, the request will also include a link to start the “Delete User” process — the same one that is in WordPress core already. Hold off on this at first; you might want to preserve their account depending on whether any plugins you use return a message about items “retained” during the erasure process.
Again, don’t forget that this only covers plugins that hook into the new WordPress personal data erasure tool — you may need to manually remove personal data collected by other plugins or services to be in full compliance with the Right to Erasure request.
Google blacklists around 10,000 websites every day for malware, removing them from search results — and more importantly, malware can infiltrate customer data and expose your customers (and you!) to fraud and identity theft. Security breaches are a serious business.
To raise the bar on how companies respond to security issues, the GDPR introduces new rules governing what merchants must do when an EU resident’s data is exposed in a breach.
One of the continuing responsibilities of your “designated Data Protection Officer” is to ensure that your site is as secure as possible, which includes:
You need plan outlining what do if you do get hacked. At minimum, your checklist should include:
You might need professional help for some of these, particularly finding and removing the hack, might require professional help — decide who you’ll call in advance, so you’re not scrambling. If you have a big customer database, having a contact plan is a also good idea that will save you some stress.
Hopefully, your store will never be breached! These steps should help reduce your risk , or the severity of any breach that does happen. In the worst-case scenario, a solid plan in place for dealing with the breach and informing your customers will reduce the fallout for everyone involved.
The GDPR is only the latest law designed to shift the balance of power back to consumers — it builds on older laws like the UK’s DPA. And it won’t be the last; store owners can expect updates to the GDPR, and similar laws will be enacted in other countries. Keeping abreast of these laws and which ones apply to you is an ongoing responsibility.
Whoever is charged with keeping an eye on privacy matters for you will need to make sure your store’s privacy policy stays fresh, especially as you add, update, or remove plugins and third-party services. Plugins will also update their privacy declarations, as they evolve to use personal data in new ways. Stores will need to keep on top of requests and security and data retention on an ongoing basis. Data security is as much a part of day-to-day work as tracking inventory and sales.