You may have heard about a new privacy regulation that has had the internet and online business world in a flurry of activity: the GDPR. So what exactly is the GDPR? How does it relate to WordPress and WooCommerce? Is WC Vendors ready?
Please note this is for information purposes only; you should consult your lawyers on how best to approach this for you and your business going forward.
What is the GDPR?
The General Data Protection Regulation, or GDPR for short, is a regulation introduced in the European Union that governs the use and storage of private information. It is set to go into effect on the 25th of May and governs how you as a business use and store the personal information of your customers who are EU citizens. The regulation is a heavy document at 88 pages that addresses all aspects of personal information regarding the EU and its citizens. It replaces its 1995 predecessor with regard to what governs and protects the privacy of those situated in the EU.
GDPR is a regulation, not a directive. Without going into the details, that means it is not just advice; it is the law. This is very important to the Union and you really have to pay attention to it.
The EU has provided a handy set of infographics that outline exactly what the GDPR is and how it works. You can find this information here: http://ec.europa.eu/justice/smedataprotect/index_en.htm
The folks over at Privacy Perfect have created a great one-page infographic that you can download from their website.
What rights does the GDPR provide?
The following individual rights are those provided by GDPR:
- Right to be informed [Chapter 3; Art. 12]
- Right of access [Chapter 3; Art. 15]
- Right to rectification [Chapter 3; Art. 16]
- Right to erasure [Chapter 3; Art. 17]
- Right to restrict processing [Chapter 3; Art. 18]
- Right to data portability [Chapter 3; Art. 20]
- Right to object [Chapter 3; Art. 21]
How does this relate to WordPress and WooCommerce?
First you need to ask yourself whether your WordPress and WooCommerce store needs to be compliant with the GDPR. The likely answer is yes, it probably will need to be compliant. How can you tell if you need to be compliant?
If your WordPress and WooCommerce site collects personal information from EU users, then it needs to be compliant. Any website that collects and stores personal information from individuals and citizens of the European Union falls within the jurisdiction of the GDPR.
What is Personal Data?
From the regulation:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
For a WooCommerce store, the following would fall under personal data:
- Profile photos
- Phone number
- Bank Details
- IP Address
- Device IDs (mobile and tablets, browser information)
How do you get your site GDPR ready?
The short answer is to implement a set of procedures that ensures that data is collected, stored and protected as outlined in the regulation. You also need to have procedures in place to handle the following:
- Data breaches
- Data portability
- Data erasure
This is a great first step in ensuring that your site is on the right path, as the main aspect of the GDPR is ensuring the security of personal information. This is only part of the process, as you also need to consider how you collect the information in the first place.
This means that you will need to change all your signup form defaults so that customers must explicitly tick a box to subscribe or to have their information used in any way. You need to clearly ask the customer for consent to use their information.
WordPress 4.9.6 and WooCommerce 3.4
WordPress 4.9.6 and WooCommerce 3.4 include new features to assist with your GDPR procedures and policies, including the following:
Personal data exporter
This feature provides the ability for personal information to be exported to an HTML file. WooCommerce adds to this information.
The requests table shown above is included to ensure the requests are genuine, with a confirmation email being sent to the user to verify the request. The verification flow works like this:
- Add an email address or username.
- The user is notified via email with a confirmation link.
- The confirmation link is used and the request is marked “confirmed”.
- Admin triggers an email to the user which contains a link to download their personal data.
What does the personal data information look like?
WooCommerce adds to this exporter and includes:
- Customer address/account information
- Orders associated with the given email address
- Download permissions and logs associated with the given email address
Personal Data Eraser
Just like the exporter, the eraser allows you to verify that the requests are legitimately from the users before you execute the data deletion. It uses the same verification flow as the export system.
This becomes a little more complicated when you are running an eCommerce store, as you need to keep records for other reasons or laws, such as tax or financial reasons. WooCommerce 3.4 introduces some options to the exporter that make some of the data optional.
These settings are off by default.
On top of the erasure options, WooCommerce also includes clean-up routines for when you manually delete a user from the system (from the Users screen):
- Payment tokens
- Orders (are converted into guest orders)
You can also manually anonymize orders in bulk for a user under the order actions on the Orders screen. This keeps the order's financial information in place but removes the user data associated with it.
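As an added example (not code from WordPress, WooCommerce or WC Vendors), this is how a plugin that keeps its own per-customer records would register with the exporter and eraser described above, so that a confirmed request also covers that data; the table name and columns are hypothetical placeholders.

```php
<?php
// Added example, not WordPress, WooCommerce or WC Vendors code: a plugin that keeps
// its own per-customer records registers with the WordPress 4.9.6 exporter and eraser.
// Assumes a hypothetical table {$wpdb->prefix}example_notes with placeholder columns
// id, customer_email, note, created (not a real schema).
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-notes'] = array(
        'exporter_friendly_name' => 'Example customer notes',
        'callback'               => 'example_notes_exporter',
    );
    return $exporters;
} );
// WordPress calls this page by page, only after the request was confirmed via the
// emailed link; it returns rows in the group/item format the HTML export expects.
function example_notes_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, note, created FROM {$wpdb->prefix}example_notes"
        . " WHERE customer_email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, $per_page, ( $page - 1 ) * $per_page
    ) );
    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'example-notes',
            'group_label' => 'Customer notes',
            'item_id'     => 'note-' . $row->id,
            'data'        => array(
                array( 'name' => 'Note', 'value' => $row->note ),
                array( 'name' => 'Created', 'value' => $row->created ),
            ),
        );
    }
    // 'done' => false makes WordPress ask for the next page.
    return array( 'data' => $items, 'done' => count( $rows ) < $per_page );
}
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-notes'] = array(
        'eraser_friendly_name' => 'Example customer notes',
        'callback'             => 'example_notes_eraser',
    );
    return $erasers;
} );
// Anonymize rather than delete, so the record survives tax or financial retention
// requirements while the identifying email is replaced (as with order anonymization).
function example_notes_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $updated = $wpdb->update( $wpdb->prefix . 'example_notes',
        array( 'customer_email' => wp_privacy_anonymize_data( 'email', $email_address ) ),
        array( 'customer_email' => $email_address ), array( '%s' ), array( '%s' ) );
    return array( 'items_removed' => (bool) $updated, 'items_retained' => false,
        'messages' => array(), 'done' => true );
}
```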
Data Retention Settings
To reduce the amount of personal information that WooCommerce collects and stores, WooCommerce 3.4 provides options for you to define how long you retain that data before it is no longer needed for processing an order.
You can find these settings under WooCommerce > Settings > Accounts and Privacy:
- Failed, pending, and canceled orders which get cleaned up will be moved to the trash.
- Completed orders which get cleaned up will be anonymized so sales stats are unaffected.
- Inactive accounts will be deleted. An inactive account is one which has not been logged in to, or which has not placed orders, for the specified time.
If you enable these settings, the cleanup is triggered in a daily cron job. An upgrade routine in WooCommerce 3.4 will add an account last-active time.
Checkout page options
Further to reducing personal information gathering, there are new customizer options to disable fields or make them optional:
- Company name
- Address line 2
Why collect this information if you’re not going to use it?
- Account registration form
- Checkout form
WooCommerce has also addressed how and what it logs within core and its payment gateways, stripping out any personal information that was previously written to logs. It also includes a new log rotation system that automatically deletes the logs after 30 days.
What about WC Vendors?
WC Vendors relies on both WordPress and WooCommerce for storing information about vendors and customers. Any information related to vendors and customers is stored in the user table and as such is available to both:
- Data requests
- Data erasure
Commission information does not store anything beyond the vendor's ID and order number along with the financial information, and it already removes any links if the orders or users are deleted. This means that the procedures you have in place for a WooCommerce and WordPress store will help ensure that you are meeting the requirements of the GDPR.
WC Vendors Free
WC Vendors Free includes a set of capabilities under WC Vendors > Orders to disable the display of customer information to vendors. This allows you to restrict the sharing of this information with vendors to what is necessary.
This information will be stripped from the following areas:
- WordPress Admin Orders Screen
- All emails to vendors
- Vendor Dashboard order details
WC Vendors Pro
WC Vendors Pro includes a complete front-end dashboard for vendors, which removes their need to access the WordPress Dashboard. With this in mind, there are several other areas where data is collected and displayed to vendors.
The order capabilities in Free automatically apply to the front-end dashboard in Pro, removing the display and sharing of customer information with vendors. This includes:
- Orders table
- Orders details
- WordPress Admin Orders Screen
- All emails to vendors
You can also disable their ability to view the order details.
Sign up and settings forms
Starting with WC Vendors 1.5.0, there are new options that allow you to hide fields on the sign-up and settings forms if you don't require them. This helps reduce the collection of personal information. Simply tick the hide boxes and the fields will be removed from the form. These settings are identical for the Settings and Signup forms.
If you require help creating and updating your terms of service and your privacy policies, I found some tools that could be of assistance.
That is a lot of information to digest, and it only scratches the surface of what the GDPR is. These strict new regulations govern the collection and storage of personal data by websites, particularly WordPress and WooCommerce. It is important to understand these regulations and to ensure that your website, and by extension your business, is complying with them. You should seek legal advice as to what is relevant to you and your business.