An Introduction to GDPR Compliance for WooCommerce Stores

Written by Hannah Swain on December 20, 2017.

Europe’s General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 – is your shop ready?

What is GDPR and what does it have to do with you?

I attended WordCamp Manchester and WordCamp Stockholm in the last few months, and they had one thing in common: lots of questions about GDPR. I heard a number of discussions about what WooCommerce site owners needed to do, and whether they were ready for GDPR.

To help our WooCommerce site owners get ready for the GDPR, we wanted to provide some information about the regulation, along with our GDPR plans at WooCommerce.

On 25 May 2018, the GDPR enacted by the EU will come into effect. (Source: GDPR Countdown Clock)

Stronger rules on data protection from May 2018 mean that people in the EU have more control over their personal data.

There’s a great infographic breaking down the different components, and the GDPR for WordPress site includes a summary of site owners’ obligations when collecting data about people in the EU (the regulation applies to anyone in the EU, not only EU citizens), which we’ve listed below:

  • Tell the user who you are, why you collect the data, how long you keep it, and who receives it.
  • Get clear consent [when required] before collecting any data.
  • Let users access their data, and take it with them in a usable format.
  • Let users delete their data.
  • Let users know if a data breach affecting them occurs.

Each of these bullet points is subject to many caveats, exceptions, and degrees of how much you need to do, but they do serve as a good starting point. The breach rule is one example: you must notify your supervisory authority within 72 hours of becoming aware of a breach where feasible, but you only have to notify the affected individuals themselves when the breach is likely to put them at high risk.

What do you need to know or do as a WooCommerce shop owner?

First, read up and do your research. Each WooCommerce site uses a different set of plugins, has a different flow for shipping, and so on, so there isn’t a one-size-fits-all approach. You’ll need to work out what applies to your specific site. This post is an introduction to help guide you in the right direction; it isn’t meant to be all-inclusive, and we are unable to provide legal advice.

If you sell products to customers in the EU, or collect personal data from EU visitors to your site (analytics and tracking cookies count, since IP addresses and cookie identifiers are personal data), you’ll need to make sure your site complies with GDPR, wherever your business is based.

Whether your site is GDPR-compliant depends on how you’ve set it up, not on the platform itself. Code in WP has put together a breakdown of how the GDPR affects WordPress sites.

It’s also up to you as the site owner to communicate how your customers’ information is being used. That makes GDPR mostly a communication and process question, rather than something that can be solved with technology alone.

You may need to update your privacy policy to explain what data your site collects, why, how long you keep it, who it is shared with, and how users can exercise their rights.

What resources are there available to help you?

GDPR affects every site that serves users in the EU, wherever the site is operated, and there are lots of resources to assist you further. This list should get you started, but it’s not meant to be comprehensive.

How is Automattic applying GDPR?

As a company that works with users in the EU, Automattic and all of its sites, including, also need to be compliant with GDPR.

We published Automattic and the General Data Protection Regulation (GDPR), which shares information about the regulation and our plans for meeting its requirements across Automattic’s products and services. In short, we’re currently working to add features that enhance user choice and bring more transparency to our practices around the collection, storage, and use of your data. We expect that Automattic products and services will be in compliance with GDPR requirements by May 2018.

We’ll continue to post more information as we launch new features to enhance user privacy and data choice ahead of May 2018, and beyond.