If there is one type of web page that collects and processes the personal data of its users, it is the online store. It doesn’t matter which platform your ecommerce is hosted on: every time a user makes a purchase, subscribes or leaves a comment, they are providing personal data that must be treated in accordance with data protection regulations.
So if you have a WooCommerce store you are obliged to comply with the RGPD and the LOPDGDD, even if your visitors limit themselves to browsing the site and take no other action (such as buying or subscribing), because your WooCommerce store almost certainly uses cookies, about which you must not only inform users but also obtain their consent before using them.
Adapting your WooCommerce store to the RGPD will prevent you from receiving sanctions from the AEPD, but it will also give confidence to your users and buyers, who will see that your e-commerce complies with current regulations regarding data protection.
Steps to apply the RGPD if you use WooCommerce
As the owner of a WooCommerce store, you are responsible for processing the personal data that you collect from your visitors and, therefore, you must comply with a series of requirements and obligations laid down by the RGPD, the LOPDGDD and the LSSI-CE.
Specifically, you must inform your visitors, users or customers of what type of personal data you collect, how and for what purpose you collect it and for how long you will keep it, and you must have the necessary security measures in place to guarantee the protection of that data (something that falls partly on WordPress and the WooCommerce plugin, but which you should be familiar with if you do not want to incur any violations).
Draft and link legal texts
The regulations require that all web pages, including online stores, have the legal texts written and linked, that is, the legal notice, the privacy policy and the cookie policy.
The purpose of these texts is to inform users of:
- Who is the owner of the store
- Who is the data controller (and the data processor, if any)
- What personal data is collected, for what purpose, for how long it is kept
- Where and how users can exercise their ARSULIPO rights (access, rectification, deletion, limitation, portability and opposition)
- If your data will be transferred to third parties (including international data transfers)
All this information must be given clearly and in detail, in understandable language. The cookie policy must also detail all the cookies used by the WooCommerce store, who owns each of them and what purpose they serve (as we explain in the cookie policy for WordPress).
The legal texts go on their own page or subpages and must be accessible from anywhere in the online store, so a link to them is usually placed in the footer, either by using the options WordPress provides for it or by using a plugin. In addition, a link to the privacy policy should also be included in the store’s forms.
In the WordPress Settings menu we can create the page for the privacy policy, the cookie policy and the legal notice and then, through a widget, put the links where necessary.
Apart from these texts, another legal requirement for an online store is a page or subpage with the store’s terms and conditions, where users and customers are informed of everything related to the buying and selling process: payment method, shipping method, returns, customer service or after-sales service, information on the right of withdrawal, etc.
To place the terms and conditions in WooCommerce you will first have to create a new page in WordPress, in which you will write all the relevant information. Then, from the plugin options menu, you will have to go to “Settings > Advanced > Terms and Conditions” and choose the page you have created for them.
Once this is done, when a customer arrives at the purchase process, a checkbox will appear with the message “I have read and accept the terms and conditions” (or similar), with a link to them. This checkbox must be unchecked by default, since the customer has to tick it to expressly accept the terms and conditions and be able to place the order.
Configure privacy options
In WooCommerce it is possible to configure privacy options such as whether personal data from orders should be kept or deleted and for how long personal data is retained. It also lets you display a summary of the privacy policy on the user registration form and at checkout.
This can be done in the WooCommerce menu, under “Settings > Accounts & Privacy”.
Configure the forms according to the RGPD
Your WooCommerce store will use different types of forms, such as user registration, purchase or comments or product ratings. All of them collect personal data and, therefore, it is necessary that they comply with the requirements of the RGPD.
The forms must show a summarized version of the privacy policy, a link to it and to the cookie policy, and an unchecked checkbox so that the user can accept the privacy policy when completing and submitting the form. We can do this from the WooCommerce account and privacy settings, and an order can be blocked until the user accepts both the privacy policy and the terms and conditions.
To adapt the contact forms in WordPress and, therefore, in WooCommerce, we can use privacy policy plugins for WordPress that are compatible with this plugin, which will facilitate the configuration of the RGPD elements of these forms.
Obtain consent to send commercial communications
If you want to send commercial communications to the customers of your WooCommerce store and do so in accordance with the RGPD, the LOPDGDD and the LSSI-CE, you must obtain the express consent of the users to do so. This also applies to newsletters and any other type of communication that is not legitimized by the commercial relationship that has been established (such as a call from the after-sales service that has previously been requested).
The consent to send commercial communications is collected through a form not very different from those in the previous point, so it must contain an unchecked checkbox for the user to accept the privacy policy and a link to it and, if an email marketing service is used, name it and include a link to its privacy policy.
As with the other forms, you can use a plugin to comply with the RGPD in WordPress.
The cookie notice (or cookie banner) must appear whenever a new user enters your online store or when they have deleted their cookies after a previous visit. Cookies are small files stored in the user’s browser that collect different types of personal data, so it is necessary not only to inform users about them but also to obtain express consent for their use (except in the case of technical cookies).
The different cookie plugins for WordPress make it much easier to create and configure the cookie notice, but it is essential to make sure that they block cookies until the user accepts or rejects them (in which case they are not installed). In addition, we must allow the user to configure them as they wish, that is, activate or deactivate them according to their privacy preferences, and they must be able to do so at any time (they can accept some cookies and later revoke their consent whenever they want).
All the cookies used by the online store are listed in the cookie notice; this can be done in more or less detail, for example listing every cookie or grouping them into “technical cookies, advertising cookies, analytical cookies, etc.”. In any case, a link to the cookie policy must be included, where all the cookies used by the store are collected with their full details.
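As an added illustration of the blocking behaviour required above (this is example code, not code from the original article or from any WooCommerce cookie plugin), the following JavaScript sketches a consent gate: non-technical scripts are written into the page as inert script tags with type "text/plain" and a "data-cookie-category" attribute (an assumed markup convention), the visitor’s per-category decision is stored in a cookie (the cookie name "wc_cookie_consent" and the category names are assumptions), and only the accepted categories are re-created as real script tags. Technical cookies are never blocked, matching the exemption mentioned above.

```javascript
// Added example, not code from the original article or from WooCommerce: a
// minimal consent gate of the kind the article requires of a cookie plugin.
// Non-essential scripts stay inert until the visitor decides, the decision is
// stored per category, and it can be changed or revoked later.
// Assumed (hypothetical) markup for every non-technical script:
//   <script type="text/plain" data-cookie-category="analytics" src="..."></script>
// The browser does not execute such tags until this code re-creates them.

const CONSENT_COOKIE = 'wc_cookie_consent';                   // assumed cookie name
const CATEGORIES = ['technical', 'analytics', 'advertising']; // assumed categories

// Technical cookies are exempt from consent, so they are always allowed.
function defaultConsent() {
  const consent = {};
  for (const cat of CATEGORIES) consent[cat] = false;
  consent.technical = true;
  return consent;
}

// Read the stored decision out of a document.cookie / Cookie-header string.
// Returns null when no decision has been recorded, i.e. the notice must be shown.
function parseConsentCookie(cookieString) {
  for (const pair of cookieString.split(';')) {
    const eq = pair.indexOf('=');
    if (eq === -1 || pair.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    const consent = defaultConsent();
    for (const entry of decodeURIComponent(pair.slice(eq + 1).trim()).split(',')) {
      const [cat, value] = entry.split(':');
      if (CATEGORIES.includes(cat) && cat !== 'technical') consent[cat] = value === '1';
    }
    return consent;
  }
  return null;
}

// Serialise the visitor's choices into a Set-Cookie style string. Technical
// cookies are not recorded because they need no consent.
function buildConsentCookie(choices, maxAgeDays = 365) {
  const value = CATEGORIES.filter((cat) => cat !== 'technical')
    .map((cat) => `${cat}:${choices[cat] ? 1 : 0}`)
    .join(',');
  const maxAge = Math.round(maxAgeDays * 86400);
  return `${CONSENT_COOKIE}=${encodeURIComponent(value)}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Expire the consent cookie so the notice is shown again on the next visit.
function revocationCookie() {
  return `${CONSENT_COOKIE}=; Max-Age=0; Path=/; SameSite=Lax; Secure`;
}

// Re-create the blocked script tags whose category the visitor accepted and
// return the categories that were activated. `doc` is a parameter so the logic
// can be exercised against a stand-in document; in the browser pass `document`.
function activateScripts(doc, consent) {
  const allowed = Object.assign(defaultConsent(), consent || {}, { technical: true });
  const activated = [];
  for (const old of doc.querySelectorAll('script[type="text/plain"][data-cookie-category]')) {
    const category = old.getAttribute('data-cookie-category');
    if (!allowed[category]) continue;                 // not accepted: leave it inert
    const fresh = doc.createElement('script');
    if (old.getAttribute('src')) fresh.setAttribute('src', old.getAttribute('src'));
    fresh.textContent = old.textContent;              // inline script body, if any
    old.parentNode.replaceChild(fresh, old);
    activated.push(category);
  }
  return activated;
}

// Browser entry point; a no-op under Node, where `document` is undefined.
if (typeof document !== 'undefined') {
  const stored = parseConsentCookie(document.cookie);
  if (stored === null) {
    // Show the notice here. When the visitor submits their choices:
    //   document.cookie = buildConsentCookie(choices);
    //   activateScripts(document, choices);
  } else {
    activateScripts(document, stored);
  }
}
```

Revoking consent only expires the decision cookie: scripts that have already run cannot be un-run, so a real plugin also has to delete the cookies those scripts set (or reload the page) when the visitor withdraws consent. The Secure attribute means the decision is only stored over HTTPS, and SameSite=Lax keeps the consent cookie out of cross-site requests.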
The plugins you use must also be GDPR compliant
Finally, if you use plugins in your WooCommerce store, you should also make sure that they comply with the GDPR requirements, because some of them collect and store personal data of your users and customers automatically.
To do this, check what personal data the plugins installed in your online store collect, what they store it for, for how long, and whether a third party will have access to it. As far as possible, configure the plugin’s privacy settings so that it does not collect personal data that is unnecessary or that may be sensitive, and set a retention period so that this data is automatically deleted. In addition, you must inform about it in the store’s privacy policy.
If you use a plugin that does not allow you to configure the privacy management options according to the RGPD in your WooCommerce store, we recommend that you remove it.