WooCommerce 3.4 & GDPR Compliance

GDPR or EU General Data Protection Regulation will be applied this May 25, 2018. As we know, this has much effects on WordPress site owner and developer, especially for ecommerce site.

As the result, WooCommerce developer has been updating WooCommerce 3.4 to comply with GDPR. In this article, we will see the WooCommerce 3.4 GDPR features.

From May 25, WooCommerce also needs to meet all the requirements of GDPR. Luckily, most of those features are now ready in WordPress 4.9.6 (beta), and WooCommerce core is also updated and scheduled to release on May 23rd.

Personal data exporter

From WordPress 4.9.6 , we can export personal data with an email address to an HTML file. Thanks to that, WooCommerce 3.4 also add to the generated export file, exporting the following data:

• Customer address/account information
• Orders associated with the given email address
• Download permissions and logs associated with the given email address

 

Export personal data via email

WooCommerce allows users to export personal data via email with a request table and confirmation email. With these ones, it will be easier for us to verify the request.  This flow consists of the steps as below:

1. Add an email address or username.
2. The user is notified via email with a confirmation link.
3. The confirmation link is used and the request is marked “confirmed”.
4. Admin triggers an email with a link to download personal data.

Export personal data manually

In addition, admin can manually generate data files then download it. The file itself is a simple HTML file, zipped.

Personal data eraser

WooCommerce also enables us to easer personal data. For this process, it’s the same to the data exporter. The eraser lets us verify requests before fulfilling theme.

It can be slightly more complicated with stores to keep data for other reasons, such as tax compliance or compliance with other laws. Therefore, WooCommerce includes the erasure routines optional and these settings are off by default.

In addition, you can delete a user manually. There are cleanup functions that you can remove the the following data along with the user:

• Payment tokens
• Addresses
• Orders (are converted into guest orders)

And if you need to manually anonymise orders in bulk for a user you can search for them in admin and use the new “remove personal data” bulk action:

As the result, it keeps the order around, but removes all personal data and converts the order into a guest order.

Personal data retention settings

WooCommerce 3.4 also allows to define how long we want to retain data that is no longer needed for order processing.  This will help us reduce the amount of stored personal data,

We can configure this in WooCommerce > Settings > Account and privacy in the Dashboard.

• Failed, pending, and canceled orders which get cleaned up will be moved to the trash.
• Completed orders which get cleaned up will be anonymized so sales stats are unaffected.
• Inactive accounts will be deleted.

Taking advantage of this feature, we can enable this option then cleanup will run via a daily cron job. Inactive accounts are tracked using meta data, and only subscribers/customer accounts are removed. After we update to WooCommerce 3.4, the routine will set all account las active times at this time.

Checkout page display options

One of the best way to meet GDPR requirements is reduce the amount of personal data stored in our website. From the new version, there are options for us to turn off some optional fields.

Also, we can now change the terms and conditions checkbox text to meet your needs:

We can configure these options in the Customizer following Appearance > Customizer > Checkout and see the live preview before publishing the changes.

Privacy policy page

In addtion to the privacy page setting and mechanism for plugins to suggest content in WordPress 4.9.6, WooCommerce adds some suggested content of it’s own.

Privacy policy snippets

WooCommerce enable us to define a privacy policy page, and now you can link to that page if neccessary. WooCommerce will output notices and links to the privacy policy in two locations:

1. Account registration form
2. Checkout form

The notice in the case of the checkout is shown above the place order button automatically:

Both notices can be customised in WooCommerce > Settings > Accounts and privacy  or the Customiser.

Changes to log files

In the new version, WooCommerce Team also made some changes in the logging system in core, as well as revised what data gets logged.

• The team has done an audit of our usage of logs and removed any unnecessary personal information from the logs. Notably:
  • Webhook logs no longer log the webhook body and response unless WP_DEBUG mode is turned on.
  • PayPal debug logging no longer logs the personal data sent to PayPal and masks it out.
  • For PayPal specifically, payer email/name is no longer logged within order meta.
• When PayPal debugging logging is turned off, the logs are purged.
• Logs will now rotate daily, and log files will be deleted after 30 days by default.

These changes apply to both file based logging, and database based logging, which are both options within WooCommerce core.

Wrapping Up

Above are all new GDPR features in WooCommerce 3.4. All of them are available when you are working with both WooCommerce 3.4 and WordPress 4.9.6. Luckily, both of them will be released before May 25, 2018. For more detail information, you can check here and here.

Our team also have planned to update our WordPress themes  to latest WordPress , WooCommerce and other plugins to meet all requirements of GDPR.