WooCommerce 3.4 GDPR features

Last month we blogged about the way we were approaching GDPR in WooCommerce. We’re happy to be able to say that most of these features are now ready in WordPress 4.9.6 (beta), and we’ve finished our work in WooCommerce core also.

This post summarises the changes and features you’ll find in our 3.4 release scheduled to drop May 23rd.

Personal data exporter

WordPress 4.9.6 adds the ability to export the personal data associated with an email address to an HTML file. WooCommerce 3.4 will add the following data to the generated export file:

  • Customer address/account information
  • Orders associated with the given email address
  • Download permissions and logs associated with the given email address

To ensure requests are genuine, 4.9.6 includes a requests table and a confirmation email to verify each request. The verification flow consists of the following steps:

  1. Add an email address or username.
  2. The user is notified via email with a confirmation link.
  3. The confirmation link is used and the request is marked “confirmed”.
  4. Admin triggers an email to the user which contains a link to download their personal data.

Screenshot: Export requests table

Personal data files can also be manually generated by the admin and downloaded. The file itself is a simple HTML file, zipped.

Screenshot: A sample export file

WordPress exports its own data in the same way, so items such as media files, posts, and comments/reviews are also taken care of!

Personal data eraser

Like the exporter, the eraser allows you to verify requests are legitimate before fulfilling them. It uses the same verification/email/requests system as the exporter.

Screenshot: Remove Personal Data screen

We understand this can be slightly more complicated for stores, because you may need to keep data for other reasons, such as tax compliance or compliance with other laws.

With that in mind, we have made some of our erasure routines optional:

Screenshot: WooCommerce settings

These settings are off by default.

Additionally, if you ever delete a user manually, we’ve improved our cleanup functions so that the following data is removed along with the user:

  • Payment tokens
  • Addresses
  • Orders (converted into guest orders)

And if you need to manually anonymise orders in bulk for a user you can search for them in admin and use the new “remove personal data” bulk action:

This keeps the order around, but removes all personal data and converts the order into a guest order.
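As an added example (not WooCommerce or WordPress code), this is how a plugin of your own would plug its data into the WordPress 4.9.6 exporter and eraser described in the two sections above, so that it appears in the generated export file and is handled by the eraser with the same request/verification flow. The plugin itself, the meta key `_example_gift_message`, the option `example_retain_gift_messages` and every `example_` function name are assumptions; the `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters and the shape of the callback return values are WordPress's own.

```php
<?php
// Added example, not WooCommerce/WordPress code. A hypothetical plugin stores a
// customer's gift message in user meta (constructed key '_example_gift_message')
// and registers it with the WordPress 4.9.6 personal data exporter and eraser.

define( 'EXAMPLE_GIFT_META_KEY', '_example_gift_message' );

// Exporter callback: WordPress calls it with the e-mail address from the request
// (and a page number for large data sets) and merges the returned items into
// the export file alongside the WooCommerce groups.
function example_gift_message_exporter( $email_address, $page = 1 ) {
    $export_items = array();
    $user         = get_user_by( 'email', $email_address );

    if ( $user ) {
        $message = get_user_meta( $user->ID, EXAMPLE_GIFT_META_KEY, true );

        if ( '' !== $message ) {
            $export_items[] = array(
                'group_id'    => 'example-gift-messages',
                'group_label' => __( 'Gift messages', 'example-plugin' ),
                'item_id'     => 'example-gift-message-' . $user->ID,
                'data'        => array(
                    array(
                        'name'  => __( 'Gift message', 'example-plugin' ),
                        'value' => $message,
                    ),
                ),
            );
        }
    }

    // Everything fits in one page, so tell WordPress the exporter is finished.
    return array(
        'data' => $export_items,
        'done' => true,
    );
}

function example_register_exporter( $exporters ) {
    $exporters['example-plugin'] = array(
        'exporter_friendly_name' => __( 'Example plugin', 'example-plugin' ),
        'callback'               => 'example_gift_message_exporter',
    );
    return $exporters;
}
add_filter( 'wp_privacy_personal_data_exporters', 'example_register_exporter' );

// Eraser callback: same arguments as the exporter. It reports what it removed,
// what it deliberately kept (with a reason shown to the admin), and whether it
// has finished. The constructed retention option is off by default, mirroring
// the optional WooCommerce erasure settings.
function example_gift_message_eraser( $email_address, $page = 1 ) {
    $result = array(
        'items_removed'  => false,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
    $user = get_user_by( 'email', $email_address );

    if ( ! $user ) {
        return $result;
    }

    if ( 'yes' === get_option( 'example_retain_gift_messages', 'no' ) ) {
        $result['items_retained'] = true;
        $result['messages'][]     = __( 'Gift messages were retained because the store keeps them for record-keeping.', 'example-plugin' );
    } elseif ( delete_user_meta( $user->ID, EXAMPLE_GIFT_META_KEY ) ) {
        $result['items_removed'] = true;
    }

    return $result;
}

function example_register_eraser( $erasers ) {
    $erasers['example-plugin'] = array(
        'eraser_friendly_name' => __( 'Example plugin', 'example-plugin' ),
        'callback'             => 'example_gift_message_eraser',
    );
    return $erasers;
}
add_filter( 'wp_privacy_personal_data_erasers', 'example_register_eraser' );
```

Both callbacks run only after the request has been confirmed through the email link, so the plugin never has to implement its own verification. Reporting `items_retained` with a message, rather than silently skipping data, is what lets the admin see on the requests screen that something was kept and why.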

Data retention settings

To help reduce the amount of personal data that’s stored, WooCommerce 3.4 allows you to define how long you want to retain data that is no longer needed for order processing:

These settings are found in WooCommerce > Settings > Accounts and privacy.

  • Failed, pending, and canceled orders which get cleaned up will be moved to the trash.
  • Completed orders which get cleaned up will be anonymized so sales stats are unaffected.
  • Inactive accounts will be deleted. An inactive account is one which has not been logged in to, or which has not placed orders, for the specified time.

If enabled, cleanup will run via a daily cron job. Inactive accounts are tracked using metadata, and only subscriber/customer accounts are removed. An upgrade routine will set all account last-active times to the time you updated to 3.4.

Checkout page display options

To reduce the amount of personal data stored, you can turn off some optional checkout fields you may not require for processing.

Screenshot: Customize Checkout

Additionally, you can now change the terms and conditions checkbox text to meet your needs:

Both of these options can be found in the Customizer (Appearance > Customizer > WooCommerce > Checkout). The preview is live, so you can see what effect these changes have on your checkout before hitting Publish.

Privacy policy page

WordPress 4.9.6 includes a privacy page setting as well as a mechanism for plugins to suggest content. WooCommerce adds some suggested content of its own.

Screenshot: Edit Page

Other plugins can do the same, which should allow you to piece together a policy that applies to your users.
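The mechanism a plugin uses to suggest privacy policy content is a single WordPress 4.9.6 function, `wp_add_privacy_policy_content()`. The snippet below is an added example rather than WooCommerce's own suggested text; the plugin name, the `example_` function name and the wording of the suggested paragraph are assumptions.

```php
<?php
// Added example, not WooCommerce code: a hypothetical plugin suggesting a
// paragraph for the site's privacy policy page via the WordPress 4.9.6 API.
function example_add_privacy_policy_content() {
    // The function only exists from WordPress 4.9.6 on; do nothing on older sites.
    if ( ! function_exists( 'wp_add_privacy_policy_content' ) ) {
        return;
    }

    // Constructed suggested text. Keep it to a statement of what the plugin
    // stores, why, and for how long, so the site owner can paste it as-is.
    $content = '<p>' . __(
        'When you place an order, this plugin stores the gift message you enter so that it can be printed with your parcel. The message is kept with your order and removed when the order is anonymised or erased.',
        'example-plugin'
    ) . '</p>';

    wp_add_privacy_policy_content(
        __( 'Example plugin', 'example-plugin' ),
        wp_kses_post( $content )
    );
}
add_action( 'admin_init', 'example_add_privacy_policy_content' );
```

The suggested text is shown to the site owner on the privacy policy guide in the admin area; nothing is published until they copy it into the policy page themselves.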

Privacy policy snippets

If you define a privacy policy page, it’s useful to be able to link to that page where needed. WooCommerce will output notices and links to the privacy policy in two locations:

  1. Account registration form
  2. Checkout form

The notice in the case of the checkout is shown above the place order button automatically:

Both notices can be customised in WooCommerce > Settings > Accounts and privacy or the Customiser.

Changes to log files

We’ve made some changes to our logging system in core, as well as revised what data gets logged.

  • We’ve done an audit of our usage of logs in WooCommerce and removed any unnecessary personal information from the logs. Notably:
    • Webhook logs no longer log the webhook body and response unless WP_DEBUG mode is turned on. This avoids personal information sent with webhooks being logged to the server.
    • PayPal debug logging now masks out the personal data sent to PayPal instead of logging it. The setting itself now includes a disclaimer that it should be used for debug purposes only and should be disabled when complete.
    • For PayPal specifically, payer email/name is no longer logged within order meta – this information can be found using the transaction ID and visiting the PayPal website instead.
  • When PayPal debug logging is turned off, the logs are purged.
  • Logs will now rotate daily, and log files will be deleted after 30 days by default. A filter can be used (woocommerce_logger_days_to_retain_logs) to extend this if needed. The cleanup is performed using a cron job.

These changes apply to both file-based logging and database-based logging, which are both options within WooCommerce core.
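The two logging changes above (masking personal data before it is written, and a filterable retention period) are both things a plugin can apply to its own log output. The block below is an added example, not WooCommerce code: it redacts a webhook payload before passing it to the WooCommerce logger, logs the full body only under WP_DEBUG as the webhook logs now do, and shortens the retention period through the `woocommerce_logger_days_to_retain_logs` filter named above. The `example_` functions, the list of sensitive keys and the sample payload are assumptions; `wc_get_logger()`, `is_email()` and `wp_json_encode()` are real WooCommerce/WordPress functions.

```php
<?php
// Added example, not WooCommerce code: PII masking before logging, plus a
// shorter log retention period via the filter WooCommerce 3.4 introduces.

// Mask e-mail addresses anywhere in the payload and blank out a constructed
// list of name/address fields, recursing into nested arrays.
function example_redact_payload( array $payload ) {
    $sensitive_keys = array( 'first_name', 'last_name', 'address_1', 'address_2', 'phone' );

    foreach ( $payload as $key => $value ) {
        if ( is_array( $value ) ) {
            $payload[ $key ] = example_redact_payload( $value );
        } elseif ( is_string( $value ) && is_email( $value ) ) {
            // Keep the domain so delivery/routing problems can still be diagnosed: j***@example.com
            list( $local, $domain ) = explode( '@', $value, 2 );
            $payload[ $key ]        = substr( $local, 0, 1 ) . '***@' . $domain;
        } elseif ( in_array( $key, $sensitive_keys, true ) ) {
            $payload[ $key ] = '[redacted]';
        }
    }

    return $payload;
}

// Write the payload to the WooCommerce log (file or database, whichever the
// store uses). The unmasked body is only written when WP_DEBUG is on, matching
// the 3.4 webhook behaviour; otherwise the redacted copy is logged at info level.
function example_log_webhook_payload( array $payload ) {
    $logger  = wc_get_logger();
    $context = array( 'source' => 'example-plugin' ); // becomes the log file name / source column

    if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
        $logger->debug( wp_json_encode( $payload ), $context );
    } else {
        $logger->info( wp_json_encode( example_redact_payload( $payload ) ), $context );
    }
}

// Keep log files for 14 days instead of the 30-day default.
add_filter( 'woocommerce_logger_days_to_retain_logs', function () {
    return 14;
} );

// Constructed sample payload, the shape of a typical order webhook body.
example_log_webhook_payload( array(
    'id'      => 1234,
    'status'  => 'processing',
    'billing' => array(
        'first_name' => 'Jane',
        'last_name'  => 'Doe',
        'email'      => 'jane@example.com',
        'phone'      => '+44 20 0000 0000',
    ),
) );
```

With WP_DEBUG off the sample produces an entry whose billing block reads `[redacted]` for the name and phone fields and `j***@example.com` for the e-mail, which is still enough to correlate the entry with an order by its `id` and `status`. The retention filter applies to the daily cleanup job, so a shorter value reduces how long any residual personal data survives in old log files.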

Closing comments…

The above features will require both WooCommerce 3.4 and WordPress 4.9.6. Both will be released before the May 25th GDPR deadline. If you’re interested in testing WooCommerce 3.4, see our beta announcement here.

Thanks for testing!

48 responses to “WooCommerce 3.4 GDPR features”

  1. That’s an impressive amount of work! Is there any documentation anywhere on how to hook into WP’s “data export” facility, so that other plugins can include/append any data that they’re storing in the output?

    1. simbahosting

      Anyone else who is interested in this… here: https://github.com/AffiliateWP/AffiliateWP/issues/2660

  2. That’s brilliant work – thanks Mike and everyone at WooCommerce & WordPress! I really like the privacy policy page builder and the data retention setup. Great that you’re thinking ahead to what people would ask for.

  3. guurtkok

    Thank you!! This is great work. However, I still do think there is an issue not resolved: Under GDPR you can collect data from customers without their permission if this data is needed to fulfill the deal. Name, address etc. are clearly needed. IP address is not. Yet woocommerce automatically collects the IP address of a customer. Can this be switched off?

    1. IP address is collected for fraud prevention (does billing match IP?), sometimes passed to gateways and sometimes a requirement when selling digital downloads. If specified in your privacy policy this should be just as valid as the other data collected and is all only used for processing. Check with a lawyer if unsure.

    2. guurtkok

      Thank you!

  4. Guys, everything looks fantastic! As a European citizen and very close to this new regulation, I would like to remind you that according to GDPR rules, the customers have to give their explicit consent for taking and managing their privacy data. That means that the Privacy policy snippets must have checkboxes for this consent, not only a plain message with a link to the Privacy policy. And I think this will be very useful for the store owners. Otherwise, it’s very likely that these snippets will not be used and shop owners will look for some kind of workaround for adding checkboxes. Thank you for your great work!

    1. We’ve been advised that a checkbox is not required because the customer is placing an order and the data is required for processing. You will need extra checkboxes if you intend to use data for other purposes.

      You should of course check with a lawyer too. We’ve been working with our legal department 🙂

      Fwiw 3.4 includes some extra hooks in the terms template so more can be inserted with custom code, if needed.

      1. Yes, if you follow this logic – it’s not possible to process an order without given consent, but in my opinion and professional business and developer experience, in more than 95% of the cases the Privacy policy document is one general document with all the necessary information about all kinds of personal data that is collected.
        So, if customers place an order and they are just informed about the policy, some of them may not want to give full consent for everything in that policy. The checkbox can make it clear and undisputed.
        What do you think, is it possible for you just to add an option button for the shop owners to choose whether or not there is a checkbox in the snippet? Just like an option. Extra hooks are great, but with this kind of option you will make it easier and possible for non-coders to make it through these changes. It’s really a big change that takes a lot of time and expenses for every business in Europe, especially if it’s a micro or small company.
        Thank you for your answer and help!

        1. I think it would be best to not include a checkbox in this case, based on the feedback we’ve received. If it’s an option it’s going to make it tougher for users to know if they actually need it, which we don’t believe they will. Remember there is also the TOS checkbox if you have other policies to disclose, and marketing plugins should add their own in addition.

          > we wouldn’t recommend taking the approach of having users opt into privacy policies. Privacy policies are disclosure documents required by law. Users “opt in” by using the service. So, you can certainly provide prominent notice and even acknowledgments of receipt, but they shouldn’t be an opt-in. Under GDPR in particular, an opt-in could be read as consent, and most of the practices described in a privacy policy don’t and shouldn’t rely on consent 

          Recommend you chat to a lawyer of your own of course 🙂

          1. Mike, thank you!
            I see your point. Of course, lawyers’ opinion and position are very important, so every shop owner has to talk with its legal team. And again – great work with GDPR changes! Looking forward to the update.

      2. Hello again,
        I talked to my lawyer and with some other lawyers as well. I quote their opinion: There must be a check box, so with it the clients can give their explicit consent to process their data when placing orders. Implicit or implied consent does not work and it would be contrary to the law. Although they submit their data by themselves, there must be a clue that they have agreed with it, know what they have given their data for, that they can withdraw it, be forgotten, and so on.
        What do you think? After all, is it possible to add this checkbox? Because if you do not do this, that means every developer has to do it himself for every existing project and for the new ones as well.
        This type of checkbox has always been there in other web platforms like Opencart, for example. So, I think there is nothing confusing for customers and for shop owners.
        Thank you for your great work!

        1. That seems to be what the policy is for. There are plugins to add checkboxes if you insist on including one – and again, we’ve been advised not to include one as this is a contract. Disclaimer again, ianal 🙂

          1. Thank you for your answer, Mike! I just wanted to provide you with these opinions. Thanks!

  5. Hi Mike! It all looks good except for this:

    For PayPal specifically, payer email/name is no longer logged within order meta – this information can be found using the transaction ID and visiting the PayPal website instead.

    This information has been really useful in the order meta, since it helps determine potential fraud. Why are you removing it? Can you make it opt in? Making a sale as a vendor also entails protecting ourselves from fraud so having this information on hand as meta is only positive.

    1. Why is it needed when it’s stored PayPal side?

      1. simbahosting

        Probably not “needed”, but it is convenient. Not all shop managers have access to a company’s PayPal account. How about using the PayPal API to download it “on demand”, so that it’s not stored in WooCommerce, but is still accessible there?

        1. Maybe you can explain why you’d need to look this up. I’m not sure I understand its importance if IPN validation is successful.

          1. Hi Mike, I didn’t see your replies. Having the PayPal payee name and email address logged is useful because PayPal accounts are sometimes hijacked. We used to receive fraudulent orders from Indonesia previously. We also received legit orders from Indonesia. The difference between them was that the fraudulent ones had wildly different PayPal email and name, billing name and email and shipping details. Seeing this level of detail helped us a lot. Having them in one place (the order which they pertain to, as much information as possible is useful here) without having to visit an external site was helpful.

  6. Love you hard workers for this!

  7. If a user wants their data deleted – what data is considered “personal data”? I assume name, email, address, etc. Anything else?
    I’m curious on things like address. Is it possible (or already done) to erase a street address and keep city, state, zip, country?

    1. IP, email, address and the main ones. When we anonymize we remove all data. The eraser class is filterable however.

  8. simbahosting

    The “Register” form on the “My Account” page – I think that needs at least a link to a site’s privacy policy so that people can consent to how their data will be processed. Are there any plans to add this in WC?

    1. This already includes a notice and is shown in the screenshots above (settings page).

      1. simbahosting

        Quite so – I looked twice, but was going too fast. My apologies.

  9. Charlotte Cook

    Very useful, thank you.
    When will the new version of WP be released so that we can start to implement these changes?

    1. Should be today – May 17th.

  10. Gingeralfie

    Any news about the Stripe / Apple Pay integration with Woo? It is issuing third-party cookies on individual product pages before consent can be given and whether or not the site viewer intends to purchase…

    1. Not much you can do to prevent that if you choose to use Stripe. Sounds like a cookie policy and banner may be needed. I’m not following Stripe – just core so I don’t have much information to share on that 🙂

  11. ccastanedag

    Amazing tools and improvements guys! Can’t wait to download it
    I have a question: Is it possible to display the “Privacy Policy Snippet” just for European visitors and hide for other non-EU countries?
    Thanks

    1. We don’t offer that option. Policy applies to all, so giving all users that same text and treatment makes sense?

      It could be made to use address or geolocation, but I wouldn’t want to add that without more user feedback post launch.

      Thanks

  12. Peter Dirksen

    I am rather disappointed. Was hoping for an out of the box working solution whereby customers at least could request the deletion of their data themselves in the WC customers panel.
    All the talk the last weeks led me to believe that there was a lot to come. Frankly I am not impressed, everything is hidden away in menu structures, there is no documentation at all.
    Also I was led to believe that every plugin would add automatically to the privacy statement, that is not the case.
    I had expected much more from the WooCommerce team, it is not that they did not have time or anything. It has been known for a long time now that the European union would come up with this crap.

    1. We’ve been pretty open in previous posts what was coming. The features you mention are coming in WordPress itself over the next few releases and are logged on the WordPress issue tracker.

      Thanks

  13. David

    Hello,

    Isn’t it possible to show another checkbox to accept the Privacy Policy like it does for TOS? GDPR makes this mandatory. Right now, WooCommerce only shows it as an informative text, but it’s mandatory that the user checks and confirms it…

    http://prntscr.com/jlyf8p

    Thanks

  14. cruiseback

    Great work, we just got the update today and now we are more or less compliant with GDPR, one day before the deadline.
    One question though, if we have set our “Retain completed orders” threshold to 2 years, but we have orders ranging back from 2012, when will Woocommerce start to anonymize those orders older than 2 years?

    1. When the cron job runs those will be cleared, so soon I imagine.

      1. cruiseback

        Thanks, that will be interesting to monitor

  15. Hello,

    thank you for your work!

    I updated everything but I can’t find an option to set up a required checkbox at the checkout in the customizer. Where do I set this up?

    1. There is only a terms and conditions checkbox. If you set the ‘terms’ page option it will be shown. That’s not new in 3.4.

  16. Hi

    How does the user ask for an account to be deleted or request data? I see nothing to ask this in the account area of the user?

    This could become an admin nightmare so is an option available to allow the user to request or delete data without the store owners involvement?

    1. An automated solution is being considered in WordPress core.

      For now you can use a contact form plugin, or regular email link, both explained in your privacy policy doc.

  17. Implementing such an awesome feature like this demonstrates how WooCommerce is number one!

  18. When you delete customer data using the “Personal data eraser”, do you also delete it from Paypal as it has also been transferred there?

    1. It’s not possible to affect 3rd party data like that. The user would need to contact paypal and read the PayPal privacy policy. You should explain that in your own policies.

  19. I love the work you guys at WC are doing, and you have certainly helped a great deal with regard to GDPR, which, I am personally very grateful for. GDPR was very daunting, but, you guys have made it less so. I have been following all of the GDPR discussions prior to 25th May closely, and your posts have been incredibly informative. Thank you and keep up the incredible work

  20. life15great

    This GDPR series is much appreciated! A question – in the privacy policy, rather than including the text that plugins you’re using have provided, can we just include a link to their privacy policies? It seems unreasonable to have to stay up to date with our plugins’ policy changes – how will we know they have changed, and what specifically has changed so that this isn’t an administrative nightmare?

    1. This is something WordPress must facilitate. It is ultimately your responsibility as the site owner however.
