There's a lot to do when you set up your WooCommerce store. However, you shouldn't let creating a Privacy Policy fall by the wayside.
It's essential that your shop has a well-drafted Privacy Policy to ensure you comply with the law, limit your risk and maintain the trust of your customers.
Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.
- Click on the "Free Privacy Policy Generator" button, located at the top of the website.
- Select where your Privacy Policy will be used:
- Answer a few questions about your business:
- Enter the country and click on the "Next Step" button:
- Continue building your Privacy Policy by answering the questions in our wizard:
Almost done. Now enter your email address where you'd like your new Privacy Policy sent and click on the "Generate" button and you're done.
That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.
- 1. What is a Privacy Policy?
- 2. Why Your WooCommerce Store Needs a Privacy Policy
- 2.1. Collection of Personal Data
- 2.2. Laws Affecting Your Store
- 2.3. Build Trust and Limit Your Risk
- 3. What You Should Include in Your Privacy Policy
- 3.1. What Personal Information Your Store Collects, and How
- 3.2. How Long Personal Data is Stored
- 3.3. How Personal Data is Used
- 3.4. Information Shared with Third Parties
- 3.5. How Personal Data is Protected
- 3.6. Use of Cookies
- 3.7. User Rights
- 3.8. Do Not Track (DNT) Clause for California Users
- 3.9. Payment Processing and Third Party Processors
- 3.10. Contact Information
- 4. Where to Display Your Privacy Policy and How to Get Agreement For it
- 4.1. Website Footer
- 4.2. Account Sign-up Page
- 4.3. Checkout Page
- 5. Summary
What is a Privacy Policy?
A Privacy Policy sets out the way a website collects, uses, stores and shares personal data.
Personal data is anything that could be used, alone or combined with other data, to identify an individual. This includes, but is by no means limited to, names, email addresses, home addresses, telephone numbers, dates of birth, payment information and even IP addresses.
Privacy Policies also inform users what control they have over the data the website collects, for example, their rights to edit or delete held data.
Why Your WooCommerce Store Needs a Privacy Policy
Collection of Personal Data
Your WooCommerce store will inevitably collect personal information from customers. This could be in the form of billing and shipping details, as well as email addresses and IP addresses.
If your store uses third party payment processors (who collect data on your behalf) it's important to explain this in your Privacy Policy.
In the jurisdictions covered below, and in most others, having a Privacy Policy is a legal requirement if you collect personal data from users.
Laws Affecting Your Store
Here's a brief overview of laws that may affect your shop:
The GDPR was enacted by the EU, but it does not only apply to businesses within the EU. It affects every e-commerce shop that offers goods or services to people in the EU, even if the store is based outside the EU.
If your WooCommerce store collects or processes the personal data of individuals in the EU, the GDPR applies to you.
The GDPR requires that personal data be kept secure and accurate, and that companies be transparent about how and why they use it. In other words, you need a Privacy Policy.
The regulation also gives individuals rights over the way their data is processed.
CalOPPA from California applies even when businesses have no physical presence in California. If your WooCommerce store is collecting personal data from Californian residents you need to ensure you comply with CalOPPA.
Basically, if any of your store's users live in California, this law applies to you.
CalOPPA requires you to post your Privacy Policy conspicuously: it should be a separate document or page reached through a clearly labelled link, not buried inside another page.
Along with the GDPR, CalOPPA is one of the strictest privacy laws in the world.
In Canada, PIPEDA requires businesses who collect consumer data to have clear and accessible Privacy Policies.
PIPEDA applies to your WooCommerce shop if you sell goods or services to Canadian customers.
As a store owner, it's your responsibility to ensure your WooCommerce shop meets the legal requirements of the countries your shoppers live in.
All of the above laws require any business that processes personal data to have a Privacy Policy, which should be well-drafted and easy for customers to find.
Build Trust and Limit Your Risk
A Privacy Policy will help to avoid misunderstandings. However, if a dispute does occur, your Policy can help to limit your risk - particularly if a customer takes your WooCommerce shop to court over an issue concerning their personal data.
It's true that a Privacy Policy creates a legal safety net, but it's so much more than that.
It's also an opportunity to build trust with your customers and exceed their expectations by emphasizing how you keep personal data secure.
What You Should Include in Your Privacy Policy
Your Privacy Policy should include what personal data you collect, how you use the data, how you will keep the data secure, if you share any of the data with third parties, the customer's rights regarding the data you collect and how users can contact you with any questions or complaints.
This can be broken down into the following clauses:
What Personal Information Your Store Collects, and How
An ideal way to start your Privacy Policy is to explain what personal data your store collects and how you collect it. Make sure you include all of the types of data you collect as this transparency will help protect you in the event of a dispute.
WooCommerce shop Wool Couture explains what types of personal information the retailer collects in this clause:
Similarly, retailer Henry J Socks explains what types of personal data the store collects. It also discloses to users how their data is collected:
The store goes on to make a distinction between data that customers freely provide and data that is collected automatically by the site.
For example, if a customer emails your shop they have voluntarily provided you with their email address. Whereas a user's IP address is likely to be automatically collected as soon as they access your store's page:
French retailer Minipop tells users what the store collects, coupled with a brief explanation of why. For example, the store collects data about the products that shoppers view so that it can customize the shopper's experience.
The store also explains what personal information it asks customers to provide and why:
How Long Personal Data is Stored
The purpose of this clause is to inform users how long you will keep their personal information and the reasons for retaining it.
Chuckling Goat explains how long personal data is usually stored. The store states that customers' data will be kept for a 'reasonable period of time' after they stop using the services, and that data on the shop's 'prospect database' will never be retained for longer than 3 years:
Henry J Socks does not specify an exact time frame, but the shop says it will hold data for as long as is necessary or until the user requests that their data is deleted:
Wool Couture offers a simple, easy-to-understand clause stating how long it stores personal data:
How Personal Data is Used
It's a legal requirement to tell shoppers how you are using their personal data.
Magna-Tiles provides a straightforward list of the ways the store uses personal information. The list format makes the clause easier to read and understand:
Similarly, UK-based WooCommerce store Earthbound provides users with a list of how the store uses information. The shop also includes a brief sentence on retention periods since there is no separate clause about this:
Information Shared with Third Parties
As a WooCommerce store owner, you almost certainly share some information with third party payment processors, and other third parties (hosting providers, email or analytics services, fulfilment partners) may also have access to your shoppers' personal data. Tell your customers who their data is shared with and why.
The third parties probably have their own Privacy Policies explaining how personal data is processed. It's a good idea to provide a link to these policies so that your users can access them easily should they wish to.
You should also inform users whether or not you sell their personal information.
Wool Couture's Privacy Policy does not name any specific third parties, but the retailer reassures shoppers that their data will only be shared with trusted suppliers:
Earthbound starts by advising customers that the company doesn't sell or rent personal information to third parties.
The WooCommerce store goes on to explain that information will be passed to third parties working on the store's behalf - such as payment processors:
Nordic Ware offers a short and simple clause to explain what is shared with third parties. The store states personal data is only disclosed if the user consents or the disclosure is required by law:
How Personal Data is Protected
It's essential that your WooCommerce store has a method of keeping shoppers' data secure, and your Privacy Policy should describe it, even if only briefly. Describe only the measures you actually have in place: a claim such as "all data is encrypted" that your store cannot back up turns the policy from a safeguard into a liability.
Clothing retailer Friend of Franki explains that internal and external access to personal information is restricted and only shared on a 'need to know' basis:
Strandberg Guitars informs users that the store aims to encrypt personal data to prevent it being misused:
Skincare shop Sodashi has a thorough security clause which details how the store keeps personal data safe. The shop advises that all personal information is encrypted by secure server software.
Part of this clause also attempts to limit the store's liability by explaining that 'no transmission over the Internet or storage of information on servers...can be guaranteed to be absolutely secure':
Use of Cookies
Cookies are small data files that websites use to store bits of information about users in between visits. They are commonly used to personalize and improve a user's experience - but they can also be used for targeted advertising.
A cookie clause is important to include if your WooCommerce store uses cookies and does not have a separate Cookies Policy. Even if your store does have a separate Cookies Policy, it's still a good idea to include a brief cookies clause in your Privacy Policy, coupled with a link to your Cookies Policy.
This clause is crucial if your shop sells to users in the EU, because the ePrivacy Directive (the "EU Cookie Law") requires you to disclose your use of cookies and to obtain consent before setting any cookie that is not strictly necessary for the service the user asked for. A cart or session cookie is exempt; an advertising or analytics cookie is not.
WooCommerce store Good Dye Young explains that the store uses cookies to personalize shoppers' experiences. The retailer makes it clear that users can accept or decline cookies:
Wool Couture explains that the shop uses cookies to count a shopper's visits, collect traffic data and see which pages they use. This lets the store personalize the user's experience and build a profile of its users.
The final paragraph of the clause tells users that they have the choice to accept or decline cookies.
However, the store warns users that some features won't function as well without cookies:
Department of Coffee's Privacy Policy explains what cookies are, how they're used and how shoppers can prevent the use of cookies:
User Rights
Your Privacy Policy should contain a clause informing users of their rights.
The GDPR gives users rights over their personal data. These include: the right to access information, withdraw consent, delete data, correct inaccurate information, object to processing, restrict processing, as well as the right to data portability. Users also have rights relating to their data being used for profiling and automatic decision making.
Yubico advises users of all of these rights and informs customers that they can file a complaint if they believe their personal data has been processed in a way that doesn't comply with the law:
Wool Couture use a list format to inform users of their rights:
Department of Coffee has an extremely thorough section on user rights in the store's Privacy Policy. The sub-clauses go into great detail about each individual user right and the laws granting each right. For example, this is the shop's clause on the right to erasure:
Do Not Track (DNT) Clause for California Users
Some users change their browser settings to opt out of companies tracking their online behavior. This is known as 'Do Not Track': the browser adds a "DNT: 1" header to every request it sends.
If your WooCommerce store sells to residents of California, CalOPPA requires your Privacy Policy to include a DNT disclosure clause.
CalOPPA states that this clause must tell users how your website responds to DNT signals sent by their browser, and whether or not your website honors the setting.
Note that websites are not legally required to honor DNT signals; they are only required to disclose whether and how they respond to them. Whatever you disclose must match what the site actually does.
Matt D'Avella states that the company does follow DNT signals when the user enables them:
Contrastingly, Clearsale states that the company does not abide by DNT signals:
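If your clause says the store honors DNT, something in the store has to act on the header. The following is an added example (not code from this article or from WooCommerce itself) of what honoring it can mean in practice: a small plugin or child-theme snippet that reads the DNT header and withholds the store's own analytics script when the user opted out. The script handle 'store-analytics' and its path are assumptions for the example.

```php
<?php
/**
 * Added example; not the article's code and not WooCommerce core.
 * Honors the browser Do Not Track header for the store's own analytics.
 * The script handle 'store-analytics' and its path are assumptions.
 */

/**
 * True when the browser sent "DNT: 1". PHP exposes request headers as
 * $_SERVER['HTTP_<NAME>'], so the header arrives as $_SERVER['HTTP_DNT'].
 * Only the exact value "1" is an opt-out: "0" is an explicit opt-in and a
 * missing header means the user expressed no preference.
 */
function store_dnt_opted_out( array $server ): bool {
    return isset( $server['HTTP_DNT'] ) && '1' === trim( (string) $server['HTTP_DNT'] );
}

/**
 * Load the analytics script only when tracking is permitted. Cookies that
 * WooCommerce needs to function (cart, session) are not affected: DNT is
 * about tracking, not about whether the shop works.
 */
add_action( 'wp_enqueue_scripts', function () {
    if ( store_dnt_opted_out( $_SERVER ) ) {
        return;
    }
    wp_enqueue_script(
        'store-analytics',                                     // assumed handle
        get_stylesheet_directory_uri() . '/js/analytics.js',   // assumed path
        array(),
        '1.0.0',
        true
    );
}, 20 );

/**
 * Tell caches that the response depends on the DNT header, and expose the
 * decision so the policy's claim can be checked from the browser's network
 * panel: the X-Store-DNT-Honored header appears only on opted-out requests.
 */
add_action( 'send_headers', function () {
    header( 'Vary: DNT', false );
    if ( store_dnt_opted_out( $_SERVER ) ) {
        header( 'X-Store-DNT-Honored: 1' );
    }
} );
```

One caveat worth checking before you write "we honor DNT" into the policy: full-page caching plugins and CDNs generally serve one cached copy of a page regardless of request headers, so a server-side decision like this one can be silently undone. If your store is cached that way, gate the analytics script in the browser instead, or configure the cache to key on the DNT header.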
Payment Processing and Third Party Processors
Sodashi explains that various third party payment processors are used to process customers' payments. The store names the third parties and informs the user that they are redirected to the third party's site for payment. Once this has happened, the user is governed by the policies of that third party:
Minipop's Privacy Policy contains a short clause advising that the store uses Paypal and Stripe to process payments.
Helpfully, the WooCommerce shop provides users with links to both third parties Privacy Policies:
Contact Information
This clause simply needs to state how users can contact you if they have any queries.
Strandberg Guitars provides the store's postal address, email address and telephone number:
Magna-Tiles provides the store's email address and telephone number:
Where to Display Your Privacy Policy and How to Get Agreement For it
There are a few ways to display your Privacy Policy and it's best to combine them. You also need to make sure that people have agreed to your Privacy Policy.
Website Footer
This is an ideal place to display your Privacy Policy, as users expect to find legal policies in the footer and every visitor can reach the link. However, you shouldn't rely on footer links alone: a footer link is passive notice and records no agreement from the customer.
Here is an example of a footer link by Henry J Socks:
Account Sign-up Page
If you require users to create an account you should place a link to your Privacy Policy on the sign-up page. This ensures anyone signing up sees your Privacy Policy and can access it if they wish.
You can also take this opportunity to get customers to agree to the terms in your legal policies. The best way of gaining consent from users is the 'clickwrap' method.
Clickwrap requires users to complete an action, such as ticking an "I agree" box, to confirm they consent to your terms. Keep a record of what each user agreed to and when, as that record is what you will need in a dispute.
Amazon links its Privacy Policy on the sign-up page. The company uses the clickwrap method to gain customer consent:
Checkout Page
Displaying your Privacy Policy at checkout is a great way to make sure all customers see the Policy. This is also an ideal place to use a checkbox agreement.
Henry J Socks uses a tick box agreement at checkout which ensures customers have agreed to the shop's Terms and Conditions. The same format can be used with your Privacy Policy:
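A clickwrap checkbox only counts if the server refuses submissions without it and keeps evidence of the agreement. The following is an added example, not code from this article or from WooCommerce core, covering both the account sign-up page and the checkout page described above: it renders a required Privacy Policy checkbox on each form, rejects the submission server-side when it is unticked, and stores the policy version, time and URL that were agreed to on the customer or order. The constant STORE_PRIVACY_POLICY_VERSION, the field name 'store_privacy_consent' and the 'store' text domain are assumptions for this example; the hook names and functions are WooCommerce's and WordPress's own.

```php
<?php
/**
 * Added example; not the article's code and not WooCommerce core.
 * Required Privacy Policy checkbox at sign-up and checkout, validated on the
 * server, with the consent recorded. STORE_PRIVACY_POLICY_VERSION, the field
 * name 'store_privacy_consent' and the 'store' text domain are assumptions.
 */

if ( ! defined( 'STORE_PRIVACY_POLICY_VERSION' ) ) {
    define( 'STORE_PRIVACY_POLICY_VERSION', '2024-01' ); // change whenever the policy text changes
}

/** Render the checkbox, linking to the policy page WordPress has on record. */
function store_privacy_consent_field() {
    woocommerce_form_field(
        'store_privacy_consent',
        array(
            'type'     => 'checkbox',
            'class'    => array( 'form-row', 'validate-required' ),
            'required' => true,
            'label'    => sprintf(
                /* translators: %s: link to the Privacy Policy */
                __( 'I have read and agree to the %s.', 'store' ),
                '<a href="' . esc_url( get_privacy_policy_url() ) . '" target="_blank" rel="noopener">'
                . esc_html__( 'Privacy Policy', 'store' ) . '</a>'
            ),
        ),
        empty( $_POST['store_privacy_consent'] ) ? 0 : 1
    );
}

/** Write the evidence of consent onto an order or customer (both carry WooCommerce meta). */
function store_privacy_consent_record( $object ) {
    $object->update_meta_data( '_privacy_consent_version', STORE_PRIVACY_POLICY_VERSION );
    $object->update_meta_data( '_privacy_consent_time', gmdate( 'c' ) );
    $object->update_meta_data( '_privacy_consent_url', get_privacy_policy_url() );
}

// --- Account sign-up page ---
add_action( 'woocommerce_register_form', 'store_privacy_consent_field' );

// $validation_errors is a WP_Error; adding an error to it blocks the registration.
add_action( 'woocommerce_register_post', function ( $username, $email, $validation_errors ) {
    if ( empty( $_POST['store_privacy_consent'] ) ) {
        $validation_errors->add( 'store_privacy_consent', __( 'Please confirm you have read the Privacy Policy.', 'store' ) );
    }
}, 10, 3 );

add_action( 'woocommerce_created_customer', function ( $customer_id ) {
    $customer = new WC_Customer( $customer_id );
    store_privacy_consent_record( $customer );
    $customer->save();
} );

// --- Checkout page ---
add_action( 'woocommerce_review_order_before_submit', 'store_privacy_consent_field' );

// The HTML "required" attribute is advisory only; this server-side check is the one
// that counts. WooCommerce has already verified the checkout nonce before this hook fires.
add_action( 'woocommerce_checkout_process', function () {
    if ( empty( $_POST['store_privacy_consent'] ) ) {
        wc_add_notice( __( 'Please confirm you have read the Privacy Policy.', 'store' ), 'error' );
    }
} );

// Fires before $order->save(), so the meta is stored with both post-table and HPOS order storage.
add_action( 'woocommerce_checkout_create_order', function ( $order ) {
    store_privacy_consent_record( $order );
} );
```

Drop this into a small plugin or a child theme's functions.php. The recorded version string is the useful part: when the policy text changes, bump STORE_PRIVACY_POLICY_VERSION so you can tell which wording a given customer actually agreed to. Note that the stored record is itself personal data about the customer and should be covered by your retention clause like anything else you hold.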
Summary
Overall, a Privacy Policy is essential for your WooCommerce store as it is a legal requirement for any website that processes personal data.
Once you have created a Privacy Policy you need to make sure users actually consent to it as this will help to protect you in a legal dispute.
The favored way to gain consent from users is via the clickwrap method, which usually requires users to check a box stating they agree to the site's policies.