- 2.1. Collection of Personal Data
- 2.2. Laws Affecting Your Store
- 2.3. Build Trust and Limit Your Risk
- 3.1. What Personal Information Your Store Collects, and How
- 3.2. How Long Personal Data is Stored
- 3.3. How Personal Data is Used
- 3.4. Information Shared with Third Parties
- 3.5. How Personal Data is Protected
- 3.7. User Rights
- 3.8. Do Not Track (DNT) Clause for California Users
- 3.9. Payment Processing and Third Party Processors
- 3.10. Contact Information
- 5.1. Website Footer
- 5.2. Account Sign-up Page
- 5.3. Checkout Page
- 6. Summary
Personal data is anything that could possibly be used to identify an individual. This includes but isn't by any means limited to names, email addresses, home addresses, telephone numbers, date of birth, payment information and even IP addresses.
Privacy Policies also inform users what control they have over the data the website collects, for example, their rights to edit or delete held data.
Collection of Personal Data
Your WooCommerce store will inevitably collect personal information from customers. This could be in the form of billing and shipping details, as well as email addresses and IP addresses.
Laws Affecting Your Store
Here's a brief overview of laws that may affect your shop:
The GDPR was enacted by the EU; however, it does not apply only to businesses within the EU. The GDPR affects all e-commerce shops which sell goods and services to EU customers - even if the store is based outside of the EU.
If your WooCommerce store processes or collects the personal data of EU residents, the GDPR applies to you.
Additionally, the regulation gives consumers rights over the way their data is processed.
CalOPPA from California applies even when businesses have no physical presence in California. If your WooCommerce store is collecting personal data from Californian residents, you need to ensure you comply with CalOPPA.
Basically, if any of your store's users live in California, this law applies to you.
Along with the GDPR, CalOPPA is one of the strictest privacy laws in the world.
In Canada, PIPEDA requires businesses that collect consumer data to have clear and accessible Privacy Policies.
PIPEDA applies to your WooCommerce shop if you sell goods or services to Canadian customers.
As a store owner, it's your responsibility to ensure your WooCommerce shop meets the legal requirements of the countries your shoppers live in.
Build Trust and Limit Your Risk
It's also an opportunity to build trust with your customers and exceed their expectations by emphasizing how you keep personal data secure.
This can be broken down into the following clauses:
What Personal Information Your Store Collects, and How
WooCommerce shop Wool Couture explains what types of personal information the retailer collects in this clause:
Similarly, retailer Henry J Socks explains what types of personal data the store collects. It also discloses to users how their data is collected:
The store goes on to make a distinction between data that customers freely provide and data that is collected automatically by the site.
For example, if a customer emails your shop, they have voluntarily provided you with their email address, whereas a user's IP address is likely to be collected automatically as soon as they access your store's page:
French retailer Minipop advises users what the store collects, coupled with a brief explanation of why. For example, the store collects data about the products that shoppers view so that it is able to customize the shopper's experience.
The store also advises what personal information it requests customers to provide and why:
How Long Personal Data is Stored
The purpose of this clause is to inform users how long you will keep their personal information and the reasons for retaining it.
Chuckling Goat advises how long personal data is usually stored for. The store states that customers' data will be kept for a 'reasonable period of time' after customers stop using the services. The shop also advises that data on the shop's 'prospect database' will never be retained for longer than 3 years:
Henry J Socks does not specify an exact time frame, but the shop says it will hold data for as long as is necessary or until the user requests that their data be deleted:
Wool Couture offers a simple and easy-to-understand clause which advises how long it stores personal data:
How Personal Data is Used
It's a legal requirement to tell shoppers how you are using their personal data.
Magna-Tiles provides a straightforward list of the ways the store uses personal information. The list format makes the clause easier to read and understand:
Similarly, UK-based WooCommerce store Earthbound provides users with a list of how the store uses information. The shop also includes a brief sentence on retention periods since there is no separate clause about this:
Information Shared with Third Parties
As a WooCommerce store owner, it's likely that you share some information with third party payment processors. There may also be other third parties who can access your shoppers' personal data. It's important to advise your customers who their data is shared with and why.
The third parties probably have their own Privacy Policies explaining how personal data is processed. It's a good idea to provide a link to these policies so that your users can access them easily should they wish to.
You should also inform users whether or not you sell their personal information.
Earthbound starts by advising customers that the company doesn't sell or rent personal information to third parties.
The WooCommerce store goes on to explain that information will be passed to third parties working on the store's behalf - such as payment processors:
Nordic Ware offers a short and simple clause to explain what is shared with third parties. The store states personal data is only disclosed if the user consents or the disclosure is required by law:
How Personal Data is Protected
Clothing retailer Friend of Franki explains that internal and external access to personal information is restricted and only shared on a 'need to know' basis:
Strandberg Guitars informs users that the store aims to encrypt personal data to prevent it being misused:
Skincare shop Sodashi has a thorough security clause which details how the store keeps personal data safe. The shop advises that all personal information is encrypted by secure server software.
Part of this clause also attempts to limit the store's liability by explaining that 'no transmission over the Internet or storage of information on servers...can be guaranteed to be absolutely secure':
Cookies are small data files that websites use to store bits of information about users in between visits. They are commonly used to personalize and improve a user's experience - but they can also be used for targeted advertising.
The final paragraph of the clause tells users that they have the choice to accept or decline cookies.
However, the store warns users that some features won't function as well without cookies:
The GDPR gives users rights over their personal data. These include: the right to access information, withdraw consent, delete data, correct inaccurate information, object to processing, restrict processing, as well as the right to data portability. Users also have rights relating to their data being used for profiling and automatic decision making.
Yubico advises users of all of these rights and informs customers that they can file a complaint if they believe their personal data has been processed in a way that doesn't comply with the law:
Wool Couture uses a list format to inform users of their rights:
Do Not Track (DNT) Clause for California Users
Some users change the settings on their browsers to opt-out of companies tracking their online behavior - this is known as 'Do Not Track.'
If your WooCommerce store sells to residents of California, it's a legal requirement under CalOPPA to have a DNT disclosure clause.
CalOPPA states that this clause must advise users how your website responds to users making DNT requests via their browser and whether or not your website abides by the DNT setting.
It's important to note that websites are not required to respond to DNT requests or to meet the demands of the request. However, websites are required to notify users of how they handle such requests.
Matt D'Avella states that the company does follow DNT signals when the user enables them:
Contrastingly, Clearsale states that the company does not abide by DNT signals:
Payment Processing and Third Party Processors
Sodashi explains that various third party payment processors are used to process customers' payments. The store advises who the third parties are and informs the user that they will be redirected to the third party site for payment. Once this has happened, the user is governed by the policies of the third party:
Helpfully, the WooCommerce shop provides users with links to both third parties' Privacy Policies:
This clause simply needs to state how users can contact you if they have any queries.
Strandberg Guitars provides the store's postal address, email address and telephone number:
Magna-Tiles provides the store's email address and telephone number:
- Answer a few questions about your business:
- Enter the country and click on the "Next Step" button:
Here is an example of a footer link by Henry J Socks:
Account Sign-up Page
You can also take this opportunity to get customers to agree to the terms in your legal policies. The favored way of gaining consent from users is the 'clickwrap' method.
Clickwrap requires users to complete an action - such as ticking an "I agree" box stating they agree to the site's policies - to confirm they consent to your terms.