There's a lot to do when you set up your WooCommerce store. However, you shouldn't let creating a Privacy Policy fall by the wayside.

It's essential that your shop has a well-drafted Privacy Policy to ensure you comply with the law, limit your risk and maintain the trust of your customers.


What is a Privacy Policy?

A Privacy Policy sets out the way a website collects, uses, stores and shares personal data.

Personal data is anything that could possibly be used to identify an individual. This includes but isn't by any means limited to names, email addresses, home addresses, telephone numbers, date of birth, payment information and even IP addresses.

Privacy Policies also inform users what control they have over the data the website collects, for example, their rights to edit or delete held data.

Why Your WooCommerce Store Needs a Privacy Policy

Why Your WooCommerce Store Needs a Privacy Policy

Collection of Personal Data

Your WooCommerce store will inevitably collect personal information from customers. This could be in the form of billing and shipping details, as well as email addresses and IP addresses.

If your store uses third party payment processors (who collect data on your behalf) it's important to explain this in your Privacy Policy.

It is a legal requirement to have a Privacy Policy if you collect personal data from users.

Laws Affecting Your Store

Here's a brief overview of laws that may affect your shop:

The GDPR was enacted by the EU, however it does not only apply to businesses within the EU. The GDPR affects all e-commerce shops which sell goods and services to EU customers - even if the store is based outside of the EU.

If your WooCommerce store processes or collects the personal data of EU residents, the GDPR applies to you.

The GDPR states that personal data should be secured and kept up to date. The regulation also requires companies to be transparent about how and why they use the data. In other words, you need a Privacy Policy.

Additionally, the regulation gives consumers rights over the way their data is processed.

CalOPPA from California applies even when businesses have no physical presence in California. If your WooCommerce store is collecting personal data from Californian residents you need to ensure you comply with CalOPPA.

Basically, if any of your store's users live in California, this law applies to you.

CalOPPA states that you must have a distinctive link to your Privacy Policy. This means the policy should be a separate document or page and not be concealed in another page.

Along with the GDPR, CalOPPA is one of the strictest privacy laws in the World.

In Canada, PIPEDA requires businesses who collect consumer data to have clear and accessible Privacy Policies.

PIPEDA applies to your WooCommerce shop if you sell goods or services to Canadian customers.

As a store owner, it's your responsibility to ensure your WooCommerce shop meets the legal requirements of the countries your shoppers live in.

All of the above laws require any business that processes personal data to have a Privacy Policy, which should be well-drafted and easy for customers to find.

Build Trust and Limit Your Risk

A Privacy Policy will help to avoid misunderstandings. However, if a dispute does occur, your Policy can help to limit your risk - particularly if a customer takes your WooCommerce shop to court over an issue concerning their personal data.

It's true that a Privacy Policy creates a legal safety net, but it's so much more than that.

It's also an opportunity to build trust with your customers and exceed their expectations by emphasizing how you keep personal data secure.

What You Should Include in Your Privacy Policy

What You Should Include in Your Privacy Policy

Your Privacy Policy should include what personal data you collect, how you use the data, how you will keep the data secure, if you share any of the data with third parties, the customer's rights regarding the data you collect and how users can contact you with any questions or complaints.

This can be broken down into the following clauses:

What Personal Information Your Store Collects, and How

An ideal way to start your Privacy Policy is to explain what personal data your store collects and how you collect it. Make sure you include all of the types of data you collect as this transparency will help protect you in the event of a dispute.

WooCommerce shop Wool Couture explains what types of personal information the retailer collects in this clause:

Wool Couture Privacy Policy: What Information do we collect clause

Similarly, retailer Henry J Socks explains what types of personal data the store collects. It also discloses to users how their data is collected:

Henry J Socks Privacy Policy: Data Collected and How we Collect Data clauses

The store goes on to make a distinction between data that customers freely provide and data that is collected automatically by the site.

For example, if a customer emails your shop they have voluntarily provided you with their email address. Whereas a user's IP address is likely to be automatically collected as soon as they access your store's page:

Henry J Socks Privacy Policy: Data given to us by you and Data collected automatically clauses

French retailer Minipop advises users what the store collects, coupled with a brief explanation of why. For example, the store collects data about the products that the shopper's view so that it is able to customize the shoppers experience.

The store also advises what personal information it requests customer's to provide and why:

Minipop Privacy Policy: Using WooCommerce clause

How Long Personal Data is Stored

The purpose of this clause is to inform users how long you will keep their personal information and the reasons for retaining it.

Chuckling Goat advises how long personal data is usually stored for. The store states that customer's data will be kept for a 'reasonable period of time' after customers stop using the services. The shop also advises that data on the shop's 'prospect database' will never be retained for longer than 3 years:

Chuckling Goat Privacy and Cookies: Data retention clause

Henry J Socks does not specify an exact time frame, but the shop says it will hold data for as long as is necessary or until the user requests that their data is deleted:

Henry J Socks Privacy Policy: Data retention clause

Wool Couture offer a simple and easy to understand clause which advises how long it stores personal data:

Wool Couture Privacy Policy: Retention Periods clause

How Personal Data is Used

It's a legal requirement to tell shoppers how you are using their personal data.

Magna-Tiles provides a straightforward list of the ways the store uses personal information. The list format makes the clause easier to read and understand:

Magna-Tiles Privacy Policy: Information Use clause

Similarly, UK-based WooCommerce store Earthbound provides users with a list of how the store uses information. The shop also includes a brief sentence on retention periods since there is no separate clause about this:

Earthbound Privacy Policy: How information is used clause

Information Shared with Third Parties

As a WooCommerce store owner, it's likely that you share some information with third party payment processors. There may also be other third parties who can access your shoppers personal data. It's important to advise your customers who their data is shared with and why.

The third parties probably have their own Privacy Policies explaining how personal data is processed. It's a good idea to provide a link to these policies so that your users can access them easily should they wish to.

You should also inform users whether or not you sell their personal information.

Wool Couture's Privacy Policy does not name any specific third parties, but the retailer reassures shoppers that their data will only be shared with trusted suppliers:

Wool Couture Privacy Policy: Who do we share your personal information with clause

Earthbound starts by advising customers that the company doesn't sell or rent personal information to third parties.

The WooCommerce store goes on to explain that information will be passed to third parties working on the store's behalf - such as payment processors:

Earthbound Privacy Policy: Who has access to your information clause

Nordic Ware offers a short and simple clause to explain what is shared with third parties. The store states personal data is only disclosed if the user consents or the disclosure is required by law:

Nordic Ware Privacy Policy: Disclosure of personal information clause

How Personal Data is Protected

It's essential that your WooCommerce store has a method of keeping shopper's data secure. Your methods should be explained in your Privacy Policy, even just in brief.

Clothing retailer Friend of Franki explains that internal and external access to personal information is restricted and only shared on a 'need to know' basis:

Friend of Franki Privacy Policy: Security of Personal Information clause

Strandberg Guitars informs users that the store aims to encrypt personal data to prevent it being misused:

Strandberg Guitars Privacy Policy: Security clause

Skincare shop Sodashi has a thorough security clause which details how the store keeps personal data safe. The shop advises that all personal information is encrypted by secure server software.

Part of this clause also attempts to limit the store's liability by explaining that 'no transmission over the Internet or storage of information on servers...can be guaranteed to be absolutely secure':

Sodashi Skincare Privacy Statement: Security clause

Use of Cookies

Cookies are small data files that websites use to store bits of information about users in between visits. They are commonly used to personalize and improve a user's experience - but they can also be used for targeted advertising.

A cookie clause is important to include if your WooCommerce store uses cookies and does not have a separate Cookies Policy. Even if your store does have a separate Cookies Policy, it's still a good idea to include a brief cookies clause in your Privacy Policy, coupled with a link to your Cookies Policy.

This clause is crucial if your shop sells to any EU citizens because the EU Cookies Directive makes it a legal requirement to disclose the use of cookies to customers. This law also states that you must give users the right to refuse cookies.

WooCommerce store Good Dye Young explains that the store uses cookies to personalize shopper's experiences. The retailer makes it clear that the user has the ability to accept or decline cookies:

Good Dye Young Privacy Policy: Use of Cookies clause

Wool Couture explains that the shop uses cookies to monitor how many times a shopper visits the website, traffic data and see what pages they use. This enables the store to personalize the user's experience and build a profile of users.

The final paragraph of the clause tells users that they have the choice to accept or decline cookies.

However, the store warns users that some features won't function as well without cookies:

Wook Couture Privacy Policy: Use of Cookies clause

Department of Coffee's Privacy Policy explains what cookies are, how they're used and how shoppers can prevent the use of cookies:

Department of Coffee Privacy Policy: Cookies clause

User Rights

Your Privacy Policy should contain a clause informing users of their rights.

The GDPR gives users rights over their personal data. These include: the right to access information, withdraw consent, delete data, correct inaccurate information, object to processing, restrict processing, as well as the right to data portability. Users also have rights relating to their data being used for profiling and automatic decision making.

Yubico advises users of all of these rights and informs customers that they can file a complaint if they believe their personal data has been processed in a way that doesn't comply with the law:

Yubico Privacy Notice: Your Rights and the Right to File a Complaint clause

Wool Couture use a list format to inform users of their rights:

Wool Couture Privacy Policy: GDPR Rights clause

Department of Coffee has an extremely thorough section on user rights in the store's Privacy Policy. The sub-clauses go into great detail about each individual user right and the laws granting each right. For example, this is the shop's clause on the right to erasure:

Department of Coffee Privacy Policy: Right to erasure clause

Do Not Track (DNT) Clause for California Users

Some users change the settings on their browsers to opt-out of companies tracking their online behavior - this is known as 'Do Not Track.'

If your WooCommerce store sells to residents of California it's a legal requirement under CalOPPA to have a DNT disclosure clause.

CalOPPA states that this clause must advise users how your website responds to users making DNT requests via their browser and whether or not your website abides by the DNT setting.

It's important to note that websites are not required to respond to DNT requests or to meet the demands of the request. However, websites are required to notify users of the same.

Matt D'Avella states that the company does follow DNT signals when the user enables them:

Matt DAvella Privacy Policy: DNT clause

Contrastingly, Clearsale states that the company does not abide by DNT signals:

Clearsale Privacy Policy: DNT CalOPPA clause

Payment Processing and Third Party Processors

Sodashi explains that various third party payment processors are used to process customer's payments. The store advises who the third parties are and informs the user that they are redirected to the third party site for payment. Once this has happened, the user is governed by the policies of the third party:

Sodashi Skincare Privacy Statement: Payment and third-party services clause

Minipop's Privacy Policy contains a short clause advising that the store uses Paypal and Stripe to process payments.

Helpfully, the WooCommerce shop provides users with links to both third parties Privacy Policies:

Minipop Privacy Policy: Payments clause

Contact Information

This clause simply needs to state how users can contact you if they have any queries.

Strandberg Guitars provides the store's postal address, email address and telephone number:

Strandberg Guitars Privacy Policy: Contact clause

Magna-Tiles provides the stores email address and telephone number:

Magna-Tiles Privacy Policy: Contact Information clause

How to Create a Privacy Policy

FreePrivacyPolicy: Privacy Policy Generator - Steps How to Create Privacy Policy

Our Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display.

  1. Start the Free Privacy Policy Generator, located at the top of the website.
  2. Select where your Privacy Policy will be used:
  3. FreePrivacyPolicy: Privacy Policy Generator - Select where your Privacy Policy will be used - Step 1

  4. Answer a few questions about your business:
  5. FreePrivacyPolicy: Privacy Policy Generator - Answer a few questions about your business - Step 2

  6. Add your website or app information:
  7. FreePrivacyPolicy: Privacy Policy Generator - Add your website or app information - Step 3

  8. Answer a few questions about what information you collect from your users:
  9. FreePrivacyPolicy: Privacy Policy Generator -  What information you collect - Step 4

  10. Select options for how your users can contact you:
  11. FreePrivacyPolicy: Privacy Policy Generator - How your users can contact - Step 5

  12. Select whether or not you wish to create a Professional Privacy Policy that would include wording for GDPR and CalOPPA:
  13. FreePrivacyPolicy: Privacy Policy Generator - Select what Privacy Policy you want to create - Step 6

  14. Enter your email address where you'd like your new Privacy Policy sent:
  15. FreePrivacyPolicy: Privacy Policy Generator - Enter your email address - Step 7

  16. Click Create Privacy Policy and you're done. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.
  17. FreePrivacyPolicy: Privacy Policy Generator - Copy or link to your hosted Privacy Policy - Step 8


Where to Display Your Privacy Policy and How to Get Agreement For it

Where to Display Your Privacy Policy and How to Get Agreement For it

There are a few ways to display your Privacy Policy and it's best to combine them. You also need to make sure that people have agreed to your Privacy Policy.

This is an ideal place to display your Privacy Policy as website users expect to find legal policies here and all users are able to access these links. However, you shouldn't solely rely on footer links since customers do not have to consent to them.

Here is an example of a footer link by Henry J Socks:

Henry J Socks website footer with Cookies and Privacy link highlighted

Account Sign-up Page

If you require users to create an account you should place a link to your Privacy Policy on the sign-up page. This ensures anyone signing up sees your Privacy Policy and can access it if they wish.

You can also take this opportunity to get customers to agree to the terms in your legal policies.The best way of gaining consent from users is via the 'clickwrap' method.

Clickwrap requires users to complete an action - such as ticking an "I agree" box - to confirm they consent to your terms.

Amazon links its Privacy Policy on the sign-up page. The company uses the clickwrap method to gain customer consent:

Amazon Create Account form with Conditions of Use and Privacy Notice highlighted

Checkout Page

Displaying your Privacy Policy at checkout is a great way to make sure all customers see the Policy. This is also an ideal place to use a checkbox agreement.

Henry J Socks uses a tick box agreement at checkout which ensures customers have agreed to the shop's Terms and Condition. The same format can be used with your Privacy Policy:

Henry J Socks Complete Order button with Agree to Terms and Conditions checkbox

Summary

Overall, a Privacy Policy is essential for your WooCommerce store as it is a legal requirement for any website that processes personal data.

Once you have created a Privacy Policy you need to make sure users actually consent to it as this will help to protect you in a legal dispute.

The favored way to gain consent from users is via the clickwrap method, which usually requires users to check a box stating they agree to the site's policies.