WooCommerce GDPR compliance — a practical guide

This guide is general educational information, not legal advice. Whether your store is compliant depends on your full setup. Consult a qualified adviser for your situation.

GDPR compliance for a WooCommerce store comes down to a few practices: collect only the data you need, get proper consent for anything beyond fulfilling the order, keep that consent unbundled from accepting the terms, and honour subject rights such as access and erasure. WooCommerce gives you export and erase tools, but it does not make a store compliant by itself: your privacy policy, your data processors and your configuration all matter. This guide covers the parts you control at checkout.

What GDPR actually asks of a store

GDPR is broad, but for a typical WooCommerce store the day-to-day obligations are manageable. The recurring themes are: have a lawful basis for the data you hold, collect only what you need, be transparent about it, get valid consent where consent is the basis, and let people exercise their rights. Fulfilling an order is usually covered by performance of a contract (Article 6(1)(b)); marketing to that person afterwards generally needs consent.

Data minimisation at checkout

Every field you collect is data you must justify and protect. A checkout that asks for a company name, a second phone number and a date of birth “just in case” is collecting data it does not need. Trim the checkout to what the order actually requires; a field editor that lets you remove fields is a privacy tool as much as a UX one.

Consent done properly: Article 7(2)

The consent rule that catches most stores is bundling. GDPR Article 7(2) says that where consent is requested in a written declaration that also concerns other matters, the request must be presented in a manner clearly distinguishable from those other matters, in an intelligible and easily accessible form, using clear and plain language. In plain terms: do not roll “I accept the terms” and “send me marketing” into one checkbox. The marketing opt-in should be a separate checkbox and must not be pre-ticked; Recital 32 states that pre-ticked boxes do not constitute consent.

It also helps to record what was consented to, and which version of your policy applied at the time, so you can demonstrate the consent later. Article 7(1) requires the controller to be able to demonstrate that the data subject consented, so a record with the opt-in state, the policy version and a timestamp is what you want to have kept.

Subject rights: access and erasure

People can ask what data you hold and ask you to delete it. WooCommerce includes personal-data export and erase tools that cover the order data it manages; they run through the WordPress privacy tools under Tools → Export Personal Data and Tools → Erase Personal Data, and WooCommerce’s Accounts & Privacy settings decide whether its own order data is removed or retained on request, so check those. Make sure any checkout add-ons register their own data with the same tools, so an erasure request does not leave records stranded in a plugin’s own tables.
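As an added example (not WooCommerce’s or Asteris Cart’s code), here is how a checkout add-on that keeps consent records in its own table would register an exporter and an eraser with the WordPress privacy tools that the WooCommerce export and erase screens use. The table name `{prefix}example_consent_log`, its columns and the `example_` function names are hypothetical; the two filters, the callback signatures and the return shapes are WordPress core’s.

```php
<?php
// Added example, not WooCommerce's or Asteris Cart's code.
// Assumptions: a hypothetical table {prefix}example_consent_log with columns
// id, email, policy_version, marketing_opt_in, consented_at.

// Register with the "Export Personal Data" tool.
add_filter('wp_privacy_personal_data_exporters', function (array $exporters): array {
    $exporters['example-consent-log'] = [
        'exporter_friendly_name' => 'Example checkout consent log',
        'callback'               => 'example_consent_exporter',
    ];
    return $exporters;
});

// Register with the "Erase Personal Data" tool.
add_filter('wp_privacy_personal_data_erasers', function (array $erasers): array {
    $erasers['example-consent-log'] = [
        'eraser_friendly_name' => 'Example checkout consent log',
        'callback'             => 'example_consent_eraser',
    ];
    return $erasers;
});

/**
 * Exporter callback. WordPress calls it with an increasing $page until 'done' is true,
 * so return a bounded batch each time rather than every row at once.
 */
function example_consent_exporter(string $email, int $page = 1): array
{
    global $wpdb;
    $table  = $wpdb->prefix . 'example_consent_log';
    $limit  = 100;
    $offset = ($page - 1) * $limit;

    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, policy_version, marketing_opt_in, consented_at
               FROM {$table} WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
            $email, $limit, $offset
        )
    );

    $items = [];
    foreach ($rows as $row) {
        $items[] = [
            'group_id'    => 'example_consent',
            'group_label' => 'Checkout consent records',
            'item_id'     => 'consent-' . $row->id,
            'data'        => [
                ['name' => 'Policy version',   'value' => $row->policy_version],
                ['name' => 'Marketing opt-in', 'value' => $row->marketing_opt_in ? 'yes' : 'no'],
                ['name' => 'Consented at',     'value' => $row->consented_at],
            ],
        ];
    }

    return ['data' => $items, 'done' => count($rows) < $limit];
}

/**
 * Eraser callback. Deletes every consent row for the address and reports what happened;
 * 'items_retained' plus a message is the mechanism for rows you are told you must keep.
 */
function example_consent_eraser(string $email, int $page = 1): array
{
    global $wpdb;
    $table   = $wpdb->prefix . 'example_consent_log';
    $deleted = $wpdb->delete($table, ['email' => $email], ['%s']); // rows removed, or false on error

    return [
        'items_removed'  => (bool) $deleted,
        'items_retained' => false,
        'messages'       => $deleted === false ? ['Consent log could not be erased; retry.'] : [],
        'done'           => true,
    ];
}
```

The paging contract matters: both tools keep calling the callback with the next page until `done` is true, so an exporter that returns everything on every page never finishes. If an adviser says certain records must survive an erasure request, set `items_retained` to true and say why in `messages`, which the administrator sees against the request; do not silently skip rows. Querying and deleting by e-mail address is the right join key because that is what the WordPress request carries.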

Privacy-respecting records

Storing raw IP addresses against consent records is more personal data than you usually need. A hash of the IP keeps a verifiable record, since you can recompute it from the raw address if a dispute ever requires it, without retaining the raw identifier. One caveat: a salt stored beside the record does not stop someone holding a copy of the table from enumerating the 2^32 IPv4 addresses, so key the hash with a secret kept outside the database. Even then the result is pseudonymised rather than anonymous, because you can still re-identify it with the key; it is still a smaller and safer thing to hold than the address itself.
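As an added example, not Asteris Cart’s code, the following shows the hashed-IP consent record the text describes, with canonicalisation so that differently written forms of the same address hash identically, and the later verification step. It uses an HMAC under a secret key rather than a salt stored next to the record, for the reason given above. The key value, the record fields and the function names are assumptions; in a real store the key would be a random secret defined in wp-config.php rather than a literal.

```php
<?php
declare(strict_types=1);
// Added example, not Asteris Cart's or WooCommerce's code. The key literal below is a
// stand-in for a random secret that lives outside the database (e.g. a wp-config.php
// constant); the record shape and function names are hypothetical.

/**
 * Canonical binary form of an IP so that "203.0.113.7", " 203.0.113.7 " and
 * "::ffff:203.0.113.7" all produce the same token. Returns null for unparseable input.
 */
function consent_ip_canonical(string $ip): ?string
{
    $packed = inet_pton(trim($ip));
    if ($packed === false) {
        return null;
    }
    // Fold IPv4-mapped IPv6 (::ffff:a.b.c.d) back to the 4-byte IPv4 form.
    if (strlen($packed) === 16 && substr($packed, 0, 12) === str_repeat("\0", 10) . "\xff\xff") {
        $packed = substr($packed, 12);
    }
    return $packed;
}

/**
 * Keyed hash (HMAC-SHA256) of the canonical IP. Without the key, a copy of the consent
 * table cannot be reversed by enumerating the IPv4 space; with it, the controller still can.
 */
function consent_ip_token(string $ip, string $key): ?string
{
    $canon = consent_ip_canonical($ip);
    return $canon === null ? null : hash_hmac('sha256', $canon, $key);
}

/** Later verification: recompute from the presented IP and compare in constant time. */
function consent_ip_matches(string $ip, string $token, string $key): bool
{
    $computed = consent_ip_token($ip, $key);
    return $computed !== null && hash_equals($token, $computed);
}

/** The record the text asks for: what was agreed, under which policy version, when, and a pseudonymised IP. */
function build_consent_record(string $email, bool $marketingOptIn, string $policyVersion, string $ip, string $key): array
{
    return [
        'email'            => $email,
        'marketing_opt_in' => $marketingOptIn,
        'policy_version'   => $policyVersion,
        'consented_at'     => gmdate('c'),
        'ip_token'         => consent_ip_token($ip, $key), // null when the IP did not parse
    ];
}

if (PHP_SAPI === 'cli') {
    $key    = 'replace-with-a-random-32-byte-secret-kept-in-wp-config'; // hypothetical stand-in
    $record = build_consent_record('shopper@example.com', true, 'privacy-policy-2024-03', '203.0.113.7', $key);
    var_dump($record);
    var_dump(consent_ip_matches('::ffff:203.0.113.7', $record['ip_token'], $key));
    var_dump(consent_ip_matches('203.0.113.8', $record['ip_token'], $key));
}
```

Run from the command line, the first check matches because the IPv4-mapped form canonicalises to the same four bytes, and the second fails on a neighbouring address. Note that the key cannot be rotated without breaking verification of older records, so treat it like any other long-lived secret: generate it once with a CSPRNG, keep it out of the database and out of backups of the table, and restrict who can read the configuration file that holds it.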

How Asteris Cart helps

The GDPR Consent module is built around these practices: an unbundled marketing opt-in separate from the terms, shown to customers detected in the EU, EEA or UK, recorded with the policy version that applied, with salted hashed IPs and support for WooCommerce’s export and erase tools. The reasoning, and the limits of what software can do here, are in the wedge essay.

Software gives you the mechanism; it cannot give you a legal opinion about your store. For that, talk to a qualified adviser.

FAQ

Does WooCommerce handle GDPR for me? It provides export and erase tools, but it does not make a store compliant on its own.

What is an unbundled consent at checkout? A marketing opt-in that is a separate checkbox from accepting the terms (Article 7(2)) and is not pre-ticked (Recital 32).

Is this guide legal advice? No. It is general educational information; consult a qualified adviser.
