Are you the operator of an online shop? Then you are certainly already familiar with the legal hurdles – especially with regard to cookies. Making your own online shop legally compliant without much effort and thus avoiding warnings from competitors and high fines – that’s certainly also your dream.
But unfortunately, the whole thing is not so easy to implement in reality because the General Data Protection Regulation (GDPR) does not stop at online shops and WooCommerce – on the contrary. And maybe that’s exactly the reason why you’ve landed here with us 😉
In this article we bring that dream a little closer, as we explain which cookies WooCommerce sets and how you can manage them in line with the GDPR.
WooCommerce – what is it?
WooCommerce is a plugin developed specifically for WordPress that lets you build an online shop. For many shop owners it is a real blessing, because programming skills are optional rather than required.
The shop plugin is by far the most popular in its field, with several million active installations. It is highly customisable and extensible, and any number of products can be created and managed.
In principle, WooCommerce is free of charge. In order for the developers to earn a penny or two for their work, there are paid extensions to the basic version.
In addition, the functions of the WordPress plugin are designed to be very intuitive and beginner-friendly. These include:
- Create products and filter categories
- Use of vouchers and discounts on products
- Specification of weight, size, material, colours, etc.
- Shipping settings
- Payment settings (PayPal, credit card, cheque, etc.)
- Create customer accounts
Roughly summarised, web cookies are small pieces of data that a website stores in the visitor's browser, such as a session identifier, the chosen language or personal settings.
Cookies are stored on the device of the respective visitor when he or she visits a website. On every later request to that website, the browser automatically sends the cookie back, so the site can recognise the visitor and reuse the stored information. Thus, the visitor does not have to set the language of the website again, for example.
The topic of “cookies” is quite multifaceted. Detailed information about cookies on the internet, different types of cookies, the difference between first and third party cookies are summarised in separate articles.
You can also read in the respective articles what you, as a website operator, must observe with regard to data protection.
WooCommerce, as an online shopping system, sets cookies to provide your website visitors with common online shopping features. Keep in mind that not only WooCommerce itself, but also add-ons for WooCommerce can set cookies, for which you may need to obtain consent. Since we do not know which add-ons you use exactly, we can only discuss below which cookies WooCommerce itself sets.
The cookies mentioned below are HTTP cookies, unless otherwise stated.
wc_cart_hash_* (as a local storage object)
- This cookie is a so-called session cookie. This type of cookie expires as soon as the browser is closed.
- The cookie helps WooCommerce to save changes to data in the shopping cart.
- The duration, type and purpose of this cookie are the same as for the previous one.
- It stores which products are in the shopping cart
- This cookie contains a code for each individual customer. Thus, WooCommerce knows where the shopping cart data can be found in the database for each customer.
- The lifetime of this cookie is two days in the default settings.
- This WooCommerce cookie is again a session cookie. With the help of this cookie, a widget can be displayed that allows you to view recently viewed products.
- This session cookie is responsible for avoiding asking again after hiding a shop message
According to WooCommerce's own information, these cookies do not store any personal data. Under the EU ePrivacy Directive, however, whether personal data is stored is not what decides whether you need consent: storing or reading any information on the visitor's device requires consent unless the cookie is strictly necessary for a service the visitor has explicitly requested (for example, keeping the shopping cart).
- This cookie, which has a lifetime of two days, allows the shop administrator to reject suggestions for their own shop in the WordPress dashboard.
- With a life span of 1 year, this cookie is definitely the most durable.
- This cookie is responsible for storing the number of rejected proposals from WooCommerce in the WordPress backend.
- This session cookie stores randomly generated pseudonymous IDs. The IDs are only used within the dashboard area (/wp-admin) and serve to track the use of WooCommerce, if usage tracking has been activated.
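The lifetimes described above (session cookie versus a fixed number of days) can be verified against your own shop by looking at the Set-Cookie headers it sends. The following is an added example written for this article; it is not code from WooCommerce or from the original post. It parses Set-Cookie headers, decides whether each cookie is a session or persistent cookie, computes the lifetime in days and flags missing Secure, HttpOnly and SameSite attributes. The sample headers are constructed for illustration: the cookie names follow WooCommerce's naming, but the values, expiry dates and attributes are made up and are not what your shop will necessarily send.

```javascript
// Added example: audit Set-Cookie headers for lifetime and security attributes.
// Not part of WooCommerce; the sample data below is constructed.

// Constructed sample headers. Names are modelled on WooCommerce cookies, but
// values, Expires/Max-Age and flags are invented for the demonstration.
const SAMPLE_SET_COOKIE_HEADERS = [
  "woocommerce_cart_hash=3f2a9c; path=/; SameSite=Lax",
  "woocommerce_items_in_cart=1; path=/; SameSite=Lax",
  "wp_woocommerce_session_8d1b=t_abc%7C%7C1700000000; expires=Tue, 14 Nov 2023 22:13:20 GMT; path=/; HttpOnly; SameSite=Lax",
  "woocommerce_recently_viewed=42%7C17; path=/",
  "wc_hide_suggestions=1; Max-Age=31536000; path=/wp-admin; Secure; HttpOnly; SameSite=Strict",
];

// Parse one Set-Cookie header into name, value and the attributes we care about.
// Attribute names are case-insensitive (RFC 6265), so they are lower-cased.
function parseSetCookie(header) {
  const [nameValue, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: eq === -1 ? nameValue : nameValue.slice(0, eq),
    value: eq === -1 ? "" : nameValue.slice(eq + 1),
    maxAge: null,
    expires: null,
    path: "/",
    secure: false,
    httpOnly: false,
    sameSite: null,
  };
  for (const part of attrParts) {
    const [rawKey, ...rest] = part.split("=");
    const key = rawKey.trim().toLowerCase();
    const val = rest.join("=").trim(); // an Expires date never contains '=', but be safe
    if (key === "max-age") cookie.maxAge = Number(val);
    else if (key === "expires") cookie.expires = new Date(val);
    else if (key === "path") cookie.path = val;
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = val;
  }
  return cookie;
}

// Lifetime in seconds. Per RFC 6265, Max-Age takes precedence over Expires.
// A cookie with neither attribute is a session cookie (returns null).
function lifetimeSeconds(cookie, now = new Date()) {
  if (cookie.maxAge !== null && !Number.isNaN(cookie.maxAge)) return cookie.maxAge;
  if (cookie.expires !== null && !Number.isNaN(cookie.expires.getTime())) {
    return Math.round((cookie.expires.getTime() - now.getTime()) / 1000);
  }
  return null;
}

// Classify a cookie and collect the warnings a security review would raise.
function classify(cookie, now) {
  const secs = lifetimeSeconds(cookie, now);
  const warnings = [];
  if (!cookie.secure) warnings.push("no Secure flag (sent over plain HTTP too)");
  if (!cookie.httpOnly) warnings.push("no HttpOnly flag (readable by JavaScript)");
  if (!cookie.sameSite) warnings.push("no SameSite attribute (browser default applies)");
  return {
    name: cookie.name,
    kind: secs === null ? "session" : "persistent",
    lifetimeDays: secs === null ? 0 : secs / 86400,
    warnings,
  };
}

// Audit a list of Set-Cookie headers; `now` is injectable so Expires-based
// lifetimes are reproducible.
function auditSetCookieHeaders(headers, now = new Date()) {
  return headers.map((h) => classify(parseSetCookie(h), now));
}

console.table(auditSetCookieHeaders(SAMPLE_SET_COOKIE_HEADERS));
```

To run this against a real shop, replace the constructed array with the `set-cookie` headers from a response (for example the `set-cookie` lines of `curl -i https://your-shop.example/?add-to-cart=...` after substituting a real product ID). Note that WooCommerce's cart hash and fragment data are deliberately readable by the shop's own JavaScript, so an HttpOnly warning on those entries is expected rather than a defect; the lifetime column is the part that should match the durations listed above.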
Is WooCommerce compliant with the GDPR?
Since high fines can be imposed in the event of data protection violations, the question of data protection compliance when using WooCommerce is justified. In the following, we therefore take a closer look at the data protection compliance of the e-commerce plugin.
🇺🇸 Data transmission to the USA: No problem!
WooCommerce is developed by Automattic, which is headquartered in San Francisco, USA. The USA is considered an unsafe third country in the EU with a poor level of data protection, especially after the end of the Privacy Shield (the agreement between the USA and the EU that regulated data transfers). Therefore, data transfer to the USA is generally only permitted with the opt-in consent of the shop visitor.
But that is not a problem in the case of WooCommerce, because WooCommerce is a WordPress plugin that is installed completely on your own WordPress website. All data is processed on your web space, not in a cloud that may be operated by the manufacturer.
This means that as long as you do not explicitly activate features that connect to external services (such as the usage tracking mentioned above), WooCommerce itself forwards no data to the USA for processing there. So that is one issue fewer than with hosted alternatives such as Shopify!
⚖️ No adaptation to country-specific legal requirements
In terms of the USA, however, there is another problem: WooCommerce is primarily designed for the US market. Out of the box, for example, the plugin does not meet the legal requirements that apply to online shops in Germany under EU data protection law. As a result, shop newcomers are usually not aware of which legal pages and steps are required, such as general terms and conditions, the privacy policy, consent when ordering or cookie notices.
The Germanized for WooCommerce extension is intended to remedy this.
Just like WooCommerce, the extension tailored for the German market is also free in the basic version. With more than 80,000 active installations, the plugin is equally popular. Among other things, the shop extension covers the following criteria:
- Sample texts for legal texts (e.g. general terms and conditions, cancellation policy)
- Shipping settings (e.g. delivery times, shipping service provider)
- Calculation of taxes
- Multi-level checkout
With this, you can solve many legal risks when operating a WooCommerce online shop in or for Germany in one fell swoop!
✅ Double-Opt-in function
The Germanized for WooCommerce extension offers a double opt-in function when creating a customer account. This means that the customer receives an email with a confirmation link when registering. Clicking on the link activates the account. This is how the GDPR likes it 😉
WooCommerce itself also offers further GDPR-related functions, such as deleting personal data at the customer's request, anonymising orders and creating a simple export of a customer's data.
For more important criteria you should cover, see our article on the usefulness of privacy statement generators.
How to use WooCommerce in a GDPR-compliant way
You think that’s all? The applicable data protection laws have even more requirements in store for you!
🤝 Order processing contract
Commissioned processing (formerly: commissioned data processing) covers the case where a website operator engages an external company to process user data on its behalf. The purpose of the contract is to bind that company contractually to process the data in a manner that complies with data protection law.
In summary, an order processing contract regulates the data protection-compliant handling of customer data by your service providers.
In some countries it is even necessary to create a data protection concept and to define and appoint data protection officers. The European Commission’s website can help you with this.
In any case, you should conclude a processing contract with your web hosting provider, because their servers process data for you on your webspace. It is also advisable to conclude an order processing contract if you use Google Analytics, for example. But shipping service providers also usually need access to customer data. Therefore, check which services require such an agreement. As a rule, these providers already offer standard contracts that you only need to sign.
The basis for the order processing contract is Article 28 of the GDPR.
As a shop owner, you are certainly extremely interested in tracking valuable data about your visitors to optimise your shop on the basis of this data. In the course of this, you have certainly already flirted with the Google Analytics analysis tool. Or perhaps you would like to integrate a fancy Google Maps map.
But unfortunately, data protection throws a spanner in the works here too, because as soon as personal data are involved (and Google of course likes to collect them), things get tricky. As a rule, the collection, processing and storage of such data may not take place without the active and informed consent of the visitor. This is exactly what happens when tracking tools are used in your WooCommerce shop.
Incidentally, the same also applies to the Google Analytics plugin MonsterInsights. Which is why it – just like Google Analytics – is only supposedly compliant with the GDPR. In our article on the privacy-compliant use of MonsterInsights, we tell you how you can integrate Google Analytics in a privacy-compliant way and with a pleasant interface.
The quickest and easiest way to implement such an opt-in procedure is with the help of a cookie consent tool, such as Real Cookie Banner for WordPress. Real Cookie Banner already takes care of the tedious setup of the WooCommerce service, so you can configure it within a few clicks.
Without much work, you can use your GDPR-compliant cookie banner for your WooCommerce shop, obtain, manage and document opt-in consents to set non-essential cookies.