Privacy Policy for WooCommerce
04 May 2020
If you've recently started an ecommerce business using WooCommerce, you're going to be focused on sales, suppliers, and investment. But you have other important duties too, such as complying with privacy law.
Every online business must post a Privacy Policy that lets customers know how and why they need to process personal information. Failing to publish a Privacy Policy makes your business appear amateurish, and puts you in breach of the law.
In this article, you'll learn how to create a basic Privacy Policy for a WooCommerce-powered store, and what extra information you'll need to comply with the privacy laws of some major markets.
- 1. Does My WooCommerce Store Need a Privacy Policy?
- 2. What Should I Include In My WooCommerce Store Privacy Policy?
- 2.1. How You Collect Personal Information
- 2.2. How You Use Personal Information
- 2.3. How You Use Cookies
- 2.4. Third Parties With Whom You Share Personal Information
- 2.5. Contact Information
- 2.6. Additional Information By Region
- 2.6.1. United States
- 2.6.2. European Union and United Kingdom
- 2.6.3. Canada
- 2.6.4. Other Locations
- 3. How to Create a Privacy Policy for Your Website
- 4. How to Display Your Privacy Policy
- 4.1. Website Footer
- 4.2. Checkout Screen
- 4.3. Newsletter Signup Form
- 5. Summary
Does My WooCommerce Store Need a Privacy Policy?
Yes, your WooCommerce-powered store needs a Privacy Policy.
As an ecommerce business, you need to collect and process the personal information of your customers, your potential customers, and the visitors to your website.
Therefore, you're required by law to post a Privacy Policy that explains how and why you collect and use personal information.
What Should I Include In My WooCommerce Store Privacy Policy?
Your Privacy Policy must meet the requirements of whatever privacy laws apply where your customers live. This can get a little complicated, particularly if you have customers in multiple regions.
First, we'll run through the basic information that every Privacy Policy should contain. Then we'll look at some additional region-specific clauses you might need to include as well.
How You Collect Personal Information
Your Privacy Policy should explain how you collect personal information. You can also use this section of your Privacy Policy to identify all the different types of personal information you collect.
There are probably two main ways in which you collect personal information:
- When your users provide it to you voluntarily (e.g. via order forms, emails, etc.)
- When you collect it automatically (e.g. via cookies and analytics tools)
You might also receive personal information from third parties, such as social media channels or subsidiary companies.
Your users provide the following types of personal information to you voluntarily:
- Name
- Email address
- Phone number
- Username
- Password
- Shipping address
- Payment card details
- Billing address
Here's an example from ecommerce store Boodles:
Boodles explains that people might provide their personal information via the following channels:
- Filling in forms
- Via telephone
- Attending events
- Visiting Boodle stores
- Registering to use the website
- Entering a competition or promotion
- Reporting a problem with the site
- Contacting Boodle
- Placing an order
In addition to the personal information your customers provide to you, there's also the personal information you automatically collect from visitors to your website. The means by which you collect this type of personal information might include:
- Cookies, pixels, and web beacons
- Analytics
- Crash reporting
The types of personal information you collect in this way might include:
- IP address
- Cookie ID
- Device ID
- Operating system
- Browser type
- Website or app usage information
- Location
- Referral information (i.e. the website the visitor came from)
Here's an example from PhotoBite:
You might be surprised to see some of these types of data listed as "personal information." However, personal information is defined very broadly, especially in places such as California, Canada, and the EU.
Therefore, you should use your Privacy Policy to disclose any type of information you're collecting from your customers.
How You Use Personal Information
You should only collect personal information if you have a specific reason for collecting it. Your Privacy Policy should explain how you use every type of personal information you collect.
The table below describes some typical activities of an ecommerce business, together with the types of personal information it might need to collect for these purposes.
| Some typical activities of an ecommerce business: | Types of personal information it might need to collect for these purposes: |
| Communicating with a customer about their order or their customer service queries: | Name, email address, phone number |
| Processing a customer's order: | Name, shipping address, billing address, payment card details |
| Advertising: | Cookie ID, email address |
| Improving your website or app: | Analytics data, e.g. website usage |
| For security and fraud prevention: | IP address, cookie data |
| Setting up an account: | Username, password |
Here's how clothing retailer River Island explains some of the ways in which it uses personal information:
How You Use Cookies
If you use cookies to deliver personalized advertising, you should offer a little more information about how and why you do this. Your Privacy Policy should explain:
- What cookies are
- Why you use them
- What types of cookies you use
- Whether you use tracking cookies that can log user activity on other websites
- How long each type of cookie you use will remain on your users' device
- How users can disable cookies
Here's how Mary's Meals explains why the company uses cookies:
Many businesses publish a separate Cookies Policy for this purpose. However, you can use a section in your main Privacy Policy if you prefer unless you're required by law to do otherwise.
Third Parties With Whom You Share Personal Information
Practically every business needs to share personal information or to allow other companies to collect personal information on its behalf.
If you run a WooCommerce store, it's likely that your customers' personal information will be processed by third parties such as Wordpress, WooCommerce, and Stripe (which processes payments on behalf of WooCommerce Payments).
Think about the WordPress plugins you use that also collect personal information. For example, if you use a Google Analytics plugin, such as MonsterInsights, you should mention both service providers in your Privacy Policy.
You might also share personal information with:
- Email marketing companies such as MailChimp
- Online survey companies such as SurveyMonkey
- Mail carriers such as FedEx
Here's a section of a Privacy Policy from Scandanavian Diamonds, a WooCommerce retailer:
The business lists Wordpress, WooCommerce, Google Analytics, and MonsterInsights among the third parties with which it shares personal information.
You should also provide links to the Privacy Policies of your third-party service providers.
Here's how jewelry retailer Eileen Gatt does this:
Note that you don't necessarily have to identify your third parties service providers by name. It may be sufficient to list the types of third parties with which you share personal information (e.g. "payment processors," "mail carriers").
Contact Information
You should provide contact details for your company in case visitors have any questions about your privacy practices.
Here's an example from Kefi:
Note that Kefi has set up a dedicated email address to deal with privacy queries. This helps the business demonstrate to its customers it's taking their privacy seriously.
Additional Information By Region
So far we've covered the basic information that every Privacy Policy should contain. Now we're going to look at some of the specific information required under the privacy laws of some major markets worldwide.
United States
If you have customers in the US, your main concern should be complying with that state privacy law of California, specifically the California Online Privacy Protection Act (CalOPPA).
CalOPPA applies to all commercial websites that are accessible in California.
Under CalOPPA, your Privacy Policy must:
- Identify the types of personal information you collect
- Identify the types of third parties with whom you share personal information
- If you allow your users to make changes or request access to their personal information, your Privacy Policy must explain how they can do this
- Explain how you will inform your users about any changes to your Privacy Policy
- Provide the effective date of your Privacy Policy
- Disclose how your website treats browser "Do Not Track" signals
- Disclose whether you use tracking cookies
Here's an example of how Medtronic discloses how its website treats "Do Not Track" signals:
California has several privacy laws that require businesses to publish a Privacy Policy, including:
- California "Online Eraser" Law
- California "Shine the Light" Law
- California Consumer Privacy Act (CCPA)
For more information about complying with all these laws, see our article Sample California Privacy Policy Template.
European Union and United Kingdom
The EU has the highest privacy standards in the world, and the UK still enforces them despite having left the EU.
If you have customers in the European Economic Area (the EEA, which includes all 27 EU countries plus Iceland, Liechtenstein, and Norway) or the UK, you must comply with the General Data Protection Regulation (GDPR).
Under the GDPR, your Privacy Policy must, at a minimum:
- Provide contact details for the "data controller" (your business)
- Identify the types of personal information you process
- Explain your purposes for processing personal information
- Identify the types of third parties with whom you share personal information
- Identify your lawful basis for processing personal information
- If you transfer personal information out of the EU, your Privacy Policy must explain what safeguards you apply
- Explain how long you store personal information
- Explain your users' rights under the GDPR, and how they can exercise them
- Provide contact details for the national Data Protection Authority in case your users want to make a complaint
Here's how Bowles & Wyer explains how users can make a complaint to the UK's Data Protection Authority, the Information Commissioner's Office (ICO):
Note that the business encourages users to make a direct complaint before going to the ICO. This is perfectly reasonable.
For more information, see our article GDPR Privacy Policy.
Canada
Canada's main private-sector privacy law is the Personal Information Protection and Electronic Documents Act (PIPEDA). If your business serves Canadian customers, you'll need to post a Privacy Policy that complies with PIPEDA.
PIPEDA requires that your Privacy Policy must, at a minimum:
- Provide contact details for whoever is responsible for managing privacy in your business
- Explain how users can access and rectify the personal information you hold about them
- Identify the types of personal information you process
- Explain how you use personal information
- Provide copies of any other relevant company policies
- Explain how you share personal information with third parties
Here's how Bayer Canada explains the right to access personal information under PIPEDA:
For more information, see our article Privacy Policy for Canada.
Other Locations
Here are some links to information about other regions in which a Privacy Policy is required:
Here's our guide to privacy laws by country to help you out.
How to Create a Privacy Policy for Your Website
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your website. Just follow these steps:
- Click on the "Privacy Policy Generator" button.
- At Step 1, select the Website option and click "Next step":
- Answer the questions about your website and click "Next step" when finished:
- Answer the questions about your business practices and click "Next step" when finished:
-
Enter your email address where you'd like your policy sent, select translation versions and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
Now that you have a compliant, detailed Privacy Policy, here's how you should display it to your customers.
How to Display Your Privacy Policy
To add your Privacy Policy to your WooCommerce store, simply post it on a page on your website as a link titled "Privacy Policy."
You'll need to link to your Privacy Policy whenever you collect personal information from your customers. Here are a few examples of when and where.
Website Footer
Make your Privacy Policy available on your website's footer alongside any other legal information, such as your Terms and Conditions.
Here's how Woocommerce-powered clothing retailer The Neighbourgoods does this:
Checkout Screen
It's important to link to your Privacy Policy at checkout when your customers are about to submit financial information and a mailing address.
Here's how the WooCommerce-powered website Spike Island does this:
Newsletter Signup Form
It's particularly important to make your Privacy Policy available when asking people to sign up to newsletters or direct marketing emails.
Here's how WooCommerce-powered website The Wellbeing Project does this:
Summary
Every ecommerce website requires a Privacy Policy, including your WooCommerce-powered store.
At a minimum, your Privacy Policy should provide details of:
- What personal information you collect and how you collect it
- How you use personal information
- How you use cookies
- How you share personal information with third parties (including Wordpress, WooCommerce, and Stripe)
- Contact information for whoever handles privacy within your company
Check the other legal requirements that might apply in your target markets.
Make sure you link your Privacy Policy:
- In your website's footer
- At checkout
- On your newsletter or direct marketing signup page
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.