Do I need to disclose WooCommerce in my privacy policy?

Yes. WooCommerce collects and processes customer personal data including names, addresses, email addresses, order history, and IP addresses. Because you are the data controller (not Automattic), you must transparently disclose what data WooCommerce collects, how it's used, and how long it's retained. This is required under GDPR, CCPA, and similar privacy laws.

What specific data does WooCommerce collect?

WooCommerce collects customer information (name, email, address), order data (products purchased, quantities, order dates), IP addresses, and browser information. If you integrate a payment gateway, additional payment information may be collected—though PCI-DSS compliance typically prevents storing full card numbers. User behavior on product pages and checkout processes is also logged.

Does WooCommerce require a cookie consent banner?

Yes, under GDPR and ePrivacy regulations. WooCommerce uses cookies like woocommerce_cart_hash and woocommerce_items_in_cart to maintain session state. While these are classified as strictly necessary, you should still disclose their use in your privacy policy and cookie banner, and obtain explicit consent for any non-essential tracking cookies.

Who processes WooCommerce data and where is it stored?

As a self-hosted plugin, you are the sole data controller and processor. WooCommerce (owned by Automattic Inc., United States) provides the software but does not access your customer data unless you separately integrate Jetpack or Automattic services. Data is stored on your web server's location. You must separately disclose any third-party payment gateways, analytics tools, or email providers that access WooCommerce data.

E-commerce

Privacy policy clauses for WooCommerce

WooCommerce is a self-hosted WordPress e-commerce plugin that enables websites to sell products and services online. Website owners install and manage WooCommerce directly on their servers, making them the primary data controller responsible for customer information, orders, and payment details.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data WooCommerce collects

Your privacy policy must disclose each of the following data types when you use WooCommerce.

Customer info

Order data

Payment info

IP address

When does WooCommerce trigger privacy obligations?

Installation & Immediate Data Flows

The moment WooCommerce is activated on your WordPress site, you become the sole data controller for all customer information collected during checkout and order processing. This includes:

–Customer names, email addresses, billing/shipping addresses
–Order history and purchase amounts
–IP addresses (logged by WordPress/WooCommerce by default)

Common compliance pitfalls

Cookie	Duration	Category	Purpose
woocommerce_cart_hash	session	strictly necessary	Cart identification
woocommerce_items_in_cart	session	strictly necessary	Cart state

Pitfall 1: No Separate DPA with Payment Processor

The mistake: WooCommerce operators often assume the payment gateway (Stripe, PayPal, Square) automatically handles GDPR compliance. They add WooCommerce and a payment plugin, but never sign or review a Data Processing Agreement with the processor.

Why it happens with WooCommerce: Payment gateways are add-on plugins; operators treat them as "included" rather than third-party processors requiring formal contracts under GDPR Article 28. The payment processor becomes a Data Processor on your behalf, and you are jointly liable if a DPA is missing.

Consequence: GDPR fines up to €10 million or 2% of annual turnover (Article 83). Regulators (e.g., ICO, CNIL) consistently cite missing DPAs as a top violation. In practice: payment processor may suspend your account if you cannot produce a signed DPA during an audit.

---

Pitfall 2: Retaining Customer Data Indefinitely

The mistake: WooCommerce stores all orders, customer email addresses, and billing info in the WordPress database by default. Operators often do not set or document a data retention policy, leaving records in the database for years after the customer relationship ends.

Why it happens with WooCommerce: There is no built-in, user-friendly data deletion tool in WooCommerce's core. Operators assume "more data is safer" or forget to implement a retention schedule.

Consequence: GDPR Article 17 grants customers a right to erasure ("right to be forgotten"). If a customer requests deletion and you cannot comply, you face regulatory action. Additionally, GDPR Article 5(1)(e) requires data to be kept "no longer than necessary." Retaining customer data for 7+ years without a documented business reason violates this principle. Fines: €10 million or 2% of turnover (Article 83).

---

Pitfall 3: Misconfigured Consent Banner or Missing Cookie Disclosures

The mistake: Operators install a cookie consent plugin but either:

1. Pre-tick "Accept All" or hide the reject button (non-compliant with GDPR Article 7 and ePrivacy Directive Article 5(3)).

2. Fail to disclose WooCommerce's strictly necessary cookies separately, lumping them with marketing cookies.

3. Forget to link to the payment processor's cookie policy.

Why it happens with WooCommerce: The plugin ecosystem is fragmented. Consent banners (Cookiebot, OneTrust, etc.) are optional add-ons, so operators may use a generic banner not tuned to WooCommerce's specific cookies.

Consequence: GDPR enforcement. The ePrivacy Directive Article 5(3) requires informed, granular consent. If a customer cannot easily reject non-essential cookies, you are non-compliant. EDPB Guidelines 05/2020 on consent clarify: pre-ticking boxes or hiding opt-out is illegal. Regulators view this as a top-priority violation. Fines: up to €10 million or 2% of turnover.

Privacy policy clauses for WooCommerce

What data WooCommerce collects

When does WooCommerce trigger privacy obligations?

Installation & Immediate Data Flows

Regulatory Triggers

First Concrete Step

Where data goes

Cookies set by WooCommerce

Common compliance pitfalls

Pitfall 1: No Separate DPA with Payment Processor

Pitfall 2: Retaining Customer Data Indefinitely

Pitfall 3: Misconfigured Consent Banner or Missing Cookie Disclosures

Legal note

Sample privacy policy clause

What regulators look for

Primary Audit Focus

Frequently asked questions

Do I need to disclose WooCommerce in my privacy policy?

What specific data does WooCommerce collect?

Does WooCommerce require a cookie consent banner?

Who processes WooCommerce data and where is it stored?

Don't ship without Bandit.