WooCommerce GDPR and Customer Data: What You Actually Have to Do (and What’s Optional)

GDPR for Your WooCommerce Store: What’s Required vs. What’s Just Worry

Most WooCommerce store owners are more anxious about GDPR than they need to be — and less prepared on the specific things that actually matter. This guide cuts through the noise. What data WooCommerce collects by default, what consent you actually need before sending discount emails, how to handle erasure requests without losing your order records, and how a behavioral-scoring plugin fits into a compliant data architecture.

GDPR is one of those topics that generates more anxiety in WooCommerce communities than almost any other. Store owners read a headline about a €20 million fine, immediately start worrying about every cookie they use, and either overcorrect with consent popups everywhere or freeze up entirely and avoid the whole subject.

Neither response is useful. GDPR has real requirements, some of which are routinely ignored by small stores that should know better. But it also has a structure that, once you understand it, becomes manageable. The core question is not “did I collect data?” — you definitely did — but “do I have a legitimate reason to use it, and am I treating it honestly?”

This guide is focused on what WooCommerce store owners specifically need to understand. It covers the data WooCommerce collects by default, the consent requirements around marketing emails, what to actually do when someone asks you to delete their account, and how a behavioral-scoring plugin like TrustLens fits into a compliant architecture. It doesn’t cover every edge case in EU data law, because that’s what solicitors are for.

GDPR compliance depends on your specific business, your jurisdiction (the regulation applies to EEA residents regardless of where your store is based), your data processing practices, and decisions that are ultimately legal and organizational, not technical.

This post explains how WooCommerce and the plugins discussed here behave mechanically, and what the regulation generally requires at a conceptual level. It doesn’t constitute legal advice. If you process significant volumes of EU/EEA customer data, or if you have specific concerns about your compliance posture, speak with a qualified legal professional who understands data protection law.


General guidance, not legal counsel

Everything in this post is general educational guidance for WooCommerce store operators. Your compliance obligations depend on factors specific to your business. Consult a qualified privacy professional before making compliance decisions that matter.

Who GDPR Applies To (and the Honest Answer on Threshold)

GDPR applies to any organisation that processes personal data of individuals in the European Union or European Economic Area, regardless of where the organisation itself is based. If you sell to customers in Germany, France, Poland, or anywhere in the EEA — and you collect their names, addresses, or email addresses — GDPR applies to you, whether your store runs from Kansas, Toronto, or Sydney.

There is no formal “small business” exemption, though some of the more burdensome obligations (like appointing a Data Protection Officer) apply only above certain thresholds of processing volume. Small stores that occasionally sell to EEA customers are technically within scope, but the practical enforcement risk is concentrated on organisations processing large volumes of data or handling sensitive data categories.

That said, the practical obligations — having a privacy policy, being transparent about what you collect, honoring subject access and erasure requests — are reasonable expectations that most customers have of any credible online store, regardless of geography. Meeting them is good practice independently of where your customers are.

What WooCommerce Stores by Default

WooCommerce collects personal data as a natural result of processing orders. Understanding what it stores is the baseline for any GDPR conversation, because you can only fulfill subject access or erasure requests if you know what you actually have.

When a customer places an order, WooCommerce stores:

  • Name (billing and shipping)
  • Email address
  • Phone number (if collected)
  • Billing address
  • Shipping address
  • Order history (items, amounts, dates, statuses)
  • IP address at the time of the order
  • Customer note (if entered at checkout)

For registered accounts, WooCommerce also stores the information above as part of the user profile, plus login credentials (stored as a hashed password — WordPress never stores plaintext passwords). The customer’s full order history is linked to their account.

WooCommerce does not store full payment card details. Payment processing is handled by your gateway (Stripe, PayPal, WooPayments, etc.), which has its own data processing obligations. What WooCommerce stores is the transaction record — amount, status, gateway used — not the card number.


Plugins extend the data footprint

The list above reflects WooCommerce core. Every plugin you add potentially extends what data is stored and where. Fraud detection, analytics, CRM integrations, email marketing, and even discount plugins may store additional identifiers. Your privacy policy should account for the full picture, not just WooCommerce core.

WooCommerce’s built-in privacy tools

WooCommerce ships with a set of privacy tools that integrate directly with WordPress’s personal data export and erasure system. You can find them under Tools → Export Personal Data and Tools → Erase Personal Data in your WordPress admin. These tools let you respond to subject access and erasure requests using the standard WordPress interface — more on this in the right-to-access and right-to-erasure sections below.

WooCommerce also includes an anonymization feature for older orders. When you erase a customer’s account data, you can configure whether old completed orders are anonymized (the personal data is replaced with placeholder text) rather than deleted. This matters for accounting and order record purposes, as covered in the retention section.

Lawful Basis: You Probably Don’t Need Consent for Orders

GDPR requires a “lawful basis” for every type of data processing you do. There are six possible bases, and the one that trips people up most often is confusing “we need consent for everything” with how the regulation actually works.

For processing order data — collecting a customer’s name, address, email, and payment information to fulfill a purchase — your lawful basis is almost certainly performance of a contract. The customer entered into a transaction with you, and processing their personal data is necessary to deliver what they paid for. You do not need to ask for separate consent to use a customer’s shipping address to ship their order.

For fraud prevention purposes, the applicable basis is likely legitimate interests — your legitimate interest in detecting and preventing fraudulent activity, balanced against the customer’s interests and rights. Behavioral scoring of the kind TrustLens performs (analyzing order patterns to identify abuse) falls into this category. It is a proportionate, minimized approach to a genuine business risk.

The basis that most small stores misapply is consent. Consent under GDPR must be freely given, specific, informed, and unambiguous. It cannot be bundled into terms and conditions or be a condition of purchase. This makes consent a relatively demanding legal basis — and it’s one you generally shouldn’t rely on for core operations. Save it for things that genuinely are optional from the customer’s perspective, like subscribing to a marketing newsletter.

The line between transactional emails (which don’t require marketing consent) and promotional emails (which do) is where most WooCommerce stores get this wrong.

Transactional emails are covered by your contract basis. Order confirmation, shipping notification, refund confirmation, password reset — these are service communications the customer expects as part of the transaction. You don’t need separate consent to send them.

Promotional emails require a separate legal basis. If you want to send a discount campaign email, a newsletter, a “we miss you” win-back promotion, or a sale announcement to a customer who bought from you six months ago, that is marketing. In the UK and EU, this is additionally governed by the Privacy and Electronic Communications Regulations (PECR in the UK, the ePrivacy Directive in the EU), which require either specific consent or the “soft opt-in” exception.

The soft opt-in (also known as the “existing customer exemption”) allows you to send marketing emails to existing customers about similar products or services without fresh consent, provided you gave them a clear opportunity to opt out when you collected their email (at checkout), and you include an unsubscribe mechanism in every message. It does not apply to new contacts, its availability for B2B contacts varies by jurisdiction, and it does not apply to customers in countries whose national law doesn’t recognize the exemption.


What this means for discount email campaigns

If you use WooCommerce discount campaigns to run email-triggered promotions, the email delivery side of that workflow needs its own lawful basis. The discount plugin applies the discount at checkout — that’s operational. The email that tells someone about it is marketing. If you’re sending via Mailchimp, Klaviyo, or any other ESP, confirm they have documented consent (or a valid soft opt-in basis) before adding customers to promotional flows.

Checkbox placement matters

If you collect marketing consent at checkout, the consent checkbox must be:

  • Unticked by default (pre-ticked checkboxes are not valid GDPR consent)
  • Separate from any terms and conditions acceptance
  • Clearly labeled with what the customer is consenting to
  • Genuinely optional — they can complete the purchase without ticking it

WooCommerce doesn’t add a marketing consent checkbox by default. You’ll typically add one through your email marketing plugin (most major ESPs have WooCommerce integrations that handle this) or via a plugin specifically designed for checkout consent management.
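The four rules above map directly onto a few WooCommerce hooks. The snippet below is an added example written for this post, not code from WooCommerce or any ESP plugin: it adds an unticked, optional, separately placed consent checkbox to the classic shortcode checkout and records the customer’s choice (with a timestamp and the wording version) on the order. It assumes the classic `[woocommerce_checkout]` page (the block-based checkout does not use these hooks); the field and meta key names are hypothetical.

```php
<?php
/**
 * Added example (not WooCommerce's or any plugin's own code): a marketing-consent
 * checkbox on the classic WooCommerce checkout that meets the four rules above.
 * Assumes the shortcode-based checkout; the block-based checkout does not use
 * these hooks. Field and meta key names are hypothetical.
 */

// 1. Add the field to the "Additional information" section, which WooCommerce
//    renders separately from the terms-and-conditions checkbox.
add_filter( 'woocommerce_checkout_fields', function ( array $fields ): array {
    $fields['order']['example_marketing_opt_in'] = array(
        'type'     => 'checkbox',
        // Specific, plain-language label: says exactly what the customer agrees to.
        'label'    => 'Email me occasional offers and product news. You can unsubscribe at any time.',
        'required' => false,                   // genuinely optional: checkout completes without it
        // No 'default' is set, so the box renders unticked; a pre-ticked box is not valid consent.
        'priority' => 200,                     // after the order-notes field
        'class'    => array( 'form-row-wide' ),
    );
    return $fields;
} );

// 2. Record the decision, and the evidence for it, on the order. WooCommerce passes
//    the posted checkout data as $data; checkbox fields arrive as 1 (ticked) or '' (not).
add_action( 'woocommerce_checkout_create_order', function ( WC_Order $order, array $data ): void {
    $consented = ! empty( $data['example_marketing_opt_in'] );
    $order->update_meta_data( '_example_marketing_consent', $consented ? 'yes' : 'no' );
    if ( $consented ) {
        // A consent record should show when, and under which wording, consent was given.
        $order->update_meta_data( '_example_marketing_consent_at', gmdate( 'c' ) );
        $order->update_meta_data( '_example_marketing_consent_text_version', 'checkout-2024-v1' );
    }
}, 10, 2 );

// 3. Gate for your ESP sync: only push customers who actually ticked the box.
function example_order_has_marketing_consent( WC_Order $order ): bool {
    return 'yes' === $order->get_meta( '_example_marketing_consent' );
}
```

Whatever pushes contacts to Mailchimp, Klaviyo or similar should call the gate function rather than assuming every buyer is a subscriber; the stored timestamp and wording version are what you would produce if a customer or regulator asked when and how consent was obtained.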

Your Privacy Policy: The Five Things It Must Cover

GDPR’s transparency requirements — Articles 13 and 14 — mean customers must be able to find out, without having to ask, what you collect and why. Your privacy policy is the primary vehicle for this. A privacy policy that says “we take your privacy seriously” and nothing else doesn’t meet this standard.

The essentials for a WooCommerce store’s privacy policy:

  1. What personal data you collect — names, email addresses, order history, IP addresses, browser fingerprints if you use fraud detection, and anything added by third-party plugins.
  2. Why you collect it and what the lawful basis is — fulfilling orders (contract), fraud prevention (legitimate interests), marketing (consent or soft opt-in), analytics (legitimate interests or consent depending on the method).
  3. Who you share it with — your payment processor (Stripe, PayPal, etc.), your email provider, your hosting provider, your analytics tool, and any other third party that receives customer data. Each processor should be named.
  4. How long you retain data — order records are typically retained for the length of your legal accounting obligations (often 6–7 years in many jurisdictions). Marketing data should be retained only as long as consent is valid or the customer relationship is active.
  5. How customers can exercise their rights — a clear contact mechanism (email address or form) for subject access requests and erasure requests, and what the timescale for response is (GDPR requires a response within one month).

WordPress ships with a privacy policy template that gives you a solid starting point. Find it under Settings → Privacy. It includes placeholder text for WooCommerce data processing and for common third-party services. Fill in the blanks honestly — don’t just publish the template as-is without updating it to reflect your actual practices.

Right to Erasure: What It Means in Practice

The right to erasure (sometimes called the “right to be forgotten”) is probably the GDPR right that causes the most practical anxiety for store owners. A customer emails you and asks you to delete all their data. What do you actually have to do?

The honest answer is: more than nothing, but less than everything.

GDPR’s right to erasure is not absolute. Article 17 lists several conditions under which you can decline an erasure request or partially comply. The most relevant for WooCommerce stores is the exemption for legal obligations — if you are legally required to retain data (for example, order records you need for tax purposes), you don’t have to delete it to satisfy an erasure request. You do have to erase everything that isn’t covered by a legal retention basis.

In practice, for most WooCommerce stores, handling an erasure request looks like this:

  • Anonymize or delete the customer’s personal data from their user account — name, contact details, addresses, password.
  • Retain the order records for your legal accounting obligations, but anonymize the personal data within them (replacing the name and address with placeholder text while preserving the order amount, date, and status).
  • Unsubscribe the customer from any marketing lists and delete their data from your ESP.
  • Delete or anonymize any fraud-detection or analytics data that has no legal basis for retention beyond the customer relationship.

WooCommerce’s built-in erasure tool (Tools → Erase Personal Data) handles the first two points automatically. It anonymizes order records by default while retaining the commercial data. What it doesn’t do automatically is clean up data in third-party plugins — each plugin that processes personal data needs its own erasure integration.

The 30-day response window

GDPR requires you to respond to an erasure request within one calendar month. You don’t have to complete the erasure within a month (though you should act promptly), but you must acknowledge the request, confirm the requestor’s identity, and tell them what you’re doing within that window. In practice, for a small WooCommerce store, the erasure itself should take an afternoon — not a month.

Right to Access: Responding to Data Requests

A Subject Access Request (SAR) asks you to provide a copy of all personal data you hold about the requestor, along with information about why you hold it and who you’ve shared it with. Again, WooCommerce’s built-in export tool (Tools → Export Personal Data) handles most of this automatically.

The export tool generates a report covering the customer’s account information, their order history, and any data added by plugins that have registered their own data exporters. You send this report to the customer. The same 30-day response window applies.

If you receive a SAR, verify the requestor’s identity before responding. You don’t want to accidentally send one customer’s personal data to someone else who claims to be them. A simple email verification (sending the export to the email address on file and asking the requestor to confirm from that address) is usually sufficient for low-risk cases.

Where Behavioral-Scoring Data Fits: TrustLens and GDPR

WooCommerce store owners who use behavioral fraud detection sometimes worry that analyzing customer behavior to assign a risk score creates additional GDPR complexity. This is a reasonable thing to think about, and the answer depends on how the tool is architected.

TrustLens — Webstepper’s fraud-prevention plugin — is designed with data minimization and local processing as architectural principles. Understanding how it handles data is useful as a concrete example of how fraud detection can be built with GDPR compatibility in mind.

What TrustLens stores and how

TrustLens works entirely inside your WordPress installation. It does not send customer data to an external service or to the plugin developer. All behavioral data — order counts, refund rates, coupon patterns, shipping address patterns — stays in custom database tables on your own server.

Customer records in TrustLens’s database contain a plaintext email address alongside an HMAC-SHA256 hash of that address. The hash is computed using your WordPress site’s authentication secret key as the keying material (via wp_salt('auth')), which makes it non-portable: the hash can’t be reversed to recover the address, and because the key is unique to your site, it can’t be matched against a hash of the same address computed on another site. The plaintext email is retained for operational use (admin interface display, email notifications, CSV exports), and it is included in the erasure process.

Linked-account fingerprints — the hashes of shipping addresses, phone numbers, IP addresses, payment methods, and device user agents used for fraud-ring detection — are stored only in hashed form. The raw values never reach the database. This means a data export of TrustLens data contains fingerprint hashes that can’t be reversed to the original identifier, which significantly reduces the sensitivity of that data under GDPR’s pseudonymization framework.
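To make the keyed-hash mechanism concrete, here is an added illustration written for this post; it is not TrustLens’s code and does not claim to match its internals. It normalises an identifier, computes an HMAC-SHA256 under a site-specific key, and shows the two properties the text relies on: the same identifier always produces the same hash on one site, and a different key produces an unrelated hash. Inside WordPress the key would be `wp_salt('auth')`; the functions take the key as a parameter so the mechanism can be read on its own. All keys and identifiers below are constructed sample values.

```php
<?php
/**
 * Added example, not TrustLens's own code: keyed-hash pseudonymisation of customer
 * identifiers. Inside WordPress, $key would be wp_salt( 'auth' ); here it is a
 * parameter so the behaviour can be demonstrated outside WordPress.
 */

/** Canonicalise an identifier so trivial variations hash to the same value. */
function example_normalize_identifier( string $kind, string $value ): string {
    $value = trim( $value );
    switch ( $kind ) {
        case 'email':
            return strtolower( $value );
        case 'phone':
            return preg_replace( '/\D+/', '', $value );                 // digits only
        case 'address':
            return strtolower( preg_replace( '/\s+/', ' ', $value ) );  // collapse whitespace
        default:
            return $value;                                               // ip, user agent: as-is
    }
}

/**
 * Keyed, one-way fingerprint. The kind is mixed into the input (domain separation)
 * so a phone number and an address with the same text never share a hash.
 */
function example_fingerprint( string $kind, string $value, string $key ): string {
    return hash_hmac( 'sha256', $kind . ':' . example_normalize_identifier( $kind, $value ), $key );
}

/**
 * Pseudonymised, not anonymised: whoever holds the key and a candidate identifier
 * can re-hash and compare. That is what erasure lookups and ring detection do.
 */
function example_fingerprint_matches( string $kind, string $candidate, string $key, string $stored ): bool {
    return hash_equals( $stored, example_fingerprint( $kind, $candidate, $key ) );
}

// Constructed demonstration values (not real keys or customers).
$site_a_key = 'constructed-site-a-key';
$site_b_key = 'constructed-site-b-key';

$h1 = example_fingerprint( 'email', 'Jane.Doe@Example.com', $site_a_key );
$h2 = example_fingerprint( 'email', '  jane.doe@example.com ', $site_a_key );
$h3 = example_fingerprint( 'email', 'jane.doe@example.com', $site_b_key );

var_dump( $h1 === $h2 );   // normalisation: case and whitespace differences hash identically
var_dump( $h1 === $h3 );   // non-portable: a different site key gives an unrelated hash
var_dump( example_fingerprint_matches( 'email', 'jane.doe@example.com', $site_a_key, $h1 ) );
var_dump( strlen( $h1 ) ); // 64 hex characters are stored; the raw email never is
```

The `hash_equals` comparison is deliberate: a plain `===` on hashes leaks timing information, which matters little for a fraud lookup but is the habit to keep whenever secrets or keyed values are compared.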


Pseudonymization is not anonymization

GDPR distinguishes between pseudonymized data (where the link back to an individual could theoretically be re-established with additional information) and anonymized data (where it cannot). TrustLens’s hashed fingerprints are pseudonymized because the original identifier could be re-hashed and matched against the stored hash if you knew the identifier and the key. This still carries GDPR obligations — you must be transparent about the processing and honor erasure requests. What pseudonymization does is reduce the sensitivity of stored data and limit the harm if the data were ever accessed improperly.

TrustLens’s GDPR privacy tools

TrustLens registers its own exporter and eraser with WordPress’s personal data export and erasure system. This means when you process a Subject Access Request or erasure request through Tools → Export Personal Data or Tools → Erase Personal Data, TrustLens responds automatically.

The data export includes the customer’s trust score, risk segment, behavioral event log, trust signals, category statistics, linked-account fingerprint hashes, and (if Pro automation rules are active) automation action logs. This is the complete record TrustLens holds about that customer, presented in a format suitable for providing to a subject access requestor.

The erasure handler deletes the customer’s records from all TrustLens tables: the customer profile, events, signals, category statistics, fingerprints, and automation logs. The deletion uses the customer’s email hash as the lookup key, so it’s scoped precisely to that customer’s data and does not affect other customers who may share a fingerprint type.
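The WordPress side of this is a pair of filters. The block below is an added example written for this post, not TrustLens’s code: it registers an exporter and an eraser with the core privacy tools, looks the customer up by the HMAC of their email, and deletes only rows carrying that hash. It assumes two hypothetical custom tables, `{$wpdb->prefix}example_trust_customers` (columns `email_hash`, `trust_score`, `risk_segment`, `last_seen`) and `{$wpdb->prefix}example_trust_events` (keyed by the same `email_hash`).

```php
<?php
/**
 * Added example, not TrustLens's own code: plugging a plugin's custom tables into
 * Tools -> Export Personal Data and Tools -> Erase Personal Data.
 * Table and column names are hypothetical.
 */

/** Lookup key: HMAC-SHA256 of the normalised email under the site's auth salt. */
function example_email_hash( string $email ): string {
    return hash_hmac( 'sha256', strtolower( trim( $email ) ), wp_salt( 'auth' ) );
}

/** Exporter callback: WordPress calls it with the requester's email and a page number. */
function example_trust_exporter( string $email_address, int $page = 1 ): array {
    global $wpdb;
    $hash    = example_email_hash( $email_address );
    $profile = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT trust_score, risk_segment, last_seen FROM {$wpdb->prefix}example_trust_customers WHERE email_hash = %s",
            $hash
        ),
        ARRAY_A
    );

    $export_items = array();
    if ( $profile ) {
        $export_items[] = array(
            'group_id'    => 'example-trust-profile',
            'group_label' => 'Behavioral trust profile',
            'item_id'     => 'example-trust-profile-' . substr( $hash, 0, 12 ),
            'data'        => array(
                array( 'name' => 'Email hash (pseudonymous key)', 'value' => $hash ),
                array( 'name' => 'Trust score',                   'value' => $profile['trust_score'] ),
                array( 'name' => 'Risk segment',                  'value' => $profile['risk_segment'] ),
                array( 'name' => 'Last seen',                     'value' => $profile['last_seen'] ),
            ),
        );
    }
    // One page of results here; for a long event log return 'done' => false and use $page.
    return array( 'data' => $export_items, 'done' => true );
}

/** Eraser callback: scoped to one customer's hash, so no other customer's row is touched. */
function example_trust_eraser( string $email_address, int $page = 1 ): array {
    global $wpdb;
    $hash    = example_email_hash( $email_address );
    $removed = 0;
    foreach ( array( 'example_trust_customers', 'example_trust_events' ) as $table ) {
        $removed += (int) $wpdb->delete( $wpdb->prefix . $table, array( 'email_hash' => $hash ), array( '%s' ) );
    }
    return array(
        'items_removed'  => $removed > 0,
        'items_retained' => false,   // nothing in these tables has a legal-retention basis
        'messages'       => array(),
        'done'           => true,
    );
}

// Register both callbacks with the core privacy tools.
add_filter( 'wp_privacy_personal_data_exporters', function ( array $exporters ): array {
    $exporters['example-trust'] = array(
        'exporter_friendly_name' => 'Example trust-scoring data',
        'callback'               => 'example_trust_exporter',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( array $erasers ): array {
    $erasers['example-trust'] = array(
        'eraser_friendly_name' => 'Example trust-scoring data',
        'callback'             => 'example_trust_eraser',
    );
    return $erasers;
} );
```

Two points worth checking in any plugin’s eraser: every query is parameterised (`$wpdb->prepare` or the array form of `$wpdb->delete`), and the delete condition is the customer’s own key rather than something several customers can share, such as an IP hash.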

For a deeper technical walkthrough of how TrustLens handles hashing and linked-account detection from a privacy standpoint, the post on TrustLens linked-account detection and how it works without storing personal data covers the mechanism in detail.

The lawful basis for fraud scoring

Behavioral fraud scoring is typically justified under legitimate interests. You have a legitimate business interest in detecting fraudulent orders, return abuse, and coupon misuse. That interest needs to be balanced against the customer’s rights and expectations. The factors that support legitimate interests as the basis here:

  • The processing uses data the customer provided as part of a commercial relationship
  • It is minimized to what’s necessary to detect abuse patterns
  • No automated decisions with significant legal effects are made solely by the scoring system — TrustLens Free never auto-blocks anyone; you review and decide
  • The data is held locally, not shared with third parties by default

If you use TrustLens Pro’s automation rules to automatically block customers based on their trust score, that introduces considerations around automated decision-making (Article 22 of GDPR), which requires that affected individuals have the right to seek human review of automated decisions. Your privacy policy should mention that behavioral scoring informs operational decisions, and the mechanism for requesting review should be accessible — in practice, your customer service email.

Data Retention: How Long You Can Keep What

GDPR’s storage limitation principle says you can only keep personal data for as long as necessary for the purpose it was collected. In practice, this means different types of data have different retention periods:

| Data type | Typical retention basis | Suggested retention period |
|---|---|---|
| Order records (amounts, dates, status) | Legal obligation (tax, accounting) | Duration of your legal accounting obligation — commonly 6–7 years depending on jurisdiction |
| Customer personal data in orders (name, address) | Contract / legal obligation | Same as order records — anonymize rather than delete if the order record must be retained |
| Marketing consent and email address | Consent | As long as the consent is valid; review and purge inactive contacts periodically (typical practice: 2–3 years of inactivity) |
| Fraud and behavioral scoring data | Legitimate interests | While the customer relationship is active, or while the business need persists; delete when the customer requests erasure or after a defined inactivity period |
| Analytics and session data | Legitimate interests or consent (depends on method) | As short as practicable for the analytical purpose; commonly 13–26 months for web analytics tools |

The retention periods above are guidance, not legal prescription. Your specific obligations depend on your jurisdiction’s accounting and tax requirements. In the UK, HMRC requires records to be kept for at least 6 years from the end of the accounting period. In many EU member states, the obligation is similar. Whatever the period, document your retention policy and apply it consistently.
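“Apply it consistently” is easiest when the policy is enforced by code rather than memory. The following is an added example written for this post, not any plugin’s code: a WP-Cron job that deletes behavioral-scoring profiles (and their events) that have been inactive longer than a documented retention period. It assumes the same hypothetical tables as the erasure example above (`{$wpdb->prefix}example_trust_customers` with a UTC `last_seen` DATETIME column, and `{$wpdb->prefix}example_trust_events` keyed by `email_hash`) and that the file is a plugin’s main file, so `__FILE__` is valid for `register_deactivation_hook`.

```php
<?php
/**
 * Added example, not any plugin's own code: enforcing a documented retention period
 * for behavioral-scoring data with WP-Cron. Tables and columns are hypothetical.
 */

const EXAMPLE_TRUST_RETENTION_DAYS = 730;   // your documented policy, e.g. two years of inactivity
const EXAMPLE_TRUST_PURGE_HOOK     = 'example_trust_purge_inactive';

/** Delete every profile (and its events) not seen within the retention window. Returns profiles removed. */
function example_trust_purge_inactive(): int {
    global $wpdb;
    $cutoff    = gmdate( 'Y-m-d H:i:s', time() - EXAMPLE_TRUST_RETENTION_DAYS * DAY_IN_SECONDS );
    $customers = $wpdb->prefix . 'example_trust_customers';
    $events    = $wpdb->prefix . 'example_trust_events';

    // Child rows first, joined on the pseudonymous key, then the profiles themselves.
    $wpdb->query( $wpdb->prepare(
        "DELETE e FROM {$events} e INNER JOIN {$customers} c ON c.email_hash = e.email_hash WHERE c.last_seen < %s",
        $cutoff
    ) );
    $removed = (int) $wpdb->query( $wpdb->prepare( "DELETE FROM {$customers} WHERE last_seen < %s", $cutoff ) );

    // Leave an audit trail so you can show the policy is applied on schedule.
    error_log( sprintf( '[example-trust] retention purge: cutoff=%s profiles_removed=%d', $cutoff, $removed ) );
    return $removed;
}
add_action( EXAMPLE_TRUST_PURGE_HOOK, 'example_trust_purge_inactive' );

// Schedule once; WP-Cron fires it daily on page loads, or via a system cron calling wp-cron.php.
add_action( 'init', function (): void {
    if ( ! wp_next_scheduled( EXAMPLE_TRUST_PURGE_HOOK ) ) {
        wp_schedule_event( time(), 'daily', EXAMPLE_TRUST_PURGE_HOOK );
    }
} );

// Unschedule on deactivation so the event does not linger after the plugin is gone.
register_deactivation_hook( __FILE__, function (): void {
    $timestamp = wp_next_scheduled( EXAMPLE_TRUST_PURGE_HOOK );
    if ( $timestamp ) {
        wp_unschedule_event( $timestamp, EXAMPLE_TRUST_PURGE_HOOK );
    }
} );
```

The retention constant should match the number you publish in your privacy policy; if the two drift apart, the policy is the one a regulator will hold you to.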

Third-Party Processors: Payment Gateways, Email, Analytics

Under GDPR, any company that processes personal data on your behalf is a “data processor,” and you need a Data Processing Agreement (DPA) with each of them. This sounds more intimidating than it is in practice — most major service providers publish a standard DPA that you accept as part of their terms of service.

The processors most WooCommerce stores need to document:

  • Payment gateways — Stripe, PayPal, WooPayments, and others all publish DPAs. Stripe and PayPal, for example, have published standard DPAs that you agree to as part of their merchant terms. Check your gateway’s legal documents to confirm.
  • Email marketing providers — Mailchimp, Klaviyo, ActiveCampaign, ConvertKit, and similar ESPs all provide DPAs. You typically find these in your account’s legal or privacy settings.
  • Hosting provider — Your hosting provider stores your WordPress database, which contains customer data. Check whether they offer a DPA or equivalent (most reputable providers do).
  • Analytics — Google Analytics, Fathom, Plausible, and others have different approaches to GDPR. Some tools (particularly privacy-first analytics like Fathom and Plausible) are designed to avoid personal data collection entirely, which simplifies compliance. Google Analytics 4 requires additional configuration and a DPA to comply with GDPR, and some EU data protection authorities have issued opinions about its use.

For tools that run entirely inside your WordPress installation — including TrustLens and Smart Cycle Discounts — no DPA is required because data doesn’t leave your server. The plugin developer never receives your customer data.

A Practical GDPR Checklist for WooCommerce


GDPR basics for WooCommerce

  • Privacy policy is live, accurate, and honest. Covers what you collect, why, who you share with, retention periods, and how customers can exercise their rights. WordPress has a template under Settings → Privacy — fill it in for your actual setup.
  • Marketing consent is properly collected. Unticked checkbox at checkout, separate from T&Cs acceptance, clearly labeled. Or you’re using the soft opt-in and customers can opt out of every marketing email.
  • Transactional emails don’t need marketing consent. Order confirmations, shipping notifications, and refund emails are service communications — you don’t need a checkbox for those.
  • DPAs are in place with your major processors. Stripe, Mailchimp, your hosting provider. Most publish standard agreements — check your account settings.
  • You know how to process a Subject Access Request. Tools → Export Personal Data in WordPress. Test it before you receive one. Respond within 30 days.
  • You know how to process an erasure request. Tools → Erase Personal Data handles WooCommerce core data and any plugin that has registered an eraser (TrustLens does). Anonymizes order records while retaining the commercial data. Also clean up your ESP.
  • Your fraud and analytics plugins are documented in your privacy policy. Mention behavioral scoring, what it analyzes, and how customers can request review of a decision that affected them.
  • Fraud-detection data stays on your server. If you use TrustLens, no customer data leaves your site by default — no DPA needed for the plugin itself. Webhooks you configure yourself are your own responsibility.

Frequently Asked Questions

Do I need a cookie banner for my WooCommerce store?

Probably, but it depends on what cookies you use. Strictly necessary cookies — the session cookie that powers WooCommerce’s cart, for example — don’t require consent. Cookies used for analytics (Google Analytics), advertising, or social media tracking do require consent under the ePrivacy Directive (implemented in the UK as PECR). If you’re running a clean WooCommerce store with no tracking pixels and privacy-first analytics, you may not need a full consent management platform. If you’re using Google Analytics and retargeting pixels, you do.

Does WooCommerce’s built-in erasure tool delete everything?

It handles WooCommerce core data and any plugin that has registered with WordPress’s erasure API. WooCommerce core anonymizes order records (replacing personal data with placeholder text) rather than deleting them, which is appropriate when you need to retain order records for accounting purposes. Plugins that store additional personal data need to register their own eraser — TrustLens does this, and it deletes all TrustLens-held data for the customer when an erasure request is processed. Check whether your other plugins have erasure integrations, particularly ESP connectors and analytics tools.

What is the soft opt-in and does it apply to my store?

The soft opt-in (existing customer exemption) allows you to send marketing emails to existing customers about similar products without fresh opt-in consent, provided you gave them a clear chance to opt out when you first collected their email and you include an unsubscribe link in every marketing email. It applies in the UK under PECR and in EU member states that have implemented the ePrivacy Directive, but the exact implementation varies by country. It doesn’t apply to new contacts who haven’t bought from you, and it doesn’t apply universally across all EU jurisdictions. If you’re running a discount email campaign to past customers, the soft opt-in likely covers it — but check your specific market’s requirements, and always include an unsubscribe mechanism.

Can I keep customer order data forever for my own records?

You can retain order records for the duration of your legal accounting obligation (typically 6–7 years in most jurisdictions), but you should anonymize the personal data within those records once the customer relationship ends or an erasure request is received. What you need for accounting purposes is the commercial data — amounts, dates, products — not the customer’s name and address. WooCommerce’s anonymization tool handles this automatically when you process an erasure request.

If I use TrustLens to score customers, am I making automated decisions about them?

The scoring itself is automated — TrustLens calculates a 0–100 trust score from behavioral signals without human intervention. However, in TrustLens Free, no automated action is taken based on that score: the plugin surfaces information for your review, and you decide what to do. This is an important distinction under GDPR’s Article 22, which applies to “solely automated” decisions that produce significant legal effects. When a human reviews the score before taking action (blocking, allowlisting, adjusting an order), that human-in-the-loop step means the decision isn’t solely automated. If you use TrustLens Pro’s automation rules to automatically block customers, your privacy policy should describe this and include a mechanism for customers to request human review.

My store is based outside the EU. Does GDPR still apply to me?

If you have customers in the EU or EEA and you offer goods or services to them, GDPR applies regardless of where your business is based. The regulation’s scope (Article 3) covers any organisation that processes data of EU residents, not just organisations established in the EU. Enforcement is more complex for non-EU businesses, but the obligations are real. Many non-EU stores take the pragmatic view that meeting GDPR standards is good practice anyway, and that the reputational cost of a publicized data breach or complaint is worth avoiding.

How do I handle a customer who asks me to delete their account and all their data?

Verify their identity first (confirm the request is coming from the email address on file). Then use WordPress Tools → Erase Personal Data to process the request. This handles WooCommerce core and any plugin with an erasure integration. Also remove them from your email marketing lists and any other external systems. Retain anonymized order records if you have a legal accounting obligation for those transactions — you don’t have to delete the financial record, just the personal data within it. Respond to confirm the erasure has been done within 30 days of the request.

For stores handling significant volumes of EU customer data, consider publishing a clear data erasure policy that explains this process, so customers know what to expect before they ask.