Use WooCommerce DSGVO compliant | decareto

Created 21 March 2023

WooCommerce is a WordPress plugin that allows easy creation of online stores and is one of the most popular WordPress plugins in this field. Online stores can be customized in various ways, with many features and without any programming skills at all.

However, out of the box and without further configuration, the plugin does not fully comply with the EU General Data Protection Regulation (GDPR, known in German as the DSGVO).

In the following article we explain which cookies WooCommerce sets, which customer data it stores, and how you can use WooCommerce in a DSGVO-compliant way.

Which cookies does WooCommerce set for visitors?

WooCommerce sets the following cookies for visitors to a website; four of them are session cookies (Sitzungscookies) and one persists beyond the session. The cookies are: woocommerce_cart_hash, store_notice, woocommerce_recently_viewed, woocommerce_items_in_cart and wp_woocommerce_session_.

woocommerce_cart_hash

The cookie "woocommerce_cart_hash" is set to detect changes in the shopping cart; with its help, those changes are kept in the shopping cart. Because it is a session cookie, it is deleted when the user closes the browser.

store_notice

"store_notice" remembers that a store notice has been hidden. WooCommerce lets you display notices to visitors, personalize them, and decide on which page the notice is shown.

If the visitor decides to hide this message, a cookie is set so that the message is not displayed again. However, since this is also a session cookie, the hiding is only stored for one session. Accordingly, the cookie is deleted as soon as the user closes the browser.

woocommerce_recently_viewed

The "woocommerce_recently_viewed" cookie is used to enable the WooCommerce widget that shows the user the products they have recently viewed. Like the cookies above, this cookie is limited to a single session.

woocommerce_items_in_cart

The "woocommerce_items_in_cart" cookie serves a similar purpose to "woocommerce_cart_hash": it records which products the user has placed in the shopping cart and tracks changes to them. Here, too, storage is limited to the current session.

wp_woocommerce_session_

The "wp_woocommerce_session_" cookie contains a unique identifier for each customer. With this identifier, WooCommerce can find the customer's shopping cart data in the database faster. Unlike the previous cookies, this cookie has a lifetime of 2 days and is only deleted after that.
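The inventory above is only useful if it matches what the shop really sends. As an added example (not from the article, and not WooCommerce's own code), the following PHP script parses Set-Cookie header values and checks each cookie against the declared inventory: any cookie that is set but not declared, any lifetime that differs from the declared one, and any cookie without the Secure attribute is reported. The header values, the cookie values and the Secure/HttpOnly flags below are constructed for the example; what your shop actually sends has to be captured from a real response (browser developer tools or curl).

```php
<?php
// Added example (not from the article and not WooCommerce code): compare the
// cookies a shop response actually sets with the inventory declared in the
// cookie banner and privacy policy.

// Declared inventory, following the article: name prefix => expected lifetime.
$declared = array(
    'woocommerce_cart_hash'       => 'session',
    'store_notice'                => 'session',
    'woocommerce_recently_viewed' => 'session',
    'woocommerce_items_in_cart'   => 'session',
    'wp_woocommerce_session_'     => 2 * 86400,   // 2 days; the real name carries a hash suffix
);

// Constructed sample Set-Cookie header values (not captured from a real shop).
$set_cookie_headers = array(
    'woocommerce_items_in_cart=1; path=/; secure',
    'woocommerce_cart_hash=3f2a9c; path=/; secure',
    'wp_woocommerce_session_d41d8cd9=t%7C%7C1; Max-Age=172800; path=/; secure; HttpOnly',
    '_ga=GA1.2.1; Max-Age=63072000; path=/',   // an analytics cookie that nobody declared
);

// Parse one Set-Cookie value into name, lifetime ('session' or seconds) and flags.
function parse_set_cookie( string $header ): array {
    $parts = array_map( 'trim', explode( ';', $header ) );
    list( $name ) = explode( '=', array_shift( $parts ), 2 );
    $attrs = array( 'max-age' => null, 'expires' => null, 'secure' => false, 'httponly' => false );
    foreach ( $parts as $part ) {
        list( $key, $value ) = array_pad( explode( '=', $part, 2 ), 2, null );
        $key = strtolower( $key );
        if ( array_key_exists( $key, $attrs ) ) {
            $attrs[ $key ] = ( null === $value ) ? true : $value;
        }
    }
    // Max-Age takes precedence over Expires (RFC 6265); neither means a session cookie.
    if ( null !== $attrs['max-age'] ) {
        $lifetime = (int) $attrs['max-age'];
    } elseif ( null !== $attrs['expires'] && false !== ( $ts = strtotime( (string) $attrs['expires'] ) ) ) {
        $lifetime = max( 0, $ts - time() );
    } else {
        $lifetime = 'session';
    }
    return array( 'name' => $name, 'lifetime' => $lifetime, 'secure' => (bool) $attrs['secure'], 'httponly' => (bool) $attrs['httponly'] );
}

// Report undeclared cookies, lifetime mismatches and missing Secure attributes.
function audit_cookies( array $headers, array $declared ): array {
    $findings = array();
    $fmt = function ( $lifetime ) { return 'session' === $lifetime ? 'session' : $lifetime . ' s'; };
    foreach ( $headers as $header ) {
        $cookie   = parse_set_cookie( $header );
        $expected = null;
        foreach ( $declared as $prefix => $lifetime ) {
            if ( 0 === strncmp( $cookie['name'], $prefix, strlen( $prefix ) ) ) {
                $expected = $lifetime;
                break;
            }
        }
        if ( null === $expected ) {
            $findings[] = $cookie['name'] . ': set but not declared in the cookie banner / privacy policy';
        } elseif ( $expected !== $cookie['lifetime'] ) {
            $findings[] = $cookie['name'] . ': lifetime ' . $fmt( $cookie['lifetime'] ) . ' differs from declared ' . $fmt( $expected );
        }
        if ( ! $cookie['secure'] ) {
            $findings[] = $cookie['name'] . ': missing Secure attribute';
        }
    }
    return $findings;
}

foreach ( audit_cookies( $set_cookie_headers, $declared ) as $finding ) {
    echo $finding, PHP_EOL;
}
```

Run against the constructed headers, the script flags only the undeclared `_ga` cookie (twice: not declared, and without Secure). Feed it the headers from a real add-to-cart response on your own shop and the report tells you what your banner and privacy policy have to mention.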

What data does WooCommerce store?

WooCommerce stores the following data:

  • Full name
  • E-mail address
  • Address
  • Payment information
  • IP address
  • Browser information
  • Time of the website visit

This data is deleted once the purpose of storage no longer applies, that is, when WooCommerce no longer needs it for the stated purpose.

Visitors to a WooCommerce website have the right, in accordance with the EU General Data Protection Regulation, to view the data collected, insist that the data be deleted, or refuse further storage and processing of the data.

How to ensure a DSGVO-compliant use of WooCommerce?

Create a privacy policy

In order to create a privacy-compliant website, you need to have a complete and detailed privacy policy, which you must provide in a clearly visible way for all visitors. 

If you use WooCommerce for your online store, you need to list all the information about it in your privacy policy. Here, it is important to explain what WooCommerce is, why you decided to use WooCommerce on your website and what data is stored, for how long and where. You also need to inform users about their rights. 

In addition, any information about shipping service providers (e.g. DHL) and payment service providers (e.g. PayPal) that store visitors' personal data must be listed in the privacy policy. This is particularly important if data is passed on to service providers from third countries such as the USA. 

Data collection and cookie setting only with legal basis 

All user data may only be collected with a legal basis. The same applies to the use of cookies - they require the consent of visitors. 

You can control the consent for the cookies via the cookie banner of your website. In the banner, list all the cookies your WooCommerce website sets and let your visitors decide which ones they agree with and which ones they want to reject.

This applies to WooCommerce cookies as well as any tracking, analytics, tool or plugin cookies.

Consent for data collection is best obtained via a checkbox. By ticking the checkbox, users agree to the privacy policy and, at the same time, to the collection, storage and further processing of their data. Users must, of course, be informed about this.

Minimize data collection

When collecting data, data minimization in accordance with Article 5, paragraph c) of the DSGVO must be observed. This means that only the data that is needed for the stated purpose may be collected. The amount of data collected must be appropriate for the purpose.

Data collection occurs on a website in the following situations:

  • when using the contact form
  • when registering for the newsletter
  • during check-out (when placing an order)
  • during customer registration
  • during product evaluations
  • at the comment function

Concluding a data processing agreement (AV contract)

If you pass on (personal) data from your website to third parties who store and process this data, you must conclude a data processing agreement (Auftragsverarbeitungsvertrag, AV contract for short) with the respective service providers.

This AV contract states in writing that all parties must store and process the data in a data protection-compliant manner. This is intended to ensure DSGVO-compliant handling of user data.

AV contracts should be concluded, for example, with the web hosting provider, with shipping and payment service providers, with the operators of tracking or analytics tools, and with newsletter service providers.

Activate double opt-in procedure

If you

  • send company-related e-mail advertising,
  • send a newsletter to your subscribers, or
  • offer your visitors the opportunity to open a customer account,

you should do so using a double opt-in process.

Double opt-in procedure means that after successful registration the user is sent a mail with a confirmation link. By clicking on this link, the user accepts receipt of the advertising or newsletter or the opening of the customer account. Double opt-in therefore means "double consent". 

Set deletion periods

WooCommerce allows you to set deletion periods or retention periods for certain data. Note that these periods are not preset; you have to configure them yourself.

Also make sure that the periods are actually enforced and that the data really is deleted once they expire.
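Because the retention periods ship empty, a quick check that every one of them has been filled in is worth automating. The following PHP is an added example, not code from the article or from WooCommerce: it reads the five retention settings from the WooCommerce > Settings > Accounts & Privacy page and lists those that are still unset. The option names are the ones that settings page stores as far as the author of this example knows; verify them against your WooCommerce version. The `example_` prefix and the constructed option store at the bottom belong to the example only.

```php
<?php
// Added example (not from the article, not WooCommerce code): report which
// WooCommerce retention periods are still empty, i.e. where data is kept forever.

// Option name => label as shown on the Accounts & Privacy settings page.
// Assumed to match WooCommerce's option names; verify against your version.
const EXAMPLE_RETENTION_OPTIONS = array(
    'woocommerce_delete_inactive_accounts'   => 'Retain inactive accounts',
    'woocommerce_trash_pending_orders'       => 'Retain pending orders',
    'woocommerce_trash_failed_orders'        => 'Retain failed orders',
    'woocommerce_trash_cancelled_orders'     => 'Retain cancelled orders',
    'woocommerce_anonymize_completed_orders' => 'Retain completed orders',
);

/**
 * $get_option behaves like WordPress' get_option(): stored value or false.
 * Each retention option is stored as array( 'number' => '30', 'unit' => 'days' );
 * an empty 'number' means no period is set and nothing is ever cleaned up.
 */
function example_retention_report( callable $get_option ): array {
    $lines = array();
    foreach ( EXAMPLE_RETENTION_OPTIONS as $option => $label ) {
        $value  = $get_option( $option );
        $number = is_array( $value ) ? trim( (string) ( $value['number'] ?? '' ) ) : '';
        $unit   = is_array( $value ) ? (string) ( $value['unit'] ?? 'days' ) : 'days';
        $lines[] = ( '' === $number )
            ? sprintf( 'MISSING  %-25s no period set, data is kept indefinitely', $label )
            : sprintf( 'ok       %-25s %s %s', $label, $number, $unit );
    }
    return $lines;
}

// Inside WordPress, pass 'get_option'. Stand-alone, a constructed option store
// in which only two of the five periods have been configured:
$constructed = array(
    'woocommerce_trash_cancelled_orders'     => array( 'number' => '30', 'unit' => 'days' ),
    'woocommerce_anonymize_completed_orders' => array( 'number' => '3', 'unit' => 'years' ),
);
echo implode( PHP_EOL, example_retention_report( fn( $name ) => $constructed[ $name ] ?? false ) ), PHP_EOL;
```

A green report is only half the check: WooCommerce performs the actual cleanup from a daily WP-Cron event, so on a site where WP-Cron is disabled or never triggered the periods are configured but nothing gets deleted. Spot-check an old cancelled order or an inactive account after the period has passed.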

Add checkboxes

At the latest during check-out, you should add a checkbox with which the customer confirms having read your T&Cs.

You can also add checkboxes at check-out or data collection that users can click if they want to receive company-related advertising or a newsletter. If they don't click these two boxes, you may not send them ads or add them to your newsletter mailing list.
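The checkbox approach described here and under "Data collection and cookie setting only with legal basis" above is straightforward to implement, but the details decide whether the consent holds up: the box must be unchecked by default, the check must happen on the server (a browser can submit anything), and the answer must be stored so it can be proven later. The following PHP is an added example, not code from the article or from WooCommerce itself, showing two boxes at checkout: a required one for the T&Cs and an optional newsletter opt-in. The hook and function names are WooCommerce's public API; the field keys, the `_consent_*` order meta keys and the `example_` prefix are chosen for this example.

```php
<?php
/**
 * Added example, not code from the article or from WooCommerce itself: two
 * consent checkboxes at checkout, both unchecked by default, validated on the
 * server and recorded on the order with a timestamp.
 * Drop it into a site-specific plugin or the theme's functions.php.
 */

// Field definitions (example keys): key => label and whether the box is mandatory.
function example_consent_fields(): array {
    return array(
        'terms_read'         => array(
            'label'    => 'I have read the terms and conditions and the privacy policy.',
            'required' => true,
        ),
        'newsletter_consent' => array(
            'label'    => 'I would like to receive the newsletter (optional, can be revoked at any time).',
            'required' => false,
        ),
    );
}

// Only an explicit "1" submitted by the browser counts as consent; a missing
// or pre-filled value never does. WooCommerce has already verified the
// checkout nonce before any of the hooks below run.
function example_consent_given( string $key ): bool {
    return isset( $_POST[ $key ] ) && '1' === $_POST[ $key ];
}

// 1. Render the boxes just above the "Place order" button. They are empty
//    unless the customer ticked them on a previous, rejected submit.
add_action( 'woocommerce_review_order_before_submit', function () {
    foreach ( example_consent_fields() as $key => $field ) {
        woocommerce_form_field(
            $key,
            array(
                'type'     => 'checkbox',
                'class'    => array( 'form-row' ),
                'label'    => $field['label'],
                'required' => $field['required'],
            ),
            WC()->checkout()->get_value( $key )
        );
    }
} );

// 2. Server-side validation: a required box that was not ticked blocks the order.
add_action( 'woocommerce_checkout_process', function () {
    foreach ( example_consent_fields() as $key => $field ) {
        if ( $field['required'] && ! example_consent_given( $key ) ) {
            wc_add_notice( 'Please confirm: ' . esc_html( $field['label'] ), 'error' );
        }
    }
} );

// 3. Record the answers on the order object (works with both post-based and
//    HPOS order storage; WooCommerce saves the order right after this hook).
add_action( 'woocommerce_checkout_create_order', function ( $order, $data ) {
    foreach ( example_consent_fields() as $key => $field ) {
        $given = example_consent_given( $key );
        $order->update_meta_data( '_consent_' . $key, $given ? 'yes' : 'no' );
        if ( $given ) {
            $order->update_meta_data( '_consent_' . $key . '_at', gmdate( 'c' ) );
        }
    }
}, 10, 2 );
```

Two notes on using this: if you set a terms page under WooCommerce > Settings > Advanced, WooCommerce renders its own required T&C checkbox at checkout and the `terms_read` field can be dropped. And ticking the newsletter box only records the customer's wish; the subscription itself should still go through the double opt-in described above, so that the address is confirmed before any mailing is sent.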

Supplement with DSGVO plugins like German Market

Since 2012, the German DSGVO plugin German Market by Automattic has been available as a store extension for WooCommerce. German Market enables the DSGVO-compliant use of WooCommerce in Germany and throughout the EU. 

The paid WordPress plugin ensures a legally compliant design of an online store and the DSGVO-compliant handling of user data. For example, legal texts, invoices or delivery bills can be created in just a few steps.

Are you using WooCommerce in a data protection-compliant way?

Use the tips above to check whether you are using WooCommerce in a data protection-compliant manner. If you are not, you risk penalties or warning letters. Since WooCommerce is a US company, you need to take extra care to follow the rules of the DSGVO.

If you are not sure whether you are using WooCommerce DSGVO compliant on your website, try our DSGVO scanner from decareto. We will scan your website, including subpages, for data protection compliance for you. 

With decareto, you can be sure that the lawful setting of cookies, the data protection-compliant provision of forms, the DSGVO-compliant embedding of videos, and the proper use of plugins and tools are guaranteed.

If you have further questions about how to integrate WooCommerce DSGVO compliant correctly, you can also arrange a non-binding consultation with us via our website. We look forward to your inquiry!

Author: Eckhard Schneider
