GDPR Updates – AutomateWoo 4.0 & Refer A Friend 2.0

You are probably already aware of the European Union’s General Data Protection Regulation (GDPR) which comes into effect on May 25th. If not, it’s worth checking out the European Commission’s Data Protection page and WooCommerce’s GDPR info before reading this post.

We have been working on a number of changes to AutomateWoo and Refer A Friend that will help you comply with the new regulations. However, compliance is not as simple as updating your plugins; in most cases some action will be required. In this post, I’ll go through what has changed and what actions we suggest you take.

Marketing opt-in

The biggest addition to AutomateWoo 4.0 is the new ability to require customers to opt in before they receive marketing communications. Previously, the only option was to allow customers to opt out, but in order to comply with GDPR we recommend you use this new opt-in mode. If you have workflows that are transactional, such as order or subscription notifications, you can exclude these from requiring opt-in by checking the ‘Is transactional?’ checkbox when editing the workflow.

  • Can I keep using opt-out mode? Yes! Updating to 4.0 won’t automatically switch your site to opt-in mode.

When using opt-in mode, you can enable checkboxes on the checkout and account signup forms to allow customers to opt in.

We have also built a new communication preferences page and account tab which allows customers to opt out at any time via their account area. This page is also used when a customer clicks on the unsubscribe link in the footer. Customers are not required to log in in order to unsubscribe.

You can control the display of the account area, checkboxes and any text in the plugin settings. Please review these options after updating to AutomateWoo 4.0. Also please note that you may need to update to WordPress 4.9.6 and WooCommerce 3.4 in order to use some of these features.

Please note that after switching to ‘Opt-in mode’, current customers will not be automatically opted in. Non-transactional workflows will stop sending emails and SMS until customers choose to opt in. We have added a tool to import opt-ins, which means it’s possible to import a list of consented emails to AutomateWoo.

Session tracking cookie consent

AutomateWoo’s session tracking uses cookies to remember customers when they are not signed in. GDPR introduces tougher requirements for cookies where implied consent may no longer be enough and users must have the option to opt out of certain cookies.

AutomateWoo 4.0 adds the option to require cookie consent before session cookies are set, but we haven’t built a cookie consent tool into the plugin. This means you need to find your own solution such as a cookie consent plugin for WordPress. Depending on how the consent plugin works you may be able to integrate it with AutomateWoo by specifying the cookie name in settings. However, some solutions will require custom code. Please contact us if you need any help with this.

Updating your privacy policy

GDPR requires your site to have a privacy policy and WordPress 4.9.6 has added a great new tool to help you create one. We’ve integrated with the new WordPress Privacy Policy Guide and added notes and suggested text for AutomateWoo and Refer A Friend. For more info on this new WordPress feature and GDPR requirements, check out this tutorial from WooCommerce.

Personal data exporter and eraser

GDPR also means that EU residents have the right to request access to and erasure of their personal data. WordPress 4.9.6 adds a tool for admins to handle these requests and we have added support for this in AutomateWoo and Refer A Friend. This means when you export an individual’s data, any data from our plugins will be automatically appended to the file. When erasing an individual’s data, some items may be retained such as workflow logs and referral records, but any personally identifiable data will be removed.

Guest data and pre-submit capturing

Another requirement of GDPR is that consent is given before personal data is stored. Since the pre-submit capture feature of AutomateWoo allowed storing data before consent was given, we have built a tool to erase all guest data for guests that haven’t placed a successful order. We have also reduced the amount of guest data stored by AutomateWoo by removing some fields that were not in use.

Please note that due to GDPR, pre-submit capturing will be switched off after updating to AutomateWoo 4.0. You can choose to turn it on again if you wish.

  • What about abandoned cart emails? It is still possible to send these without pre-submit data capture, but the user must first either create an account, place an order or opt in on the communication signup page. We recommend only sending to users who opt in to receive marketing communication.

Anonymizing invited emails – Refer A Friend

Apart from the data access, data eraser and privacy policy integrations, there was only one other change required in Refer A Friend. Because GDPR requires consent before personal data is stored, all emails in the referral invites list need to be anonymized. To do this, simply enable the Anonymize invited email data setting and all past and future emails stored here will be anonymized.

As always, your feedback on these changes is welcome. Best of luck in getting compliant with GDPR!

About the author

After developing custom WordPress themes and plugins for several years, Dan Bitzer wrote the first line of code for AutomateWoo in 2015. He hails from Australia but loves to travel and work abroad.