TL;DR: WooCommerce sets cookies by default that require GDPR-compliant consent before activation. Without a proper Consent Management Platform (CMP), your store risks fines from the ICO (UK) or EDPB supervisory authorities. This guide covers which cookies need consent, how to configure compliance, and the most common mistakes to avoid.
Which WooCommerce Cookies Require Consent?
WooCommerce sets several types of cookies in visitors' browsers. Some are strictly necessary, but others require explicit consent under GDPR:
- woocommerce_cart_hash (session) - strictly necessary, no consent required
- woocommerce_items_in_cart (session) - strictly necessary, no consent required
- _wc_session_ (session) - strictly necessary, no consent required
- woocommerce_recently_viewed - functional/analytics, consent required
- _ga, _gid (Google Analytics) - analytics, consent required
- _fbp (Facebook Pixel) - marketing, consent required
- Affiliate tracking cookies - marketing, consent required
When Is Consent Required on WooCommerce?
Under GDPR Article 6 and the ePrivacy Directive, consent is required before setting any non-essential cookie. For WooCommerce stores, this means:
- Before loading Google Analytics or any tracking pixel
- Before storing behavioral or preference data beyond the shopping cart
- Before any third-party script that sets cookies on behalf of advertisers
- Before affiliate or referral tracking cookies are written
- Before any A/B testing or personalization cookies are activated
How to Make Your WooCommerce Store GDPR-Compliant
Follow these five steps to bring your WooCommerce store into full compliance:
- Audit all cookies: use a scanner tool to list every cookie set on your site before and after consent
- Implement a Consent Management Platform (CMP): integrate a CMP that supports Google Consent Mode v2 and blocks non-essential scripts until consent is given
- Configure Google Consent Mode v2: set the four consent parameters (analytics_storage, ad_storage, ad_user_data, ad_personalization) via your CMP before the gtag snippet fires
- Update your privacy policy and cookie notice: clearly list all cookies, their purpose, and retention period
- Test the consent flow: verify that declining consent actually prevents cookies from being set using browser developer tools
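
An added example for steps 3 and 5 (not code from this guide or from any CMP vendor): it builds the four Consent Mode v2 parameters from per-category choices and audits a `document.cookie` string against the cookie list above. The category-to-parameter mapping, the function names and the sample cookie string are assumptions made for illustration.

```javascript
// Added example: cookie names and categories follow the list in this guide.
// Affiliate cookie names are site-specific, so they end up in "unclassified".
const RULES = [
  { re: /^woocommerce_cart_hash$/, category: 'necessary' },
  { re: /^woocommerce_items_in_cart$/, category: 'necessary' },
  { re: /^_wc_session_/, category: 'necessary' },
  { re: /^woocommerce_recently_viewed$/, category: 'functional' },
  { re: /^_ga(_|$)|^_gid$/, category: 'analytics' },
  { re: /^_fbp$/, category: 'marketing' },
];

// Translate per-category choices into the four Consent Mode v2 parameters.
// Assumption: marketing consent drives all three ad_* parameters.
function toConsentMode(consent) {
  const v = (ok) => (ok ? 'granted' : 'denied');
  return {
    analytics_storage: v(consent.analytics),
    ad_storage: v(consent.marketing),
    ad_user_data: v(consent.marketing),
    ad_personalization: v(consent.marketing),
  };
}

// Parse a document.cookie string and report cookies present without consent.
function auditCookies(cookieString, consent) {
  const violations = [];
  const unclassified = [];
  for (const pair of cookieString.split(';')) {
    const name = pair.split('=')[0].trim();
    if (!name) continue;
    const rule = RULES.find((r) => r.re.test(name));
    if (!rule) unclassified.push(name);
    else if (rule.category !== 'necessary' && !consent[rule.category]) {
      violations.push({ name, category: rule.category });
    }
  }
  return { violations, unclassified };
}

// Constructed sample: what document.cookie might return after "Reject All".
const rejected = { functional: false, analytics: false, marketing: false };
const sample = 'woocommerce_cart_hash=abc; _wc_session_1f2e=x; _ga=GA1.1.1.1; _fbp=fb.1.1.1; aff_ref=42';
console.log(toConsentMode(rejected), auditCookies(sample, rejected));

// In the browser, before the gtag snippet loads:
//   gtag('consent', 'default', toConsentMode(rejected));
//   console.table(auditCookies(document.cookie, rejected).violations);
```

`document.cookie` does not expose HttpOnly cookies, so cross-check the result against the cookie list in the browser's developer tools storage panel.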
Common Mistakes on WooCommerce Stores
Pre-ticked consent boxes. GDPR Article 7(2) explicitly prohibits pre-ticked boxes. Consent must be an active, unambiguous affirmative action.
Bundled consent for all purposes. Visitors must be able to consent separately for analytics, marketing, and functional cookies. Bundling all into one checkbox violates the specificity requirement.
Consent banners that do not block scripts. Showing a banner without actually blocking the cookies underneath it provides no legal protection. The CMP must intercept script execution.
No renewal of consent. EDPB guidelines recommend renewing consent at least every 12 months, or sooner if the cookie policy changes.
Ignoring the reject-all path. The ICO (UK) requires that rejecting cookies be as easy as accepting them. A prominent 'Reject All' button must be present on the first layer.
WooCommerce GDPR Compliance Checklist
- Scan your store for all cookies (first-party and third-party)
- Identify which cookies are strictly necessary vs. non-essential
- Install and configure a GDPR-compliant CMP
- Implement Google Consent Mode v2 with all four parameters
- Verify scripts are actually blocked when consent is declined
- Add a visible 'Reject All' button on the first consent layer
- Update your privacy policy with a full cookie list
- Set consent renewal reminders (at least annually)
- Test consent flows on mobile and desktop browsers
- Document consent records to demonstrate compliance to regulators
Conclusion
GDPR compliance for WooCommerce is not optional. The ICO and EDPB have issued substantial fines for cookie consent violations. A properly configured CMP protects your business and builds customer trust.