WooCommerce is the most widely deployed e-commerce platform in Europe, an open-source plugin for WordPress published by Automattic. It is fully self-hosted, so all customer and order data stays on the merchant's own infrastructure. WooCommerce sets only strictly necessary first-party cookies for the cart and checkout flow; analytics, marketing and most third-party integrations are opt-in via additional plugins.
WooCommerce is an open-source e-commerce plugin for WordPress launched in 2011 and now developed by Automattic. It powers an estimated 30 percent of online stores worldwide and is the dominant platform for European SMEs that already run WordPress. Because WooCommerce is a self-hosted plugin rather than a SaaS, the merchant remains in full control of where the data lives and which third-party integrations are loaded.
By default WooCommerce sets a small set of strictly necessary first-party cookies: woocommerce_cart_hash, woocommerce_items_in_cart and wp_woocommerce_session_*. These cookies persist the cart, the customer session and the checkout flow. Customer accounts, orders and addresses are stored in the WordPress database. The optional WooCommerce Analytics module reads order data already in the database without sending it externally. Marketing emails, abandoned cart recovery and external analytics require dedicated plugins that the merchant chooses.
The strictly necessary cookies are exempt from consent under Art. 5(3) ePrivacy. Customer accounts and orders rely on contract performance (Art. 6(1)(b) GDPR). Marketing communications, abandoned cart automation, profiling and any third-party tracker added through plugins (Google Analytics, Meta Pixel, TikTok Pixel, etc.) require freely given consent (Art. 6(1)(a)).
WooCommerce does not transfer data anywhere by itself. The actual transfer surface depends on the hosting provider, the CDN, the email service, the payment processor and any analytics or marketing plugin. To stay inside the EEA, choose an EU host (e.g. Hetzner, OVHcloud, Infomaniak, Scaleway), favour EU-based plugins and document the residency of every external integration.
Install a consent platform (Complianz, CookieYes, OneTrust) that blocks marketing and analytics scripts before opt-in. Use the WooCommerce privacy settings to configure data retention and the predefined privacy notice template. Sign DPAs with your host, payment processor and any plugin vendor that processes personal data. Audit installed plugins regularly. Provide a documented process for data subject requests using the built-in WordPress export and erase tools.
Websites using WooCommerce must obtain user consent under the GDPR for any non-essential tracking added through plugins; the strictly necessary cart and checkout cookies themselves are exempt.
DPIA considerations
A DPIA is generally not required for standard WooCommerce stores. It becomes relevant when the store processes special category data, very large customer volumes, or extensive behavioural profiling through analytics and marketing plugins.
Sample consent text
This online store runs on WooCommerce. Cart and checkout cookies are strictly necessary. Analytics, advertising and marketing scripts are loaded only after you give consent in our cookie banner.
Third-party domains contacted
woocommerce.com, woo.com, api.woocommerce.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| woocommerce_cart_hash | first_party | Session | Strictly necessary cookie that stores a hash of the cart contents so the storefront can quickly detect when the cart changes. |
| woocommerce_items_in_cart | first_party | Session | Strictly necessary cookie that stores the number of items in the cart, used to update the mini cart and checkout summary. |
| wp_woocommerce_session_* | first_party | 48 hours | Strictly necessary cookie that stores a unique customer session identifier so cart and checkout data persist between page loads. |
| woocommerce_recently_viewed | first_party | Session | Optional cookie that stores recently viewed products to power related-product widgets in some themes. |
WooCommerce can also set a cookie for user preferences (woocommerce_recently_viewed); inform visitors about it, and about any plugin cookies, in your consent banner.
By default WooCommerce sets only strictly necessary first-party cookies: woocommerce_cart_hash and woocommerce_items_in_cart (session, store the cart state) and wp_woocommerce_session_* (48 hours, persist the customer session). woocommerce_recently_viewed is sometimes set by themes. Customer accounts and orders are stored in the WordPress database, not in cookies. Any analytics, marketing or social cookies come from extra plugins, not from WooCommerce itself.
No banner is required for the WooCommerce cart and checkout cookies because they are strictly necessary under Art. 5(3) ePrivacy. You do need consent for any third-party tracker added by a plugin (Google Analytics, Meta Pixel, TikTok Pixel, abandoned cart automation, customer review widgets, social plugins, etc.). Configure your CMP to block those scripts before opt-in.
Order processing, account creation and shipment fulfilment rely on contract performance (Art. 6(1)(b) GDPR). Tax and accounting retention rely on legal obligation (Art. 6(1)(c)). Marketing emails, newsletter subscriptions, abandoned cart recovery and any analytics or advertising integration require consent (Art. 6(1)(a)). Strictly necessary cookies rely on Art. 5(3) ePrivacy.
WooCommerce itself does not transfer data anywhere. Whether your store transfers customer data outside the EEA depends on the hosting provider, the CDN, the email service, the payment processor and any third-party plugin you install. Document the location of every external service in your records of processing.
A standalone WooCommerce store with standard products typically does not require a DPIA. A DPIA is recommended when you process special category data (health, biometric, political opinions), very large customer volumes or extensive behavioural profiling through marketing and analytics plugins.
Pick an EU host. Install a CMP that blocks marketing and analytics scripts before opt-in. Use the WooCommerce privacy settings to configure data retention and the predefined privacy notice template. Sign DPAs with your host, payment processor and every plugin vendor. Audit installed plugins quarterly. Use the built-in WordPress export and erase tools to handle data subject requests.
EU-based open source alternatives include PrestaShop (France), Sylius (France) and Shopware (Germany). Hosted EU SaaS options include Lightspeed eCom (Belgium) and Wix Stores (Israel based but with EU hosting). The privacy result depends mostly on the hosting and integrations selected.
List the WooCommerce cookies (woocommerce_cart_hash, woocommerce_items_in_cart and wp_woocommerce_session_* as strictly necessary, woocommerce_recently_viewed as optional) with name, purpose, duration and category. Add every cookie introduced by your theme, payment, shipping, analytics and marketing plugins. Document the consent mechanism and the third-party processors involved.
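One way to check both the cookie inventory this checklist asks for and the "block before opt-in" CMP requirement above, as an added example that is not part of the original page: a small Python audit that classifies Set-Cookie headers captured on a fresh, pre-consent visit against the cookie table on this page. The cookie names and the 48-hour session lifetime come from that table; the sample headers are constructed for the example, and the function names are the example's own.

```python
from http.cookies import SimpleCookie

# WooCommerce's own cookies per the page's table; wp_woocommerce_session_* carries a per-site hash suffix, so it is matched by prefix.
WOOCOMMERCE_COOKIES = {
    "woocommerce_cart_hash": "strictly_necessary",
    "woocommerce_items_in_cart": "strictly_necessary",
    "wp_woocommerce_session_": "strictly_necessary",
    "woocommerce_recently_viewed": "optional",
}
# Documented lifetime in seconds for the one persistent cookie; the others are session cookies.
DOCUMENTED_MAX_AGE = {"wp_woocommerce_session_": 48 * 3600}

def known_name(name):
    """Return the table entry covering this cookie name, or None if WooCommerce does not set it."""
    for known in WOOCOMMERCE_COOKIES:
        if name == known or (known.endswith("_") and name.startswith(known)):
            return known
    return None

def parse_set_cookie(header):
    """Parse one Set-Cookie header into name, category and Max-Age in seconds (None = session); "unclassified" means a theme or plugin added it and it needs a consent decision."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    key = known_name(name)
    return {
        "name": name,
        "category": WOOCOMMERCE_COOKIES.get(key, "unclassified"),
        "max_age": int(morsel["max-age"]) if morsel["max-age"] else None,
        "documented_max_age": DOCUMENTED_MAX_AGE.get(key),
    }

def audit_pre_consent(set_cookie_headers):
    """Cookies set before opt-in that are not strictly necessary; a non-empty result means some script runs before the CMP has consent."""
    return [c for c in map(parse_set_cookie, set_cookie_headers) if c["category"] != "strictly_necessary"]

def lifetime_mismatches(set_cookie_headers):
    """WooCommerce cookies whose actual Max-Age exceeds the duration the cookie table documents."""
    return [c for c in map(parse_set_cookie, set_cookie_headers)
            if c["category"] != "unclassified" and (c["max_age"] or 0) > (c["documented_max_age"] or 0)]

# Constructed sample headers for this example, not captured from a real store.
SAMPLE_HEADERS = [
    "woocommerce_cart_hash=3f2a9c; Path=/; HttpOnly",
    "woocommerce_items_in_cart=2; Path=/; HttpOnly",
    "wp_woocommerce_session_9d1c=abc; Path=/; Max-Age=172800; HttpOnly",
    "woocommerce_recently_viewed=12; Path=/",
    "_ga=GA1.1.123.456; Path=/; Max-Age=63072000; Domain=.example.com",
]
```

Feed it the Set-Cookie headers from a fresh browser session that has not yet clicked the banner: every name audit_pre_consent returns is either a plugin cookie to add to the inventory or a script the CMP failed to block.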