If you’re reading this, you’ve probably heard of this whole GDPR compliance thing and are wondering if it applies to your WP Simple Pay Pro payment forms, your WordPress site, and your Stripe account.
Let’s see if we can clear a few things up for you.
What Is GDPR Compliance?
On May 25, 2018, new regulations went into place within the EU that pertain to data collection.
In the simplest terms, what GDPR (General Data Protection Regulation) does is protect users from unauthorized data collection by requiring explicit consent. If data is being collected and stored, the individual providing the information needs to be aware of it and give permission before any action is taken.
Along with providing permission to collect data, the GDPR requires that users are able to request access to their data and have it removed if requested.
For more details, see this guide to the GDPR.
How to Make Your WP Simple Pay Pro Forms GDPR Compliant
Legal Disclaimer: These are simply recommendations to help you establish compliance with the GDPR and various EU laws. However, due to the dynamic nature of WordPress websites, no single plugin can offer 100% legal compliance. Please confirm this with legal counsel to determine if you are in compliance with all applicable laws for your jurisdictions and your use cases. We are not lawyers and nothing on this website should be considered legal advice.
The easiest way to comply would be to add a required checkbox to any payment forms that need to be compliant. Adding a simple checkbox field that states something like “I consent to my submitted data being collected and stored.” should suffice.
You can do this by adding a checkbox field on the On-Page Form Display tab.
Just add your consent text to the Form Field Label and indicate that it’s a required field. By making it required you’ll know that every submission is compliant because without providing consent, the submission would not complete. Example:
Appearance to your site visitors:
Since the Form Field Label can accept HTML, you can alternatively add a link to your Terms page URL within it. Example:
Feel free to copy and paste this text as a starting point.
<a href="https://your-website.com.com/terms/" target="_blank">I agree/consent to...</a>
If you choose not to make the checkbox required, you can still verify that the customer ticked the checkbox when submitting the payment from within your Stripe dashboard. Just open the payment details and check that this custom checkbox field has the value of “on” (it will be omitted if left unchecked). See Viewing Custom Field Values in Stripe. Notice we specified the Stripe Metadata Label in both custom checkbox fields as well so these labels are passed on to Stripe.
How Customer Data is Stored Using WP Simple Pay
WP Simple Pay Pro is unique to other eCommerce and form builder plugins in that all collected customer data is stored with Stripe and not in your WordPress database. Stripe already has the tools in place for GDPR compliance as a service provider. In fact, they go even further to help their customers (you) understand GDPR in great detail.
If we ever add functionality to WP Simple Pay Pro to start storing customer data in your WordPress database, we’ll definitely notify our customers via email and provide a solution to comply.
Available Privacy Tools for WordPress
As of WordPress 4.9.6, WordPress core itself is now GDPR compliant. Privacy tools have been added so you can make sure your entire site is GDPR compliant, not just your payment forms. For more details:
- WordPress 4.9.6 Privacy and Maintenance Release Notes
- The Ultimate Guide to WordPress and GDPR Compliance – WPBeginner
To export or erase Stripe data from within your WordPress admin, we recommend Privacy WP. It is a WordPress plugin that works with your WordPress site to simplify the export/erasure process; just enter the API key from your Stripe account into Privacy WP. Then, when a customer requests their information, Privacy WP will “fetch” the customer’s information from Stripe for you using the privacy exporter in WordPress, version 4.9.6 or above, and assisting you in becoming more GDPR compliant.
Preventing Cookies from Saving/Initializing on your Homepage
By default, WP Simple Pay assigns every visitor a unique identifier to later display data necessary on the payment confirmation page. This identifier is a random number that does not contain any visitor information and is stored in a cookie in the visitor’s browser.
Some folks may wish to prevent cookies from getting saved/initialized to their homepage. This can be accomplished by adding a custom filter hook function.