Ok, we all know that the EU General Data Protection Regulation (GDPR) will come into force on the 25th May 2018.
So the main question is: what changes do we need to make on our WooCommerce website to become compliant? And another important query might be: how does GDPR affect non-European WooCommerce websites?
In this article, I will tell you EXACTLY what you need to do. There are a million articles and plugins on WordPress GDPR compliance, but there is no “ultimate” blog that tells you what you should be doing.
If you don’t know what GDPR is or need a good refresher, read Wikipedia’s GDPR page or the “Introduction to GDPR Compliance for WooCommerce Stores” on the official WooCommerce blog.
Many blogs I’ve read and WordCamp events I’ve attended didn’t really give me the answers I needed. I don’t particularly care about GDPR itself, I just want to know what I need to do on my WooCommerce website.
So, let’s see what changes you’re required to make.
Please note: I’m not a lawyer and cannot guarantee this article is going to make you 100% compliant – make sure to assess your GDPR compliance with a qualified consultant.
WooCommerce GDPR Compliance: Summary
In order to be GDPR compliant, you will need to audit your WooCommerce website and marketing procedures.
Please note: EU GDPR will affect businesses both inside and outside of the EU. Any non-EU company dealing with EU customers will have to comply with the GDPR.
To achieve full compliance by the end of May 2018, WooCommerce businesses will need to:
- Tell the user who you are, what data you collect, why you collect the data, for how long you retain it and which third parties receive it (if any)
- Get a clear consent before collecting any data
- Let users access their data
- Let users download their data
- Let users delete their data
- Let users know if a data breach has occurred
If you don’t strictly adhere to these rules, you will eventually get fined up to €20 million or 4% of your worldwide annual turnover, whichever is greater…
Now, this is good to know, but actually the most important question is: what changes am I required to make on my WordPress/WooCommerce website?
Well, with my goal being translating GDPR in plain English and in “WordPressian” (a new language I just created), the 6 rules outlined above will have implications on:
- WooCommerce Terms & Conditions (Checkout page)
- WooCommerce Privacy Policy (Checkout page)
- WooCommerce User registration (My Account page)
- WooCommerce Cart Abandonment (Checkout page)
- WooCommerce product reviews (Single Product page)
- WordPress comments (Blog pages)
- WordPress & WooCommerce opt-in forms (Newsletter, Lead magnets, etc.)
- WordPress contact forms (Contact Us page, widgets, etc.)
- WooCommerce analytics (Google Analytics, Metorik, etc.)
- WordPress and WooCommerce Plugins & APIs (Payments, Email marketing, etc.)
- Breach notifications
That’s quite a lot of work… but given I have to do it for Business Bloomer, why not share it with you too? So, here are the 12 GDPR compliance steps I’m going to take and the same ones you, as a WooCommerce store owner, should work on.
Once again, please double check this with a lawyer or a GDPR consultant as I’m neither of the two.
A Quick Note re: Upcoming WordPress & WooCommerce GDPR Changes
The WooCommerce team is working hard to implement data removal and data export for a given customer (see status on GitHub), so we won’t need to worry about that part. They are possibly going to add these new functionalities to the “My Account” tabs.
Also, the WooCommerce development team posted an article on April 10th called “How we’re tackling GDPR in WooCommerce core” which I recommend you read. They confirm they’re working on releasing some improvements to the Checkout Page (mostly in regard to T&C and Privacy Policy).
Finally, WordPress itself is also working on new functionalities (here are the completed GDPR tasks) such as:
- Privacy Policy generator 🙂
- Comment Form opt-ins
- Helper functions to anonymize data
GDPR Compliance Step 1: WooCommerce Terms & Conditions
Based on Quora’s article, “What is the difference between Privacy Policy and Terms and Conditions?“, the Privacy Policy is to inform the user about the data you gather, while the Terms and Conditions (also called T&C, Terms of Service or ToS) include the legal terms and rules that bind the customer to your business.
Therefore, while the biggest changes will need to be done on your Privacy Policy (as well as showing this everywhere, see following section), you should also amend your T&C page in regard to the new GDPR terminology and the gathering of customer data from the WooCommerce checkout.
In my opinion, it’s simply sufficient to add a paragraph to your ToS that links to the revised Privacy Policy and therefore the whole personal data usage document.
If you have no T&C page at all, you can use some of the online generators (google “terms and conditions generator” or “terms and conditions template”), use a premium service like iUbenda, or alternatively take a look at T&C pages on popular ecommerce websites to get some inspiration 🙂
Needless to say – you definitely need a T&C page now and also a checkout checkbox that users must click (it cannot be “checked” by default).
Thankfully you can do that from the WooCommerce settings (WordPress Dashboard > WooCommerce > Settings > Advanced > Page Setup > Terms and Conditions > Select a Page):
Once this is done, the WooCommerce checkout will show a checkbox on the checkout page with default text and a link to the T&C page you selected in the previous step:
To-do list:
- Create a T&C page if you have none (you can use a T&C generator or take a look at popular ecommerce T&C pages – remember to refine the document for your specific legal agreements and have it revised by a lawyer)
- Add a new GDPR paragraph to your T&C that links to your Privacy Policy page
- Use the WooCommerce Checkout Settings to add a checkbox to the Checkout page
GDPR Compliance Step 2: WooCommerce Privacy Policy
The Privacy Policy page is the one that requires a lot of editing and copywriting. On top of this, we will need to show the Privacy Policy opt-in message on the checkout page and other places, such as contact forms and opt-in forms (see following sections).
In regard to the Privacy Policy page content, you must inform the user about the data you collect, store and use.
Once again, the suggestion here is to take a look at the Privacy Policy pages of reliable ecommerce websites and see how they’re approaching the new GDPR rules.
Surely, you will need to cover the following:
- who you are (company, address, etc)
- what data you collect (IP addresses, name, email, phone, address, etc)
- for what reason you collect the data (invoicing, tracking, email communication, etc)
- for how long you retain it (e.g. you keep invoices for 6 years for accounting purposes)
- which third parties receive it (MailChimp, Google, CRM, etc)
- how to download data (either automatically or by emailing the Data Protection Officer)
- how to delete data (either automatically or by emailing the Data Protection Officer)
- how to get in touch with you for data-related issues (the contact details of the assigned Data Protection Officer, probably you)
Please note: WordPress is working on a Privacy Policy document generator, so if I were you I would wait a little longer and use their upcoming functionality (it will be added to the “Tools” menu in the dashboard) to save time.
Now that you’ve written your Privacy Policy, you need to show this on every page of the website (a link in the footer would do) and – on top of that – a privacy policy checkbox on any opt-ins, user registration forms and checkout forms.
Based on the useful comments I received on this article, users need to actively “check” or “agree” to the Privacy Policy (exactly in the same way people do so with your T&C) so you must show a checkbox (and you cannot pre-select that checkbox by default).
So, how do you add a “Privacy Policy” checkbox on the checkout page? Well, in this case you can add a second checkbox, on top of the default “I’ve read and accept the terms & conditions”.
This second checkbox might say something like “I’ve read and accept the Privacy Policy” (or a more user-friendly label such as “Your personal data will help us create your account and support your user experience throughout this website. Please read and accept our Privacy Policy document, where you can find more information on how we use your personal data”). You can use a simple WooCommerce snippet to add another checkbox to the checkout, including validation in case this is not checked by the customer.
So, this concludes the Privacy Policy work.
To-do list:
- Create a Privacy Policy page if you have none or wait for WordPress to release their PP generator
- Add who – what – how – why – when to Privacy Policy
- Display link to Privacy Policy in the footer
- Use a WooCommerce snippet to display the Privacy Policy on the checkout page
GDPR Compliance Step 3: WooCommerce User Registration
Ok, now that you got a little more familiar with the GDPR, we’ll fly through the next WooCommerce website changes.
The WooCommerce “My Account” page has a registration form with username and password, if you’ve enabled this from the WooCommerce settings (WordPress Dashboard > WooCommerce > Settings > Accounts & Privacy > Enable customer registration on the “My account” page):
As this is personal data, we need to show the Privacy Policy checkbox on the frontend, similarly to what we’ve done on the checkout page.
Also remember to only collect information you strictly require to run your business (more in a following section).
Here’s a snippet that allows you to add content on the WooCommerce My Account Register form – however, you will need to change the hook: instead of “woocommerce_register_form_start”, try “woocommerce_register_form_end” so that your HTML checkbox can be positioned below the register button (NEW! Here’s the working snippet to add Privacy Policy consent: https://businessbloomer.com/woocommerce-add-privacy-policy-consent-my-account-registration/).
To-do list:
- Double check if you have enabled WooCommerce My Account registrations
- If yes, add a Privacy Policy checkbox to the registration form with a WooCommerce snippet
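The checkout checkbox from Step 2 and the registration checkbox from this step, written as one added example (this is not the article's linked snippet and not WooCommerce's own code). The `example_` prefix, the field name and the meta keys are hypothetical; it assumes WordPress 4.9.6+ for `get_privacy_policy_url()`, and it also stores the time consent was given, which the article does not ask for.

```php
<?php
/**
 * Added example, not the article's or WooCommerce's own snippet.
 * The example_ prefix, field name and meta keys are hypothetical.
 */

const EXAMPLE_CONSENT_FIELD = 'example_privacy_consent';

/** Print the consent checkbox. It is required and never pre-checked. */
function example_render_privacy_checkbox() {
	// get_privacy_policy_url() exists since WordPress 4.9.6 (assumption:
	// the site runs that version or later and has a policy page set).
	$label = sprintf(
		'I’ve read and accept the <a href="%s" target="_blank" rel="noopener">Privacy Policy</a>',
		esc_url( get_privacy_policy_url() )
	);
	woocommerce_form_field(
		EXAMPLE_CONSENT_FIELD,
		array(
			'type'     => 'checkbox',
			'class'    => array( 'form-row', 'privacy' ),
			'required' => true,
			'label'    => $label,
		),
		0 // Unchecked by default: consent has to be an active choice.
	);
}
// Checkout page, just above the "Place order" button.
add_action( 'woocommerce_review_order_before_submit', 'example_render_privacy_checkbox' );
// My Account registration form, below the register button (hook named in the article).
add_action( 'woocommerce_register_form_end', 'example_render_privacy_checkbox' );

/**
 * Server-side check. The browser-side "required" marker can be skipped by
 * anyone posting the form directly, so the decision is made here.
 */
function example_consent_given() {
	return ! empty( $_POST[ EXAMPLE_CONSENT_FIELD ] );
}

// Checkout: block the order when the box was not ticked.
add_action( 'woocommerce_checkout_process', function () {
	if ( ! example_consent_given() ) {
		wc_add_notice( 'Please read and accept the Privacy Policy to proceed.', 'error' );
	}
} );

// Registration: block account creation when the box was not ticked.
add_filter( 'woocommerce_registration_errors', function ( $errors ) {
	// Only act on the My Account form, whose submit button is named "register".
	if ( isset( $_POST['register'] ) && ! example_consent_given() ) {
		$errors->add( 'example_privacy_error', 'Please read and accept the Privacy Policy to register.' );
	}
	return $errors;
} );

// Keep a record of when consent was given (UTC, ISO 8601).
add_action( 'woocommerce_checkout_create_order', function ( $order ) {
	if ( example_consent_given() ) {
		$order->update_meta_data( '_example_privacy_consent_at', gmdate( 'c' ) );
	}
} );
add_action( 'woocommerce_created_customer', function ( $customer_id ) {
	if ( example_consent_given() ) {
		update_user_meta( $customer_id, 'example_privacy_consent_at', gmdate( 'c' ) );
	}
} );
```

Place it in a child theme's functions.php or a small site plugin, then submit both forms with the box unticked to confirm the server rejects them.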
GDPR Compliance Step 4: WooCommerce Cart Abandonment
This is a huge, super important, heavily affected WooCommerce functionality. Cart Abandonment plugins collect email addresses without consent. In fact, when a user is on the checkout page and enters her email address without completing the payment, she had “no time” to tick & accept the Terms and Conditions and read the Privacy Policy.
This is against the GDPR, which requires explicit consent (i.e. ticking a box).
Hopefully, the major Cart Abandonment plugins (YITH and Jilt) are already working on this and will provide you with a workaround to comply with GDPR.
Either way – I fear we might need to add a privacy policy link or – even worse – a checkbox below the WooCommerce Checkout billing email address field.
Here’s how I imagine it:
In order to add that HTML content, I simply edited the “billing_email” checkout field label by using a default WooCommerce filter. If you want to give it a go, follow this WooCommerce tutorial: https://docs.woocommerce.com/document/tutorial-customising-checkout-fields-using-actions-and-filters/#section-2
Another alternative could be to enable a “multi-step” checkout (though that’s terrible for your conversion rate) where you only collect an email address in the first step and give users a checkbox for consent. Only then do you move to step #2 and make them complete the checkout.
Or you could “disable guest checkouts” from the WooCommerce settings. Once again, a terrible idea for your sales conversion rate, but a very good one indeed for GDPR… In this way users will be required to create an account in order to proceed to checkout – and you can therefore use your Cart Abandonment strategies with no hassle.
To-do list:
- Ask WooCommerce Cart Abandonment plugin developers how they are going to implement GDPR compliance
GDPR Compliance Step 5: WooCommerce Product Reviews
Ah, product reviews! In ecommerce, they really matter, don’t they?
Of course, reviews contain personal data. You got it, you need user consent.
A good way to avoid this “consent” is to only allow logged in customers who purchased the product to leave a review (under WordPress Dashboard > WooCommerce > Settings > Products > General > Reviews can only be left by “verified owners”):
This is a nice compromise. Customers will have already opted-in to your T&C and Privacy Policy, so nothing will need to be added to the product review form if they’re logged in.
If you allow reviews from non-logged-in, non-purchaser users, that’s another story. Not sure why you’d do that, but in this case you’ll need to add the Privacy Policy checkbox to the product review form.
Simple as that 🙂
To-do list:
- Tick the “Reviews can only be left by “verified owners”” checkbox in the WooCommerce settings
GDPR Compliance Step 6: WordPress Comments
If your WordPress pages and posts have comments enabled, here comes another GDPR compliance problem.
Users are usually prompted to enter their name, email address and website URL together with their message without the need to register an account (this happens on Business Bloomer for example, but maybe in your case you might force user registration in which case you’re GDPR compliant in regard to WordPress comments by default).
This information (which also includes the user IP address and cookies to “remember” the user comment input fields if she wants to submit a second comment) is then stored within the WordPress Dashboard (Comments), WordPress single pages and single posts (Edit Post > Comments) and of course in your WordPress Database.
Once again this is pretty simple – you will need to add a Privacy Policy consent message in the “Leave a comment” form and a “cookies opt-out”.
I use the default WordPress Comments and they are working on making the comment form UX smoother and GDPR-friendly.
To-do list:
- Use the default WordPress Comments (GDPR updates coming soon) or select a GDPR-compliant WordPress Comments plugin
- Make sure to display the Privacy Policy checkbox before users submit a comment
GDPR Compliance Step 7: WordPress & WooCommerce Opt-in Forms
An opt-in form is a contact form where users enter their name and email address (usually) to join your email marketing list (or database of contacts).
First of all, you must remove all automatic opt-ins on your site. All checkboxes must be not checked by default (a “checked” checkbox by default cannot imply acceptance).
Besides, are you passing those email addresses to sub-companies or other partners? Hopefully not…
Either way, users must:
- consent
- know why their personal data is needed (“Enter your email address to receive our weekly newsletter“)
- give you only relevant information (to join your newsletter you don’t need to ask for the date of birth… unless you want to send them a gift on their birthday! In this case, you’ve got to make it clear WHY you want that personal piece of data)
- know how to delete/download the data at any time
- know how to opt-out
Usually, an opt-in form is tied to specific software, e.g. Mailchimp. In this case, Mailchimp should be providing you the “revised”, GDPR-compliant opt-in form in an upcoming plugin release.
Whoever you send that email address to, make sure they are reliable (Mailchimp, ConvertKit, Aweber, etc.) and that they are actively working on HELPING you be GDPR-ready.
To-do list:
- Audit all your opt-in forms
- See if your opt-in form / newsletter / email marketing provider has a GDPR solution
- Make sure to display the Privacy Policy checkbox before users opt-in
GDPR Compliance Step 8: WordPress Contact Forms
Many of us use Contact Form 7, Ninja Forms, Gravity Forms etc. on our Contact Us pages and other WordPress pages.
These forms now require Privacy Policy consent.
Simply put, you should add a checkbox (very easy with any of the above plugins) close to the “Submit” button, to make sure users are agreeing to your Privacy Policy.
To add an “acceptance checkbox” to Contact Form 7, for example, look at https://contactform7.com/acceptance-checkbox/
To-do list:
- Add Privacy Policy checkbox to all your contact forms
- If the contact form is going to store personal data in a database and/or is tied to an email marketing software, you need to tell your users why and where you’re storing data
GDPR Compliance Step 9: WooCommerce Analytics
I wrote a big article last week on advanced WooCommerce tracking. Whether you use Google Analytics, Metorik, or both, you’re capturing user data and using cookies without consent. Same applies to Google AdWords, Facebook pixels and similar.
The best thing to do in this case is to check each provider’s GDPR policy, because THEY are collecting the data and not YOU. You’re just passing data to THEM: “Under the GDPR, if you use Google Analytics, then Google is your Data Processor. Your organization is the Data Controller since you control which data is sent to Google Analytics“.
According to Google Analytics Team (they sent an email to all account holders on April 11th 2018):
- GDPR requires your attention and action even if your users are not based in the European Economic Area (EEA)
- They introduced granular data retention controls that allow you to manage how long your user and event data is held on our servers. Google Analytics will automatically delete user and event data that is older than the retention period you select
- Before May 25, Google Analytics will also introduce a new user deletion tool that allows you to delete all data associated with an individual user (e.g. site visitor) from your Google Analytics properties
- GA remain committed to providing features for customizable cookie settings, privacy controls, data sharing settings, data deletion on account termination, and IP anonymization
- They are also updating their policies as Data Processors
Indeed, I just found this new section in my GA account:
Also, if you use Metorik for tracking and reporting, then take a look at their “Metorik & GDPR” article where you will find detailed information.
To-do list:
- Only use reliable, GDPR-compliant tracking software
- Ask software providers how they’re handling GDPR compliance
- Add to your Privacy Policy who handles your tracking data
GDPR Compliance Step 10: WordPress and WooCommerce Plugins
This is a very important section, but I won’t keep you here for too long.
It’s very easy.
Does plugin _____ either get, read, store, use, edit, handle, access user personal data?
Simply ask yourself this question for each plugin.
If the answer is yes:
- make sure it’s a reliable plugin
- make sure they are GDPR ready
- make sure to add the plugin to the list of “third parties” that get access to user data in your Privacy Policy
If the answer is no:
- are you 100% sure?
- really, really sure?
- good then, you don’t need to do anything
The beauty of GDPR is that the WordPress ecosystem will improve exponentially in regard to data handling, security, transparency.
Who knew GDPR was actually a good thing!
To-do list:
- Ask yourself the “magic” GDPR question about each plugin and theme
- Select GDPR-compliant plugins
- Discard non-GDPR-compliant plugins
GDPR Compliance Step 11: WordPress and WooCommerce APIs
We already mentioned this before, but “API” covers a lot of different applications. But first, what the heck is an API (in plain English pleaseeee)?
An API (Application Programming Interface) is basically “a piece of code” that allows you to access an external software without ever leaving your website.
An API is used for transmitting data between two parties. A good analogy is to think about a bus traveling from one city to another, back and forth, moving people between the two points (data). Another good one (allow me to be a little Italian about it!) is to think about an API as a waiter that takes your pizza order and lets the kitchen know what toppings you want 🙂 Either way, an API is a “data connector” – private data might be passed from your website to another software and vice versa, hence GDPR applies.
Examples:
- users can join your Mailchimp list without ever leaving your website, thanks to Mailchimp API
- users can checkout with Stripe without ever leaving your site, thanks to Stripe API
- and so on…
Facebook, Twitter, any kind of third party software give you APIs. These APIs connect your WooCommerce store to the outside world, passing data to it – possibly private, personal user data.
As long as you know:
- what APIs you use
- what data is sent
- if the API is GDPR compliant
…then you’re good to go. As usual, you have to add to your Privacy Policy the detailed list of APIs that handle user data.
To-do list:
- Audit all your APIs
- Discard non-GDPR-compliant APIs
- Add APIs to your Privacy Policy
GDPR Compliance Step 12: Breach Notifications
Under the GDPR, if your website experiences a data breach this needs to be immediately communicated to those users affected by the breach. A notification must be sent within 72 hours.
What’s a data breach by the way?
Well, this occurs when personal information is passed to:
- an unauthorized data processor or subcontractor
- a non-GDPR compliant body
- a third party without the knowledge of the data subject
- a hacker
On top of this, you will need to have a security data breach response plan and process in place.
To-do list:
- Secure your WordPress/WooCommerce website please!
- Subscribe to all your third-party software / API providers so that you can become aware as soon as a data breach that affects your users occurs
- Reduce the amount of data you store. Brilliant workaround, isn’t it?
- Have a data breach emergency plan
(NEW!) GDPR Compliance Step 13: Consent From Existing WooCommerce Customers / Subscribers
One of you brought this up, so I did some research in regard to GDPR, WooCommerce and whether the new privacy changes should be retroactive or not.
Well, at the same time, I got several emails from various websites I’m subscribed to – asking me to accept their new T&C and Privacy Policy.
You can see where I’m going: GDPR is also retroactive. You must re-contact all your existing subscribers, customers, users, and ask them to actively give you “consent” as well as telling them how to download, delete or access their personal data.
It seems, however, it really all depends on how you captured the user data pre-GDPR:
1) Consent was provided, and asked in a GDPR compliant fashion
2) Consent was provided, but asked in a not compliant GDPR fashion
3) Consent was not provided
If you are within 2) or 3) you have two choices:
- Email existing users asking them to consent to your new policy
- Delete existing users (oh, it has been done already!)
You can use your email marketing platform to reach out to your existing customers/subscribers if you imported your WordPress users into it at the time.
Otherwise you can download the WooCommerce “customers” with an export/import plugin, or even use an app called Metorik to reach out to your customer database.
Marketing Stuff You Can’t Do Any Longer
We’ve seen so far what you should work on… but what about those “gray area” strategies some people have been using so far on their WordPress/WooCommerce websites?
Well, this needs to stop:
- Sending unsolicited emails (no more buying email lists please)
- Sending emails unless the shopper has opted in (hello, cart abandonment…)
- Sending unsolicited text messages (you need consent for this too)
- Doing any kind of “shady” marketing
Hopefully you haven’t been doing any of this – nothing has changed. The only difference is that you will now be fined. I love GDPR 🙂
GDPR Compliance for WooCommerce: Wrapping Up
GDPR is not simple and is somewhat a gray area.
If you have experience within EU with digital sales, VAT, cookie laws and so on – you already know this is madness. Each accountant thinks about this differently.
And you can expect the same with GDPR. Each lawyer, company, user will think about this differently. Interpretations will be completely contrasting.
So, instead of waiting… please take action!
Complete steps 1-12 for your WooCommerce website and get some legal advice, no matter if you’re based in EU or not. Or at least make sure to use only GDPR-compliant plugins and APIs, and write that Privacy Policy you’ve been postponing for the last 20 years…
If you want to contribute to this post, give me useful links, correct any unlawful thing I might have written, please use the comment area below.
Here are documents you can get some inspiration from:
- Business Bloomer Terms and Conditions
- Business Bloomer Privacy Policy (coming soon)
Good luck with GDPR!
Great article, do you have recommendations about an initial cookie banner before loading the website? As far as I understood it you would need to get consent from the user BEFORE loading the page (and saving cookies therefore).
How does one achieve this without going into coding a custom code into your php to show a popup before loading the rest of the page?
Yes, there are plugins for that. Honestly speaking, though, not even Amazon does that, so I don’t think it’s really a requirement
I don’t seem to have the ‘Checkout’ tab in my Woocommerce Settings
You’re right! It’s in the Advanced tab now
The more I browse your site, the more impressed I am with your content! Once again, an article that is really going to help me grow and learn as an online businesswoman. Thanks! – Jessica
Cheers!
Hi
I’ve just released my first WordPress plugin.
It’s a cookie consent notice banner that helps with GDPR compliance.
Please take a look
https://wordpress.org/plugins/cookie-notice-and-consent-banner/
Nice
Very helpful article.
I think the link of step 3 should be https://businessbloomer.com/woocommerce-add-privacy-policy-consent-my-account-registration/
Thanks Mikel 🙂
Great steps for Woocommerce website to comply with GDPR.
Thanks 🙂
Hello Rodolfo Melogli,
Thanks for the great article, this is really helpful for me.
Also, I have a question about the checkout guest account.
Right now, when you add a product to the cart, then in the checkout you can fill in all the fields with your information but without a WordPress login. There is a simple option to create an account but it is optional.
But how can I give the user the option to select an account, i.e. the user can select whether they place the order with an account or as a guest?
Like I put two select boxes, so that when the user selects guest they don’t need to enter a password, otherwise the account is created on the site and the order is placed.
Can you please guide me in the right way?
Thanks & regard
Rohit vaghasiya
Hi Rohit – thanks so much for your comment! There must be a plugin that allows users to choose between “guest checkout” and “login only checkout” but I don’t remember its name at the moment. Sorry 🙂
Hi again Rodolfo, and everyone reading this!
I am now a month into implementing GDPR into my woocommerce webshop… getting more and more frustrated.
Being by nature perfectionist, i have started deep research on what do i need to do be fully GDPR compliant and i have started implementing one by one thing… but the deeper i dig the more problems i discover and all those problems need GDPR compliance solution…
This article summarizes it very well but at the end, what have i learned?
EVERY single law advising website has its own view of “how” to do things, even though most of them copy/paste GDPR law and present it quite clear. Ok, by this time i know what the law is and what it means but to actually fully understand HOW to implement it and be fully compliant is far far from being clear.
If you only use the WooCommerce plugin and only that one, that’s a bit easier, but adding anything else and being compliant is just mind bending…
Take contact form for example: I have “your email” and “your message” field, yet i need a checkbox for “i accept privacy policy…” before someone can contact me?! Someone actually wants to contact me and to get a reply or an answer, and how do they do that if they do not enter any contact details… then what happens with those details? my web host has it, my gmail account has it… how can i guarantee that those person’s email address is “safe” and protected? Am i sharing that email in a way i am not aware of? IS it really safe from the moment it has been typed in into my form?
Consent on newsletter subscription, double, triple… opt-in? Maybe it’s just me but we are not talking about a kidney transplant here, you see the subscription field, you want to receive the newsletter, you subscribe and get the option to unsubscribe… It’s not like I am asking for a social security number… it’s a simple email newsletter for God’s sake!
Cookie policy? ok, WP and WC use cookies but how do i know what cookies my website uses? Do i need to list them all? Should there be a way for site visitors to “reject” use of cookies? Is there a way to really disable all cookies and would user then be able to have any use of the website he’s visiting?
Abandoned cart? OK, i can live without this, only other option seems to be adding like 5 checkboxes at the top of checkout page, making my entire website now full of checkboxes, whatever you click on its: “oh wait, there’s another checkbox i have to tick”…
At the end, as with ANY audit, if a website is to be audited, i think that there is NO WAY anyone would be fully compliant. Sure, we can, and have to try to implement things but to be honest, what i would like to do the most is to have a single popup once the website is accessed, and you would have to agree to everything (like 32 checkboxes) just to be able to open and access the website.
We collect various personal data, there are some plugins and third party services collecting it as well, if you want to use our website, you would need to give a clear consent to this. 🙂
Yes, you can see my frustration here, but the more i dig into this the more i am sure i will never be 100% compliant. So now, closing my business not to worry about anyone’s personal data or going insane with every potential “security hole” that my website has…
Cheers,
Alek
Thanks for your feedback Aleks, I understand your frustration 🙁
Thank you so very much!
your article is the best i have found so far and helped me a lot!
Thank you so much Orit 🙂
Grazie Rodolfo,
This is one of the best guides I read so far about GDPR!
One note on Google Analytics: my understanding is that if data is anonymized, there’s no need to ask for consent before tracking.
This helps to keep the statistics working fine and useful.
What do you think?
Thanks
Daniele
Thanks Daniele! Not sure about GA – try asking them 🙂
Hi Rodolfo,
Many thanks for this great article, helps a lot to people like me, small online shop owners who struggle to comply with GDPR.
Now, i do have one specific question on email newsletter signup and GDPR… I am using Mailchimp and i see now they have GDPR fields on some of the forms, thats great and i went to make a new GDPR form.
Now, this is important: I am using signup for periodic (5-6 times a year) email newsletter about new products, sales, promotions… so basically a simple newsletter on my products.
“Options” field on Mailchimp GDPR forms are check-boxes, ok, so I create a checkbox that says “yes I want to receive newsletter from you”… but then on the signup form, the user can simply enter an email and click on “subscribe” without checking that checkbox, signup successful…
So, they have subscribed to my newsletter without ever checking that box…
From what you wrote:
– consent
*** isn’t it already consent if someone voluntarily insert their email in a form that says “enter your email to get periodic email newsletter from us”?
– know why their personal data is needed (“Enter your email address to receive our weekly newsletter“)
**** from above, they already know why we “need” their email… for sending them periodic email newsletter
– give you only relevant information (to join your newsletter you don’t need to ask for the date of birth… unless you want to send them a gift on their birthday! In this case, you’ve got to make it clear WHY you want that personal piece of data)
*** email only of course
– know how to delete/download the data at any time
*** described in the Mailchimp confirmation email, they can always opt out or delete their email from a list
The main question here is, isn’t it enough of a CLEAR consent the fact alone that my form says “please insert your email to receive occasional email newsletter from us”? Then users voluntarily and knowingly insert their email as they want to receive my newsletter… is this enough or do I need a “GDPR” form?
Many thanks and keep up the great work!
Alek
Hey Alek, thanks so much for your message. I can’t answer this as I’m not a lawyer – I have no idea and I’m not sure what the solution is in your specific case. Try asking Mailchimp support maybe? Sorry 🙂
I’d say you need the checkbox. I suspect that plenty of people see where to enter their email address and may not read the accompanying text, whereas if they tick a box, they need to read the text to know what they are agreeing to – explicitly.
I’m not a lawyer either btw!
Hi Alek and Rodolfo
I have the same question which may be answered here: https://codelight.eu/wordpress-gdpr-framework/knowledge-base/do-my-newsletter-signup-forms-need-a-consent-checkbox/
Short answer no, but note the long answer. However, I wonder if the long answer is solved by changing your “to receive occasional email newsletter from us” to something like “to receive occasional email newsletter from us full of great tips and special offers”. In other words being more specific about newsletter content and that it includes marketing.
The other approach is to replace your on-site signup form (name, email) with a Subscribe button and then link to a MailChimp GDPR signup form – See here: https://www.youtube.com/watch?v=3_hdGLmHutk
However, contrary to the video I think you only need one Marketing Permission option (email) and then you explain in the MailChimp form text that your emails contain offers as well as advice.
I’m now trying to decide which approach to take for my site, (which is under construction and now delayed thanks to GDPR), so would love to hear what others think of these approaches.
Many thanks to Rodolfo – your post is a great help!
Dave (who most definitely is not a lawyer)
Hey Rodolfo!
I see Woo’s solution for the Registration privacy policy is just text with a link and no checkbox. Is this sufficient? Or should there be a checkbox no matter what?
Thanks a bunch!
P.S. Or is it enough to say “I accept the privacy policy” WITHOUT a bunch of text explaining what the data is used for?
Hey Sharon, it depends what use you make of those registration fields. It could be a “legitimate” use of personal data as this is necessary to buy your products for example – in that case it seems you need no checkbox. But if you use that data for other uses, such as email marketing, promotional material, etc, then maybe you need a checkbox 🙂
Thanks for getting back to me, Rodolfo! (I can’t seem to reply under your last comment so I’ll just clarify my question here.)
I have checkboxes on all of my opt-in Forms that say, “I’ve read and agree to TNC’s Privacy Policy.” Do I need to include a thorough explanation of why I’m collecting information AND this checkbox? Or is a checkbox with this short statement enough?
And if this is something you’d rather not get into, I totally understand! 🙂
Thanks again!
Not 100% sure, but once again if you’re making a legitimate use of Personal Data then you just need a link to your Privacy Policy on your T&C page (MAYBE :D)
In the new WordPress 4.9.6 we have new tools, but where are the consents from users?
Hey Pankoszyk! I think you can add a cookie consent with a Jetpack widget, contact form checkboxes with your contact form plugin, WooCommerce privacy policy opt-ins with https://businessbloomer.com/woocommerce-additional-acceptance-checkbox-checkout/ and https://businessbloomer.com/woocommerce-add-privacy-policy-consent-my-account-registration/ – hope this helps 🙂
I wish I could hug you, Rodolfo.
This post–and all of the side-posts–are fantastic and have helped so much.
Thank you for blazing the way through the GDPR–and making it a whole lot easier for the rest of us.
Thanks for your amazing feedback Sharon 🙂
Hi Rodolfo, great post! When will the Privacy Policy example be available?
Thanks Mike! Here’s my new PP: https://businessbloomer.com/privacy-policy/
Hi Rodolfo!!! as usual GREAT POST!
WordPress has now released 4.9.6 and WooCommerce just released 3.4 with important changes in privacy management… now we have the erase and download tools… but it seems they are only for admin users… how can we expose them in the my-account page of a “simple” buyer account?
Hey Angelo, thanks for your comment! I’m not sure if WooCommerce is going to work on this soon, I would wait a little to avoid wasting coding time 🙂
Jilt is betting on the “Legitimate Interest” clause: https://jilt.com/gdpr/
Interesting, thanks for pointing that out Ewout!
A very helpful GDPR guide. But don’t forget to tell people that they (like you) should be documenting all of the steps that were taken to evaluate and improve the organization/website privacy practices. This will help you with the Article 30 requirement as well as the overall accountability principle.
Thanks a million Rob 🙂
Hi Rodolfo, stunning post! You helped me a lot! Just a question: can I retrieve the list of APIs that actually carry personal data? Thank you
Thanks Marzia 🙂 I have no idea, sorry! Hopefully someone reading this comment can help?
I have seen several blogs and Facebook posts mention your article. And I see why. What a great source of info! Thanks!
That being said, I would love to understand better what to do with cookies. Do I need specific consent for using them? Do I need to mention the use of cookies in the Privacy Policy? If so, how specific should it be?
And I also wonder if my current way of working is still allowed: my shop requires registration to see prices and to order products. On the registration form I make specific mention that upon registration they automatically sign up for my newsletter. But I currently don’t have a specific opt-in for the newsletter. Is this ok?
Final question: I see quite some mention elsewhere that the double opt-in is needed to collect evidence that you have specific consent for user registration and newsletter sign up. Is this really needed?
Hey Ludo, thanks for your comment! I’ll try to help you based on my personal (not legal) opinion:
– Double opt-in: not required
– Auto-registration to newsletter: gray area… at least add to ToS and Privacy Policy. Provide easy opt-out
– Cookies consent: add info to Privacy Policy
Hi Rodolfo,
Thank you for the reply. It is really helpful to get your take on this.
Regarding the cookies:
I came across this article: https://www.itgovernance.eu/blog/en/how-the-gdpr-affects-cookie-policies. It states that explicit consent is needed before you may use cookies.
This seems to be confirmed by this site: https://www.cookiechoices.org/intl/en/ [from an email from Google on the GDPR].
That last site includes some suggestions for tools to add cookie control. It is interesting to see that some take a different approach. CIVIC disables the cookies until consent is given. Cookiebot seems to have cookies enabled by default with the option to opt-out. The latter doesn’t seem in line with the GDPR demanding that users actively opt-in.
Anyways, I am getting the strong impression that more is needed than just adding info on the cookies in the Privacy Policy.
Excellent, thanks Ludo!
This is a great blog post. Thank you Rodolfo!
A quick clarification question if I may: if someone makes a purchase, are we no longer permitted to send them “welcome” emails UNLESS they specifically opt into this?
That seems to go against a positive on-boarding experience…
Hey Jason, thanks for your comment! I’m sure you are allowed as they are paid customers and your welcome email is pertinent to the purchase. Also, they accepted your Privacy Policy, therefore they know what they can do with that email marketing sequence. Hope this helps 🙂
What sucks most about this? I go on holiday on the 23rd!
I wish WordPress, WooCommerce, Facebook, Google and these other so-called unicorns had planned a month ahead instead of leaving it until the last few days to add these features.
David, thanks for your comment! And that’s a good point, mostly in regard to WordPress/WooCommerce. I believe Facebook and co. already updated all their policies, while WordPress/Woo are “about” to release their GDPR fixes. I’m sure there will be a “window” to get GDPR compliant, mostly for us small businesses… let’s hope those fixes are bug-free anyway!
Hello Rodolfo,
thank you very much for your excellent tutorials, they really help me a lot (they’re clear and very well written).
I have a question about WooCommerce and GDPR and it’s a thing that’s been “bugging” me long before the new Privacy rule…
If you check the WC orders and click on the customer address you get to see a Google map! Is there a way to get rid of this option? I can hardly imagine this option is GDPR compliant!
Thank you for your time,
Eva
Hello Eva, thanks for your comment! I guess if collecting the customer address is GDPR compliant, then the Google Map is not a problem. Surely there is a way to disable that via PHP, but I wouldn’t worry too much. As usual, try contacting a GDPR expert and don’t rely too much on what I say 🙂
GDPR…. Groan. Who put the EU in charge of the internet? I’m lucky to get 10k visitors a month, less than 5% of total visitors from the EU but because I advertise and sell there (sell worldwide but only ship to selected countries, none in the EU) I have to do this rubbish.
On the email form I can see it being different IMHO. The text and requirement doesn’t comply with the GDPR rules. I can possibly see it being a non-required field with possibly a checkbox. If they enter their email they opt in but if they don’t then you simply can’t communicate with them, which is dumber than dumb. Who’d have thought politicians and bureaucrats could think of something so incredibly dumb and cumbersome?
Hey John, thanks so much for your comment! I understand your frustration and trust me, GDPR is nothing in comparison to something called VAT MOSS here in the EU… totally confusing and misleading. GDPR is actually a good thing in my opinion, and the rest of the world will soon adapt to it with their own version. It’s great to look after your website users. The more clarity, more honesty and the more the trust 🙂 Let’s hope WordPress and WooCommerce are going to help us soon on this, so the major problem is now with other plugins – one by one they should be helping you comply. Good luck 🙂
Hi Rodolfo, wonderful article, so clear and useful! Thank you so much for clarifying so many questions I had regarding GDPR!!!
Could you please give us more details on cookies opt-out? I know some of them must be always active, others can be toggled on or off, others must be configured from a 3rd party.
So far I managed to identify only a small part of the cookies my web-store is using (even using CookieBot plugin), the rest I don’t know which plugins are placing them and for what purposes (I found no useful info on the web about them).
For instance, a certain plugin is placing a cookie that my users must be able to toggle on or off when they enter the site. Right now the plugin doesn’t offer any hook or something to allow me to toggle its cookie on or off. So what is the solution, other than waiting for the plugin author to make his plugin GDPR compliant or deleting the plugin from my site? I cannot give up so many features, or should I?
(the examples I found so far are only for cookies placed by Google Analytics scripts, and those are pretty simple)
Thank you once again!
Hey there, thanks so much for your comment! I’m not entirely sure here, as it really depends on the plugin you use. Maybe it would be better if you asked each plugin developer for more info? Let me know and keep us updated 🙂
Hi Rodolfo
I am having an issue implementing the check box on my registration page.
Maybe it is my lack of understanding of the coding but I just can’t get it to work.
I have managed to get the privacy policy check box working on the checkout page.
Do you have a full snippet for the registration page add functions?
I have basically tried mashing up the two you link to above but I am guessing I am doing something wrong.
Hey Aston! WooCommerce 3.4 will have this by default, if you wait until May 23rd you won’t require a snippet 🙂
I did the same thing and kept ending up with a syntax error. I started sifting through these comments, hoping someone else ran into the same issue… Thanks for asking this, Aston, and thanks for answering, Rodolfo!!! 🙂
🙂
Hi,
Do normal websites that are not a store, without blog comments, also need to be compatible with GDPR?
Yes Pankoszyk, 100% 🙂 If you have EU traffic, you need to do something.
Thanks, one more …
Functionality to take care of GDPR’s ‘right to be forgotten’. Users can request their data to be anonymised.
How to do it?
Cool 🙂 WooCommerce/WordPress should introduce this in their next release.
This is the most comprehensive and ready to implement guide on GDPR. Most of this is also applicable to normal WordPress sites as well. Thanks for the post.
Cheers Vikas 🙂
Rodolfo, many thanks for this help!
My pleasure! You’re very welcome Nagy 🙂
Nice article:
Your guidance on the abandoned carts around the email address field is partly incorrect. There needs to be a check box beside the email address where it clearly states how, when and why you are collecting their email address and how long you are going to keep it. There needs to be an option for the shopper to opt out of abandonment emails and marketing.
In my view abandoned cart marketing is pretty much dead after GDPR, because who will opt into this?
Excellent feedback Sean, thanks a million for that! And yes, I’m pretty curious to find out more about cart abandonment. Maybe this will be exclusively used for logged-in users from now on?
Great list of actions / to do’s, Rodolfo!
My question on the “accept general conditions” or a 2nd checkbox that says “I agree that my personal data will be stored in your system” (or something similar): according to the GDPR we need to have proof in the logs that the customer ticked this option. So where is this information stored in the order / database? I know this WooCommerce option that requires a customer to accept the general conditions, but there is no real proof, right? Maybe this 2nd checkbox value is stored as a custom field in the order (still no proof of the acceptance of general conditions, though)…
Thanks!
Best Belgian regards,
Jurgen
Hey Jurgen, thanks so much for your comment! Yes, that’s a good point – in order to show proof you will also need to save this to the “order_meta” or “user_meta” (I think the first is the best option). Try using something like Part #5 of this snippet: https://businessbloomer.com/woocommerce-add-custom-checkout-field-php/
Hope this helps!
Unless you tick the consent check box, WooCommerce won’t let you complete the order. Could an actual order be proof enough, I wonder?
My understanding is that consent has to be independent of any other data collection, i.e. not assumed as part of a process, nor contingent upon it… that is, you can’t offer a sign in only if the consent is given, sign in has to be independent.
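The approach discussed in the comments above (saving the ticked checkbox to order meta so there is a record of it), as an added example that is not part of the original comments or of the linked snippet. The field name, meta key and constants prefixed `example_` / `EXAMPLE_` are hypothetical, and the policy version string is an assumed convention for identifying which policy text the customer saw.

```php
<?php
// Added example. Names prefixed "example_" / "EXAMPLE_" are hypothetical.
// Assumption: the store changes this string whenever the policy text changes.
const EXAMPLE_POLICY_VERSION = '2018-05-25';
const EXAMPLE_CONSENT_LABEL  = 'I have read and agree to the privacy policy.';

// 1. Show an unticked, required checkbox above the "Place order" button.
add_action( 'woocommerce_review_order_before_submit', function () {
    woocommerce_form_field( 'example_privacy_consent', array(
        'type'     => 'checkbox',
        'required' => true,
        'label'    => esc_html( EXAMPLE_CONSENT_LABEL ),
    ) );
} );

// 2. Block the order if the box was not ticked.
add_action( 'woocommerce_checkout_process', function () {
    if ( empty( $_POST['example_privacy_consent'] ) ) {
        wc_add_notice( 'Please accept the privacy policy to place your order.', 'error' );
    }
} );

// 3. Keep a record on the order itself: the wording shown, the policy
//    version in force, and the UTC time at which the box was ticked.
add_action( 'woocommerce_checkout_update_order_meta', function ( $order_id ) {
    if ( empty( $_POST['example_privacy_consent'] ) ) {
        return;
    }
    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        return;
    }
    // The leading underscore keeps the key out of the editable custom-fields box.
    $order->update_meta_data( '_example_privacy_consent', array(
        'accepted_at_utc' => gmdate( 'c' ),
        'policy_version'  => EXAMPLE_POLICY_VERSION,
        'label_shown'     => EXAMPLE_CONSENT_LABEL,
    ) );
    $order->save();
} );
```

The stored record can be read back later with `$order->get_meta( '_example_privacy_consent' )`. It records only what was agreed to and when, so it adds no personal data beyond what the order already holds.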
Hi!
Really great post, very helpful.
Thank you so much!
Thanks so much Carin 🙂
As usual, Rodolfo my friend, you have done a splendid job and have helped us all immensely. Thank you!
If I may add a suggestion, I believe it’s important for us all to get our information from the source, or at least as close to the source as possible. There’s a fair amount of confusion and a touch of hysteria out there. I strongly suggest everyone read through the ICO interpretation of the GDPR found here:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
You’ll find some very useful information, including the six permitted bases for collecting customer’s data, and the fact that you need to state your basis or bases (you can have more than one) in your privacy statement. Any judgement of compliance will be based on this statement, so it’s very important. Most of us will probably fall under Consent (for opt-in newsletters, etc) and Contract (for memberships and other agreements that fall under your existing T&C agreement).
It’s not exactly light reading, but not too bad and it’s full of important information. It should prove very useful when writing up a privacy statement.
Thanks a million Joe 🙂
Recital 47 of the GDPR actually says that:
“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
This means, for example, that if a business wishes to send postal marketing about a new product to its customer base, it can often do so in reliance on its ‘legitimate interests’ – it generally does not need its customers’ consent to this mailing. It will, however, always need to offer them an opt-out (Art 21(2)).
Read article here: https://privacylawblog.fieldfisher.com/2017/re-consenting-to-marketing-under-gdpr/
Good point Johannes 🙂 Thank you!
I was just wondering about this. So if a customer orders a product from me, and then I email them to notify them that their package is on the way, or even ask them how they like their product, does this fall under ‘legitimate interests’ if there’s an opt-out option? Thanks!
YES 🙂
Hi, do the same rules apply to websites that are only meant for B2B business?
Where all the visitors represent companies, not themselves as private.
Hello Johannes, thanks so much for your comment! The answer is very simple: of course! No matter if users are customers or businesses, you still have to look after their privacy 🙂
Marketing: Here in Norway it has been allowed to send marketing emails to companies with a general email address like post@mycompany123.no etc, but not to johannes@mycompany123.no. It should be possible to continue with that?
No idea Johannes – ask your lawyer 🙂
Thanks for this Rodolfo for an excellent article!
I didn’t spot any reference to what happens with existing personal data held on a WooCommerce site. So where customers have ordered previously what happens about their data? Do we have to delete it or perform some sort of re-engagement? How would that even be managed? Let’s say I have 10,000 customers held on my database – do I need to send an email to each one asking them to opt-in? How would I go about synchronising that? I’m mostly thinking about registered customers but there is also the question about customers who are unregistered. What’s your view – better to delete all and start again?
Regards
Rob
PS, where is your opt-in box (Privacy Policy) for these comments – do you intend to delete these after May 25th or are the ‘Notify me’s’ sufficient?
Hey Rob, that’s a great comment. I’m about to add a new section about “Consent From Existing Customers”. Excellent 🙂
R
p.s. There is no opt-in box yet, I’m waiting on WordPress Core to implement this by May 25th 🙂
The key to customers who have previously ordered from your WooCommerce website is in the legal basis for processing their data. As an online retailer you have a responsibility to collect certain data from your customer – for payment, shipping and accounting purposes. These are all legal bases for processing this data and no further opt in is required for previous customers.
Imo, the EU created something ‘for the EU’, but actually it applies worldwide.
As a company based in the USA, you could geoblock visitors from the EU, but then again, what would happen if they use a proxy server to visit your website?
Not sure if non EU businesses are ready for this.
Pieter, thanks so much for your comment! Great point there – I’m pretty sure non-EU legislation will soon follow the EU GDPR as this affects the whole world data privacy 🙂
Thank you so much for this great article Rodolfo. Really appreciate your help with all the info. Just want to verify if I understood correctly. The sentence: “Sending unsolicited emails (no more buying email lists please)” in the last point is not related to the Subscribers. I can still contact the subscribers and notify them of the latest products and offers, is that right?
Thanks again.
Hey Anita, thanks so much for your comment! As long as your Subscribers gave you the ok to send them promotional email, then yes 🙂
Currently, we don’t have user account registration available on the website, because we didn’t want to save and keep customers data, but now we must add this functionality to avoid any fines?
Hey Poly, thanks so much for your comment! I don’t think you “must” do or must not do anything. As long as users are aware of how their data is collected, you’re ok 🙂
Thank you! Great post!
Thank you for reading it all 🙂
Great article and feedback from everyone!
Thank you Lyse 🙂
Absolutely brilliant article Rodolfo – clear and concise advice!
Clarified how to go about ensuring your website is GDPR compliant. This certainly helped me out on my journey. You’d actually touched on several things that I’d missed.
Best
Bob
Excellent, thanks Bob 🙂
Hi Rodolfo
Great article!
If we don’t store contact form data, do we still need an opt in on the contact forms?
Hey Brian, thanks so much for your comment! 100% yes – you as an admin are receiving an email with the contact form details… so even if you’re not storing it, you’re anyway handling it. At least this is my view 🙂
Thanks for this Rodolfo,
Obviously we in the UK are the soonest affected by these changes, so now I need to budget about a week to go back through everything and change it. 🙁 I’m concerned about the ‘last mile’ part of the checkout process. We store no customer order or payment processing details on site, save their delivery address and contact details, and I have disabled the “My account” tab on WooCommerce. However, should I re-implement it again to follow GDPR guidelines?
Kind regards
Tony
Tony, thanks so much for your comment! If you’re using WooCommerce you store order info in the Dashboard, or am I missing something? Let me know 🙂
Hi Rodolfo, the link you posted from Medium – article about Google and GDPR, goes to another article for some reason (How to prepare for GDPR).
Hey Nemanja, you’re right, and I have the same problem… I can’t seem to find it anymore. Maybe they changed the content yesterday 🙂 At the same time, I got an email from Google Analytics last night, so I’m about to update my blog with official information. Thank you!
Great Post!! I wonder if you could expand on ”Does plugin _____ either get, read, store, use, edit, handle, access user personal data?” in Step 10. I assume you are referring strictly to plugins where the user data is held by the plugin author on a different server to the one the website is hosted on? For example, we use Events Calendar by Modern Tribe and none of the user information is passed to them.
Hey John Paul, thanks so much for your comment! That’s exactly what I meant. If a third party plugin / API / anything stores some of your personal data on their servers, then you need to be careful
Hi Rodolfo, great article. Very helpful.
As far as I know a checkbox has to be added to the checkout page, comments, contact forms where the sender is explicitly asked for consent to store and process the data. A very helpful plugin is the GDPR Compliance plugin by Van Ons (https://wordpress.org/plugins/wp-gdpr-compliance/). It is far from complete but it is perhaps a good help to start with as it is able to add consent checkboxes on various pages (WooCommerce, comments, contact forms) and make some suggestions about what more has to be done. I do hope this comment is beneficial. And yes….. you have my consent to store and process this data until I revoke 😉
Best wishes,
Adri
Excellent, thanks Adri!
As Andrea said, Google Fonts and even Google Maps is a problem as well because something is being loaded from third party servers. With that your site can be considered “transmitting personal data” (the user’s IP address) without consent. Great post though!
Ah, the IP address… I see, you surely have a point here! I guess it’s the same for social media sharing – if the user is logged into this 3rd party account (Google, Facebook, etc) your site is passing personal data to it. Maybe Google/Facebook will provide some clarification?
For GDPR-compliant social sharing buttons I recommend Shariff Wrapper (https://wordpress.org/plugins/shariff/). We had to deal with GDPR-like data protection laws for some time now here in Germany.
Exactly, and you also need to make contracts with EVERY company that processes data from you. For Google, you can set this up in your Google dashboard, but you also need to think about your hoster, payment services, certain plugins, freelancers etc…
Very helpful, Rodolfo! You continue to be a great resource!
This is just what I was looking for to explain the new EU privacy policies and help ensure compliance for my EU sites.
Thank you!
Brilliant 🙂
Very nice guide Rodolfo! Regarding GDPR Compliance Step 5: Most WooCommerce shops allow customers to checkout without registering an account, so I assume most shop owners (including myself) will need to find another solution for this…
Hey Jan, thanks so much for your comment! I can’t find this info in my Step 5 – are you referring to product reviews?
Thank you for the detailed steps to take… you make it so easy. I am a USA company and do not sell internationally so it sounds like this does not apply (or at least yet)?
Disregard my comment. It sounds like I need it because even though they won’t be ordering, they will be on my site.
Exactly 🙂 And I’m sure US will introduce something similar very soon!
Hello friend,
First time I’m commenting here but the circumstance requires it.
Very good and informative article. Thanks for the valuable information provided.
Regards from Greece!
Awesome 🙂
One point worth making – you suggest merging ToS with your Privacy Policy.
This does make things simpler, however, it’s not something I would recommend. If you get investigated by GDPR regulators and it turns out you’re not following your own policy to the letter – as well as potentially getting a reprimand or fine for being non-compliant, you can also potentially be sued by customers for being in breach of contract.
A policy is just a policy, it’s not a contractual obligation. ToS is a contractual obligation, so keeping the two things separate means your Privacy Policy remains outside of being a contractual obligation. And so you can likely protect yourself from at least being in breach of contract.
Excellent point. I only suggested to link Privacy Policy from a new ToS paragraph, not to merge them though (unless I’m too tired and cannot find this!). Thanks!
Hi Rodolfo,
Great article you have published. For all my projects (general & e-commerce both) I provide individual links to Terms & Conditions and Privacy Policy at the footer as well as a cookie confirmation bar at the bottom of the website. Can this cookie bar functionality be extended to comply with GDPR?
Best regards.
Thanks Manas! No, they actively need to give you T&C and Privacy consent where you have inline forms. You will need a checkbox 🙂
Remember also things like Google fonts, jQuery, CDNs etc… if anything is on different servers, it might not work with GDPR.
Andrea, thank you so much for your comment! I would love to hear more about that if you could. I’m not 100% sure you require personal data handling to use Google Fonts for example, so I don’t see the problem there (unless I’m missing something!). Let me know and in case I’ll update the blog 🙂
A well written, comprehensive post! Privacy improvements are also coming in WordPress core. You can see the tickets being worked on here: https://core.trac.wordpress.org/query?status=!closed&keywords=~gdpr for things like comment anonymization, user data export and privacy policy tools.
Allen, this is excellent! I will immediately update the blog with that 🙂
Hi Rodolfo, really great post!!!
Thank you so much Angelo 🙂