• Resolved Andrej Mernik

    (@r33d3m33r)


    Hi,

    WooCommerce 8.5.1 shipped with Order Attribution enabled by default (even for existing sites!!), which collects data about users' behaviour with the use of cookies.

    Is this feature GDPR compliant? Because there were zero warnings for existing installs that this was enabled, and a lot of EU stores could face legal consequences and hefty fines because of this.

    Best regards,
    Andrej

Viewing 10 replies - 1 through 10 (of 10 total)
  • Hi Andrej,

    We recommend checking out our documentation article about this feature: https://woo.com/document/order-attribution-tracking/

    You can find all the relevant information about how the feature processes your visitors’ data on the docs.

    I asked a privacy expert about this new feature. It's data stored on your own server, so that is not an issue. Although for more clarity you can better add it to the privacy policy.
    An order on its own already has a lot of personal information, and WooCommerce also saves the IP address, so it's already a must that you add what data you store to your privacy policy. Although this feature won't be a big issue in my opinion, as UTM tags are also mostly seen as safe.

    I know a few privacy-focussed people that dropped their Analytics tools, and just use it this way: take the UTM or GET origin, save it in a cookie, connect the cookie to a hidden field of a contact form, and now they have a clear overview of the impact of their campaigns. And that is perfectly compliant. And WooCommerce does the same thing now. And as long as this data is stored on your own server, you're safe.

    (I know it's not really allowed to give advice on the matter in this forum, but I really checked with an expert on this; he even tracks all the cases/fines in Europe, so that advice is legit: https://www.dailybits.be/item/overzicht-gdpr-boetes-rechtszaken/)



    Plugin Support Shameem (woo-hc)

    (@shameemreza)

    Hi @r33d3m33r,

    The Order Attribution feature does collect data about user behaviour using cookies. However, this data is stored on your server, which is not typically a GDPR issue. That said, we strongly recommend adding information about this feature and the data it collects to your privacy policy for clarity and transparency with your users. More info: https://woo.com/document/order-attribution-tracking/

    While we strive to ensure our features comply with GDPR, consulting with a legal professional or a privacy expert is crucial to ensure you are fully compliant with all aspects of GDPR. The link provided by @davelo is an excellent resource for tracking GDPR cases and fines in Europe.

    We hope this information is helpful and thank you for your understanding.

    hungpham

    (@hungpham)

    Just wanted to mention that even with first-party cookies, if the cookies are not necessary for website function, it still requires consent. This order attribution tracking is an add-on, I think; it's not strictly necessary for the website, so it should be blocked before visitors give consent.

    Pref. link here

    The cookies should be blocked until consent, since they are not necessary for any functionality other than statistics. Which is why they should default to the statistics category of cookies. I would think that if users are saying "no" to statistics data and cookies, then they don't want to be a statistic on the website either. Sourcebuster/order attribution should be an opt-in feature, and not auto-enabled.

    To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must receive users’ consent before you use any cookies except strictly necessary cookies.

    Plugin Support AW a11n

    (@slash1andy)

    Automattic Happiness Engineer

    Order attribution is a new feature we consider essential to WC Core. It helps merchants understand the traffic sources that lead to orders on their online shops. The feature has been designed with data privacy in mind and as a response to increasing concerns about sharing such tracking data with third parties. The feature helps merchants to collect first-party data.

    In its default configuration, order attribution doesn’t make any visitor data accessible to the merchant before there’s an order event. By default, the cookies used to temporarily store the order source information are set to expire with the visitor’s session. These cookies will only be read if there is an order placed.

    The scope of this feature shipped in WooCommerce Core does not help to track visitors across sessions, and it is not suited to aggregate visitor profiles for re-marketing purposes.

    In case merchants don't want to store any traffic-related data with their orders, this feature can be disabled at WooCommerce > Settings > Advanced > Features > Order Attribution.

    If I enable this feature, what should I tell my customers and site visitors?

    In your Privacy Policy, you should tell your site visitors what data you collect, how you will use the data, and whether you will share the data with any third parties. The type of data that you would gather through the use of the Order Attribution feature is referring source, UTM parameters, device type, and session page views.

    Final Notes:

    We do understand that some merchants in specific countries (Germany springs to mind), as well as other merchants (inside EU or not), will either need or want to add some kind of mechanism for capturing consent, which is why we integrated this with the WordPress Consent API. We do consider this feature as compliant with GDPR by default.
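    A model of the cookie lifecycle described in this reply (session-scoped source cookie, written only when the consent category is granted, read only at the order event, dropped on revocation), as an added example that is not WooCommerce's own code. The cookie name, the plain-object cookie jar and the `hasConsent` callback standing in for a consent-API lookup are all assumptions of the example.

    ```javascript
    // Added example (not WooCommerce's code): consent-gated order attribution.
    // The jar is a plain object standing in for document.cookie; hasConsent(category)
    // stands in for a consent-API lookup such as the WordPress Consent API exposes.

    const ATTRIBUTION_COOKIE = "attribution_session"; // constructed name, not WooCommerce's
    const UTM_KEYS = ["utm_source", "utm_medium", "utm_campaign"];

    // Extract the fields the reply lists as collected: referring source and UTM parameters.
    function parseSource(landingUrl, referrer) {
      const params = new URL(landingUrl).searchParams;
      const source = { referrer: referrer ? new URL(referrer).hostname : "direct" };
      for (const key of UTM_KEYS) {
        if (params.has(key)) source[key] = params.get(key);
      }
      return source;
    }

    // Write the attribution cookie only if the "statistics" category is granted.
    // Returns true when something was stored, false when blocked by missing consent.
    function captureAttribution(jar, landingUrl, referrer, hasConsent) {
      if (!hasConsent("statistics")) return false;
      // Session-scoped: no Max-Age/Expires, so the browser discards it with the session.
      jar[ATTRIBUTION_COOKIE] = {
        value: JSON.stringify(parseSource(landingUrl, referrer)),
        session: true,
      };
      return true;
    }

    // Read the stored source only at the order event. A missing cookie yields null,
    // so an order placed without consent is recorded with no traffic source.
    function attributionForOrder(jar) {
      const cookie = jar[ATTRIBUTION_COOKIE];
      return cookie ? JSON.parse(cookie.value) : null;
    }

    // On consent revocation, drop the cookie so later orders carry no source data.
    function revokeAttribution(jar) {
      delete jar[ATTRIBUTION_COOKIE];
      return attributionForOrder(jar) === null;
    }
    ```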

    Ok, thanks for the clarification, but for the said countries in the EU, to be safe we need to ask for consent. For instance with CookieHub it is not able to block those cookies, because it says they will be set before consent. So even with Automatic Blocking by CookieHub enabled, which is able to block any common tracking (GA for instance), it is not able to block your order attribution cookies and is asking the shop owner to fix this.

    So how to block those cookies before consent?

    Your docs on it are useless in that regard. I do not understand why your solution is set up so that common and widely used consent plugins aren't able to block those cookies before user consent.

    • This reply was modified 3 months, 2 weeks ago by mike8040.
    Plugin Support ckadenge (woo-hc)

    (@ckadenge)

    Hi there @mike8040,

    We understand your concern regarding the order attribution cookies and the need for user consent in compliance with EU regulations.

    This seems to have been addressed in the latest WooCommerce release in version 8.7.0. You can read about it from the changelog in line 229. Here’s the direct GitHub link for your reference.

    I hope this helps.

    mike8040

    (@mike8040)

    Thanks for the reply. I had a look at the docs / GitHub. Unless I study PHP development this is just gibberish. Can you just state if any Cookie Consent solution can grab that cookie and script automatically and pull it into their blocking system appropriately to wait for the user's consent, like with all other cookies like GA4?

    The feature itself is great and if the customer is fine with it, good. We do not want a lawsuit just because a code line was missing.

    Plugin Support RK a11n

    (@riaanknoetze)

    Hi Mike,

    It's best to start your own thread, but just to confirm, the cookie consent was tested with the cookie consent plugin Complianz. The exact tests we ran can be seen at this link: https://github.com/woocommerce/woocommerce/pull/43012

    Specifically:

    • Denied by default
    • Consent granted on the checkout page
    • Consent granted before
    • Consent revoked on the checkout page