Fun fact: WooCommerce collects your sensitive information without asking for consent.
Luckily, it merely consists of about 1000 data points.
Let's dive into it... 🧵
Disclosure: I'm a WooCommerce Marketplace partner.

During installation, the "opt-in" box is pre-checked and easy to miss on larger screens.
According to the EU, this is considered opt-out, not opt-in.

When you connect your store to Woo's services via "WooCommerce > Extensions," they'll automatically enable tracking for you, this time without requesting any consent at all.

You can disable this tracking at: WP Admin > WooCommerce > Settings > Advanced > WooCommerce dot com > Allow usage of WooCommerce to be tracked.
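
One way to enforce that setting in code, so that connecting the store to Woo's services later cannot switch it back on. This is an added example, not code from this thread or from WooCommerce. The option name `woocommerce_allow_tracking` and the cron hook `woocommerce_tracker_send_event` are assumptions to verify against your installed WooCommerce version, and the `pin_wc_tracking_*` names are hypothetical.

```php
<?php
/**
 * Plugin Name: Pin WooCommerce usage tracking off (added example)
 *
 * Drop into wp-content/mu-plugins/. Assumes the checkbox described above is
 * stored in the `woocommerce_allow_tracking` option and that the tracker's
 * daily cron hook is `woocommerce_tracker_send_event`.
 */

defined( 'ABSPATH' ) || exit;

const PIN_WC_TRACKING_OPTION = 'woocommerce_allow_tracking'; // assumed option name
const PIN_WC_TRACKING_CRON   = 'woocommerce_tracker_send_event'; // assumed cron hook

// Every read of the option returns "no", whatever is stored in the database.
add_filter( 'pre_option_' . PIN_WC_TRACKING_OPTION, 'pin_wc_tracking_read' );

// Every write is coerced to "no"; an attempt to enable tracking is logged.
add_filter( 'pre_update_option_' . PIN_WC_TRACKING_OPTION, 'pin_wc_tracking_write', 10, 2 );

// Clear an already-scheduled tracker event left over from an earlier opt-in.
add_action( 'init', 'pin_wc_tracking_unschedule' );

function pin_wc_tracking_read() {
	return 'no';
}

function pin_wc_tracking_write( $new_value, $old_value ) {
	if ( 'yes' === $new_value ) {
		// Record who or what tried to turn tracking on, for later review.
		error_log( sprintf(
			'[pin-wc-tracking] blocked attempt to enable %s (user id %d, request %s)',
			PIN_WC_TRACKING_OPTION,
			get_current_user_id(),
			isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : 'cli/cron'
		) );
	}
	return 'no';
}

function pin_wc_tracking_unschedule() {
	if ( wp_next_scheduled( PIN_WC_TRACKING_CRON ) ) {
		wp_clear_scheduled_hook( PIN_WC_TRACKING_CRON );
	}
}
```

The filter pins what WordPress returns for the option, not the row in the database, so a stored "yes" takes effect again if this file is removed; set the checkbox off as well.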

All this tracking is done via class WC_Tracker. With this data, they'll know exactly how many customers you have.
The file header states: "The WooCommerce tracker class adds functionality to track WooCommerce usage based on if the customer opted in. No personal information is tracked, only general WooCommerce settings, general product, order and user counts and admin email for discount code."

OK, cool. So, what data do they collect? Here's a small list:
- Unique identifier
- Domain name
- Email address
- Theme
- WordPress version and locale
- Server information
- Active plugins and their author names
- Inactive plugins and their author names
- Jetpack installation status
- Number of users and their roles
- Number of products and their types
- First and last order date
- Order statuses (completed, failed, refunded, pending, etc.)
- GROSS REVENUE
- Payment provider revenue (PayPal, Stripe, Braintree, etc.)
- Number of reviews on products
- Details of the first and last 20 orders
- Payment gateway configurations
- Enabled WooCommerce features
- Currency
- Postal code
- Selling locations
- Site installation date
- Custom templates
- Checkout settings
- WooCommerce subscription order data (switch count, revenue, resubscribe count, etc.)

This data includes email addresses and plugin author names, even for plugins not intended for public listing.
This is considered personally identifiable information (PII).
Hence, having this tracking be opt-out instead of opt-in is a GDPR violation.
1. curia.europa.eu/juris/liste.js…
2. gdpr.eu/Recital-32-Con…


Out of curiosity, I reviewed the pull request that added tracking of the first and last 20 orders.
No explanation was provided as to why they needed this data.
Like much of WordPress, these decisions are made privately, leaving the public in the dark.
We only see the code. Never the why. Never the how. Never the plan.
And when we're invited to join the discussion, we're often ignored or overwritten.
WordPress is an open-source theater.
github.com/woocommerce/wo…
Additionally, the tracker spawns many PHP 8 deprecation notices in the logs and quickly exhausts memory thanks to badly developed queries.
These are easy to fix, but since they haven't, I can safely assume all WooCommerce developers have tracking disabled.
Also, when tracking is enabled, WooCommerce embeds a pixel in your admin area. So they don't just track your site's data but also your IP and how you're administrating it.
Pro dev tip: Stop creating hooks in your constructors. Instead, create a procedural file that contains all hooks. It makes your plugin easy to understand and super manageable. You can also remove all those "instances" you need only once.


Open-source software doesn't guarantee respect for its users. At WordPress, open source is uniquely used as a facade to hide dishonest practices.
This is why the community demands a new governance model that holds everyone accountable equally to ensure better software.
My next rant: WooCommerce's animated logo of inaccessibility and how they promised to remove it a year ago.
</🧵>
