Does the order attribution feature in WooCommerce 8.5.1 break GDPR? And what to do about it.
WooCommerce 8.5.1 has a new feature which shows store owners the last traffic source of a purchase.
The first impression is positive. The data seems useful and is shown in a simple way. However, there are two problems with it:
- In order to get this information, WooCommerce uses the SourceBuster.js script, which (probably) breaks GDPR
- The data is actually useless.
Why does collecting order attribution data (probably) break GDPR?
WooCommerce uses the sourcebuster.js script to collect information on the source of traffic. The problem is that it does so with non-necessary, statistical cookies. And these cookies may break GDPR.
Why “may”? Because it is open for debate.
People who argue that it is compliant (including Automattic, the owners of WooCommerce) say that:
- the cookie does not contain personal data
- it only contains the source of traffic that people used to visit the site
- this information is not sent anywhere before visitors make a purchase
- when they make a purchase, the traffic source information is only saved in the store’s database and is not shared with 3rd parties
- store owners have a lawful basis for processing this data since it lets them know what sources brought them traffic
On the other hand, those who are against using this cookie without consent say that:
- the cookie is not necessary for the operation of the website
- it is used for statistics, which need consent
- before a website visitor becomes a client, the store owner has no lawful basis for processing.
So what is the result of this discussion? Does WooCommerce’s order attribution break GDPR or not?
Nobody knows.
But… it is not really a problem, because…
Order attribution is… useless.
From the point of view of a website analyst, attributing conversion to the last source of traffic is a BIG mistake. The reasons are these:
All sources of traffic are important
It almost never happens that a person buys a product on their first visit to a store.
Sometimes they need 2 visits, sometimes 5 and sometimes 15. With that in mind, why would only the last source of traffic get all the credit for the purchase?
Why not the first one? Or the second one? Or the one from your ad campaign informing about the sale?
The last source of traffic is mostly direct traffic
When people come to your site multiple times, they either save its address in the browser or remember it and visit directly.
In that respect, the information that a huge portion of your clients purchased a product after they came directly to your site is not hugely important.
Proper conversion attribution is practically impossible
Conversion attribution is a very, very tough cookie.
In order to attribute a portion of an order’s value to every source that a client used to come to the site, we need to know what all these sources were. However, it is… impossible.
This is because people use multiple browsers to visit your site, use ad blockers that stop your tracking tools from working, visit your site from apps that do not send referral information, and more.
And if you think that Google Analytics can attribute conversions properly, you are wrong. Even with tons of data fed to GA, it uses machine learning to make an informed guess at how valuable a traffic source really is. Learn more about GA4’s Data Driven Attribution.
So, with all that said, what can we do about it? There are 2 solutions.
Solution #1. Measure quality of traffic sources in a better way
In WP Full Picture 8 you will find a new feature called Lead Scoring which lets you:
- measure the quality of traffic coming to your website,
- see how many of your current visitors are likely to convert in the future,
- measure how good or bad your traffic sources and ad campaigns really are,
- create powerful remarketing and lookalike lists for your ad campaigns,
- better plan future marketing investments.
This is a perfect solution if you want actionable, reliable and easy to understand data.
Solution #2. Make order attribution in WooCommerce GDPR-compliant
If you really, really don’t want to turn off order attribution, you can make it comply with GDPR.
In order to do this, you need WP Full Picture version 8.0 or later (8.0 will be launched at the end of August).
When you install it on your site, you need to:
- enable the consent banner in the opt-in mode
- enable the Tracking Tools Manager module
- enable the option to manage SourceBuster.js script in WooCommerce
When you do this, the script will only turn on when visitors accept statistical cookies on your site, making it fully compliant with GDPR.
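To check the result of the steps above, the following added example (not code from WooCommerce or WP Full Picture) inspects a `document.cookie` string for sourcebuster cookies, decodes what they store, and reports whether they are present without statistics consent. It assumes sourcebuster's default `sbjs_` cookie prefix and `|||` field separator; the function names and the sample cookie string are constructed for illustration.

```javascript
// Added example: audit a document.cookie string for sourcebuster cookies.
// Assumption: default "sbjs_" cookie prefix and "|||" field separator.
const PREFIX = "sbjs_";

// Parse "a=1; b=2" into [name, value] pairs, URL-decoding the values.
function parseCookies(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.includes("="))
    .map((part) => {
      const eq = part.indexOf("=");
      const raw = part.slice(eq + 1);
      let value;
      try { value = decodeURIComponent(raw); } catch (e) { value = raw; }
      return [part.slice(0, eq), value];
    });
}

// Split a value such as "typ=organic|||src=google" into an object of fields.
function decodeFields(value) {
  const fields = {};
  for (const pair of value.split("|||")) {
    const eq = pair.indexOf("=");
    if (eq > 0) fields[pair.slice(0, eq)] = pair.slice(eq + 1);
  }
  return fields;
}

// List the attribution cookies found and say whether their presence is
// acceptable given the visitor's consent for statistics cookies.
function auditAttributionCookies(cookieString, statisticsConsent) {
  const found = parseCookies(cookieString)
    .filter(([name]) => name.startsWith(PREFIX))
    .map(([name, value]) => ({ name, fields: decodeFields(value) }));
  return { found, compliant: statisticsConsent || found.length === 0 };
}

// Constructed sample: a first visit from a search engine, before any consent.
const SAMPLE =
  "wp_lang=en; sbjs_current=typ%3Dorganic%7C%7C%7Csrc%3Dgoogle%7C%7C%7Cmdm%3Dorganic; " +
  "sbjs_udata=vst%3D1%7C%7C%7Cuip%3D%28none%29%7C%7C%7Cuag%3DMozilla%2F5.0";

// In a browser console, audit the live cookies of a visitor who has not consented.
if (typeof document !== "undefined") {
  console.table(auditAttributionCookies(document.cookie, false).found);
}
```

Run it in a fresh private window before touching the consent banner: an empty result means the script is being held back until consent.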
And if you do not want to use any of these solutions, you can still…
How to turn off order attribution in WooCommerce
Disabling order attribution in WooCommerce is very easy. In the admin panel, go to WooCommerce > Settings > Advanced > Features and uncheck the Order Attribution option.