• Resolved hilrap2

    (@hilrap2)


    Good day,

    we installed this plugin on a live shop, did the API setup, but disabled all payment methods (still testing).

    Yet, customers who had been active, or had registered an account on our shop, have had their data (username, user-id, name and email) sent to Stripe, where they appear in the customers section.

    How is this possible? No payment was processed by these customers.

    Never mind that we don’t want to share our customers’ info with Stripe (unless a customer makes a payment via Stripe), this is a total breach of European privacy laws.

    Please urgently advise!
    Thank you.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Payment Plugins

    (@mrclayton)

    Hi @hilrap2,

    Here is a good article written by Stripe regarding GDPR. Stripe and GDPR

    “How is this possible? No payment was processed by these customers.”

    For performance reasons, the plugin sends the user information to Stripe once your customer has an active account on your WordPress site. The same information you store on your WordPress site is sent to Stripe. This prevents longer payment processing times on the checkout page, since the customer already exists and doesn’t need to be created at time of payment.

    “Never mind that we don’t want to share our customers’ info with Stripe (unless a customer makes a payment via Stripe), this is a total breach of European privacy laws.”

    In my experience, this statement is not true. Please educate me how my plugin is in breach of European privacy laws. That’s quite an accusation. I have worked directly with engineers at Stripe to develop this solution and this design was approved. I am happy to engage Stripe further to alleviate your concerns.

    Kind Regards,

    Thread Starter hilrap2

    (@hilrap2)

    Dear @mrclayton,

    Thank you very much for the fast response. Let me first state, that from my side there is no harm/accusation intended. You have developed a fantastic plugin, I know how much work this takes. I sincerely hope that we can have a fruitful discussion and solution for this issue.

    Thank you also for providing your reasons with regards to this data harvesting by Stripe. You pointed out the legal basis for processing personal data in the GDPR in your link provided above. Thus:

    “a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes;”

    I don’t know if I speak for most shop owners (I suspect it might be common practice for many). In our case, we do obtain consent from our customers with regards to payment processing. This consent, however, does not involve transfer of personal data to Stripe on login or registration in our online-shop and/or WordPress blog. Especially, if no payments are being processed, or different payment options chosen.

    In my opinion, neither does §b provide a valid legal basis, which states:

    “The processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;”

    For Stripe to pre-obtain personal data from our customer is not necessary for the performance of a contract, if our customer or user has no intention to make a purchase using Stripe’s payment processing.

    Furthermore, you stated:

    “For performance reasons, the plugin sends the user information to Stripe once your customer has an active account on your WordPress site”

    In my tests, the plugin sends the user information even prior to activation of a WordPress account, if the WP site uses double-opt-in account registration.

    I would very much appreciate if this would be further alleviated to Stripe.

    From a GDPR, as well as from a business perspective, we do not want to pre-share our customer and user info with Stripe. We would have to look at alternative payment providers, if this cannot be resolved.

    • This reply was modified 3 years, 6 months ago by hilrap2.
    Plugin Author Payment Plugins

    (@mrclayton)

    @hilrap2

    I see you replied but for some reason the reply is not showing here. I have a record via email of your reply.

    I have forwarded this correspondence to Stripe’s legal team so they can weigh in on your concerns regarding GDPR.

    I’ll update this thread when there is a reply.

    Kind regards

    Thread Starter hilrap2

    (@hilrap2)

    Hi @mrclayton,

    After editing a typo, my post went in for manual moderation… Will try to repost.

    Thank you for all your efforts, much appreciated!

    Plugin Author Payment Plugins

    (@mrclayton)

    Hi @hilrap2,

    Here is the response I received from Stripe:

    `Hi there,

    “John” here from Stripe again, in this case we’re unable to provide legal advice or provide such confirmation.

    I can see that you have already shared this article with the user: https://stripe.com/en-ie/guides/general-data-protection-regulation.

    While I can’t provide any confirmation regarding the GDPR questions I do have some useful links you can share with the user to help them understand how Stripe works.

    Link 1: https://support.stripe.com/questions/check-if-a-card-is-valid-without-a-charge
    Link 2: https://stripe.com/docs/payments/save-and-reuse

    Thanks,`

    Their response doesn’t provide much guidance. From my perspective, this is a non-issue and there is no concern using my plugin. It’s easy enough to remove the functionality that automatically creates the user in Stripe so it matches your business need.

    Kind Regards,

  • The topic ‘Data Privacy – Plugin sends customer data to Stripe on login or registration’ is closed to new replies.