Every time your WooCommerce store sends customer data to Meta, Google, TikTok, or Klaviyo, GDPR Article 28 requires a signed Data Processing Agreement (DPA) with each of those vendors. Most store owners have never heard of this requirement. €5.88 billion in cumulative GDPR fines later, regulators are actively checking whether the legal paperwork matches the data flows (GDPR Enforcement Tracker, 2026).
Cookie consent banners are not the issue here. Article 28 is a separate legal obligation that sits underneath every pixel, every CAPI event, every GA4 hit your store sends. Consent handles whether you can collect data. Article 28 handles whether you can legally hand it to someone else to process.
What GDPR Article 28 Actually Requires
Article 28 of the General Data Protection Regulation sets one clear rule: if you share personal data with any third party that processes it on your behalf, you must have a binding legal agreement with that party before the processing begins.
Definition: Data Processing Agreement (DPA)
A legally binding contract required by GDPR Article 28 between a data controller (your WooCommerce store) and any data processor (Meta, Google, TikTok, Klaviyo). It must specify the subject matter, duration, nature, and purpose of the processing, and it must include specific obligations on the processor regarding data security, sub-processor use, and deletion. (Source: GDPR Article 28, European Parliament)
The agreement must be in writing. It cannot be implied by conduct. Accepting a vendor’s standard terms of service does not satisfy it. The DPA is a distinct document, a distinct legal obligation, and in most cases a distinct click-through or signature process from anything in a standard TOS flow.
GDPR fines for non-compliance can reach €20 million or 4% of global annual turnover—whichever is higher (GDPR Article 83). For a WooCommerce store turning over €500,000 a year, the theoretical maximum fine is €20 million. The DPA requirement is not a technicality.
Your WooCommerce Store Is a Data Controller
Definition: Data Controller
The entity that determines the purposes and means of processing personal data. When your WooCommerce store collects customer names, emails, purchase histories, and IP addresses, and decides to send that data to Meta for retargeting or Google for conversion tracking, your store is the data controller. (Source: GDPR Article 4(7))
Definition: Data Processor
Any entity that processes personal data on behalf of the controller. Meta, Google, TikTok, and Klaviyo are data processors when they receive your customer event data via pixels, Conversions API, GA4 Measurement Protocol, or email tracking integrations. They are processing your customers’ data, on your instruction, for your marketing purposes. (Source: GDPR Article 4(8))
The controller-processor relationship is what triggers Article 28. If you decide what data to share and why, you are the controller. If another entity receives and processes that data under your instruction, they are the processor. The legal obligation to have a DPA flows from that relationship automatically—regardless of whether the processor is Google or a small analytics tool.
Most WooCommerce store owners assume they are just a customer of Meta’s or Google’s advertising platform. Under GDPR, they are a data controller instructing those platforms as processors. That distinction carries legal weight and specific obligations.
What Vendor Terms of Service Don’t Cover
Here is the assumption that gets most stores into trouble: I accepted Meta’s terms of service when I set up my ad account, so I’m covered.
That’s not how it works. A vendor’s terms of service governs the commercial relationship between you and the platform—what you can advertise, what content policies apply, how billing works. It is not a GDPR Article 28 Data Processing Agreement. The DPA is a specific additional document that addresses the legal mechanics of personal data processing under EU law.
Meta, Google, and TikTok do offer standard DPAs that comply with Article 28. But in most cases they require a separate action to accept or sign—they are not embedded in the standard account setup flow that most WooCommerce store owners complete when they create an ad account and install a pixel.
75% of websites still fail basic GDPR compliance requirements (SecurePrivacy, 2025). The DPA gap is a significant contributor. Stores that have consent banners, privacy policies, and even technically compliant pixel setups may still be operating without a signed Article 28 agreement with every vendor receiving their customer data.
The DPAs Your Platforms Already Have—You Just Haven’t Signed Them
The practical situation is less alarming than it sounds. Meta, Google, and TikTok have all published standard Article 28-compliant DPAs. The issue is not that the documents don’t exist—it’s that they require active acceptance, and most store owners have never been guided to that step.
Meta’s Data Processing Terms are available separately from its standard Business Terms. You accept them by navigating to your Meta Business Manager settings and explicitly agreeing to the Data Processing Terms for each Business account that processes EU customer data. Installing the Meta Pixel or setting up Conversions API does not trigger this automatically.
Google’s equivalent is its Ads Data Processing Terms, available under your Google account settings. If you use GA4 alongside Google Ads, you may need separate DPA acceptance for each product—GA4’s data processing terms are accepted via the Google Analytics admin interface, not the Ads interface.
TikTok’s Data Processing Agreement is accessible through TikTok for Business settings. It covers data sent via both the TikTok Pixel and the Events API.
Klaviyo includes a Data Processing Agreement in its business terms for customers processing EU personal data—it typically requires direct acceptance through your Klaviyo account settings or a signed addendum for enterprise accounts.
Meta was fined €1.2 billion in 2023 for unlawful EU-US data transfers—the largest GDPR fine in history (Irish Data Protection Commission, 2023). The data flows involved are the same category your WooCommerce pixel creates every day.
What Server-Side Tracking Changes About the Obligation
Client-side pixels pass data from the visitor’s browser directly to ad platforms—a relatively indirect chain. Server-side tracking creates a more direct relationship: your server explicitly packages and transmits customer event data to each destination. That makes the data transfer more deliberate, more auditable, and more squarely within the Article 28 framework.
This is not a reason to avoid server-side tracking. It’s a reason to get your DPAs in order before you deploy it—and to treat the server-side architecture as an opportunity to document your data flows more rigorously than client-side tracking ever allowed.
A first-party server architecture creates a clear, auditable record of what data your store sent, to which destination, at what time, and under what legal basis. That audit trail is exactly what a GDPR compliance review—or an enforcement investigation—would look for. Stores that can produce it are in a fundamentally different position from those that can’t.
Transmute Engine™ is a first-party Node.js server that runs on your subdomain (e.g., data.yourstore.com). The inPIPE WordPress plugin captures events from WooCommerce hooks and sends them via API to the Transmute Engine server, which routes them to each configured destination—GA4, Meta CAPI, Google Ads, TikTok Events API, and more. Every data flow is explicit, logged, and controlled from your own infrastructure. Pair that architecture with signed DPAs from each destination, and your Article 28 compliance posture is documented rather than assumed.
Key Takeaways
- Article 28 is a separate obligation from cookie consent. Consent covers data collection from visitors. Article 28 covers data sharing with processors. Both are required. Only one of them gets talked about.
- Accepting vendor TOS is not the same as signing a DPA. Meta, Google, TikTok, and Klaviyo all offer Article 28-compliant DPAs—but they require a separate acceptance action that most store owners have never taken.
- Every pixel, every CAPI event, every GA4 hit triggers the obligation. If your WooCommerce store sends personal data to a third party that processes it on your instruction, you need a DPA with that party.
- €5.88 billion in cumulative GDPR fines have been issued since enforcement began—and regulators are specifically targeting data sharing arrangements between controllers and processors without valid legal frameworks.
- Server-side tracking makes your data flows more auditable, not more exposed. A documented, first-party architecture paired with signed DPAs is stronger compliance posture than undocumented client-side pixels with no paperwork trail.
No. Meta’s Terms of Service governs your commercial relationship with the platform—ad policies, billing, content rules. It is not a GDPR Article 28 Data Processing Agreement. Meta’s DPA is a separate document called Data Processing Terms, available in Meta Business Manager settings. It must be explicitly accepted by each Business account processing EU personal data. Installing the Pixel or setting up CAPI does not trigger this acceptance automatically.
Yes, if you are collecting data from EU residents. Google’s Data Processing Terms for GA4 must be accepted through the Google Analytics admin interface—it is separate from any agreement you may have accepted for Google Ads. If you run both GA4 and Google Ads, you should verify that you have accepted the Data Processing Terms for each product independently.
Operating without a GDPR Article 28 DPA is a regulatory violation. GDPR Article 83 provides for fines of up to €20 million or 4% of global annual turnover for serious violations—which include unlawful data sharing without a valid legal framework. Enforcement actions targeting this specific gap have increased since 2023, when Meta received a €1.2 billion fine for a related category of violation involving unlawful data transfers.
It makes the obligation more explicit, not more onerous. With server-side tracking, your server deliberately packages and transmits customer data to each destination—making you unmistakably the data controller instructing the processor. The DPA requirement exists regardless of whether you use client-side pixels or server-side CAPI. Server-side architecture does, however, create better documentation of your data flows, which supports compliance rather than undermining it.
Check your Meta Business Manager, Google Analytics admin, TikTok for Business, and Klaviyo account settings. If you haven’t actively accepted a Data Processing Agreement with each platform your WooCommerce store sends data to, that’s where to start.
