Most WooCommerce stores are not violating GDPR because of how they collect data. They’re violating it because of how long they keep it. GDPR Article 5(1)(e) — the storage limitation principle — requires data to be held no longer than necessary for its stated purpose. Meta retains your customers’ behavioral pixel data for up to 7 years by default. GA4 deletes event-level data after 2 months unless you manually extend the setting. Neither of these defaults is automatically compliant — and most WooCommerce store owners have configured neither.
€479.6 million in GDPR fines were issued in September 2025 alone. Retention violations are a consistent enforcement target. Here is the framework that separates data you must keep from data you’re holding with no legal basis.
Two Buckets: Data You Must Keep vs. Data You’re Holding by Default
The clearest way to think about GDPR data retention for WooCommerce is to split everything into two buckets. They have completely different legal bases, different retention periods, and different compliance requirements.
Bucket 1: Data you must keep. WooCommerce order records — customer names, addresses, purchase amounts, tax details — are financial records. EU VAT Directive obligations require transaction records to be kept for 6–10 years depending on your member state. This data has a legal retention basis. Deleting it early is not a GDPR compliance win — it’s a tax compliance problem.
Bucket 2: Data you’re keeping by default with no documented legal basis. Behavioral analytics data, ad platform pixel event histories, session recordings, GA4 event logs, Facebook CAPI conversion data — this data has no equivalent long-term legal basis. It accumulates indefinitely on your servers, in your Google Analytics account, in your Meta ad account, and in any third-party tools you’ve connected. Holding this data without a retention policy is a direct violation of GDPR Article 5(1)(e).
The mistake most stores make is treating retention as a single problem. It isn’t. Every category of data you hold requires its own documented purpose and proportionate retention period.
The Third-Party Retention Problem Most Guides Ignore
Most GDPR data retention guides for WooCommerce focus on the WooCommerce database — the orders table, customer records, and WordPress user data. That’s one layer. The harder layer is what your third-party tools are doing with the same data, in their infrastructure, on their retention schedules.
Meta: 7 Years by Default
Meta retains pixel event data — purchases, add-to-carts, page views, custom events — for up to 7 years by default on ad accounts. That means every purchase your Facebook pixel or CAPI integration has sent to Meta since you set it up may still be sitting in Meta’s data infrastructure. As the Data Controller, you are responsible for ensuring your third-party processors retain data in line with GDPR’s storage limitation principle. Most WooCommerce store owners have never opened their Meta data settings.
The practical question is whether 7 years of behavioral event data is proportionate to your advertising purpose. For most WooCommerce stores, it isn’t — custom audience lookback windows rarely exceed 180 days, and conversion attribution windows are typically 7–28 days. The retention basis for keeping 7 years of data doesn’t survive scrutiny.
GA4: 2 Months by Default — or Forever If You’re Not Careful
Google Analytics 4 sets event-level data retention to 2 months by default. Most WooCommerce stores never change this setting — which means GA4 is automatically deleting more event-level data than GDPR strictly requires. The appropriate period for most analytics purposes is 12–14 months — long enough to capture year-on-year seasonality comparisons. Shorter than that, your year-over-year analysis breaks.
But here’s the trap on the other side: GA4’s user-level and session-level data has different retention settings, and aggregated reporting data persists beyond event-level retention. Many stores assume 2 months means everything is deleted. It doesn’t. The setting is more granular than most store owners realise.
BigQuery, Session Recorders, and Everything Else
If you’ve connected GA4 to BigQuery — or if you’re using Hotjar, Microsoft Clarity, or any session recording tool — you have another retention layer to audit. BigQuery tables have no default expiry. Data ingested via streaming inserts sits there indefinitely unless you configure table expiration policies. Session recording tools typically retain recordings for 90–365 days depending on plan, but most store owners never verify this against their privacy policy.
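The BigQuery audit described above, as an added example that is not part of the original article or any Seresa code: a Python check that flags tables with no expiry or a lifetime beyond the retention window. The table records are constructed samples shaped like the BigQuery table resource (`creationTime`, `expirationTime`, `timePartitioning.expirationMs`); the 14-month limit, the table names and the `audit_tables` helper are assumptions.

```python
from datetime import datetime, timedelta, timezone

DAY_MS = 86_400_000
MAX_AGE = timedelta(days=14 * 31)  # assumed policy: about 14 months for behavioural events

def ms(year, month, day):
    """Epoch milliseconds as a string, the encoding the BigQuery API uses."""
    return str(int(datetime(year, month, day, tzinfo=timezone.utc).timestamp() * 1000))

def audit_tables(tables, dataset_default_ms=None, max_age=MAX_AGE):
    """Return (tableId, finding) pairs for tables that break the retention policy."""
    findings = []
    for t in tables:
        created = int(t["creationTime"])
        lifetimes = []  # candidate lifetimes in milliseconds
        if t.get("expirationTime") is not None:
            lifetimes.append(int(t["expirationTime"]) - created)
        part_ms = t.get("timePartitioning", {}).get("expirationMs")
        if part_ms is not None:
            lifetimes.append(int(part_ms))
        if not lifetimes:
            # A dataset default only stamps tables created after it was set,
            # so older tables can remain unbounded and need their own expiry.
            note = "no expiry set"
            if dataset_default_ms is not None:
                note += " (not covered by dataset default)"
            findings.append((t["tableId"], note))
            continue
        life_ms = min(lifetimes)  # whichever limit deletes the data first
        if timedelta(milliseconds=life_ms) > max_age:
            findings.append((t["tableId"], f"retains {life_ms // DAY_MS} days, over policy"))
    return findings

# Constructed sample metadata (not real tables).
SAMPLE_TABLES = [
    {"tableId": "events_20230115", "creationTime": ms(2023, 1, 16)},
    {"tableId": "events_20250301", "creationTime": ms(2025, 3, 2),
     "expirationTime": ms(2026, 5, 1)},
    {"tableId": "wc_events", "creationTime": ms(2024, 1, 1),
     "timePartitioning": {"type": "DAY", "expirationMs": str(1095 * DAY_MS)}},
]

if __name__ == "__main__":
    for table_id, finding in audit_tables(SAMPLE_TABLES, str(425 * DAY_MS)):
        print(f"{table_id}: {finding}")
```

The output of a run like this, kept with the date it was produced, is the kind of evidence a documented retention policy can point to.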
Why Your Pipeline Architecture Is the Only Real Control Point
The problem with managing retention across GA4, Meta, BigQuery, and every other tool individually is that you’re configuring retention in ten different interfaces with ten different settings formats, with no central audit trail. When a regulator asks for your data retention policy and evidence of compliance, “I checked the box in each tool” is not a documented process.
Here’s where the architecture matters. Transmute Engine™ — Seresa’s first-party Node.js server running on your own subdomain — routes all WooCommerce events through a single pipeline before they reach any destination. That means retention policy can be enforced at the pipeline level: events older than your defined window are flagged, purged, or anonymised before reaching BigQuery, not after. BigQuery dataset table expiry policies can be set once and inherited by all tables in the dataset, giving you a single configuration point that covers the entire event history. One retention policy. One audit trail. One thing to show a regulator.
Key Takeaways
- Split data into two buckets. Financial/order records (6–10 years, legal retention basis) vs. behavioral analytics data (proportionate to purpose — typically 12–14 months maximum). Different data, different rules.
- Check your Meta account settings. Meta retains pixel event data for up to 7 years by default. As Data Controller, you’re responsible for this. Most stores have never reviewed it.
- Configure GA4 retention to 14 months. The default 2-month event-level retention is too short for year-on-year analysis. Set it to 14 months — the maximum — and document your purpose.
- Audit your BigQuery tables. If you’re sending WooCommerce data to BigQuery, set dataset-level table expiry policies. No expiry means indefinite retention — no legal basis for that.
- Document your retention policy. €479.6 million in GDPR fines issued in September 2025 alone. The question isn’t whether enforcement is happening. It’s whether you have a paper trail when it finds you.
Frequently Asked Questions
WooCommerce order data used for accounting and tax purposes can be retained for 6–10 years under EU VAT Directive obligations, depending on your member state. This financial record-keeping basis is legally separate from behavioral analytics data, which has no equivalent long-term basis and should be subject to a defined retention period proportionate to its purpose — typically 12–14 months for analytics.
GDPR Article 5(1)(e) requires data to be kept no longer than necessary for its stated purpose — but specifies no universal maximum period. You need a documented purpose for each category of data you hold, and a retention schedule aligned to that purpose. Financial records have a long-retention legal basis. Behavioral analytics data and ad platform pixel histories generally do not.
GA4 sets event-level data retention to 2 months by default, extendable to 14 months in settings. Under GDPR, the appropriate period is whatever is proportionate to your analytical purpose — typically 12–14 months to capture year-on-year seasonality comparisons. Retaining beyond 14 months requires a documented justification. Most stores never configure this setting at all.
Meta retains pixel event data for up to 7 years by default. As the Data Controller, you are responsible for ensuring third-party processors — including Meta — retain data in accordance with GDPR’s storage limitation principle. Most WooCommerce stores have never reviewed their Meta data retention settings. The 7-year default is almost certainly disproportionate to any standard advertising purpose.
Yes, in most cases. GDPR Article 5(1)(e) prohibits keeping personal data longer than necessary for the purpose for which it was collected. Behavioral analytics data — session recordings, pixel event histories, user journey data — rarely has a justified retention basis beyond 12–14 months. Indefinite retention without a documented purpose is a direct violation of the storage limitation principle.
Run the audit now — before enforcement does it for you. Check GA4 retention settings, open your Meta Events Manager data settings, and list every tool touching WooCommerce customer data. If you can’t state a retention period and a legal basis for each one, you have a gap. seresa.io
