How Asteris Cart handles GDPR Article 7 consent at checkout
What Article 7 asks for
GDPR Article 7 sets out conditions for valid consent. The part most relevant to a checkout is Article 7(2): where consent is given in a written declaration that also concerns other matters, the request for consent must be presented in a manner clearly distinguishable from those other matters [VERIFY: quote the exact Article 7(2) text + EDPB guidance at publish].
The everyday failure mode is bundling. A single checkbox that says “I accept the terms and agree to receive marketing” rolls two different things into one tick. Accepting the terms of sale and consenting to marketing are not the same, and Article 7(2) is the reason they should not share a checkbox.
How the Asteris Cart GDPR Consent module is built
The module is built to keep marketing consent separate and properly recorded:
- Unbundled opt-in. The marketing consent is a distinct checkbox, separate from terms acceptance, and not pre-ticked.
- Region detection. It is shown to customers detected in the EU, EEA or UK using WooCommerce geolocation, rather than to everyone regardless of location.
- Proof of what was consented to. Each consent is recorded with a policy-version fingerprint, so you can show which version of your policy applied at the time.
- Privacy-respecting records. Rather than storing raw IP addresses, it stores a salted SHA-256 hash, which keeps a record without retaining the raw identifier.
- Subject-rights support. It supports the WooCommerce personal-data export and erase hooks, so consent records are included when a customer exercises their rights.
Code receipts: src/Checkout/Gdpr_Consent.php::hash_ip(), current_policy_version()
[CODE SNIPPET — CC to insert the relevant Gdpr_Consent logic from src/ at build; must match shipping v1.0.]
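The record described in the list above, written out as an added example in plain PHP with no WordPress or WooCommerce calls; it is not the module's code from src/Checkout/Gdpr_Consent.php. Every function name, field name and sample value here is an assumption made for illustration.

```php
<?php
// Added example, not Asteris Cart code. All function and field names are hypothetical.
declare(strict_types=1);

// Short fingerprint of the policy text the customer was shown.
function example_policy_fingerprint(string $policy_text): string {
    // Normalise line endings and outer whitespace so a re-save does not look like a new version.
    $normalised = trim(str_replace(["\r\n", "\r"], "\n", $policy_text));
    return substr(hash('sha256', $normalised), 0, 16);
}

// Salted SHA-256 of the client IP; the raw address never reaches storage.
function example_hash_ip(string $ip, string $salt): string {
    if (strlen($salt) < 32 || filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('need a 32+ byte salt and a valid IP');
    }
    // Hash the packed form so equivalent spellings ("::1", "0:0:0:0:0:0:0:1") match.
    // IPv4 has only 2^32 values: with a known salt every address can be hashed and
    // compared, so the salt must be random and kept outside the consent table.
    return hash('sha256', $salt . inet_pton($ip));
}

// Build one consent record from the submitted checkout fields.
function example_consent_record(array $post, string $ip, string $salt, string $policy_text, int $now): array {
    return [
        'terms_accepted'   => ($post['terms'] ?? '') === '1',
        // Own field, absent unless the customer ticks it; never inferred from 'terms'.
        'marketing_opt_in' => ($post['marketing_opt_in'] ?? '') === '1',
        'policy_version'   => example_policy_fingerprint($policy_text),
        'ip_hash'          => example_hash_ip($ip, $salt),
        'recorded_at'      => gmdate('c', $now),
    ];
}

// Constructed sample input: documentation-range IP, throwaway salt, made-up policy text.
$salt   = random_bytes(32);
$policy = "Privacy policy, revised text.\r\n";
// The customer ticked the terms box only.
$record = example_consent_record(['terms' => '1'], '203.0.113.7', $salt, $policy, time());

var_dump($record['marketing_opt_in']);
// Same policy text with different line endings maps to the same version fingerprint.
var_dump($record['policy_version'] === example_policy_fingerprint("Privacy policy, revised text.\n"));
echo json_encode($record, JSON_PRETTY_PRINT), PHP_EOL;
```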
What this page is not
This is a description of how a software module is built to align with Article 7. It is not legal advice, and it is not a compliance guarantee. Whether a given store is compliant depends on its whole setup — privacy policy, data processors, other plugins and how it is configured. For that, consult a qualified adviser. Asteris Cart gives you the mechanism; it cannot give you a legal opinion about your store.
Why this is a wedge
Most WooCommerce consent tooling is a cookie banner bolted to the front of the site, not a checkout-level consent record. A cookie banner and a checkout marketing opt-in are different problems. Asteris Cart treats the checkout opt-in as a first-class, properly recorded event — unbundled, version-stamped and stored without raw IPs — which is the part the banner plugins tend to leave to a bare checkbox.
How this fits
GDPR Consent is one of 22 Asteris Cart modules and one of the six wedges. CheckoutWC, the closest comparison, ships no GDPR consent module [VERIFY: CheckoutWC docs].
FAQ
What does GDPR Article 7 require for consent? Article 7 sets conditions for valid consent. Article 7(2) requires a consent request bundled with other matters to be clearly distinguishable from them — so a marketing opt-in should be separate from accepting the terms.
How does Asteris Cart handle marketing consent at checkout? An unbundled, not-pre-ticked opt-in shown to EU, EEA or UK customers, recorded with policy-version fingerprinting and salted hashed IPs.
Is this legal advice or a compliance guarantee? No. It describes how the module is built to align with Article 7. Compliance depends on your full setup; consult a qualified adviser.
Sources
- Asteris Cart code receipts: src/Checkout/Gdpr_Consent.php (hash_ip, current_policy_version)
- GDPR Article 7(2) + EDPB guidance: [attach exact text + cite at publish]