Compliance
KYC, age gating, terms-of-service, GDPR, donor wall, tax receipts. The tools you'll lean on to stay legal in regulated jurisdictions.
Available compliance features
| Feature | Where to enable |
|---|---|
| KYC verification | Settings → Trust & Security |
| Age verification | Settings → Trust & Security |
| Terms of service | Settings → Trust & Security |
| Cookie consent | Settings → Trust & Security |
| Tax receipts (charity) | Settings → Payments → Charity |
| Donor wall (charity) | Settings → Payments → Charity |
| Bid terms acceptance | Per-auction in Add Auction |
| GDPR data export / delete | Tools → GDPR (always available) |
KYC verification
Required before bidding above a threshold you choose.
When KYC is on and a customer's planned bid exceeds the threshold:
- The bid form is replaced with a Verify your identity call-to-action.
- The customer uploads a government-issued ID (passport / driver's license), proof of address (utility bill, bank statement) and a selfie.
- Documents are stored encrypted, attached to the customer's WP profile.
- An admin reviews under WP Users → Edit User → KYC review.
- On approval the customer can bid; on rejection they get an email explaining why.
Document handling
KYC documents are highly sensitive personal data. Store them on encrypted storage and consider using a third-party KYC provider (Onfido, Jumio, Trulioo) instead of self-hosting.
Age verification
For age-restricted lots (alcohol, weapons, adult goods):
When a user attempts to bid on an age-gated lot, the plugin asks for date of birth. If they're under the configured minimum age, the bid form is permanently locked for that user. Otherwise, age is recorded once and subsequent age checks pass automatically.
Age-gated categories are picked from your existing WooCommerce product categories under Auctions → Settings → Trust & Security → Age-gated categories.
Terms of service
If enabled, before placing the first bid every user must tick "I have read and accept the Terms" and (optionally) click through to the linked terms page. Acceptance is logged with timestamp and IP and is one-time per user; re-acceptance is forced when you publish a new terms version.
Cookie consent
For GDPR / ePrivacy compliance, choose between four options in Settings → Trust & Security → Cookie consent:
- None — no banner
- Cookiebot — integrate with Cookiebot
- Iubenda — integrate with Iubenda
- Built-in — the plugin's lightweight banner
If consent is required and not given, the plugin's marketing features (Klaviyo, Mailchimp) skip emitting events until consent is granted.
Bid terms acceptance
Per-auction terms (e.g. "you agree this is final sale"):
- Configurable on each auction in Add / Edit Auction.
- Acceptance is required before the first bid on that lot.
- Logged in the audit trail with timestamp and IP.
Tax receipts (charity)
For charity auctions, when a lot sells the plugin auto-generates a tax-deductible receipt PDF containing:
- Customer's name and address
- Auction title and winning bid
- Charity name and registration number
- Receipt date and a unique receipt ID
- The charity's signature image (configurable)
The receipt is emailed to the buyer and downloadable from My Account → Orders.
For US 501(c)(3): include the IRS-required disclosure language. For UK: Gift Aid declarations. Customise the template for your jurisdiction.
Donor wall
A public list of recent charity-auction donors at /donor-wall/. Each row shows the donor's name (or "Anonymous" if they opted out), the auction title and the amount given. Donors can opt out individually with a "Stay anonymous" checkbox at checkout.
GDPR data export and delete
The standard WordPress Tools → Export Personal Data flow includes the user's auction data:
| Section | Contents |
|---|---|
| Bids | Every bid the user has placed |
| Watchlist | Every auction they're watching |
| Wallet | Full ledger of credits / debits |
| Disputes | Filed cases and their resolutions |
| Block list | If the user is blocked, the record |
| Notifications | Email / push / SMS history |
| Audit log | Audit entries that mention the user |
GDPR delete (right to be forgotten) anonymises the user across all auction tables, deletes their watchlist and fraud signals, and preserves the audit log's integrity by stripping personal data from each row while keeping the chain valid.
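One way an audit log can lose personal data and still verify is sketched below. This is an added example, not the plugin's code: the row layout, the function names and the salted-commitment design are assumptions, since this page does not document how the plugin builds its chain.

```python
import hashlib, hmac, json, os

GENESIS = "0" * 64  # assumed starting value for the first row's prev hash

def _commit(salt: bytes, pii: dict) -> str:
    # Salted commitment: once salt and pii are erased, the digest cannot be
    # brute-forced back to a low-entropy value such as an IP address.
    data = json.dumps(pii, sort_keys=True).encode()
    return hmac.new(salt, data, hashlib.sha256).hexdigest()

def _link(prev_hash: str, event: str, ts: int, pii_commit: str) -> str:
    # The chain hash covers the commitment, never the raw personal data.
    body = json.dumps([prev_hash, event, ts, pii_commit]).encode()
    return hashlib.sha256(body).hexdigest()

def append(log: list, event: str, ts: int, pii: dict) -> None:
    salt = os.urandom(16)
    prev = log[-1]["hash"] if log else GENESIS
    c = _commit(salt, pii)
    log.append({"event": event, "ts": ts, "pii": pii, "salt": salt,
                "pii_commit": c, "hash": _link(prev, event, ts, c)})

def erase_user(log: list, user_id: int) -> int:
    # Right to be forgotten: drop personal data and salt, keep the commitment.
    n = 0
    for row in log:
        if row["pii"] and row["pii"].get("user_id") == user_id:
            row["pii"], row["salt"] = None, None
            n += 1
    return n

def verify(log: list) -> bool:
    prev = GENESIS
    for row in log:
        if row["pii"] is not None and _commit(row["salt"], row["pii"]) != row["pii_commit"]:
            return False  # personal data still on file was altered
        if row["hash"] != _link(prev, row["event"], row["ts"], row["pii_commit"]):
            return False  # row edited or chain link broken
        prev = row["hash"]
    return True

def demo() -> dict:
    # Constructed sample rows; user ids, IPs and events are made up.
    log = []
    append(log, "bid_placed", 1700000000, {"user_id": 7, "ip": "203.0.113.5"})
    append(log, "terms_accepted", 1700000050, {"user_id": 9, "ip": "198.51.100.2"})
    append(log, "bid_placed", 1700000100, {"user_id": 7, "ip": "203.0.113.5"})
    before, erased, after = verify(log), erase_user(log, 7), verify(log)
    log[1]["event"] = "bid_placed"  # simulate tampering with a surviving row
    return {"before": before, "erased": erased, "after": after, "tampered": verify(log)}
```

A chain like this detects edits to existing rows but not truncation of the newest rows unless the latest hash is also anchored somewhere outside the database.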
Reporting
Reports → Compliance shows:
- KYC approval / rejection rate
- Average KYC review time
- Donor wall total
- Terms acceptance rate
- Cookie consent rate
Common questions
"Do I need a license to run an auction site?"
Depends on jurisdiction. In the US, most general auction activity is unregulated; specific categories (real estate, vehicles, alcohol) require licensing. In the UK, an FCA license is needed for high-value financial auctions. Consult local legal counsel.
"What about anti-money-laundering (AML)?"
For high-value auctions (typically over $10,000 in a single transaction), AML / SAR (suspicious activity reporting) requirements apply. The plugin's audit log, KYC and dispute tracking provide the data — you handle the regulatory reporting.
"Are the tax receipts legally valid?"
The receipt provides the data fields required by major jurisdictions (US IRS, UK HMRC, Canada CRA). Verify with your accountant that the format meets your specific requirements; you may need to customise the template.
