EU Withdrawal Compliance

Description

From June 19, 2026, EU Directive 2023/2673 obliges every online retailer in the European Union to offer a digital withdrawal function that is at least as easy to use as the purchase flow itself. Most plugins in the directory stop at “a button”. This one ships the complete toolkit every EU store needs to comply — and a few things competitors don’t offer at any price.

Only this plugin in the directory ships, all of it, for free

• Two-step confirmation function (Art. 11a(3)) — the EU-wide baseline of the online withdrawal right. The public form leads to a review screen with a read-only summary and a dedicated “Confirm withdrawal” button; the request is registered only when that button is pressed, preventing the unintended exercise of the right. Held server-side between the two steps in a single-use token, so it works even without JavaScript.
• Complete durable-medium acknowledgement of receipt (Art. 11a(4)): the confirmation email reproduces the full content of the declaration (name, order, order date, scope, affected products) and the exact date and time of submission, carrying a verifiable SHA-256 receipt hash as tamper-evident proof — recomputable from the stored fields if a dispute arises.
• Annex I.B model withdrawal form (Directive 2011/83/EU) generated dynamically from your shop data, rendered as a collapsible block below the public form, with a printable view on the same URL. Meets the pre-contractual information obligation of Art. 6(1)(h).
• Double-consent checkboxes at the WooCommerce checkout for the two consents the directive expects to apply specific exceptions:
  • Mandatory consent for digital content (Art. 16(m)) — blocks the place-order step until accepted.
  • Optional consent for services started within the 14-day window (Art. 14(4)(a)) — enables pro-rated billing if the customer later withdraws.
    Every consent is persisted on the order with the exact text shown, accepted/declined state, timestamp, IP and user agent — durable proof in case of dispute.
• Single “Withdrawal status” dropdown per product and per category with four explicit options (Standard, Digital content, Service started early, Other Article 16 exception). Drives both the Article 16 exclusion flag and the matching checkout consent in one place, with full subcategory inheritance.
• Configurable public notice on excluded products, rendered between price and add-to-cart, with separate title+body for digital content and other Article 16 exceptions.
• Article 16 exclusions with category inheritance — competing plugins gate this behind a paid Pro tier; here it’s free.
• Native GDPR integration: suggested Privacy Policy snippet + personal-data exporter + eraser, all keyed on the customer email — no second GDPR plugin to install.
• Standalone mode: the form, shortcode, request log, email notifications, SHA-256 receipt hash, Annex I.B model and GDPR integration all run without WooCommerce. The plugin always lives in its own top-level Withdrawals menu (with a Settings submenu), with or without WooCommerce — same path on every install.

Public-facing pieces

• Public withdrawal page automatically created on activation with a neutral, translation-ready template and the form embedded via shortcode (with a “review with a legal advisor” disclaimer).
• [ayudawp_withdrawal_form] shortcode for embedding the form anywhere on the site.
• [ayudawp_withdrawal_link] shortcode for a permanent link to the withdrawal page from any widget area, footer or template part — helps meet the “clearly identifiable” requirement of Article 11a of Directive 2023/2673 without forcing a specific footer layout.
• HTML5-semantic form with HTML5 validation, honeypot anti-spam, escaped output, sanitized input and CSRF nonces.
• Privacy-policy acceptance checkbox before submit, linked to the WordPress-configured Privacy Policy page.
• Frontend and backend links generated by the plugin carry rel="noopener nofollow" to keep the site’s link equity contained.

WooCommerce-specific pieces (auto-activated when WooCommerce is detected)

• My Account → Right of withdrawal endpoint with a per-order “Withdraw” button shown while the order is in an eligible status, deep-linked to the form with the order pre-filled.
• Withdrawal notice injected into transactional emails (processing, completed, customer invoice) with a direct link to the form pre-filled with the order number. Eligible order statuses configurable; admin emails never receive the notice.
• Automatic verification of the order/email pair when WooCommerce is active: the request is matched to a real order and gated by the configured eligible statuses. The 14-day deadline is surfaced as an advisory flag for the admin, not an automatic rejection (the period legally runs from delivery, which the shop verifies).
• Configurable advisory deadline: choose order date vs. WooCommerce completion date as the basis, plus optional grace days, for the deadline flag surfaced to the admin — all from the settings UI, no code.
• Order-number compatibility with Sequential Order Numbers (free and Pro), Custom Order Numbers for WooCommerce (WPFactory) and YITH numbering schemes out of the box; a filter covers any other resolver.
• “Withdrawal” column on the WooCommerce orders screen (legacy and HPOS) showing the status of any linked request, toggleable from Screen Options.
• Private order notes added at every lifecycle step (request received, accepted, rejected, completed) including any admin comment.
• HPOS-compatible from day one, declared via FeaturesUtil::declare_compatibility().

Admin tooling

• Full request log as a private custom post type with status lifecycle (pending → accepted → rejected → completed), customer details, scope (full / partial), IP, user agent and UTC submission timestamp for legal traceability.
• CSV export of the request log for accounting and consumer-protection audits: an “Export to CSV” bulk action on the listing plus a filtered export by status and date range under Withdrawals → Export withdrawals. Columns include submission and resolution timestamps, scope, status, acknowledgement-delivery flag, receipt hash and excluded items, with cells escaped against CSV/formula injection.
• Audit trail per request: resolution timestamp recorded on every status change and a flag for whether the acknowledgement email was accepted for delivery (with its timestamp), both shown in the request detail and the CSV as burden-of-proof evidence.
• Bulk actions to mark several requests as accepted, rejected or completed at once, with email notification on transition.
• Status metabox with required comment when rejecting, optional comment when completing — comment forwarded to the customer email.
• Acknowledgement email to the customer on confirmation: the Art. 11a(4) durable-medium receipt with the full declaration content, the date and time of submission and the SHA-256 hash as proof, plus a follow-up email on every status transition.
• Notification email to the shop admin with reply-to set to the customer, sanitized against header injection.
• Captured checkout consents surfaced in the request detail metabox: exact text, accepted/declined state, timestamp, IP, user agent — durable proof on file.
• Consistent admin menu: always a top-level Withdrawals menu with a Settings submenu, regardless of whether WooCommerce is active. Same path on every install.
• Legal disclaimer block in the settings page making it explicit that the plugin provides optional technical tools and does not guarantee legal compliance.
• Mandatory / Recommended / Optional tags on every setting description so the merchant can scan the form quickly.

Built for production

• Conditional asset loading: CSS only loads on the withdrawal page, single-product pages that actually show the excluded notice, and plugin admin screens.
• Translation-ready, bundled es_ES translation, follows WordPress Coding Standards, fully escaped output and sanitized input, capability checks and nonces on every admin action.
• 7 documented filters and 3 actions for developers and agencies to extend the plugin without forking.
• PHP 7.4+, WordPress 6.0+, WooCommerce 7.0+ (optional).

Why this plugin?

The EU directive becomes enforceable in every member state on June 19, 2026, so the WordPress.org directory is filling up with “withdrawal button” plugins. This one stands out for verifiable reasons:

• Fully free, no paid tier. No premium add-on, no feature locked behind an upsell, no “Pro” version on the horizon. Everything documented on this page is what you get on install.
• Two-step “confirm withdrawal” function built in, the EU-wide baseline of Article 11a(3): the public form shows a read-only review screen and registers the request only after explicit confirmation, fully server-side and working without JavaScript — where many “button-only” plugins register the request on the very first click.
• The only plugin in the directory that issues a SHA-256 receipt hash as durable-medium proof of every withdrawal request, recoverable from the stored fields if a dispute later arises.
• The only plugin in the directory that ships the Annex I.B model withdrawal form dynamically generated from the shop data, with a printable view — meeting the Art. 6(1)(h) information obligation that the new directive does not replace.
• The only plugin in the directory that injects the two consent checkboxes (Art. 16(m) digital content and Art. 14(4)(a) service started early) at the WooCommerce checkout, with durable proof persisted on the order.
• The only plugin in the directory that ships Article 16 product/category exclusions with full subcategory inheritance — competing plugins gate this behind their own paid Pro tier.
• The only plugin in the directory that integrates natively with the WordPress GDPR tools (Privacy Policy snippet + personal-data exporter and eraser) — no second GDPR plugin to install.
• Standalone or with WooCommerce. Works without WooCommerce as a self-contained tool (form, shortcode, log, emails, SHA-256, GDPR, Annex I.B) and lights up store-specific features automatically when WooCommerce is detected.
• Compatible by default with Sequential Order Numbers (free and Pro), Custom Order Numbers for WooCommerce (WPFactory) and YITH numbering schemes.
• Configurable from the settings UI, without writing code: deadline basis (order date vs. completion date), grace days, eligible order statuses, withdrawal page, notification email, consent text per type, excluded-notice text per type, Annex I.B trader phone.
• Developer-friendly: 7 documented filters + 3 actions so agencies can extend it without forking.
• Maintained by a Spanish WordPress trainer with 15+ years on the platform: bundled es_ES translation, prompt replies on the WordPress.org support forum and an active roadmap of free improvements (classic widget, Gutenberg block, dashboard widget, custom WC order status and more — all free).

Roadmap

Planned for upcoming free versions:

• WooCommerce Checkout block support for the Art. 16(m) and Art. 14(4)(a) consent checkboxes, using woocommerce_register_additional_checkout_field() so the consents work on stores that have already migrated from the classic [woocommerce_checkout] shortcode to the block.
• Classic widget to surface the withdrawal link in themes with widget areas.
• Gutenberg block for the withdrawal link, fully supported in block themes (align, color, typography).
• Dashboard widget with counters, pending requests and monthly basic stats.
• Custom WooCommerce order status “Withdrawal requested” with automatic transition on acceptance.
• Urgency indicators in the request list (days remaining, expired).
• PDF download of the request with the SHA-256 receipt hash printed on it, reusing the same standalone-print infrastructure as the Annex I.B view.
• Signed token in the email link so guest customers can check status without logging in.
• Rate limiting on the public form to prevent abuse.
• Optional IBAN field to speed up manual refunds.
• HTML email templates that inherit the WooCommerce email theme.
• Optional modal display mode for the shortcode.
• Visible audit log on each request detail screen (status transitions, admin comments, email-delivery timestamps).
• Optional opt-in auto-injection of the withdrawal link in wp_footer.

Privacy

This plugin stores the following personal data for each withdrawal request, exclusively to fulfil the legal traceability of consumer rights and to allow the shop to handle the request:

• Customer name and email address (required to contact the consumer about the request).
• Order reference and order date (required to validate the request against the purchase).
• IP address and User-Agent string (required to evidence when and how the request was submitted, in line with the directive’s “durable medium” requirement).
• Submission timestamp (UTC) and SHA-256 receipt hash (required to recompute and verify the integrity of the original submission if disputed).

Data is stored as a private custom post type entry (ayudawp_withdrawal) accessible only to administrators. The plugin does not transmit any data to third-party services; all communication happens between the shop and the customer via standard WordPress emails.

You should add a section to your site’s privacy policy describing this storage. The plugin contributes a suggested Privacy Policy snippet that you can paste from Settings → Privacy → Policy Guide. Withdrawal data is also exposed to the native WordPress Tools → Export Personal Data and Tools → Erase Personal Data screens (filtered by customer email).

Support

Need help or have suggestions?

• Official website
• WordPress support forum
• YouTube channel
• Documentation and tutorials

Love the plugin? Please leave us a 5-star review and help spread the word!

About AyudaWP.com

We are specialists in WordPress security, SEO, AI and performance optimization plugins. We create tools that solve real problems for WordPress site owners while maintaining the highest coding standards and accessibility requirements.