How Page Builder Framework Has Tackled GDPR Compliance
By now, you’ve probably brushed up on what the General Data Protection Regulation (GDPR) is and what it means for your business, so I’m not going to rehash that here. What I will say, however, is that GDPR is good because it protects the end user and provides guidance to businesses on how to adhere to strict privacy policies (which are already very strict in Germany).
With the GDPR deadline on May 25, it seems like everyone is rushing to get their websites compliant with the new EU regulation. Because we at Page Builder Framework take your privacy very seriously, I wanted to use today’s post to talk you through what I’ve done to make our website and Page Builder Framework GDPR-compliant.
How we made our website GDPR-Compliant
Before we delve into the changes made to the Page Builder Framework and website, I want to state that I am not a lawyer and all changes made were based solely on research.
Site Notice & Privacy Policy
There are two elements you should use to communicate changes related to GDPR compliance: the Privacy Policy and the Site Notice (what we refer to as “Imprint”).
In terms of how we handled this, we used a service called e-recht24 to create a unique Privacy Policy and Imprint in German and English for our site. We also worked with a lawyer who reviewed everything.
The Privacy Policy is a written notice visitors can use to better understand what you’re doing to protect their privacy. If your website and policy page do not meet the current requirements with the GDPR, make sure to review and fix it now. Also, remember to update your Site Notice for other applications your business uses, like Facebook.
Cookies
It’s important to inform visitors that you use cookies to save their session data. Then, give them the option to opt out if they want to.
Our plugin of choice to handle cookies is Borlabs Cookie.
Before installing on your site, it allows you to choose whether or not you want to opt in to services like Google Analytics and Facebook pixel tracking. In addition, it provides you with shortcodes you can add to your privacy policy page that let visitors opt out from any tracking services you’ve enabled.
The plugin offers a lot more features that I’m not going to cover in this post. Learn more about Borlabs Cookie.
Web Hosting
Your web host is storing data, so it’s a good idea to have a data processing agreement (DPA) with them. Here’s the mail we received from DigitalOcean on this:
SSL Certificate
There are two ways in which GDPR advises businesses to protect user data: encryption and tokenization. By using an SSL certificate and transferring your website to encrypted HTTPS, you’ll be well on your way to GDPR compliance.
WordPress Plugins & Theme
It’s important to know that some plugins and even themes can store data, especially contact form, backup, and security plugins. If you’re unsure of whether any theme or plugin you use stores data, make sure to ask the developer. Page Builder Framework is now 100% GDPR compliant! Read more about it below.
Backup Plugins
In terms of what we did for our site, we removed all backups from external servers and now only host them locally. Our backup plugin of choice is Snapshot by WPMU DEV.
Security Plugins
Now, with security plugins this can get a bit more complex. Audit logging is something we wouldn’t want to do with the new GDPR regulations. IP lockouts, though, can be very beneficial.
If you use this feature, it’s important not to store any data on external servers and to clear data on a regular basis (if possible, automate it for every 7 days or so). As far as I can tell, using a feature like this falls under the classification of “justified interest”. Our security plugin of choice is Defender by WPMU DEV.
Image Compression Plugins
Image Compression plugins that use and send images to their servers can be problematic with the new regulation. Some providers delete images right after compressing them, so before you toss your optimization plugin, verify with the developer that they do indeed delete the files. Alternatively, use a plugin that handles compression directly on your server (can take a lot of resources).
The list of WordPress plugins (and themes) to be mindful of doesn’t stop there. I’d suggest you go through each of your plugins as well as your theme, and do your own research and verification.
Google Analytics
Because Google Analytics is a service built around user data, there are a number of things you have to do as a customer of Google.
First, you must review and accept Google Analytics’ data processing contract. This is the one we used for our Germany-based business. After reviewing this contract, I sent two signed copies to Google in Dublin, Ireland. Use this one if your business is based in the United States.
Secondly, accept Google’s amendment in-app. To do this:
- Log into your Google Analytics account.
- Go to the Admin menu.
- Under the Account column, select Account Settings.
- Locate the Data Processing Amendment section.
- Review the Amendment. Then hit Accept.
- Update your settings and save the changes.
Finally, Google Analytics is going to ask you to review and save your web property’s Data Retention settings. It’s a good practice to change retention to 14 months and turn off “Reset on new activity”. You can make this change by doing the following:
- Log into your account.
- Go to the Admin menu.
- Under the Property menu, select Tracking Info > Data Retention.
- Update your settings and save the changes.
Contact Forms
We’ve added a checkbox to our contact forms letting visitors know their data is being stored on our email client and will only be used to get back in touch with them. There’s also a section in our privacy policy that addresses this topic.
The GDPR doesn’t tell you to add checkboxes to your contact form – a notice on how we handle the data, what we use it for and a link to our Privacy Policy may have been enough. For businesses in Germany though, it’s recommended to have such a checkbox.
Spam Protection
For spam protection, we’ve stopped using Google reCAPTCHA and installed Contact Form 7 Honeypot.
For your blog, we’d suggest using an Akismet alternative called Antispam Bee since it can be configured for GDPR compliance.
3rd Party E-Mail clients
Our E-Mail client of choice is Zoho. We have signed a Data Processing Addendum with them.
Comment Forms
With WordPress 4.9.6, there is a comment form notice for non-logged-in users that lets them choose whether or not their data should be stored in the browser. We’ve also added a link to our privacy policy that provides further information on this.
In terms of what we’ve done with our blog, we have stopped storing IP addresses for comments and also removed existing IPs from our database. Also, be sure to deactivate Gravatar if you’re using it.
Google Fonts
There are different opinions on whether Google Fonts should be hosted locally (on your server) or whether a notice in your Privacy Policy is good enough. We’ve decided to host Google Fonts on our server instead of making use of Google’s CDN. If you’re using a theme like Page Builder Framework, this can be done with just a click (more on that here). Otherwise manual action is required.
Here’s a clause that should be included if you’re using Google Fonts without hosting them on your own server:
“The use of Google Web fonts is done in the interest of a uniform and attractive presentation of our website. This constitutes a justified interest pursuant to Art. 6 (1) (f) DSGVO.”
Social Sharing
The sharing buttons that let visitors share your content on social media also need to be GDPR-compliant. To do this properly, I’d suggest using a social sharing plugin like Shariff.
Newsletter Services
We use MailChimp at Page Builder Framework, so the following may not exactly apply to you. However, if you’re using a mail or newsletter service, this will give you an idea of how to approach GDPR compliance for this.
To start, since data is processed by MailChimp, we needed a data processing agreement with them.
Next, we decided to no longer use a plugin (MailChimp for WordPress by ibericode) to let visitors subscribe to our list. Instead, we opted to create our own form using MailChimp’s embedded forms feature. We used the Naked template and later styled it with CSS.
The good thing about this embedded form is that it doesn’t actually sign people up to your mailing list. Instead, it forwards users to MailChimp’s signup form.
Personally, I prefer the non-plugin approach. Of course, we’re still covering ourselves by including a notice that tells people we won’t spam them and added a link to our privacy policy with further information on how we handle newsletter signups.
You’d also want to make it very clear what people sign up for. In our case, subscribers will receive emails only about new features and updates. We also only ask for people’s email address to keep the collected data to a minimum. Later, on the MailChimp sign-up form, they can also enter their name (optional).
Finally, if you are using a GDPR-compliant newsletter system like MailChimp, make sure to configure settings within the app. In MailChimp, you do this by navigating to Settings > “List name and defaults”. Then, check “Enable GDPR fields”.
This will make the MailChimp signup form look like this:
This also adds a GDPR badge next to your form.
Video Hosting Services
Embedding videos means that data is being processed between your website and a video hosting service (like YouTube and Vimeo). This is actually similar to Google Fonts in that it may be another case of “justified interest”. However, we have taken steps to ensure that your sites remain in compliance.
Borlabs Cookie, for instance, crawls your content area for iframes (e.g. Google Maps, YouTube & Vimeo videos, etc.) and gives the visitor the option to opt in. No iframe is loaded before the visitor actually opts in.
Page Builder Framework is 100% GDPR Compliant!
I’m happy to announce that Page Builder Framework is now fully GDPR compliant! We went the extra mile to ensure you’re safe using Page Builder Framework and comply with the new data protection regulations.
Google Fonts
For your WordPress site, you can now host Google Fonts locally using Page Builder Framework. With the latest update, you can quickly enable this by ticking off the “Download font-family to server instead of using the Google CDN” checkbox.
Embedded Videos
With the Premium Add-On for Page Builder Framework, you can add responsive YouTube and Vimeo Videos with a shortcode. With the latest release, there’s a new tag called “opt_in”. This lets visitors choose whether they want the video to be loaded by default or not. This means that a connection to the video hosting servers will not be established until the user clicks on “Load Video”. This is similar to the Borlabs Cookie feature explained above.
Shortcode:
[wpbf-responsive-video src="https://www.youtube-nocookie.com/embed/qII-SDZzvD8" opt_in="true"]
Example:
Click the button below to load the video from YouTube.
Also, notice the youtube-nocookie.com link we’re using in the shortcode. All videos should be embedded with the YouTube nocookie domain. To get such a link, check the “Enable privacy-enhanced mode” option when generating the embed code on YouTube.
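The opt-in behaviour described above, both the shortcode’s opt_in attribute and Borlabs Cookie’s iframe blocking, comes down to one rule: the page must not contain any markup that makes the browser contact the video host until the visitor clicks. The following is an added example written for this post, not Page Builder Framework’s or Borlabs Cookie’s own code; the class names, the data-src attribute, the host allowlist and the function names are assumptions. It goes slightly beyond the text by also rejecting embed URLs from hosts other than YouTube and Vimeo, so a stray shortcode value cannot become an arbitrary third-party iframe.

```javascript
// Added example, not Page Builder Framework or Borlabs Cookie code.
// Consent-gated video embed: a placeholder is rendered instead of the
// <iframe>, so the browser makes no request to the video host until the
// visitor clicks "Load Video". Class names, data-src and function names
// are our own assumptions, not the theme's markup.

// Hosts we are willing to embed at all (assumed allowlist).
const ALLOWED_VIDEO_HOSTS = new Set([
  'www.youtube.com',
  'youtube.com',
  'www.youtube-nocookie.com',
  'player.vimeo.com',
]);

// Escape a value for use inside an HTML attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Normalise an embed URL to its privacy-enhanced form: YouTube links are
// moved to the youtube-nocookie.com domain mentioned in the post, and Vimeo
// links get the player's dnt=1 (do-not-track) parameter. Only https URLs on
// allowlisted hosts are accepted; everything else throws.
function toPrivacyEnhancedUrl(src) {
  const url = new URL(src);
  if (url.protocol !== 'https:') throw new Error('embed URL must use https');
  if (!ALLOWED_VIDEO_HOSTS.has(url.hostname)) {
    throw new Error(`refusing to embed video from ${url.hostname}`);
  }
  if (url.hostname === 'www.youtube.com' || url.hostname === 'youtube.com') {
    url.hostname = 'www.youtube-nocookie.com';
  }
  if (url.hostname === 'player.vimeo.com') {
    url.searchParams.set('dnt', '1');
  }
  return url.toString();
}

// The real player markup; emitting this is what triggers the third-party request.
function iframeMarkup(src) {
  return `<iframe src="${escapeHtml(src)}" loading="lazy" allowfullscreen ` +
    `referrerpolicy="strict-origin-when-cross-origin"></iframe>`;
}

// The placeholder used while opt_in="true": the URL lives in data-src, not in
// an <iframe src>, so nothing is fetched from the video host yet.
function placeholderMarkup(src) {
  return `<div class="video-opt-in" data-src="${escapeHtml(src)}">` +
    `<p>Click the button below to load the video from the video host.</p>` +
    `<button type="button" class="video-opt-in__button">Load Video</button>` +
    `</div>`;
}

// Equivalent of the shortcode: optIn decides which markup the page gets.
function renderVideo(src, { optIn = true } = {}) {
  const safeSrc = toPrivacyEnhancedUrl(src);
  return optIn ? placeholderMarkup(safeSrc) : iframeMarkup(safeSrc);
}

// Browser wiring: swap the placeholder for the iframe only on an explicit click.
// Guarded so the module also loads outside a browser (e.g. for tests).
if (typeof document !== 'undefined') {
  document.addEventListener('click', (event) => {
    const button = event.target.closest('.video-opt-in__button');
    if (!button) return;
    const box = button.closest('.video-opt-in');
    box.outerHTML = iframeMarkup(box.dataset.src);
  });
}
```

With optIn left at its default, renderVideo returns only the placeholder, which is the state the page ships in; the iframe markup exists nowhere in the document until the click handler builds it, which is exactly what keeps the video host from seeing the visitor’s IP address beforehand.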
Summary
The GDPR deadline is upon us, which means there’s no time to waste. If you haven’t taken steps to get the above items compliant with the new regulation, do it now. For those of you already using the Page Builder Framework – which is 100% GDPR-compliant – we’ve already simplified much of this for you. Just use the checklist above to ensure you hit all the required points.
Again, just a reminder: I am not a lawyer, so I am not advising you on the legalities of conducting business within the EU (or with customers based in the EU). I am simply providing guidance on how to bring your WordPress site in line with new privacy rules.
This list is by no means perfect. However, I hope it gives you some useful insights on how we’ve tackled GDPR compliance and are hoping to equip our users with a tool that helps them do the same. There are still a few more compliance matters we hope to take care of, but we’ll address those as time goes by and we gain a better understanding of the new regulation.
Question for all of you: How is GDPR compliance going for you? If you’ve already taken steps with your website, is there anything we missed that you would like to recommend to our readers?