Enfold 4.4 and the GDPR (General Data Protection Regulation)
By now most people have probably heard about the new EU data privacy law that comes into full effect on May 25th 2018. We have adapted Enfold to make the journey to compliance a little easier for those who deal with European visitors on their site.
First things first: especially if you are European, this law has been very present during the last weeks and there is a good chance you already know about it. If you don’t: what exactly is the General Data Protection Regulation?
What is the GDPR?
“The General Data Protection Regulation (GDPR) is a regulation by which the EU intends to strengthen and unify data protection for all individuals from the European Union (EU). It also addresses the export of personal data outside the EU.
It aims primarily to give control back to EU citizens and residents over their personal data and to simplify the regulatory environment for international business (any company that is gathering, processing or storing the personal data of EU citizens).”
If you ended up on our site chances are good you are running your own website. If you have visitors from the EU on your site the GDPR basically requires you to adhere to European standards regarding the data of your users, otherwise you might get fined.
What do I need to do?
At the very least you need to set up a proper privacy policy on your website (WordPress 4.9.6 added the tools to do that), establish a record of processing activities and make sure that users get control over their data: they should be able to get information on what data you have about them and how you use it, and if requested you also need to remove it, as long as that does not interfere with other lawful duties of yours. We are not going into detail here since there are a ton of fully fledged, well written articles out there that explain in detail which steps to take to be compliant.
What do I not need to do?
There are currently a lot of horror stories out there on how websites must be adapted (like all forms must come with checkboxes, all user IP addresses must be erased, all external services like Google Fonts, Video Embeds and Maps must be removed, all Cookies must be blocked and whatnot).
Non-compliance will result in catastrophic fines and end your business. We should all close our websites right now and be done with it. Etc., etc.
We have talked to lawyers, we have visited information events and we have scoured the web for reliable resources written by people with a background in data protection or law. The gist we got from those sources:
It’s not all as bad as it sounds. Yes, there is some work to do. But many of these “required changes” are highly debatable or outright wrong, and even if you don’t get everything right from the beginning: the authorities in each country are tasked to inform first and to impose fines only if they encounter repeated violations of the law.
The key takeaway from our talks with lawyers
This is probably the most important takeaway we got from our research. According to our lawyers you can pretty much use every feature as is if one of two conditions is met: legitimate interest on your side, or consent given by the visitor.
The problem with legitimate interest is that it’s one of those things that are not strictly defined by the law, which means it’s open to interpretation. The question is: when are you allowed to put your interest first, and when do you need to step back and ask for permission? As we understand it, that question has no general answer but needs to be reviewed for each case individually.
Although legitimate interest may be open to interpretation, according to our lawyers it’s usually still the better option compared to user consent. The problem with consent is that it can be revoked at any time which can cause you a lot of extra work.
So if it’s possible it’s better to argue that you need a feature for a particular business reason, inform the user about it on your privacy policy page and be done with it, instead of placing consent checkboxes and popups all over the website ;) In some cases this might not be possible, so we have added several new options to the theme that allow you to go either route, depending on what you (and your lawyers) feel is appropriate.
So what changed in Enfold 4.4?
Finally we are talking about the theme :D As discussed above, it is currently hard to tell what is allowed, what is not and what is in a legal grey area. So what we did is: allow you to choose how you want to use certain features, depending on what the legal advisors and authorities in your country tell you :)
External services
The biggest changes we applied are in regard to external services. Since an external service receives the visitor’s IP address as soon as its resources are loaded, we have implemented ways to make sure this only happens on user interaction.
You can now set up your Instagram and Facebook widgets in a way that they do not send data unless the user interacts with them. The same goes for Google Maps, where you can set up a placeholder image that is displayed until the user requests the actual map. The very same was implemented for Vimeo and YouTube videos. The cool thing about those features is that they are not only helpful with data protection but also in line with our recent efforts to improve page speed and performance scores: it of course helps a lot with performance if external sources are only loaded on user request.
We have also implemented a font upload feature that allows you to upload Google webfonts (or any fonts for that matter) to your own webserver. Users have asked for the possibility to use their own custom fonts for some time now and it was a good opportunity to implement that feature ;)
Consent Checkboxes
Enfold now allows you to display a checkbox after any theme generated form that asks for user acceptance of your privacy policy before sending the form. As mentioned earlier we do not think that this is necessary (legitimate interest vs consent), but it was requested so often that we figured we can at least provide the feature for now, until there are definite rulings on sending contact, newsletter or comment forms :)
Shortcodes for your privacy policy
We also added a few shortcodes that allow the user to disable certain features on your website, in case you decide to use them without asking for consent in the first place.
- [av_privacy_google_tracking] – allows a user to disable Google tracking in his or her browser
- [av_privacy_google_webfonts] – allows a user to disable the use of Google webfonts in his or her browser
- [av_privacy_google_maps] – allows a user to disable the use of Google Maps in his or her browser
- [av_privacy_video_embeds] – allows a user to disable video embeds in his or her browser
- [av_privacy_link] – displays a link to the privacy policy page set in your WordPress admin panel
If you do not like the default text or language these shortcodes generate you can use your own text like this: [shortcode]YOUR OWN TEXT[/shortcode]
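Putting the two mechanisms described above together (a local placeholder until the user clicks, and a browser-side opt-out of the kind the privacy shortcodes set), here is an added JavaScript example that is not part of Enfold or of this post; the cookie names and the list of allowed embed hosts are assumptions made for the example.

```javascript
// Added example (not Enfold's own code): the "load an external service only on
// user interaction, and never for a visitor who opted out" pattern the post
// describes, as pure functions that run in Node without a DOM. Cookie names
// and the host allow-list are assumptions made for this example.
const OPT_OUT_COOKIE = {           // assumed names; the theme's own may differ
  maps: 'privacy_maps_disabled',
  video: 'privacy_video_disabled',
};
// Hosts an embed may point at; anything else is refused, so a stray URL
// cannot be turned into an arbitrary iframe.
const ALLOWED_HOSTS = {
  maps: ['www.google.com'],
  video: ['www.youtube.com', 'www.youtube-nocookie.com', 'player.vimeo.com'],
};
// Parse a document.cookie style string ("a=1; b=x%3Dy") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    const raw = rest.join('=');
    if (!name) continue;
    try { out[name] = decodeURIComponent(raw); } catch (e) { out[name] = raw; }
  }
  return out;
}
function isOptedOut(cookies, service) {
  return cookies[OPT_OUT_COOKIE[service]] === 'true';
}
// Escape a value before placing it into an HTML attribute.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
// Decide what to render. Until the visitor clicks, only locally served markup
// is emitted, so the third party never sees the visitor's IP address.
function renderEmbed(service, embedUrl, cookieString, userClicked) {
  if (isOptedOut(parseCookies(cookieString), service)) {
    return { mode: 'blocked', html: '<p>Embed disabled by your privacy settings.</p>' };
  }
  let url;
  try { url = new URL(embedUrl); } catch (e) { return { mode: 'blocked', html: '' }; }
  if (url.protocol !== 'https:' || !(ALLOWED_HOSTS[service] || []).includes(url.host)) {
    return { mode: 'blocked', html: '' };
  }
  const src = escapeAttr(url.href);
  if (!userClicked) {
    return { mode: 'placeholder', html: `<button data-embed="${src}">Load ${service}</button>` };
  }
  return { mode: 'embed', html: `<iframe src="${src}" loading="lazy" allowfullscreen></iframe>` };
}
```

On a real page the click handler would call renderEmbed again with userClicked set to true and swap the button for the returned iframe markup.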
Cookie consent bar improvements
The cookie consent bar was also heavily improved in two ways.
- It is now possible to generate any number of call-to-action buttons
- It is now possible to display an information modal window that explains which cookies are used on your site and how they are used. It also explains why some of them cannot be disabled via shortcode (of course disabling them in the browser always works) and how to opt out of services like Google Analytics tracking. You can of course change that default info and set up your own modal information.
And since we are talking about cookies:
One more word about Cookies
You may notice the absence of a feature to disable cookies altogether. This is a “requirement” that is also heavily discussed on the internet, but since Enfold does not set any cookie that stores personal information we decided against it. Enfold cookies do one of three things:
- dismiss the cookie consent bar permanently (permanent cookie)
- make sure that the breadcrumb navigation is displayed properly (session cookie)
- allow a user to disable certain features like webfonts, analytics, maps or videos (permanent cookies)
As you can see none of those store any user information, so the GDPR does not apply here. We would recommend mentioning in your privacy policy that you set cookies, and also explaining how they are used and how to disable them in the web browser if the user really really does not want any cookies to be set, but we do not think it’s necessary to block them as a whole. If you think it is: there are plugins out there that can do the job.
What’s more?
Although we only had very little time since our last major update we were also able to set up a new demo for you. Since this update is caused by a new law, we considered it only fitting to provide a demo for lawyers :D
Last but not least: a disclaimer :/
Full Changelog
Since the last major update was only a month ago there is not a lot more going on than what has been discussed above. Nevertheless here is the full changelog:
- added: new demo: Enfold Law
- added: cookie consent bar got an improved way of adding unlimited buttons
- added: cookie consent bar got an option to display a modal window with detailed information and the possibility to deactivate some cookies and features
- added: custom font uploader – you can now upload and use any font you like
- added: the Facebook page widget got a “data protection” mode where it does not load the Facebook JavaScript without user interaction
- added: the Instagram widget got a “data protection” mode where it stores all images on your own server
- added: Google Maps got a “data protection” mode that loads the Maps API only when the user clicks on a Google Map fallback image
- added: shortcode that can be used in your data protection policy that allows the visitor to disable google analytics tracking
- added: shortcode that can be used in your data protection policy that allows the visitor to disable google web fonts
- added: shortcode that can be used in your data protection policy that allows the visitor to disable youtube and vimeo video embeds
- added: shortcode that can be used in your data protection policy that allows the visitor to disable google map embeds
- added: option to add a checkbox to all comment forms that asks for approval of your privacy policy before sending the form
- added: option to add a checkbox to all contact forms that asks for approval of your privacy policy before sending the form
- added: option to add a checkbox to all newsletter forms that asks for approval of your privacy policy before sending the form
- added: option to add a checkbox to your login form that asks for approval of your privacy policy before logging in
- improved: cookie management for portfolio breadcrumb navigation is deactivated if breadcrumbs are deactivated
- fixed: an issue with the Safari admin menu
- fixed: an issue with the linkpicker not displaying all posts to select
Is there an opt-in option? So that the maps and the fonts are only loaded once the user has agreed.
Background: I use Borlabs Cookie to leave the choice to the user.
No, unfortunately there is no such option. As I said, neither we nor our lawyers are of the opinion that completely blocking cookies is necessary, especially since Enfold does not set any personal cookies, so the theme lacks that option as well.
You can work around that by uploading your own font, which prevents the use of Google Fonts, and by choosing the option “only load when the user clicks on the preview image” for the maps you use.
Thanks, that’s enough.
Where exactly can I activate the checkbox for all forms (comments, contact form, newsletter)?
Unfortunately I couldn’t find it anywhere.
I’m looking for that too :-)
Ah – I had to link the privacy policy page. But now I have linked the wrong subpage (it was a draft). How can I update the link?
In WordPress under Settings->Privacy just pick a different page ;)
Yes – for the message bar that’s clear. However, I can’t change the target page for the checkboxes anymore once I have defined it? :-(
The GDPR feature does not seem to disable any cookies. To do that it would have to automatically reload the page after the settings are changed. I manually reloaded the page and nothing changes.
People do realise that this feature doesn’t actually disable cookies, right?
Not sure which feature you are actually referring to, but no, there is no cookie disable feature in the theme. The reasons for that are laid out in the blog post ;)
Shouldn’t the page at least re-load automatically once the setting window has closed. There needs to be a way to trigger a re-load after the settings have been changed.
Thank You for sharing.
Who is mirzepapa and why does he appear in my Enfold Update Username? And his API key is also there?
Sounds strange. The only thing I can imagine is a faulty demo import. Did you recently import a demo?
This was a great release… very focused, no new bugs (smile) and the new controls are easy to use. I think we might need a tutorial on the hosted fonts soon though I was able to figure it out. I love that you are continuing to focus on speed.
Hi Rob, would you please share how you have achieved the usage of self hosted fonts? Many thanks in advance and have a nice day, Nenad
Hello everyone,
first of all, big praise for the great work – super solution, many thanks!
I now have the problem that my cookie info box keeps reappearing on my site – no matter how often I click “OK” (and on top of that in different versions (once in the footer, once in the top right) … depending on the subpage. I have cleared the browser cache … doesn’t help – what am I doing wrong?
Thanks for your help!
Sounds strange indeed. I assume you don’t have an extra cookie notice or cookie blocker plugin activated? And the browser allows cookies in general?
But I would recommend opening a thread in the support forum ;)
Simply thank you for the great theme and the super work – you really are the best ;)
First of all, many thanks for the GDPR extensions. In my opinion, a checkbox (analogous to the contact forms) on the checkout page of WooCommerce shops (i.e. above the “Buy now” button) would still be important.
I had the problem on several installations that when creating the cookie consent buttons they were only displayed after I had left and reopened the “setup page” several times. On one installation at first only the OK button was editable (since only that one was visible); after leaving and reopening the page a few times I was able to add another button. Perhaps it would also be helpful to be able to export and import only the privacy and cookie settings.
Hi, congratulations for the great work done for the new privacy law.
Now…I have some questions to ask you:
1) Under Google Service there is Google Analytics Tracking Code section where should be inserted the Google Analytics tracking code (Global Site Tag (gtag.js)).
Can this section manage Google Remarketing Code also?
Does disabling the Google Analytics tracking via shortcode deactivate all code in the box above (including the Google Remarketing Code)?
2) How can I manage scripts from other platforms such as tripadvisor?
Thanks in advance
Leo