Enfold 4.4 and the GDPR (General Data Protection Regulation)
By now most people have probably heard about the new EU data privacy law that will come into full effect on May 25th 2018. We have adapted Enfold to make the journey to compliance a little easier for those who deal with European visitors on their site.
First things first: especially if you are European this law was very present during the last weeks and there is a good chance you already know about it. If you don’t: what exactly is the General Data Protection Regulation?
What is the GDPR?
“The General Data Protection Regulation (GDPR) is a regulation by which the EU intends to strengthen and unify data protection for all individuals from the European Union (EU). It also addresses the export of personal data outside the EU.
It aims primarily to give control back to EU citizens and residents over their personal data and to simplify the regulatory environment for international business (any company that is gathering, processing or storing the personal data of EU citizens).”
If you ended up on our site chances are good you are running your own website. If you have visitors from the EU on your site the GDPR basically requires you to adhere to European standards regarding the data of your users, otherwise you might get fined.
What do I need to do?
At the very least you need to set up a proper privacy policy on your website (WordPress 4.9.6 added the tools to do that), establish a record of processing activities and make sure that users get control over their data (they should be able to get info on what data you have about them and how you use it, and if requested you also need to remove it, if that does not interfere with other lawful duties of yours). We are not going into detail here since there are a ton of fully fledged, well written articles out there that explain in detail which steps to take to be compliant.
What do I not need to do?
There are currently a lot of horror stories out there on how websites must be adapted (like all forms must come with checkboxes, all user IP addresses must be erased, all external services like Google Fonts, Video Embeds and Maps must be removed, all Cookies must be blocked and whatnot).
Non-compliance will result in catastrophic fines and will end your business. We should all close our websites right now and be done with it, etc. etc.
We have talked to lawyers, we have visited information events and we have scoured the web for reliable resources written by people with a background in data protection or law. The gist we got from those sources:
It’s all not as bad as it sounds. Yes, there is some work to do. But many of these “required changes” are highly debatable or outright wrong, and even if you don’t get everything right from the beginning: the authorities in each country are tasked to inform first and to impose fines only if they encounter repeated violations of the law.
The key takeaway from our talks with lawyers
This is probably the most important takeaway we got from our research. According to our lawyers you can pretty much use every feature as is if one of 2 conditions is met: legitimate interest on your side, or consent given by the visitor.
The problem with legitimate interest is that it’s one of those things that are not strictly defined by the law, which means it’s open to interpretation. The question is: when are you allowed to put your interest first and when do you need to step back and ask for permission? As we understand it, this question has no general answer and needs to be reviewed for each case individually.
Although legitimate interest may be open to interpretation, according to our lawyers it’s usually still the better option compared to user consent. The problem with consent is that it can be revoked at any time, which can cause you a lot of extra work.
So if it’s possible, it’s better to argue that you need a feature for a particular business reason, inform the user on your privacy policy page about it and be done with it, instead of placing consent checkboxes and popups all over the website ;) In some cases this might not be possible, so we have added several new options to the theme that allow you to go either route, depending on what you (and your lawyers) feel is appropriate.
So what did change with Enfold 4.4?
Finally we are talking about the theme :D As was discussed above, it is currently hard to tell what is allowed, what is not and what is in a legal grey area. So what we did is: allow you to choose how you want to use certain features, depending on what the legal advisors and authorities in your country tell you :)
External services
The biggest changes we applied are in regard to external services. Since external services receive the IP addresses of your visitors whenever their content is loaded, we have implemented ways to make sure this only happens on user interaction.
You can now set up your Instagram and Facebook widgets in a way that they do not send data unless the user interacts with them. The same goes for Google Maps, where you can set up a placeholder image that is displayed until the user requests the actual map. The very same was implemented for Vimeo and YouTube videos. The cool thing about those features is that they are not only helpful with data protection but also in line with our recent efforts to improve page speed and performance scores: it of course helps a lot with performance if external sources are only loaded on user request.
We have also implemented a font upload feature that allows you to upload google webfonts (or any fonts for that matter) to your webserver. Users have asked for the possibility to use their own custom fonts for some time now and it was a good opportunity to implement that feature ;)
Consent Checkboxes
Enfold now allows you to display checkboxes after any theme generated form that ask for user acceptance of your privacy policy before sending the form. As mentioned earlier we do not think that this is necessary (legitimate interest vs consent), but it was requested so often that we figured we can at least provide the feature for now until there are definite rulings for sending contact, newsletter or comment forms :)
Shortcodes for your privacy policy
We also added a few shortcodes that allow the user to disable certain features on your website, in case you decide to use them without asking in the first place.
- [av_privacy_google_tracking] – allows a user to disable google tracking in his or her browser
- [av_privacy_google_webfonts] – allows a user to disable the use of google webfonts in his or her browser
- [av_privacy_google_maps] – allows a user to disable the use of google maps in his or her browser
- [av_privacy_video_embeds] – allows a user to disable video embeds in his or her browser
- [av_privacy_link] – displays a link to the privacy policy page set in your WordPress admin panel
If you do not like the default text or language these shortcodes generate you can use your own text like this: [shortcode]YOUR OWN TEXT[/shortcode]
Cookie consent bar improvements
The cookie consent bar was also heavily improved in 2 ways.
- It is now possible to generate any number of call to action buttons
- It is now possible to display an information modal window that explains which cookies are used on your site and how they are used. It also explains why some of them can not be disabled via shortcode (of course browser disabling always works) and how to opt out of services like google analytics tracking. You can of course change that default info and set up your own modal information.
And since we are talking about cookies:
One more word about Cookies
You may notice the absence of a feature to generally disable cookies. This is a “requirement” that is also heavily discussed on the internet but since Enfold does not set any cookie that stores any personal information we decided against it. Enfold cookies do one of 3 things:
- dismiss the cookie consent bar permanently (permanent cookie)
- make sure that the breadcrumb navigation is displayed properly (session cookie)
- allow a user to disable certain features like webfonts, analytics, maps or videos (permanent cookies)
As you can see none of those store any user information, so the GDPR does not apply here. We would recommend mentioning in your privacy policy that you set cookies, and also explaining how they are used and how to disable them in the web browser if the user really really does not want any cookies to be set, but we do not think it’s necessary to block them as a whole. If you think it is: there are plugins out there that can do the job.
What’s more?
Although we only had very little time since our last major update we were able to also set up a new demo for you. Since this is an update that is caused by a new law, we only considered it fitting to provide a demo for lawyers :D
Last but not least: a disclaimer :/
Full Changelog
Since the last major update was only a month ago there is not a lot more going on than what has been discussed above. Nevertheless here is the full changelog:
- added: new demo: Enfold Law
- added: cookie consent bar got an improved way of adding unlimited buttons
- added: cookie consent bar got an option to display a modal window with detailed information and the possibility to deactivate some cookies and features
- added: custom font uploader – you can now upload and use any font you like
- added: the facebook page widget got a “data protection” mode where it does not load the facebook javascript without user interaction
- added: the instagram widget got a “data protection” mode where it stores all images on your own server
- added: google maps got a “data protection” mode that allows to load the maps API only when the user clicks on a google map fallback image
- added: shortcode that can be used in your data protection policy that allows the visitor to disable google analytics tracking
- added: shortcode that can be used in your data protection policy that allows the visitor to disable google web fonts
- added: shortcode that can be used in your data protection policy that allows the visitor to disable youtube and vimeo video embeds
- added: shortcode that can be used in your data protection policy that allows the visitor to disable google map embeds
- added: option to add a checkbox to all comment forms that asks for approval of your privacy policy before sending the form
- added: option to add a checkbox to all contact forms that asks for approval of your privacy policy before sending the form
- added: option to add a checkbox to all newsletter forms that asks for approval of your privacy policy before sending the form
- added: option to add a checkbox to your login form that asks for approval of your privacy policy before logging in
- improved: cookie management for portfolio breadcrumb navigation is deactivated if breadcrumbs are deactivated
- fixed: an issue with safari admin menu
- fixed: an issue with the linkpicker not displaying all posts to select
Thanks for the great news and work you put into making Enfold GDPR-compliant Kriesi!
Regards
Thanks for making Enfold more GDPR compliant. Perhaps you can deliver a minor update in the next days to have the content for the shortcodes also available in German language.
Improvement: in case of data reduction in GDPR, the name field in a contact / comment form should not be set as recommended field. It should be optional.
The content of our new shortcodes can be set by using: [shortcode]your text here[/shortcode] ;)
Hi again,
another improvement: [av_privacy_google_maps] has to be used as “OptIn” and not as “OptOut” :)
Best,
Martin
We have been told with legitimate interest and a correctly worded privacy policy you may use the maps as is and we will do so. If you think it is necessary you can provide a fallback image in your google map template builder element that the user needs to click in order to load it.
If this option is selected no data is transferred unless the user requests the map
Hi!
You are doing really great work. Hats off! I have already bought 13 licenses, each one worth its money!
Thanks to Kriesi and the team!
Brilliant. I'm an early ENFOLD user and I use it for the majority of my client projects and today I know again why I'm doing it.
Thanks a lot Guys
Brilliant Job. Thanks so much !
Just in time! Good job mates!
A question. I don’t see the Cookie and Privacy Settings like the above image with several settings buttons. Where is this functionality? Thanks for your attention.
Hey! In your backend at “Privacy and cookies” you need to activate the cookie consent feature. this will enable the notification bar. you can then place a button in this notification bar that allows to open the modal window
Theme Options > Privacy and Cookies > > Check to enable cookie bar then you should see this at bottom > Modal window with privacy and cookie info
Hello Kriesi,
why can't I update my theme anymore? I had bought two licenses…. With the GDPR it would be very important to update to the newest version.
Unfortunately I can't say offhand why that doesn't work. Either open a new thread in the forum or update manually (you can always download the latest version directly from themeforest). Just log in to themeforest and download the theme again at https://themeforest.net/downloads ;)
Thanks for the very quick answer.
One more question, please:
Regarding opt-in, though, you haven't made anything possible or added anything, have you?
Opt in for what exactly :)? We don't have any global opt-ins, but as mentioned: maps, videos, facebook, etc. can all be set up so that no data is transferred and they only load on user request.
Dear Kriesi team,
thank you so so so much for the work you’ve done! As a very small company we are really grateful and love you (which is basically your Enfold theme ^^) even a little more…
Cheers… *off creating even more protocols for GDPR again… -.-
Thank you very much, Kriesi! I use Enfold on various sites and I am thrilled. I have 3 questions:
Do the shortcodes for your privacy policy only disable Google tracking if you use the analytics feature integrated in Enfold, or also if I use the Google Analytics Dashboard plugin?
Same question for the maps feature. Here, too, you only deactivate the Google Map if it was added via the template, but not via Mappress, right?
Yes. In both cases this only works if the Enfold features are used.
Hello dear Kriesi team,
thanks once again for the timely update! You are doing a super job!
Would it be possible in one of the upcoming updates to also have a checkbox in the comments (like this one here at the end of an article) to confirm the GDPR nonsense? That is still missing and so far can only be done via a plugin, which unfortunately does not work with Enfold on our blog (or did I overlook that in this update?)
Best regards
Florian
That is already possible now (these checkboxes can be activated under privacy & cookies). However, it is only visible for users who are not logged in.
In fact, though, there are more and more voices saying that this is not necessary at all. A rather amusing example: https://www.datenschutz-guru.de/braucht-mein-kontaktformular-jetzt-eine-checkbox/
Where can I find the option to set a checkbox for newsletter sign up?
Best regards
It's a global option at privacy & cookies in your backend:
“Append a privacy policy message to mailchimp contact forms?”
Brilliant job, as always. Thank you very much!
Perfect, guys!
You are doing a really great job!
I just have one question about custom fonts. I can't upload a custom font as a .zip file. Nothing happens.
I can select the file, but then I have no way to select the font via “General Styling -> Fonts -> Font for body”. Or do the fonts have to be managed/uploaded in a completely different way and not via Import/Export?
Best regards
Stefan
No, it should work exactly like that. I would try clearing the browser cache in the admin area and, if that doesn't help, open a thread in the support forum ;)
Thanks for the quick answer.
I'll test it right away later!
I had to deactivate the plugin “Enhanced Media Library” on my site to be able to select the uploaded ZIP. After that I was able to select the ZIP in the fonts.
Hello, your theme is great, thank you!
Where can I find the old version of Enfold (4.3) because the new version is not compatible with our server (php 5.3). My blog displays a blank page. :(
Thank you very much !
Great achievement by Kriesi. Thank you!!!
Can someone provide translations for the cookie consents?
Great Job @Kriesi and Enfold team. We are very pleased with Enfold and have been using it for years.
Thanks for sharing your key takeaways with your lawyers.
Questions:
Does cookie banner prevent cookies from being set until consent is given?
With respect to the shortcodes on the contact forms where the privacy policy link appears with the text, is there an option to have the link open in a new Window? This way the user does not hesitate about losing data they entered. The default link opens in the same window.
++Tx
Regarding cookies: No, it's a cookie notification bar only and does not block any cookies. Currently there is no option for opening in a new window but we might add that in the future if requested often.
In most cases it should not cause any troubles with your forms though, most modern browsers store that information anyways and if a user clicks the back button re-fill the form fields
“No, its a cookie notification bar only and does not block any cookies. Currently there is no option for opening in a new window but we might add that in the future if requested often.”
Yes, it would be great to have both options!
Is there a possibility to get a link directly to the Modal window with privacy and cookie info?
I would like to add a link on my Privacy Policy page to the modal window so the user can change the cookie settings even after they have checked the OK button.
a link to the modal window is currently not possible. but as stated in the article, you can use the new shortcodes in your privacy policy to let the user change their settings ;)
Thanks for this update, you are doing a great job.
What about the Share-Buttons? Is there a solution for them in this update? Can they be turned off, if not?
Our share buttons are simple links. you can have any number of links to any site without the need to even mention them in your privacy policy.
What you are probably talking about are like/+1 buttons. those are true data collectors. But enfold does not use any of those ;)
Our share buttons (or rather share links) are safe ;)
Have I ever told you how awesome this is.. IT IS MY FRAMEWORK by years! Not just a template a framework!
So know if there is just more resized images for mobile view – that's all
Hi,
There are these shortcodes: google_tracking, google_webfonts, google_maps, video_embeds, privacy_link
and this is good, according to the GDPR the user can block whatever he wants to his liking.
But how do I manually add a new service, such as Pixel Facebook?
I opened a discussion in the forum, and also in the comments on Themeforest, but apparently it does not seem possible?
Thanks for any help or suggestion
No sorry this is not possible. Since enfold does not open any option for facebook pixel this is not something we are going to add. You will need to use a plugin for that
Just updated. Where do I find the font upload feature?
Thanks.
located in your enfold admin panel at import/export
Ah, there. Thanks for the hint. I now uploaded a zip file Open_Sans.zip previously downloaded from fonts.google.com. But where can I select this font now and thus prevent the theme from loading Google Fonts at all?
In the General Styling section , Fonts tab, “Font for your body text” section it reads: “Choose between your own uploaded fonts, web safe fonts (faster rendering) and Google webkit fonts (more unqiue).” But there is no section “Uploaded Fonts” or “Local Fonts” in the dropdown where I could select my uploaded Open Sans font. The only Open Sans that I can find there is listed under Google Fonts, and that’s what I want to avoid…
your uploaded font should be at the very top of the list. but since you are not the only one not able to detect it I will probably change that to display at the bottom of the list, which is more natural
Hm. Definitively not there. First entry in the dropdown list is “Standard”, followed by “Websafe Fonts”.
Thats weird then. in that case I would recommend to open a support thread with login credentials so we can take a look at the issue :)
Kriesi … just THANK YOU to you and your team!
I love ENFOLD now for years and it is the best WordPress theme EVER EVER EVER. It is so flexible, so versatile, you can change the look so easy, even for non-coder.
Thank you for your ongoing work on this great theme.
Thank you for so many new great features over the time, not just bugfixing.
Thank you for the great support forum.
As long as ENFOLD lives, I will never switch to another theme.
Promised :-)
Hello and first of all thank you very much. I have now activated the checkbox for the comment function. However, it is not displayed when “commenting”. But when submitting the comment, the notice “ERROR, you must agree to our…” appears. Where could the error be? With the contact form it worked wonderfully. Many thanks, Patrick
Looks like a small bug, thanks for the info!
The field is actually only supposed to appear for users who are not logged in, and there it works. For logged-in users it is not displayed, but the check is currently still performed. We will fix that in the next update ;)
This is just brilliant. Thanks a bunch!
You are welcome! Glad you like the update :)
Thanks for your great work guys! Makes the GDPR compliance efforts much easier for us developers!
A little UI remark: the usual orientation of “toggle switch” checkboxes is OFF when it is on the left (grey) and ON when it is on the right (green). Why are yours reversed? Is that a “opt-in” trick? :-)
haha, not really :D
Since we did not have any css for those toggles I googled for some helpful snippets and this was one of the best so I used it. Didn’t really think about it, especially since the layerslider ones use the same pattern :D
Okay :-) got it.
Well, here is a link to a standard example: https://www.w3schools.com/howto/howto_css_switch.asp
Please include the correct orientation in the next release. For me, as UI professional, flipping the toggle orientation is the same as placing the “x” button in the bottom left corner of the popup. Thanks!
Thank you very much for the great new cookie notice! In case the analytics cookie is deselected: does a “real” gaOptout() happen here for the corresponding UA account, or is, for example, only the inclusion of the snippet from the Enfold settings under “Google Services” prevented?
As recommended by Google, we set the following JS variable to disable tracking:
window['ga-disable-UA-XXXXX-X'] = true;
The Enfold script is not blocked, since it is possible that more than just the tracking script was placed in the JS field.
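
The two mechanisms discussed on this page, the `ga-disable-…` window flag from the reply above and the click-to-load placeholders from the "External services" section, can be sketched together as follows. This is an added example, not Enfold's code: the cookie names, the host allow-list and the `embed-placeholder` markup are assumptions made for illustration.

```javascript
// Added example. Cookie names and the host list are hypothetical, not Enfold's.
const OPT_OUT_COOKIES = {
  analytics: 'demo_disable_tracking',
  maps: 'demo_disable_maps',
  video: 'demo_disable_video',
};
// Only these third-party origins may ever be placed in an iframe src.
const EMBED_HOSTS = new Set(['www.youtube.com', 'player.vimeo.com', 'www.google.com']);

// Parse a document.cookie style string into a plain name -> value map.
function parseCookies(cookieString) {
  const jar = Object.create(null);
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value */ }
    if (name) jar[name] = value;
  }
  return jar;
}

// Services the visitor has switched off via an opt-out cookie.
function disabledServices(cookieString) {
  const jar = parseCookies(cookieString);
  return new Set(Object.keys(OPT_OUT_COOKIES)
    .filter((service) => jar[OPT_OUT_COOKIES[service]] === '1'));
}

// Must run before the analytics snippet executes, otherwise the flag is too late.
function applyAnalyticsOptOut(win, propertyId, cookieString) {
  const optedOut = disabledServices(cookieString).has('analytics');
  if (optedOut) win['ga-disable-' + propertyId] = true;
  return optedOut;
}

// Decide whether a placeholder may be swapped for the real third-party embed.
function embedDecision(service, src, cookieString, userClicked) {
  let url;
  try { url = new URL(src); } catch (e) { return { load: false, reason: 'invalid-url' }; }
  if (url.protocol !== 'https:' || !EMBED_HOSTS.has(url.hostname)) {
    return { load: false, reason: 'host-not-allowed' };
  }
  if (disabledServices(cookieString).has(service)) return { load: false, reason: 'opted-out' };
  if (!userClicked) return { load: false, reason: 'awaiting-click' };
  return { load: true, reason: 'user-requested' };
}

// Browser wiring: <div class="embed-placeholder" data-service="video" data-src="...">
function wirePlaceholders(doc) {
  doc.querySelectorAll('.embed-placeholder').forEach((box) => {
    box.addEventListener('click', () => {
      const d = embedDecision(box.dataset.service, box.dataset.src, doc.cookie, true);
      if (!d.load) return; // no request leaves the browser
      const frame = doc.createElement('iframe');
      frame.src = box.dataset.src;
      box.replaceChildren(frame);
    });
  });
}
if (typeof document !== 'undefined') wirePlaceholders(document);
```

Until `embedDecision` returns `load: true`, no request to the third party is made, so the visitor's IP address stays on your own server; the allow-list keeps an edited `data-src` from turning the placeholder into a frame for an arbitrary origin.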