How to Make Your Divi Website GDPR Compliant Plus 4 Myths Debunked
Yes, I know, another GDPR blog post! GDPR is the buzzword of the century, and it seems like every hour of the day I see a new GDPR related blog post, email, video, Facebook post etc.
So what makes this one different?
Well, obviously our website is called Divi Life, so we’ll be talking about GDPR compliance tools that work well Divi, including some free ones, and some of our own paid ones too (plus some GDPR/Cookie notice templates for Divi Bars and Divi Overlays!). More on that in a bit.
We’ll also be debunking quite a few myths that are floating around the internet regarding GDPR compliance. For example, no you don’t have to have 11 checkboxes on every contact form or optin form!
Let’s get started, but before we do, please take a second to re-consent to reading this email and all of our cookies…just kidding. #GDPRjokes
A quick disclaimer: I am not a lawyer by any means, and you should not take this article to be official legal advice in any way. Please consult a lawyer that specializes in GDPR compliance before making decisions about your website’s compliance.
Also, I’m not completely reinventing the wheel here. Some of these concepts talked about today I learned from other posts, and I will give credit where credit is due. At the bottom of the posts, I’ll link out to helpful related articles.
Debunking Some Common GDPR Myths
Myth 1: “I will be forced to pay huge fines if I don’t comply”
A lot of people seem to think that if their website isn’t 100% compliant by the deadline (May 25, 2018) then they will have to immediately pay large sums of money. This is not true!
It’s true that the upper level fines for failure to comply is €20 million/$23,561,000 or 4% of annual revenue, whichever is higher, but it’s been confirmed by the EU that these fines are a last resort.
The Information Commissioner of the EU, Elizabeth Dunham, stated the following recently:
“It’s scaremongering to suggest that we’ll be making early examples of organizations for minor infringements or that maximum fines will become the norm,” she said. “The ICO’s commitment to guiding, advising, and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”
“While fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective,” she continued. “The GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket – their reputations will suffer a significant blow.”
So in other words, don’t freak out, it’s going to be fine (no pun intended). I’m by no means saying to ignore GDPR compliance, but you don’t need to panic.
Myth 2: I need to get consent for every script or cookie that runs on my website
GDPR is all about the user’s personal data, not cookies or scripts. So if the cookie or script does not capture or process any personal data (or Personally Identifying Information, aka PII), then you don’t need to get consent for every cookie. Of course the previous cookie law is still in place, so a general GDPR/cookie consent notification bar is always a good idea.
For example, two of our plugins (Divi Overlays and Divi Bars) have a (optional) feature that will set a cookie in the users browser when they close a popup or promo bar so that it doesn’t keep annoying them every page they visit or when they come back again.
The cookie does not store any personal data in any way, nor does it communicate with any external source. It’s only purpose is to tell the browser not to trigger the popup or promo bar again until the cookie expires.
So in the example above, there is no need to get consent for the specific cookie since it does not collect or track any personal data.
You might be thinking, “what about cookies or scripts that DO collect or track personal identifying information.” If you have any of those, then yes, you are required to ask for consent specifically for that cookie or script.
One common misconception is that you need specific consent for Google Analytics. This is not necessarily true. If there is no personally identifiable information that Google Analytics is collecting, then you do not need to get specific consent.
There is a few necessary steps to take to make sure your Google Analytics is GDPR compliant. It’s fairly easy and should be pretty painless. We’ll outline the steps later in the article, or you can [go there now].
Okay the next big one: Facebook. If you’re using the Facebook Pixel on your website, you will need to give the users the ability to opt-out of the tracking. Even though you won’t have direct access to the data that the Facebook Pixel tracks, it still gathers data and reports back to Facebook to build the user’s behavior profile. So because of this, it’s advisable to give users the ability to opt out of the Pixel.
For Facebook Opt-Out, you can use this plugin to allow users to opt-out.
The plugin page is in German, but I installed it and it was fully in English for me.
Okay as promised, you can here’s how you make your Google Analytics GDPR Proof!
1. Make sure you have IP Address Anonymization Turned On
GDPR considers an IP Address to be personal data. Google Analytics used the IP Address for Geolocation data, however it’s not accessible to you in your reports. So you could probably make the argument that you don’t need to do this. But to be safe, you can simply anonymize the IP addresses. According to Google, the impact on this is that “geographic reporting accuracy is slightly reduced.
The exact method of how you will turn on anonymous IP addresses will depend on the method you’re using to add Google Analytics tracking code to your website. If you’re using the Monster Insights plugin (most popular), then they have a EU compliance add-on that will make it a simple checkbox to enable anonymization. However, it looks like that option is only available in the paid version. It looks like Google Analytics Dashboard for WP plugin will do it for free.
2. Make sure you don’t have any personally identifiable information that comes through in your reporting.
Take a look at your GA reporting (Site Content > Content Drilldown) and page through to your least popular pages. Depending on the site, occasionally email addresses or other personal data will show through in the URL via a query string parameter ([email protected]).
This shouldn’t be happening on most websites. We looked through our analytics for Divi Life extensively, and found no traces.
Unfortunately if this is happening, it potentially could be very involved to fix. If it’s happening due to a plugin, contact the developer.
3. Create an Opt Out Capability
You may notice I said Opt Out and NOT Opt In. As long as you’re in the clear for the first two items in this list, you do NOT need to get consent in order for Google Analytics to run when the user first lands on the site.
A lot of articles are incorrectly stating that you NEED prior consent before analytics can run, and the user must clearly and specifically opt in before the analytics script can fire. This is false.
Again, if you’re not collecting any personally identifiable information (as outlined in steps 1 and 2 above) then you do not need prior consent.
Some will argue that you might as well get consent first, to be safe.
I highly disagree for several reasons. Firstly, it will significantly lower your numbers. Most people won’t opt in. You’ll have very skewed and inaccurate data. Secondly, and probably more importantly, it provides a terrible user experience. And that’s the case whether they opt in or not.
Having one general cookie notice opt in is fine, and the internet has been able to get used to it. But a lot of the new GDPR cookie notices that are becoming popular that have multiple options and show all the different types of cookies, are incredibly confusing and in most cases, entirely unnecessary.
We recommend having one general GDPR cookie notice that users accept, that include a link to more information on exactly what it entails.
That’s what we modeled our new GDPR templates for Divi Bars and Divi Overlays to be like.
They’re simple, clean, and easy for the user to understand. They allow you to be GDPR compliant without completely obliterating the experience of your website. And if you’re using Divi Bars and/or Divi Overlays, it means you can use the Divi Builder and make something that actually looks really great too!
Okay back to the opt out for Google Analytics. Just like the Facebook opt-out I linked to above, there’s a Google Analytics opt-out plugin by the same developer.
Or, there’s another Google Analytics opt-out plugin that does the same thing.
Okay, let’s get back to debunking GDPR myths.
Myth 3: I need to send an email out to my entire email list asking them if they want to remain on my list.
I think we’ve all received dozens if not hundreds of emails from various companies asking us to click a link to confirm we want to continue receiving email from them. Or, we’ve received emails with updated privacy policies. Neither of these are necessarily mandatory, despite what a lot of “experts” are saying online about GDPR.
If your email subscribers already consented to receive emails from you, then you don’t need to make them re-consent. This is especially true if you have proof of their consent.
For example, here on Divi Life, we have various lead magnets (freebies) on our blog that users can obtain when they subscribe to our list. It’s also very clear that they are subscribing to our list when they download the freebie. More on this in the next myth.
So if someone ever claims that they never subscribed to our list, we have a log that shows exactly what lead magnet they subscribed for.
Additionally, we use Mailchimp which shows the history of a subscriber. It will show when they subscribed, and the method they subscribed.
Myth 4: I need to add checkboxes to all my contact forms and opt-in forms.
This one seems to be the most common misconception when it comes to GDPR. I think a lot of people initially thought that’s all that GDPR was: GDPR = Checkboxes on all my forms
GDPR wants clear consent, but checkboxes are not mandatory. If it’s perfectly clear what the user is subscribing to/for, then you don’t need to get additional consent via a checkbox.
Checkboxes will also hurt your conversion too:
(image credit: Thrive Themes)
If your opt-in very clearly states what will be happening when the users subscribes, then you do not need to add a checkbox.
Check out this image from a recent AWeber article:
This opt-in is 100% GDPR compliant, and guess what, no checkboxes!
It’s GDPR compliant because the videos are a bonus for subscribing, and it’s clear that the subscriber will be receiving regular emails, and what the topics of those emails will be.
It would not be compliant if it did not clearly state that the user would be subscribing for regular updates.
Divi’s Compatibility With GDPR
So most of the above will apply regardless of what theme you’re using. But a lot of people still ask about Divi and GDPR. Elegant Themes has stated an update is on it’s way.
Here’s the thing though, in most cases, you don’t NEED Divi to do anything additional in order to be GDPR compliant. For example, we’ve already debunked the checkbox myth above for opt-ins, which will come into play with Divi’s opt-in module as well as the Bloom plugin.
I realize there may be cases that checkboxes are necessary, for consent to an additional email list, etc, and if that’s the case for you then you will either have to wait for Divi’s GDPR update or use another form plugin that will let you add additional checkboxes (Gravity Forms, Caldera Forms, etc).
Other than the checkboxes, there’s nothing else you need to worry about with Divi. Divi’s contact form does not store any data, and Bloom’s analytics are anonymous.
Keep in mind though that if you have an eCommerce site or use third party form plugins, you’ll need to make sure they have GDPR compatibility built in, and that you have it turned on.
Nick Roach’s Response to GDPR & Divi
Just before publishing this, I saw a comment on a recent Elegant Themes blog post from Nick Roach himself (CEO of Elegant Themes). As usual, people were complaining in the blog comments about things completely unrelated to the post. So of course people were asking about GDPR and Divi, and Nick Roach responded with the following, which affirms everything above 🙂
“We are working hard to add the GDPR related features that our customers have requested. Please understanding that our blog writers are not developers and the fact that a blog post is published has no effect on the GDPR release timeline which our development team is 100% focused on.
I know that these new regulations can be stressful, especially when there is so much misinformation and misinterpretation out there. Rest assured that we are working on giving our customers the tools they need to feel comfortable with the way they choose to comply.
The GDPR has very little effect on Divi itself, since Divi doesn’t store any information on its visitors aside from a few very rare situations (which we are adjusting in the upcoming update). Divi does allow you to transmit some information to third parties through the Email Optin module and the Contact Form module.
In these situations, some customers may choose to add a consent checkbox to the form. It’s worth noting that I do not believe such a checkbox is at all necessary for these modules. Consent is only one of many lawful methods that you can use to collect data, and ICO even discourages the use of consent whenever possible because it is unnecessarily burdensome on both the data controller and the user. Consent is more applicable in situations where you are collecting or storing data in ways that are unknown to the user. For the Email Optin module and Contact Form module, storing the data that the user sends you is necessary to fulfill their request to be contacted.
It’s interesting that online forms like this have been singled out for the “consent checkbox.” You might ask yourself, if someone uses a different form to send you an email, how do you plan to get their consent before that email is stored in your email provider? If someone uses an online Gmail form to send an email to your Yahoo account, how do you plan to get consent before that email is stored? You wont, because it’s neither possible nor necessary. The fact that your contact form is hosted on your website isn’t any different
Anyway, just something to think about before adding consent checkboxes all over your site! Once you commit to using consent, you have committed to a particular path that is really not ideal.”
Okay, time for shameless self-promotion! It is our blog right?
It just so happens that we have two tools that can be used separately or together to create some really awesome GDPR consent bars and/or popups!
Divi Bars is a plugin that lets you create promo bars and more using the Divi Builder. It also works great for cookie consent forms.
And Divi Overlays is a popup/overlay/lightbox builder that lets you use the Divi Builder to create them too!
With all the GDPR hype, we’ve had A LOT of requests for some GDPR templates. And I’m happy to say the templates are finally ready!
Let’s take a look!
Divi Bar GDPR Cookie Privacy Consent Bar Template 1
Divi Bar GDPR Cookie Privacy Consent Bar Template 2
Divi Bar GDPR Cookie Privacy Consent Bar Template 3
Divi Bar GDPR Cookie Privacy Consent Bar Template 4
Divi Overlays GDPR Cookie Privacy Popup Template
We hope you like the templates! Let us know if there’s any additional templates you’d like to see! 🙂
Additional Articles & Resources
I’ve linked to quite a few resources throughout this post, but here’s some additional reading you can do, as well as a few additional tools that can help you with GDPR compliance.
- Additional Tips on Google Analytics GDPR Compliance
- Great Article for GDPR for Websites
- A Great Plugin for Showing Specific Text Based on User’s Location (like EU)
Hope this article and video have been helpful! Remember, GDPR compliance is more of an evolution that may take some time. As long as you’re taking some steps in the right direction, you should be fine.