How to Make Your Divi Website GDPR Compliant Plus 4 Myths Debunked
Yes, I know, another GDPR blog post! GDPR is the buzzword of the century, and it seems like every hour of the day I see a new GDPR-related blog post, email, video, Facebook post, etc.
So what makes this one different?
Well, obviously our website is called Divi Life, so we’ll be talking about GDPR compliance tools that work well with Divi, including some free ones, and some of our own paid ones too (plus some GDPR/cookie notice templates for Divi Bars and Divi Overlays!). More on that in a bit.
We’ll also be debunking quite a few myths that are floating around the internet regarding GDPR compliance. For example, no, you don’t have to have 11 checkboxes on every contact form or opt-in form!
Let’s get started, but before we do, please take a second to re-consent to reading this email and all of our cookies…just kidding. #GDPRjokes
A quick disclaimer: I am not a lawyer by any means, and you should not take this article to be official legal advice in any way. Please consult a lawyer that specializes in GDPR compliance before making decisions about your website’s compliance.
Also, I’m not completely reinventing the wheel here. Some of the concepts discussed here I learned from other posts, and I will give credit where credit is due. At the bottom of the post, I’ll link out to helpful related articles.
Debunking Some Common GDPR Myths
Myth 1: “I will be forced to pay huge fines if I don’t comply”
A lot of people seem to think that if their website isn’t 100% compliant by the deadline (May 25, 2018) then they will have to immediately pay large sums of money. This is not true!
It’s true that the upper-level fine for failure to comply is €20 million ($23,561,000) or 4% of annual revenue, whichever is higher, but it’s been confirmed by the EU that these fines are a last resort.
The Information Commissioner of the EU, Elizabeth Denham, stated the following recently:
“It’s scaremongering to suggest that we’ll be making early examples of organizations for minor infringements or that maximum fines will become the norm,” she said. “The ICO’s commitment to guiding, advising, and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”
“While fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective,” she continued. “The GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket – their reputations will suffer a significant blow.”
So in other words, don’t freak out, it’s going to be fine (no pun intended). I’m by no means saying to ignore GDPR compliance, but you don’t need to panic.
Myth 2: I need to get consent for every script or cookie that runs on my website
GDPR is all about the user’s personal data, not cookies or scripts. So if a cookie or script does not capture or process any personal data (Personally Identifiable Information, aka PII), then you don’t need to get consent for it. Of course the previous cookie law is still in place, so a general GDPR/cookie consent notification bar is always a good idea.
For example, two of our plugins (Divi Overlays and Divi Bars) have an (optional) feature that sets a cookie in the user’s browser when they close a popup or promo bar, so that it doesn’t keep annoying them on every page they visit or when they come back again.
The cookie does not store any personal data in any way, nor does it communicate with any external source. Its only purpose is to tell the browser not to trigger the popup or promo bar again until the cookie expires.
So in the example above, there is no need to get consent for the specific cookie since it does not collect or track any personal data.
You might be thinking, “what about cookies or scripts that DO collect or track personal identifying information.” If you have any of those, then yes, you are required to ask for consent specifically for that cookie or script.
One common misconception is that you need specific consent for Google Analytics. This is not necessarily true. If there is no personally identifiable information that Google Analytics is collecting, then you do not need to get specific consent.
There are a few necessary steps to take to make sure your Google Analytics is GDPR compliant. It’s fairly easy and should be pretty painless. We’ll outline the steps later in the article, or you can [go there now].
Okay the next big one: Facebook. If you’re using the Facebook Pixel on your website, you will need to give the users the ability to opt-out of the tracking. Even though you won’t have direct access to the data that the Facebook Pixel tracks, it still gathers data and reports back to Facebook to build the user’s behavior profile. So because of this, it’s advisable to give users the ability to opt out of the Pixel.
For Facebook Opt-Out, you can use this plugin to allow users to opt-out.
The plugin page is in German, but I installed it and it was fully in English for me.
Okay, as promised, here’s how you make your Google Analytics GDPR-proof!
1. Make sure you have IP Address Anonymization Turned On
GDPR considers an IP address to be personal data. Google Analytics uses the IP address for geolocation data, but it’s not accessible to you in your reports. So you could probably make the argument that you don’t need to do this. But to be safe, you can simply anonymize the IP addresses. According to Google, the impact of this is that “geographic reporting accuracy is slightly reduced.”
The exact method of turning on anonymous IP addresses depends on how you add the Google Analytics tracking code to your website. If you’re using the Monster Insights plugin (the most popular), they have an EU compliance add-on that makes it a simple checkbox to enable anonymization. However, it looks like that option is only available in the paid version. It looks like the Google Analytics Dashboard for WP plugin will do it for free.
2. Make sure you don’t have any personally identifiable information that comes through in your reporting.
Take a look at your GA reporting (Site Content > Content Drilldown) and page through to your least popular pages. Depending on the site, occasionally email addresses or other personal data will show up in the URL via a query-string parameter ([email protected]).
This shouldn’t be happening on most websites. We looked through our analytics for Divi Life extensively, and found no traces.
Unfortunately if this is happening, it potentially could be very involved to fix. If it’s happening due to a plugin, contact the developer.
3. Create an Opt Out Capability
You may notice I said Opt Out and NOT Opt In. As long as you’re in the clear for the first two items in this list, you do NOT need to get consent in order for Google Analytics to run when the user first lands on the site.
A lot of articles are incorrectly stating that you NEED prior consent before analytics can run, and the user must clearly and specifically opt in before the analytics script can fire. This is false.
Again, if you’re not collecting any personally identifiable information (as outlined in steps 1 and 2 above) then you do not need prior consent.
Some will argue that you might as well get consent first, to be safe.
I highly disagree for several reasons. Firstly, it will significantly lower your numbers. Most people won’t opt in. You’ll have very skewed and inaccurate data. Secondly, and probably more importantly, it provides a terrible user experience. And that’s the case whether they opt in or not.
Having one general cookie-notice opt-in is fine, and the internet has gotten used to it. But a lot of the new GDPR cookie notices that are becoming popular, with multiple options that show all the different types of cookies, are incredibly confusing and in most cases entirely unnecessary.
We recommend having one general GDPR cookie notice that users accept, which includes a link to more information on exactly what it entails.
That’s what we modeled our new GDPR templates for Divi Bars and Divi Overlays to be like.
They’re simple, clean, and easy for the user to understand. They allow you to be GDPR compliant without completely obliterating the experience of your website. And if you’re using Divi Bars and/or Divi Overlays, it means you can use the Divi Builder and make something that actually looks really great too!
Okay back to the opt out for Google Analytics. Just like the Facebook opt-out I linked to above, there’s a Google Analytics opt-out plugin by the same developer.
Or, there’s another Google Analytics opt-out plugin that does the same thing.
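The three Google Analytics steps above, as an added example that is not code from the post or from any plugin it mentions: it sets anonymize_ip (step 1), strips email addresses from the tracked page path so they never reach your reports (step 2), and honours an opt-out cookie through Google’s documented ga-disable-<ID> window flag (step 3). Assumptions: gtag.js is the tracking snippet, UA-XXXXXXX-Y is a placeholder property ID, and the ga_opt_out cookie name is our own convention.

```javascript
// Added example (not from the post or any plugin it mentions): apply the three
// Google Analytics GDPR steps before a hit is sent. Pure functions take the cookie
// string and URL as arguments so the decision logic runs without a browser.

const OPT_OUT_COOKIE = "ga_opt_out"; // our own convention (assumption)
// Non-global regex is safe for .test(); a global copy is used for .replace().
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;
const EMAIL_RE_G = new RegExp(EMAIL_RE.source, "g");

// Step 3: Google's documented kill switch is a window property named after the ID.
function disableFlagName(gaId) {
  return "ga-disable-" + gaId;
}

// Parse a document.cookie string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    if (name) out[name] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

function isOptedOut(cookieString) {
  return parseCookies(cookieString)[OPT_OUT_COOKIE] === "1";
}

// Cookie written when the visitor opts out: no personal data, one year, first-party.
function optOutCookieValue() {
  return OPT_OUT_COOKIE + "=1; Max-Age=31536000; Path=/; SameSite=Lax";
}

// Step 2: email addresses that ended up in a URL must not reach the reports.
// Query-string values are checked individually; the path gets a regex pass too.
function redactPath(urlString) {
  const u = new URL(urlString);
  for (const [key, value] of Array.from(u.searchParams.entries())) {
    if (EMAIL_RE.test(value)) u.searchParams.set(key, "REDACTED");
  }
  let pathname = u.pathname;
  try { pathname = decodeURIComponent(pathname); } catch (_) { /* keep encoded */ }
  return pathname.replace(EMAIL_RE_G, "REDACTED") + u.search;
}

// Step 1 + 2: the config object handed to gtag('config', ...).
function buildGtagConfig(urlString) {
  return { anonymize_ip: true, page_path: redactPath(urlString) };
}

// Decide what to do for one page view; returned as data so it is testable.
function trackingDecision(gaId, cookieString, urlString) {
  if (isOptedOut(cookieString)) {
    return { action: "disable", flag: disableFlagName(gaId) };
  }
  return { action: "config", gaId, config: buildGtagConfig(urlString) };
}

// Browser wiring: `win` and `doc` are injected so fakes can be used in tests.
// Run this before the gtag.js snippet fires its own config call.
function installTracking(win, doc, gaId) {
  const decision = trackingDecision(gaId, doc.cookie, win.location.href);
  if (decision.action === "disable") {
    win[decision.flag] = true; // gtag.js checks this flag before sending any hit
  } else if (typeof win.gtag === "function") {
    win.gtag("config", decision.gaId, decision.config);
  }
  return decision;
}

// Handler for a "Disable Google Analytics" link in a cookie bar.
function optOut(win, doc, gaId) {
  doc.cookie = optOutCookieValue();
  win[disableFlagName(gaId)] = true; // also stops further hits in this page load
}

// Constructed sample input (not real traffic) so the block runs stand-alone.
const SAMPLE_URL = "https://example.com/thank-you/?email=john%40example.com&src=newsletter";
const SAMPLE_COOKIES_DEFAULT = "wordpress_test_cookie=WP+Cookie+check";
const SAMPLE_COOKIES_OPTED_OUT = SAMPLE_COOKIES_DEFAULT + "; ga_opt_out=1";

console.log(trackingDecision("UA-XXXXXXX-Y", SAMPLE_COOKIES_DEFAULT, SAMPLE_URL));
console.log(trackingDecision("UA-XXXXXXX-Y", SAMPLE_COOKIES_OPTED_OUT, SAMPLE_URL));
```

In a real page, call installTracking(window, document, "UA-XXXXXXX-Y") before the gtag.js snippet and wire optOut to the cookie bar’s opt-out link.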
Okay, let’s get back to debunking GDPR myths.
Myth 3: I need to send an email out to my entire email list asking them if they want to remain on my list.
I think we’ve all received dozens if not hundreds of emails from various companies asking us to click a link to confirm we want to continue receiving email from them. Or, we’ve received emails with updated privacy policies. Neither of these is necessarily mandatory, despite what a lot of “experts” are saying online about GDPR.
If your email subscribers already consented to receive emails from you, then you don’t need to make them re-consent. This is especially true if you have proof of their consent.
For example, here on Divi Life, we have various lead magnets (freebies) on our blog that users can obtain when they subscribe to our list. It’s also very clear that they are subscribing to our list when they download the freebie. More on this in the next myth.
So if someone ever claims that they never subscribed to our list, we have a log that shows exactly what lead magnet they subscribed for.
Additionally, we use Mailchimp, which shows the history of a subscriber: when they subscribed and the method by which they subscribed.
Myth 4: I need to add checkboxes to all my contact forms and opt-in forms.
This one seems to be the most common misconception when it comes to GDPR. I think a lot of people initially thought that’s all that GDPR was: GDPR = Checkboxes on all my forms
GDPR wants clear consent, but checkboxes are not mandatory. If it’s perfectly clear what the user is subscribing to/for, then you don’t need to get additional consent via a checkbox.
Checkboxes also hurt your conversion rate:
(image credit: Thrive Themes)
If your opt-in very clearly states what will happen when the user subscribes, then you do not need to add a checkbox.
Check out this image from a recent AWeber article:
This opt-in is 100% GDPR compliant, and guess what, no checkboxes!
It’s GDPR compliant because the videos are a bonus for subscribing, and it’s clear that the subscriber will be receiving regular emails, and what the topics of those emails will be.
It would not be compliant if it did not clearly state that the user would be subscribing for regular updates.
Divi’s Compatibility With GDPR
So most of the above applies regardless of what theme you’re using. But a lot of people still ask about Divi and GDPR. Elegant Themes has stated an update is on its way.
Here’s the thing though, in most cases, you don’t NEED Divi to do anything additional in order to be GDPR compliant. For example, we’ve already debunked the checkbox myth above for opt-ins, which will come into play with Divi’s opt-in module as well as the Bloom plugin.
I realize there may be cases where checkboxes are necessary (consent to an additional email list, etc.), and if that’s the case for you then you will either have to wait for Divi’s GDPR update or use another form plugin that lets you add additional checkboxes (Gravity Forms, Caldera Forms, etc.).
Other than the checkboxes, there’s nothing else you need to worry about with Divi. Divi’s contact form does not store any data, and Bloom’s analytics are anonymous.
Keep in mind though that if you have an eCommerce site or use third party form plugins, you’ll need to make sure they have GDPR compatibility built in, and that you have it turned on.
Nick Roach’s Response to GDPR & Divi
Just before publishing this, I saw a comment on a recent Elegant Themes blog post from Nick Roach himself (CEO of Elegant Themes). As usual, people were complaining in the blog comments about things completely unrelated to the post. So of course people were asking about GDPR and Divi, and Nick Roach responded with the following, which affirms everything above 🙂
“We are working hard to add the GDPR related features that our customers have requested. Please understand that our blog writers are not developers and the fact that a blog post is published has no effect on the GDPR release timeline, which our development team is 100% focused on.
I know that these new regulations can be stressful, especially when there is so much misinformation and misinterpretation out there. Rest assured that we are working on giving our customers the tools they need to feel comfortable with the way they choose to comply.
The GDPR has very little effect on Divi itself, since Divi doesn’t store any information on its visitors aside from a few very rare situations (which we are adjusting in the upcoming update). Divi does allow you to transmit some information to third parties through the Email Optin module and the Contact Form module.
In these situations, some customers may choose to add a consent checkbox to the form. It’s worth noting that I do not believe such a checkbox is at all necessary for these modules. Consent is only one of many lawful methods that you can use to collect data, and ICO even discourages the use of consent whenever possible because it is unnecessarily burdensome on both the data controller and the user. Consent is more applicable in situations where you are collecting or storing data in ways that are unknown to the user. For the Email Optin module and Contact Form module, storing the data that the user sends you is necessary to fulfill their request to be contacted.
It’s interesting that online forms like this have been singled out for the “consent checkbox.” You might ask yourself, if someone uses a different form to send you an email, how do you plan to get their consent before that email is stored in your email provider? If someone uses an online Gmail form to send an email to your Yahoo account, how do you plan to get consent before that email is stored? You won’t, because it’s neither possible nor necessary. The fact that your contact form is hosted on your website isn’t any different.
Anyway, just something to think about before adding consent checkboxes all over your site! Once you commit to using consent, you have committed to a particular path that is really not ideal.”
Okay, time for shameless self-promotion! It is our blog right?
It just so happens that we have two tools that can be used separately or together to create some really awesome GDPR consent bars and/or popups!
Divi Bars is a plugin that lets you create promo bars and more using the Divi Builder. It also works great for cookie consent forms.
And Divi Overlays is a popup/overlay/lightbox builder that lets you use the Divi Builder to create them too!
With all the GDPR hype, we’ve had A LOT of requests for some GDPR templates. And I’m happy to say the templates are finally ready!
Let’s take a look!
Divi Bar GDPR Cookie Privacy Consent Bar Template 1
Divi Bar GDPR Cookie Privacy Consent Bar Template 2
Divi Bar GDPR Cookie Privacy Consent Bar Template 3
Divi Bar GDPR Cookie Privacy Consent Bar Template 4
Divi Overlays GDPR Cookie Privacy Popup Template
We hope you like the templates! Let us know if there’s any additional templates you’d like to see! 🙂
Additional Articles & Resources
I’ve linked to quite a few resources throughout this post, but here’s some additional reading you can do, as well as a few additional tools that can help you with GDPR compliance.
- Additional Tips on Google Analytics GDPR Compliance
- Great Article for GDPR for Websites
- A Great Plugin for Showing Specific Text Based on User’s Location (like EU)
Hope this article and video have been helpful! Remember, GDPR compliance is more of an evolution that may take some time. As long as you’re taking some steps in the right direction, you should be fine.
1. GDPR applies to EU residents only. That means that if your website/business sells products, collects data, or otherwise has EU resident traffic, you need to be concerned with GDPR.
2. If your website/business does NOT do business in any way shape or form with EU residents, you do NOT need to comply.
3. If you are not generating an income because you have a blog site that isn’t monetized, and you are not profiting from that business, then the 4% penalty equals zero. So you also do not need to comply (yet).
4. Eventually, all websites and businesses will be forced to do the same level of consumer privacy. So, although you do not need to go into crisis mode over GDPR, you should consider implementing the features anyway (at some point).
Hope that helps!
Yep, agreed! Thanks Erik. 🙂
I understand trying to put it all in realistic, manageable framing. And at this point, everyone is either afraid, tired or giddy when it comes to GDPR. But, Re: Erik’s point #3, it sounds a little flippant and careless—my understanding from [https://www.imperva.com/blog/2017/03/gdpr-series-part-4-penalties-non-compliance/] :
In the case of non-compliance with key provisions of the GDPR, regulators have the authority to levy a fine in an amount that is up to the GREATER of €20 million or 4% of global annual turnover in the prior year. So, Erik, your comment is not correct: it’s not 4% of $0. The key word is “greater”. Sounds to me like it’s a fine that starts at €20M. The basis is not the monetization of your site, but the handling of any personal data obtained for any reason. The fine is to ensure everyone complies to the level they are required to.
Examples that fall under this category are non-adherence to the core principles of processing personal data, infringement of the rights of data subjects and the transfer of personal data to third countries or international organizations that do not ensure an adequate level of data protection.
Still, I have read ICO documentation that assures us we are not all going to get fined €20M, but to do what we can to reasonably comply. That’s the reason we can “breathe” a little. Not because 4% of $0 is zero, but because they just expect you to TRY your best to comply. Not everyone is going to get it 100% correct the first round. But as long as you are not blatantly ignoring the law, one would expect you won’t get fined right out of the gate. (Don’t quote me on that)
Tim’s assessment seems to be in line with what I have read and understood. Again, not giving advice, just continuing to put the pieces together in a way that makes sense. Thanks for the information, Tim.
Hey. Nice blog post. Thank you. But I disagree regarding the Facebook pixel. An opt out is necessary, right. But when a user visits your site which has a Facebook pixel, data is transmitted without his consent. Don’t you agree? Opting out would be too late, I guess. I am no lawyer, but logic tells me that every user has to have the right to agree BEFORE any personal data is transmitted.
What annoys me the most is that there is no reaction or clear announcement of how Elegant Themes will make Divi GDPR compliant. For example, Google Fonts seem to be another problem.
Happy to hear your opinion.
Thanks for reading. Yeah you may be right. GDPR as well as Facebook themselves are VERY vague about this kind of thing. I think we’ll start to see more clear answers to this and other things as things progress the next few months. Personally, I think Facebook Pixel opt-in or opt-out should be done at the Facebook account level, not on the individual site level, especially since Facebook is the one processing the data. I also think that if people don’t want to be advertised to via Facebook then they should simply not use Facebook lol. Personally I value the data that Facebook has on me (I realize this is controversial lol). To use their free platform, there’s going to be advertising, and I’d rather see ads that I’m interested in opposed to ads I’m not. I’ve purchased lots of products (software, physical products, etc) because of ads I’ve seen in my Facebook feed. So I have no problem with Facebook pixels, but that’s just me 🙂
As for Elegant Themes, and Divi’s GDPR tools, a clear announcement would have been nice. It looks like an update will be out today with some new functionality for adding checkboxes, etc (although in most cases they’re not necessary) 🙂
Nice article. Though I think you do need consent check-boxes for situations where you’re capturing data for, say, a free download. You might want to use that data to promote offers. The user needs to consent to that usage.
You could put a load of copy up saying, ‘By taking up this offer you agree to be marketed to – we’ll use your data for such and such’.
However, I think it would be simpler to have some opt-in boxes like
Send me great articles!
Send me great offers when they arise!
That way you get definite active consent. Copy can be overlooked, misread etc. whereas having to check a box is a clear affirmative action.
So I still think ET should add check options to the email optin module. Let us the developers, designers and marketers decide what strategy to use.
Cheers once again for a great article and providing great products.
Thanks for taking the time to read and for your insights. From my research, checkboxes aren’t necessary if you have the right copy. I understand what you’re saying that the text could get very long, but I think the main point is clarity. You don’t want to do a “bait-and-switch” on the subscriber, if they put their email in to get a freebie and don’t know you’re going to be sending promos.
Here’s another example of a GDPR compliant title without a checkbox: “Subscribe for more tutorials, product offers, and more, PLUS a FREE plugin sent to you as a bonus!” With copy like that, it’s overwhelmingly clear that I will be subscribed to the email list which will include free stuff and product promos, and I’m getting a free bonus too.
You’re right that the affirmative action helps make it extremely clear for the user, and it’s definitely GDPR compliant, but conversions will suffer dramatically. The whole point of lead magnets is to get the user on the list with an enticing offer. If they can get the offer without anything in exchange then in a lot of cases they won’t subscribe. But if you can make a clear call to action that is also GDPR compliant, and doesn’t have a checkbox, then I’ll choose that option all day long 🙂
And yes, ET will definitely be adding the ability to add checkboxes so each Divi user will have the ultimate decision. That update should be out today. The last I heard was it’s in the QA testing phase now.
Thanks for the reply, Tim. Believe me, I know the logic of what you’re saying. However, I’ve had some clients that aren’t willing to take the risk. They literally demand clear, active consent. I just want to cater for the market.
Also, I’m not sure it is bad for conversion. We could end up with better quality lists as a result. If people actively opt in to receive promotional messages, it means they’re genuinely interested and are more likely to respond to offers etc. Take your brand for example: I want to receive marketing messages from you because your products have a lot of value for me.
Lists could end up smaller, but of a higher quality potentially meaning lower email costs (think huge lists on Mailchimp) and higher email conversion rates. Just a hypothesis.
One thing I think we can all agree on: GDPR is one big, monumental headache.
I appreciate you taking the time to comment, Simon! Yeah for clients that are scared out of their mind then checkboxes are definitely the better route for sure haha 🙂
Yeah I get what you’re saying with lead quality, but I’m not sure I totally agree. Here’s why: a lot of times when someone opts in for a freebie, it’s the first time they’ve come in contact with the website/business. They’re seeking out a solution to a problem they might have, and they stumble onto a blog post from a Google search. So they’re a totally “cold” lead/subscriber. It’s unlikely that they’ll want to opt in to receive emails from a company they’ve never heard of. They’d rather just take the freebie and move on. But, if you get them on the list, and have the ability to “nurture” them with a series of other value-added emails/freebies, then you’re going to earn their trust and they’ll be much more likely to buy when a product promo comes their way.
I definitely agree about having a smaller higher quality list though. But personally I’d rather “clean” the list later down the road and have the opportunity to get as many people going through the “funnel” as possible 🙂
And yes, we can definitely all agree that GDPR is a huge nightmare 🙂
The form mentioned on a the AWeber article above (https://divilife.com/wp-content/uploads/2018/05/paul-kirtley.png) is NOT GDPR compliant!
You are not telling the person what you will do with their details. There is no link to your policy, hence it breaks the law.
It clearly states in the text that the user will receive regular information on the several topics, plus the 20 free videos. It’s definitely compliant.
The link to the Aweber article explains it more in depth. 🙂
I beg to differ, and so does the ICO. AWeber is wrong!
Neither of the following is followed.
☐ We have made the request for consent prominent and separate from our terms and conditions.
☐ We ask people to positively opt in.
☐ We keep a record of when and how we got consent from the individual.
You are asking for my data without telling me what you will do with it. Why you want it is nothing to do with asking consent.
I appreciate your points and taking the time to write them. We may have to agree to disagree on this one 🙂
In my opinion, what you posted further proves my point.
Here are my responses to each:
☐ We have made the request for consent prominent and separate from our terms and conditions.
This does not apply because the opt-in form isn’t trying to get consent to the terms and conditions of a product/service. It’s simply an opt-in form. This point refers to when companies have a terms and conditions agreement (at a checkout, for example) with a checkbox with text that says something like, “I agree to the terms and conditions of this service, and I agree to be emailed regarding other products and services from us and our partners.”
☐ We ask people to positively opt in.
This means you can’t have pre-checked boxes (if you’re using checkboxes) or you can’t start emailing someone and tell them to opt-out if they don’t want to receive emails anymore, when they never positively opted in.
The example requires the user to put in their email address and hit submit. That very act IS the positive consent. An additional checkbox would be redundant. It’s essentially saying “put in your email and click submit if you consent to receiving emails from us, AND check this box if you consent to receiving emails from us.”
☐ We keep a record of when and how we got consent from the individual.
This will depend on the email marketing software and how the opt-in form is built, but most email marketing platforms will show details of when and how a user subscribes to the list. So in the Aweber example, the form will likely log data in the email marketing platform that states they subscribed on 5/25/18 through the “Newsletter with 20 Free Videos” opt-in. I have all that data on all my subscribers using similar type forms as the Aweber example.
You are asking for my data without telling me what you will do with it. Why you want it is nothing to do with asking consent.
I disagree. I think the example very clearly states what will happen when the user subscribes: “Get regular information on bushcraft, survival and outdoor life, starting with 20 FREE VIDEOS today.”
Getting a cloudflare SSL error when trying to view the demos.
Also, check out my site using the Divi Bars for cookie consent.
Maybe the error was a temporary thing? All is working on my end here.
Your cookie consent bar with Divi Bars looks great! Thanks for sharing 🙂
Tim – your https links aren’t working: https://tutorialdemos.divilife.com/gdpr-cookie-consent-divi-bar-1-demo-page/
https://tutorialdemos.divilife.com/gdpr-cookie-consent-divi-bar-1-demo-page/ works though!
Hmm that’s very strange. It’s working for me in multiple browsers on both http and https.
Perhaps it was a temporary glitch with Cloudflare. I’ll look into it more though.
Same happens on Safari and Chrome in LA - Browser “Working” > Cloudflare “Working” > says “Host Error”
Error 526 Ray ID: 420a84944d247808 • 2018-05-25 19:48:09 UTC
Invalid SSL certificate
Very strange! I appreciate you letting me know! I’ve updated the post to link to the http version for the time being 🙂
You are welcome – and thanks for the great plugins and input on GDPR – super helpful!!
You’re welcome, Stan!! Glad you found it helpful 🙂
What about the normal contact form?
Does it need a checkbox or not?
And if not, I ask for a source about it.
The normal contact form in most cases won’t need a checkbox. If you’re using it as a basic contact form then you definitely need a checkbox. But if you’re going to take the user’s email after they submit the form and add them to a marketing list, then yes you would need a checkbox so they can opt into that. Or the alternative to that would be having very clear text above the contact form that says you will be marketing to them if they fill out the form lol
Are they blank in the Builder, or when you look at the front end?
They are blank in both the back end builder and after it’s rendered on the front-end page visible to visitors.
Great article Tim.
It’s true that GDPR is making people panic a little. From my point of view one of the reasons for this is that our clients, most of them companies, have lawyers and rely on them to say what is the correct way to implement GDPR measures in their websites. The problem is that not every lawyer reads the EU GDPR regulation the same way, and we end up having to implement different solutions for our clients’ sites.
Once again, great post! Thanks a lot.
Great points, Morgado. Thanks for taking the time to read and comment. 🙂
Being a Dutch citizen myself I’d like to add a small nuance.
I can understand that everybody overseas is talking about the GDPR, but it is worth noting that this is a ‘Regulation’; it is not the law in the European countries.
Each EU country has to make their own law based on the regulation. You could see the GDPR as a sort of minimum requirement for a new law that is to be made in each country of the EU.
In The Netherlands we have the ‘AVG’, which was finished just in time. The AVG is pretty much the same as the GDPR except that it is a little stricter in some areas.
In the AVG one has to have a clear purpose to collect personal data but also a rightful ground (not sure if that is translated properly. In Dutch it is called ‘rechtsgrondslag’) to collect data.
For example, the rightful ground to collect personal data on a contact form is ‘Consent’ (as opposed to a business agreement, for example).
In case of Consent the AVG uses the concept of ‘reversed proof’, which is more strict than what the GDPR prescribes. This means that in case of an argument it is not the person that filled out the form that has to prove that he didn’t give consent; it is the owner of the contact form that has to prove the person that filled it out gave his consent. The law says we should get ‘explicit and clear’ consent.
For this reason it is smart to add a checkbox to a contact form with the specific text ‘YES, I give my consent to collect my personal data on this form’.
I’ve been struggling with this myself, but strictly speaking I have to store the consent. I can’t use the Divi contact form module for that reason. Luckily Contact Form 7 has resolved it, and with a little CSS it works very nicely with Divi.
With that said, I realize it is a bit ridiculous because when one uses a contact form it is obvious that they are giving consent. But to avoid any arguments (there is no case law yet) it seems smart to get clear consent.
In the greater scheme of things it is nit picking because the impact of a leak in case of a contact form is probably very small anyway.
Hope that helps!
Hi Remco, thanks for taking the time to put together your thoughts. That’s interesting that each European country will have different laws based on the GDPR. I did not know that. In the case of the AVG, do you know if the Netherlands expects all websites that have Dutch users visiting them to have the specific nuances of the AVG in practice on the website? It may be impossible to keep up with each country’s individual laws when you get traffic from many different European countries. 🙂
In theory it could be hard to keep up with all the tiny differences in laws in the EU countries but one way to avoid possible issues is to design with a worst case scenario in mind.
But to put this into perspective, I have to make sure my website is compliant with Dutch law. I do not have to make my website to be compliant with US laws or for that matter German laws or any other countries laws. It’s the same the other way around; in the US you don’t have to make your website compliant for the GDPR, or local laws like the AVG.
We’ve had a similar issue with double opt-ins vs single opt-ins for mailing lists. In some countries a double opt-in is required by law; in other countries it isn’t. As long as you comply with local law you’re good. Of course, the moment you do business in other countries you will have to comply with their laws as well, but for a contact form you don’t have to worry about that.
With that said, there is another thing to keep in mind here. You might have heard about another European law called the ePrivacy Regulation. It was supposed to go into effect along with the GDPR but it has been postponed. The draft is ready but it hasn’t been approved yet by the EU.
@Remco, your statement is incorrect! It was correct before the GDPR but with the GDPR, the entire EU has the same privacy law.
This is stated on the main GDPR page of the Dutch personal data authority:
Sinds 25 mei 2018 geldt de Algemene verordening gegevensbescherming (AVG). Deze verordening zorgt ervoor dat in de hele EU dezelfde privacywetgeving geldt.
Which translates to English as:
Since 25 May 2018, the General Data Protection Regulation (AVG) has applied. This Regulation ensures that the same privacy legislation applies throughout the EU.
I think you’re right! I’m not sure where I picked this up, I’ve read through dozens of articles and I’m pretty sure I read it somewhere. The GDPR is supposed to be the same throughout all the translations in Europe. Indeed the reversed proof concept is also used in the GDPR. Thanks for setting me straight.
There are some issues though.
Apart from countries like Poland that want to make exemptions on the GDPR (https://iapp.org/news/a/polands-proposed-gdpr-exemptions-spark-outrage/) there is also an issue with the translation.
The EU has 28 countries (with the UK leaving 27) and at least 24 ‘official’ languages with their own legislation. There’s bound to be some translation and even interpretation errors (https://iapp.org/news/a/gdpr-lost-in-translation/)
Agreed, the intention of the GDPR is to be the same throughout the EU. I still think it is (officially) needed to register consent.
I found the article that states countries can somewhat deviate from the GDPR. It reads in Dutch:
“Toch is er hier en daar nog wat ruimte waar landen mogen afwijken. Daarom zal de Nederlandse wet nog wel op de AVG worden aangepast, maar dat zal nog enige tijd duren.” (© Charlotte’s Law)
“Yet here and there there is still some room where countries may deviate. This is why the Dutch law will still be adapted to the AVG, although that will take some time.”
@John-Pierre, I agree that the intention of the GDPR is to be the same throughout the EU; thanks for setting me straight. In the case of the contact form it seems this is indeed the case: the reversed proof is also described in the GDPR.
With that said, there are countries like Poland that want to make exemptions to the GDPR (https://iapp.org/news/a/polands-proposed-gdpr-exemptions-spark-outrage/), although I’m not sure they will get away with it.
Also, the EU has 28 countries now (27 with the UK leaving). There are at least 24 official languages, each with their own legislation. There’s bound to be translation and interpretation differences. (https://iapp.org/news/a/gdpr-lost-in-translation/)
@Remco, thanks for replying. The predecessor of the GDPR, the “Wet bescherming persoonsgegevens (Wbp)” (Personal Data Protection Act), had set a minimum of privacy requirements, so some countries, including NL, integrated it with much stricter requirements into their own law. That’s gone with the GDPR.
Ref. charlotteslaw: the article is from 2017, she doesn’t give any details, and I have found that different lawyers have different opinions on the actual implementation of the GDPR. For example, one says a contact form needs a checkbox and the next one says it doesn’t. There is no jurisprudence yet, so no way to tell who is right.
PS: how did you know I replied to your comment? Did you get a notification? I didn’t get one after your comment. I just saw it because I have a habit of checking back on pages where I left a comment to see if someone replied.
I didn’t get an email about a reply. I also tend to check the threads I commented on, which is how I found out you replied to me again as well 😉
The very fact that there are different ‘opinions’ simply means there is room for interpretation. It will be a while before the dust settles and things become clear.
Personally I think that the authorities will eventually indulge solutions that could be classified as ‘grey areas’, as long as they are relatively unimportant. A contact form is ‘small beer’ after all.
Great article! Helps so much. Thanks for posting!
You’re welcome! Glad it was helpful 🙂
Hi Tim. Random question but your videos are so cool how you share your screen and show your face at the same time. Can I ask what program you use for this?
Hi Emma! I use Screenflow for my videos 🙂
Can I download the template for Divi Overlays somewhere on the website?
Sorry if I didn’t look hard enough; I’m in a bit of a rush now for GDPR.
You can download the templates in your Divi Life account: My Account > Purchase History > Plugin Layout Templates (tab)