First things first: especially if you are European this law was very present during the last weeks and there is a good chance you already know about it. If you don’t: what exactly is the General Data Protection Regulation?
What is the GDPR?
“The General Data Protection Regulation (GDPR) is a regulation by which the EU intends to strengthen and unify data protection for all individuals from the European Union (EU). It also addresses the export of personal data outside the EU.
It aims primarily to give control back to EU citizens and residents over their personal data and to simplify the regulatory environment for international business (any company that is gathering, processing or storing the personal data of EU citizens).”
If you ended up on our site chances are good you are running your own website. If you have visitors from the EU on your site the GDPR basically requires you to adhere to European standards regarding the data of your users, otherwise, you might get fined.
What do I need to do?
What do I not need to do?
There are currently a lot of horror stories out there on how websites must be adapted (like all forms must come with checkboxes, all user IP addresses must be erased, all external services like Google Fonts, Video Embeds and Maps must be removed, all Cookies must be blocked and whatnot).
Non-compliance will result in catastrophic fines and will end your business. We should all close our websites right now and be done with it. etc etc
We have talked to lawyers, we have visited information events and we have scoured the web for reliable resources written by people with a background in data protection or law. The gist we got from those sources:
It’s all not as bad as it sounds. Yes, there is some work to do. But many of these “required changes” are highly debatable or outright wrong, and even if you don’t get everything right from the beginning: the authorities in each country are tasked with informing first, and only impose fines if they encounter repeated violations of the law.
The key takeaway from our talks with lawyers
This is probably the most important takeaway we got from our research. According to our lawyers, you can pretty much use every feature as is if one of 2 conditions is met: legitimate interest on your side, or consent given by the visitor.
The problem with legitimate interest is that it’s one of those things that are not strictly defined by the law, which means it’s open to interpretation. The question is: when are you allowed to put your interest first and when do you need to step back and ask for permission? A question that has no general answer as we understand it, but needs to be reviewed for each case individually.
Although legitimate interest may be open to interpretation, according to our lawyers it’s usually still the better option compared to user consent. The problem with consent is that it can be revoked at any time which can cause you a lot of extra work.
So what did change with Enfold 4.4?
Finally, we are talking about the theme :D As was discussed above, it is currently hard to tell what is allowed, what is not and what is in a legal grey area. So what we did is: allow you to choose how you want to use certain features, depending on what the legal advisors and authorities in your country tell you :)
The biggest changes we applied are in regard to external services. Since external services receive the visitor’s IP address as soon as their content is loaded, we have implemented ways to make sure this only happens on user interaction.
You can now set up your Instagram and Facebook widgets in a way that they do not send data unless the user interacts with them. The same goes for Google Maps, where you can set up a placeholder image that is displayed until the user requests the actual map. The very same was implemented for Vimeo and YouTube videos. The cool thing about those features is that they do not only help with data protection but are also in line with our recent efforts to improve page speed and performance scores. It, of course, helps a lot with performance if external sources are only loaded on user request.
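To make the “placeholder until the user requests it” idea concrete, here is a small added example of the click-to-load pattern. This is not Enfold’s code: the provider table, the `placeholderHtml` / `embedHtml` helpers and the preview image path are all assumptions made for illustration. The point it demonstrates is that the placeholder markup contains no reference to the third-party host, so the browser makes no request to the provider (and discloses no visitor IP address) until the click handler swaps in the real iframe.

```javascript
// Added example (not the theme's own code): "click to load" third-party embeds.
// Markup rendered on page load references only our own server; the provider URL
// is generated and inserted only when the visitor clicks the placeholder.

// Hypothetical provider table; the embed URL formats are assumptions.
const EMBED_PROVIDERS = {
  youtube: (id) => `https://www.youtube-nocookie.com/embed/${encodeURIComponent(id)}`,
  vimeo:   (id) => `https://player.vimeo.com/video/${encodeURIComponent(id)}`,
  gmaps:   (id) => `https://www.google.com/maps/embed?pb=${encodeURIComponent(id)}`,
};

// Escape attribute/text values so a video id or label cannot inject markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Placeholder: a locally hosted preview image plus a button. It carries the
// provider name and id as data attributes but never the provider's URL.
function placeholderHtml(provider, id, previewSrc, label) {
  if (!EMBED_PROVIDERS[provider]) throw new Error(`unknown provider: ${provider}`);
  return (
    `<div class="lazy-embed" data-provider="${escapeHtml(provider)}" data-id="${escapeHtml(id)}">` +
    `<img src="${escapeHtml(previewSrc)}" alt="">` +
    `<button type="button">${escapeHtml(label)}</button></div>`
  );
}

// Activation: builds the real iframe. Called only from the click handler, so the
// external request happens only after an explicit user action.
function embedHtml(provider, id) {
  const build = EMBED_PROVIDERS[provider];
  if (!build) throw new Error(`unknown provider: ${provider}`);
  const src = build(id);
  // no-referrer keeps the page URL the visitor was on out of the provider's logs
  return `<iframe src="${escapeHtml(src)}" loading="lazy" referrerpolicy="no-referrer" allowfullscreen></iframe>`;
}

// Self-check: does a piece of markup reference any host other than our own?
function referencesExternalHost(html, ownHost) {
  const hosts = [...html.matchAll(/https?:\/\/([^\/"'\s]+)/g)].map((m) => m[1]);
  return hosts.some((h) => h !== ownHost);
}

// Browser wiring (skipped when run under Node): replace the placeholder on click.
if (typeof document !== 'undefined') {
  document.addEventListener('click', (ev) => {
    const box = ev.target.closest('.lazy-embed');
    if (!box) return;
    box.outerHTML = embedHtml(box.dataset.provider, box.dataset.id);
  });
}
```

The same structure works for a maps embed or a social widget: render a static, locally hosted preview on page load, keep the provider identifier in data attributes, and generate the provider markup only inside the interaction handler. Serving the preview image from your own host (rather than hotlinking a thumbnail from the provider) is what keeps the initial page view free of third-party requests.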
We have also implemented a font upload feature that allows you to upload Google web fonts (or any fonts for that matter) to your web server. Users have asked for the possibility to use their own custom fonts for some time now and it was a good opportunity to implement that feature ;)
One more word about Cookies
You may notice the absence of a feature to generally disable cookies. This is a “requirement” that is also heavily discussed on the internet but since Enfold does not set any cookie that stores any personal information we decided against it. Enfold cookies do one of 3 things:
dismiss the cookie consent bar permanently (permanent cookie)
make sure that the breadcrumb navigation is displayed properly (session cookie)
allow a user to disable certain features like web fonts, analytics, maps or videos (permanent cookies)
Last but not least: a disclaimer:
We are not lawyers, so don’t take any of this as legal advice!
We wrote down what we have been told by people who are well versed in legal matters but a lot of this is subject to interpretation so make sure to consult with your lawyer if you want to be sure what to do.