All features and elements in the Editor are designed to enable you to gather, manage and delete visitor data in compliance with data privacy laws outlined in the General Data Protection Regulation (GDPR).
Important notice
The information in this article is not to be considered legal advice. Please consult with your own legal counsel to make sure you live up to the general requirements outlined in GDPR as well as any additional, regional privacy laws that may apply in your country. It is your responsibility as a website owner to make the required adjustments on your website in order to be compliant with GDPR.
What is GDPR?
The GDPR is a European Union (EU) regulation aimed at strengthening the data protection of individuals (data subjects) within the EU. Its focus is to give more control and transparency to data subjects about what, how and when data is collected about them online. The GDPR came into effect on May 25, 2018 and doesn't only apply to businesses located within the EU but also to businesses located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects.
GDPR and your website
The GDPR states that data subjects (website visitors) have four fundamental rights. Below, we've outlined what website owners need to think about in order to comply with these rights.
- The right to transparency: visitors have the right to be informed about how you gather and manage their personal data. Make sure that you clearly display this information in a privacy policy and link to that policy from any place on your website where visitors submit data.
- The right to consent and control: visitors must be able to provide consent (and withdraw it again) to having their data gathered and stored. Make sure to set up a cookie notification message, think about how you want visitors to opt in to having their cookies stored, and add an opt-out option as well. Additionally, ensure that all your contact forms require visitors to provide consent when they submit data.
- The right to data portability: visitors have the right to request a list of information/data any company has on them. Use the Editor's User Data Report feature to extract a full list of data you have on individual visitors.
- The right to be forgotten: visitors have the right to request the deletion of specific personal data that they have previously submitted on your website. In the Editor, you can delete any piece of data that has been submitted by visitors (with the exception of E-commerce order data).
The right to transparency
The key to transparency is having a privacy policy on your website that clearly states how you gather and manage visitor data. You can have this policy on a separate page on your website and then link out to it from forms, buttons, links, etc. If you make the page hidden, it won't show up in your main navigation. Alternatively, you can enter the policy text in the Legal section in Global Data.
Read more about adding a privacy policy to your website here.
You should be aware of five different channels through which user data can come into your website:
- Forms
- On-Site Engagements
- User logins
- E-commerce
- Blog
Forms
When visitors submit contact forms on your website, they may be sending personal data, which is stored in the Editor.
There are three modules through which user data can come into your website via forms:
- Form
- Mailchimp form
- Email signup form
Read more about the modules by clicking the links above. If you have entered your email address in the Email Recipient field in the Form and Mailchimp form modules, the submitted data will be sent to your email. Keep in mind that this means you'll be storing visitor data in your inbox. On the Form, Mailchimp form and Email signup form modules, you can also enable Data Collection, which means that form data will be stored in Customers under Forms. Read more about this feature here.
You can add an opt-in option on any contact form, requiring visitors to consent to your privacy policy by ticking a box before submitting the form. Add a link to your privacy policy on the opt-in box so visitors can easily head there and read your terms.
On-Site Engagements
These pop-up elements can be set to appear on your website and allow for various types of visitor engagement. Three of these engagement types may involve the visitor submitting personal data:
- Submit a contact form
- Sticky contact form
- Sign up to a newsletter
Just like with the Form modules, you can add an opt-in option to your On-Site Engagements.
Here you can read more about On-Site Engagements.
User login
If you have password protected pages or use the User login module, users will have to sign up in order to access your site and may submit personal data in the process. This data is stored in CRM in the Editor.
Here you can read more about the User login module.
Blog
If you have access to Blog, you can write blog posts and open them up to visitor comments. These comments may contain visitors' personal data and are stored in the Blog section within the Editor.
Just as with Form modules, you can add an opt-in option on your Blog so that website visitors have to consent to your privacy policy before being able to add a comment.
Here you can read more about Blog.
E-commerce
If you have added the E-commerce component to your website, you can take orders and accept payments. These transactions contain personal data about the customers. Order data will appear in the Editor, while anything related to credit card payment details will be stored with the payment gateway and not in the Editor.
The right to consent and control
At any instance where a visitor can submit data on your website, you have the option to have them consent to the terms outlined in your privacy policy. Please refer to the following articles for practical information on how to set it up in the Editor:
Cookies
If your website stores data from cookies, be aware that personally identifiable data may be transmitted from the visitor, in which case you must inform visitors about this in your data privacy policy. Cookies might be added to your website if you, for example, have embedded a video or added a third-party widget.
The following types of cookies are being set by default in the Editor from Google Analytics:
- CONSENT (gstatic.com) for Google tracking
- _ga .{domain} for Google tracking
- _gat .{domain} for Google request rate throttling
- _gid .{domain} for Google user differentiation
- site_session {subdomain}.{domain} for PHP Session ID used for session-specific interactions (Shop, Blog, etc)
- _utmz .{domain} for ga.js cookie usage - See Google Documentation for specifics
- _utma .{domain} for ga.js cookie usage - See Google Documentation for specifics
Cookie information
None of the cookies above store any personally identifiable information about visitors - their IP addresses are masked and, therefore, fully anonymized. The cookies are added to all websites created in the Editor and are necessary in order for the website to function and to supply visitor data on the Editor dashboard. For more information, please visit: https://developers.google.com/analytics/devguides/...
The pre-installed Google Analytics uses session-based cookies to collect information about a visitor's behavior on the site. As no personally identifiable data is being stored through these cookies, they are not subject to GDPR legislation.
We wish to reiterate that this pertains to the standard, pre-installed or "out of the box" Google Analytics in the Editor. If you add any additional Google Analytics or other cookie-relevant external code to the website, there may be other obligations about which you need to consult with local counsel.
Other cookies used within the platform are based on sessions and are necessary in order to carry out and support basic website functions such as login, form submissions and maps. Just as with analytics, these cookies are not personally identifiable and only session-based. In short, the cookies the Editor uses do not affect your company's ability to comply with GDPR.
If website visitors do not wish to have cookies stored, they have the option to opt out. Read this article for more information about cookie settings. Please note that it is your responsibility as a business owner (data controller) to add the cookie consent feature to your website. It is also possible to add a privacy policy.
Social media opt-in
If you have social media share modules added to your website, for example the Facebook Like module, you can enable a double opt-in functionality. This gives you the possibility to ask your website visitors to first give their consent to displaying this module before they can start interacting with it. After they have toggled the button, they can click on the modules and perform actions. This way, you can clearly inform website visitors that if they interact with social media modules, they might be passing on information to third parties. Read more about setting up social media opt-in here.
The right to data portability
Visitors have the right to request an overview of all the data that they have submitted on your website. Using the Editor's User Data Report feature you can generate an overview of all data submitted by individual visitors. It collates all the data that you have on a specific visitor and allows you to export that data to a PDF file (that you could pass on to the relevant visitor, if required).
The report contains data submitted through the following modules and features:
- Forms
- Customers
- Blog (comments)
- E-Commerce (orders)
Read more about the User Data Report feature here.
The right to be forgotten
Visitors have the right to request the deletion of specific personal data that they have previously submitted on your website.
Here's an overview of where you can delete visitor data that you have previously collected:
- Form data can be deleted in Customers -> Forms. Read more here.
- Customer data can be deleted from the Customers overview.
- Blog comment data can be deleted in Blog -> Comments. Read more here.
- E-commerce order data cannot be deleted as it contains necessary information concerning financial transactions.