@therealmf The RW Contact Form plugin is actually not GDPR compliant because it has no consent checkbox, and there is AFAIK, no way to display a Cookie or Privacy policy warning using the core RW App.
Though Will Woodgate has contributed a bit of CSS to the forum that solves this problem.
Nice of Will but shouldn’t it be inside the base product? What about cookie and privacy policy? Shouldn’t legal compliance issues be addressed by the base product? Shouldn’t it be addressed by the current production version?
Maybe it is inside version 8. I simply don’t know.
I think we make our lives too easy by just requiring all the “might be relevant” GDPR stuff to come from RMS.
Contact form: the standard contact form already has the option to mark a checkbox as mandatory.
Legal page: Creating a page with the legal details of the website should not be the obligation of the web design product. There are many (legal) implications, which cannot be - in their full extent - addressed by RMS.
Cookies: In its base functionality, RW doesn’t store any cookies. Also there the law is quite different, dependent on the country you live in, etc.
IMHO…
I don’t speak on behalf of @dan here, but I’d like to understand these GDPR questions some more. Please be specific when you answer. You’re welcome to provide examples.
I can’t go into what may or may not be in future versions of RapidWeaver, but I can try and help figure out whether current releases can do what you need.
What do you want to do that RapidWeaver can’t currently provide?
For a contact form, you may need to have a bit of text telling your user how you store their information. Are the “Customizable Text” fields not enough?
You can set certain fields as “Mandatory”, so you can require that users tick a box to accept terms before they can submit.
What else do you require to make your contact form GDPR compliant?
This is really down to theme developers. Adding crossorigin="anonymous" is enough if theme developers still want to link out to a third party CDN (the Information Commissioner’s Office, or ICO, do exactly that here in the UK when linking out to Google’s CDN for jQuery). Check it out.
Again: please be specific here. If we can’t figure out exactly what you’re asking for, we can’t discuss it internally for future development. Don’t just say “this isn’t GDPR compliant”, but explain what steps need to be taken to make it GDPR compliant in your opinion.
Hi, in Germany the IP address is counted as personal data. So even by using this flag, the IP address is still transmitted and we have no control of how it is used later by e.g. Google. That is why many of us use local storage only.
In that case, it’s not legally possible for you to browse the Internet. Your IP address is sent with every single HTTP request your device makes, even before you’re able to opt-in to anything (how can you press “I Agree” if you can’t make the request that loads the button in the first place?).
As I understand it, the EU only considers an IP address Personally Identifiable Information (PII) if other data is being sent along with it that could identify a user. With crossorigin="anonymous", a server can’t tell one request from another from the same IP address (you could be one of thousands of users on a university network all sharing the same public IP).
It is ok for the IP to be transmitted while a website is loaded. The IP stays at the hosters servers and - following GDPR - will be anonymized or deleted shortly after. It is the connection to third parties like Google webfonts, YouTube etc. where no control is possible. So in these instances you either host yourself, or get specific consent from the user to continue.
It will take a few years until the judges will decide what is allowed with explicit consent and with information about what is happening with the IP only. Most German developers I talked to stay on the safe side.
Mostly because we do have specialized clubs/societies which are allowed to sue (and this is their only business model) whereas in other countries only the state has the right to do so…
It is not about me surfing but about people visiting my website, which I am responsible for.
I’d like to see the regulation you’re citing here. This isn’t correct under GDPR, so if it’s something specific to Germany then that’s something entirely different. Under GDPR, an IP address may be considered PII, but isn’t automatically PII. If an IP address is the only information sent, it’s definitely not PII. That’s also the case under the ePrivacy Directive too.
Yes, it is kind of specific for Germany as of my knowledge… I think a high court decision, but I have to look it up.
Thanks, please do. It sounds technically impossible to comply with that and also run even a static website.
Edit: my German is somewhat passable, and I can use Google Translate for the bits I don’t understand if you can only find a German source. I’d like to see something official though, rather than a blog or newspaper report.
@simon It’s really a bit late to be discussing whether IP addresses are personal data or not. This forum is full of similar discussion over the past 9 months. Whether it is or not, this is one of the issues that a GDPR compliant web site should address, and it certainly isn’t the only thing to consider.
In answer to your original question: what would need to be updated in RW7 to enable RM to make a statement about RW7 being a GDPR compliant web site creation tool?
- The Contact Form needs to have a way of linking from the checkbox text link to a privacy policy. AFAIK this is not possible in any version of RW.
- An initial-visit pop-up modal message would be very handy to display privacy or cookie notices, with an Accept button needed to continue to visit the site, i.e. exactly the type of message we are all seeing every day when we visit GDPR compliant sites.
- Loading all CDN code and icons, fonts, etc. would also be very handy and would add another tick in the box for what RM has done about GDPR. This is what RM’s competition (Blocs & Sparkle) did recently in time for May 25 with point releases of their products. Here is a blog post that details what Sparkle did for their GDPR point release: Introducing Sparkle 2.6: GDPR!
BTW, Sparkle’s own web site gets 100% GDPR compliance in the Swedish GDPR checker.
Here is the result for RM’s RW-created site:
Adam did a great job of making Foundry GDPR compliant so maybe a site update would be good idea.
Whether GDPR is taken seriously or not, prospective new customers for RW will want to know whether RW is GDPR compliant.
Swedish GDPR checker
Where can I find this checker?
https://webbkoll.dataskydd.net/en, I think
@simon
I think the main areas I would like to see carry a ‘GDPR Ready’ badge are:
- The built-in contact form. I know not many people use it, because, well, let’s face it, it’s not the most sophisticated or useful thing out there and has not been subject to much development time as far as I can see; but that said, I still think that RW users on a budget would appreciate it being made GDPR compliant. I’ll supply a link at the end which appears to nicely summarise the examples and target outcome for each area.
- Could this have been an opportunity, in RW8, to include a really well done ‘opt in to mailing list’ solution? Was anything like that considered?
- Google fonts. Yes, I know that the default product is quite capable of packaging fonts and referencing them in CSS, thus displacing any need to call out to the CDN. I’m quite clear on that. What I am asking is whether GDPR and the potential grey area of using the GF CDN might have been a trigger for RMS to build a font manager into RW to make it easier and faster for people to do exactly that.
Examples for contact forms/opt in-outs and some narrative are here:
An earlier poster thought I was perhaps being unfair in asking this question. I think they went on to say that any GDPR gaps should be filled by stacks developers. I’d love to know if that is a view shared by RMS. I disagree that it’s down to stacks developers; I would like to see robust handling of things like GDPR baked into RW.
Finally, and apologies if I simply missed it, but I would have liked to see some comms from RMS about how to leverage RW functionality to ensure GDPR compliance. With all due respect, instead of asking me, for example to demonstrate where the product might be lacking:
What else do you require to make your contact form GDPR compliant?
That kind of captures the motivation for asking; I was hoping that you guys would know and include it in the next update.
I’d much rather be consuming information from RMS teaching me what the product can, or will, do in this area. You did ask for examples, so here is the Elegant Themes write up on how to make Divi for WP GDPR compliant:
They also provided information about Data Protection:
Has there been anything similar from RMS?
No doubt stacks developers will plug the gap; there are probably already devs hard at work on GDPR compliant stacks and related utilities, for all I know. Do you see it that RW can/should abdicate from this area entirely?
Yes. Just to confirm NeilUK’s link. The Swedish GDPR test tool is at https://webbkoll.dataskydd.net/en/
This is no doubt the first of many of these official in-country GDPR checkers, which will be used by customers to verify compliance of their web sites. Hence the requirement for “The best web design software for Mac” to pass these types of official GDPR checks.
Again, this isn’t an official statement from @dan or Realmac. We’ve been talking about GDPR extensively internally (and that’s been so much fun). Seriously - it’s been almost non-stop for what feels like years. And, again, I can’t discuss what will or won’t be in future releases, but I’m trying to help you be compliant using current versions.
I assume you mean to copy them to your server here? Again, I’m going to point you to the Information Commissioner’s Office here in the UK. It’s their responsibility to enforce GDPR here, and even they are linking out to Google’s CDN. I’ve had conversations with staff there, and they believe that using crossorigin="anonymous" is more than enough (which is why that’s what they do).
It’s not particularly nice, but it’s definitely possible in every version of RapidWeaver. If this is how you want to implement it (you could also implement it using the Customizable Text fields), you could set your label to something like this:
Can we store your personal data? We need this so we can reply to you. <a href="/">Click here for our privacy policy</a>.
There’s no hard and fast rule for how you get consent, as long as you do (assuming you’re collecting information that requires consent - collecting name and email on a contact form where a reply is expected doesn’t require consent). This is just one way that you can implement this in current releases.
RapidWeaver doesn’t have the ability to set cookies, so you shouldn’t need to show a cookie notice. If you’re doing something custom, I’m sure there are addons available that can do this for you.
Thanks for the link to the GDPR test tool. It looks very useful. Obviously some of the things it checks for are server settings that RapidWeaver has no chance of being able to change, but a bunch are things that can be set in the page itself. In existing versions of RapidWeaver, you can set extra meta tags in Settings → Code → Head.
Sure, it’s a bit of a manual process - but it’s certainly possible to create GDPR compliant websites right now.
Yes, we do know - but I’ve seen a lot of incorrect information being spread around. For a website built with RapidWeaver, it’s not hard to be GDPR compliant. If you’re Facebook? That’s significantly harder, but you probably aren’t using RapidWeaver to build your service.
And, with that, I’m out. The more time I spend here posting, the longer it takes for RapidWeaver 8 to ship.
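An added audit script in the spirit of the CDN discussion above (example code written for this thread, not part of RapidWeaver, webbkoll or any poster’s setup; the sample HTML and the site host `www.example.test` are constructed): it lists the third-party hosts a page pulls resources from and whether each tag carries crossorigin="anonymous". Note that the attribute only withholds cookies and other credentials on the cross-origin fetch; the fetch itself, and so the visitor’s IP, still reaches the third-party host, which is why self-hosting is the only way to avoid the call altogether.

```python
"""List third-party resource loads in an HTML page and flag crossorigin="anonymous".

Added example for this thread; not RapidWeaver or webbkoll code. The page below
and the site host are constructed samples.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a local stylesheet, Google Fonts CSS, CDN jQuery, a tracking
# script on a protocol-relative URL and a remote image.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/rw_common/themes/x/styles.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js" crossorigin="anonymous"></script>
<script src="//cdn.example/analytics.js"></script>
</head><body><img src="https://img.example/pixel.gif"></body></html>"""

# Tag -> attribute that names the fetched resource.
RESOURCE_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}


class ThirdPartyAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # one dict per resource fetched from another host

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)  # HTMLParser lowercases attribute names, keeps values
        url = a.get(attr)
        if not url:
            return
        host = urlsplit(url).netloc.lower()  # '' for relative paths; '//host/x' resolves to host
        if host and host != self.site_host:
            self.findings.append({
                "tag": tag,
                "host": host,
                "anonymous": a.get("crossorigin", "").lower() == "anonymous",
            })


def audit(html, site_host):
    parser = ThirdPartyAudit(site_host)
    parser.feed(html)
    return parser.findings


def hosts_without_anonymous(findings):
    """Hosts that would also receive cookies, since no crossorigin="anonymous" is set."""
    return sorted({f["host"] for f in findings if not f["anonymous"]})


if __name__ == "__main__":
    for f in audit(SAMPLE_HTML, "www.example.test"):
        mode = "crossorigin=anonymous" if f["anonymous"] else "credentialed (no crossorigin)"
        print(f"{f['tag']:6} {f['host']:24} {mode}")
```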
I am a little puzzled over this discussion. For various / diverging reasons:
- It irritates me that a European law such as GDPR can be interpreted so differently in various member states. I am by no means thinking we Germans know how to do these law things, but having read the original text of the DSGVO (German abbr. for the GDPR) and having attended a few seminars on it, it seems evident to me that the collection of IP addresses requires consent. Yes, I know how self-contradictory this is to the idea of the internet as such, but that’s no reason to doubt that this is what the law states. The law is problematic, but that’s the way it is.
- I don’t have fundamental difficulties with RW as an app to build websites that are GDPR compliant. It is more that some themes don’t offer the option to e.g. host scripts and Google fonts locally or turn off CDN calls, except by digging into the basics really heavily. The same goes for stacks. Some just don’t allow that. But Stacks as a plugin is GDPR compliant enough, as is RW. I don’t need RW to do more in this regard. I can add a cookie banner, a link to a privacy policy and a checkbox in the forms using other tools; I don’t need all that built into RW. The times when RW alone was enough to build a complete site are long gone. Just my 2c.
- For me personally, performance matters much more. I have lost hours (literally) waiting for RW and Stacks to render pages or upload files. I have made it a habit to run a second task (something annoying and simple) alongside web design in RW in order to fill the wait time with something at least a little useful. And I am working on an iMac 27 4 GHz with 32 GB RAM and SSD. A fast machine. Still it takes loooong, because RW only uses a single processor. So please build multiprocessor handling into RW 8 and I will be happy to take care of GDPR myself.
In order not to sound like I’m ranting: I love creating websites with RW, and each time I have to work with WordPress I am presented with the reason why this is so.