As far as we're aware, GDPR does not apply to personal websites; however, if you're a business you should start work on making sure your website is compliant.
Don't worry though, it's actually fairly straightforward.
Q: Is RapidWeaver GDPR Compliant?
Yes, RapidWeaver is GDPR compliant out of the box, provided you are using the built-in themes and no extra plugins. If you are using third-party addons you should check with the developer that they have been updated to comply with GDPR.
In the future we plan to allow RapidWeaver to set crossorigin="anonymous" on all external img, video, script and link tags.
This is because, as far as we understand it, the EU only considers an IP address Personally Identifiable Information (PII) if other data is sent along with it that could identify a user. With crossorigin="anonymous", a server can't tell one request from another from the same IP address (you could be one of thousands of users on a university network all sharing the same public IP).
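As an added illustration (not code from this article or from RapidWeaver), the following Python script walks a page's HTML and lists the external img, video, script and link tags that do not yet carry crossorigin="anonymous", which is the check you would run on a published site before relying on the behaviour described above. The site host name and the sample HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags and the attribute carrying the remote URL; these are the four tags the
# article says RapidWeaver plans to mark with crossorigin="anonymous".
URL_ATTR = {"img": "src", "video": "src", "script": "src", "link": "href"}


class ExternalResourceAuditor(HTMLParser):
    """Collects external img/video/script/link tags that are not in anonymous mode."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # list of (tag, url)

    def handle_starttag(self, tag, attrs):
        attr_name = URL_ATTR.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        url = attrs.get(attr_name)
        if not url:
            return
        host = urlparse(url).netloc.lower()
        # Relative URLs and same-host URLs are first-party requests; nothing to flag.
        if not host or host == self.site_host:
            return
        # Per the HTML spec a bare or empty crossorigin attribute means "anonymous";
        # only a missing attribute or "use-credentials" sends cookies with the request.
        value = (attrs.get("crossorigin") or "").lower()
        anonymous = "crossorigin" in attrs and value != "use-credentials"
        if not anonymous:
            self.findings.append((tag, url))


def find_unmarked_external_resources(html, site_host):
    auditor = ExternalResourceAuditor(site_host)
    auditor.feed(html)
    return auditor.findings


# Constructed sample page (hosts are placeholders, not real services).
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://fonts.example.net/css?family=Foo">
<script src="https://cdn.example.com/jquery.js" crossorigin="anonymous"></script>
<link rel="stylesheet" href="/css/site.css">
</head><body>
<img src="https://images.example.org/photo.jpg">
<img src="https://www.example.com/logo.png">
<video src="https://media.example.org/clip.mp4" crossorigin="anonymous"></video>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_unmarked_external_resources(SAMPLE_HTML, "www.example.com"):
        print(f'<{tag}> loads {url} without crossorigin="anonymous"')
```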
Q: Are RapidWeaver Themes GDPR Compliant?
All official built-in themes are GDPR compliant; none of them make calls to any third-party hosted libraries (such as jQuery or Google Fonts).
We’ve also taken a look at a lot of other third-party themes and are pleased to report that most of them we looked at are also GDPR compliant. While we cannot guarantee all themes from third-parties are compliant, we did find that most of the newer and recently updated themes are.
If you’re unsure (or are using an older theme) just check with the theme developer directly.
Q: Can I still use a Contact Form on my Site?
There's no hard and fast rule for how you obtain consent, as long as you do obtain it when you're collecting information that requires consent, such as for re-marketing.
As far as we know (and using a little common sense), collecting a name and email address on a contact form where a reply is expected doesn't require consent, so there's no need to include a disclaimer or check-box; this is essentially the same as them emailing you directly. You'd only need to add an opt-in check box if you were going to send email marketing to them at a later date, sell their details on to third parties, etc.
Q: Can I use Google Analytics?
The basic configuration of Google Analytics which most people will use does not collect any identifying information and doesn't conflict with the GDPR, so no consent is required from the user. However, if you need something beyond the default configuration and turn on any of the following features then you will need to ask for consent via a cookie pop-up.
- User ID
- Demographic reports
- Remarketing functions
Q: Can I use Google Fonts?
We believe so, although we are still researching this.
Q: Can I hot link to Unsplash Images?
In short, yes. Unsplash collect and store only one thing from hotlinked images: the path to the file. They do this so that they can increment a view counter on their side, allowing the original photographer to see the engagement on their photo. Unsplash do not collect or store any IP address or other personally identifiable information about a user when they view a hotlinked photo.
Q: Can I include a mailing list sign-up?
No problem. Just make sure you ask for consent to email them when they sign-up. Services such as Mailchimp now do this for you, but the check box would be something like this:
I consent to receive emails about your products and special offers [ ]
If the individual ticks the box, they will have explicitly consented, and this is fine.
Start Updating your Websites now.
Remember, GDPR is a relatively new law, and everyone is still working out exactly what's required to be compliant. There's a lot of information out there, and it's hard to work out what applies to you. We hope this guide has given you a good starting point to work from.
Please be aware that this is not legal advice: all the information above (and below) is based on the research we've undertaken, and you must do your own research.
If you're unsure about anything, please seek proper legal advice.
There are a lot of new acronyms to learn surrounding internet privacy, so we put together a quick run-down of what you need to know, along with links to learn more about each.
- GDPR (DSGVO in Germany) = General Data Protection Regulation
- PII = Personally Identifiable Information
- HSTS = HTTP Strict Transport Security
- CSP = Content Security Policy
- HTTPS = Hypertext Transfer Protocol Secure
- SSL = Secure Sockets Layer
- TLS = Transport Layer Security
RapidWeaver 8 and GDPR
RapidWeaver 8 and Setting a Cookie Notice
Serving your RapidWeaver website over HTTPS
Official GDPR Resources
- The Official GDPR Data Protection Website
- ico. Guide to the General Data Protection Regulation (GDPR)
- GDPR Consent Guidance (PDF)
GDPR Compliant Checkers
- How to make a website GDPR Compliant
- Implement Google Analytics without Cookies to comply with GDPR, EU Cookie Law and ePrivacy
- GDPR – A practical Guide for Developers
- Tidbits: General Data Protection Regulation
- GDPR compliance means caring about what's in your logfiles
- GDPR Workshop + Q&A
Website Security Deep Dive