How Thrive Themes Products Will Help You With GDPR Compliance

​Note: this post does not contain legal advice. Always work with your legal counsel ​to determine the right decisions to make about regulations.

The General Data Protection Regulation (GDPR) is coming for all of us. It's a set of EU laws and they apply to EU citizens. That means that even if your business is not in the EU, you're still potentially on the hook, because people from the EU can access your website.

​This post is a preview of what we at Thrive Themes are doing in our products, to help you stay compliant with these regulations.


​What Do You Need to Know About GDPR?

This is not a post about GDPR and what it means for online businesses. There is plenty of content on that topic already. If you aren't familiar with GDPR and what it may mean for you yet, here are some useful resources for you:

The Features

At Thrive Themes, we're currently working on feature additions in our products that will make it easier for you to stay GDPR compliant. The 4 main features for this purpose are:

1) Lead Generation Checkboxes for Explicit Consent

For lead generation forms created with our tools, we are working on a feature to add an optional checkbox for consent. This is so that you can have subscribers tick a box that says something like "I agree to receiving a newsletter and understand that I can unsubscribe any time". This way, you have proof of their explicit consent to receive messages from you.

2) Data Overview & Export

An important part of GDPR is the citizen's right to know what data about them is being collected and the right to have that data deleted.

In the Thrive Dashboard, we'll be introducing a data overview feature, where you can see a list of all the visitors that have been tracked through any of our products, along with all the data being tracked for each one. From this dashboard, you'll be able to show a visitor what data is being collected about them if they request it and you'll be able to delete said data.

Note​

​This data feature applies only to Thrive Themes products. For example, when someone signs up through a Thrive Leads form, our plugin collects their email address and adds a cookie to later be able to identify them as a visitor who's already subscribed. This is the kind of data we can provide.

​We can not cover tracking data from other tools and services you are using on your website.​ To be compliant, you have to be able to produce all data gathered about a visitor, from every tool and service used on your site.​​​

​3) Data Anonymization in Thrive Quiz Builder

Thrive Quiz Builder can be used to gather insights about your audience, such as their personal preferences, their age range and gender or anything else you care to ask during a quiz.

A new feature will allow you to toggle between two types of data collection: anonymized and personal.

Personal data collection means you can see which visitor gave which answers, exactly. This requires explicit consent under GDPR. Anonymized means you can see the overall, averaged out results, but you can't track individual answers back to individual users.

4) Eliminating & Encrypting Personally Identifiable Information in Cookies

Cookies are an important convenience tool all across the Internet. Without cookies, you'd have to log back into every website where you have an account, every time you return there.

Thrive Themes tools utilize cookies in various ways and will continue to do so. One change we are making is that we will be either eliminating or encrypting any personally identifiable information in cookies. Similar to the point above, it means you can still use cookies, but you can't tie tracking information back to a specific user, so as to protect their privacy.
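
The "eliminating" option from point 4, as an added example (this is not Thrive Themes' code): the cookie carries a signed random token instead of the email address, and the address lives only in a server-side record that can be deleted on request. The class and method names, the key handling and the in-memory dict standing in for a database table are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed "before" value: the address itself travels in the cookie,
# readable by anything that can see the visitor's cookie jar.
LEGACY_COOKIE_VALUE = "jane.doe@example.com"


class SubscriberCookies:
    """Hypothetical helper: cookies hold an opaque token, never the address."""

    def __init__(self, signing_key: bytes) -> None:
        self._key = signing_key
        self._records = {}  # token -> email; stands in for a database table

    def _sign(self, token: str) -> str:
        # HMAC lets the server reject tokens it did not issue.
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, email: str) -> str:
        """Return a cookie value for a new subscriber; no PII is embedded."""
        token = secrets.token_urlsafe(16)  # random, not derived from the email
        self._records[token] = email
        return f"{token}.{self._sign(token)}"

    def lookup(self, cookie_value: str) -> Optional[str]:
        """Resolve a cookie to the stored address, or None if invalid/erased."""
        token, sep, signature = cookie_value.partition(".")
        if not sep:
            return None
        expected = self._sign(token)
        # Compare as bytes so a malformed, non-ASCII cookie cannot raise.
        if not hmac.compare_digest(signature.encode(), expected.encode()):
            return None
        return self._records.get(token)

    def erase(self, email: str) -> int:
        """Deletion request: drop every record for this address.

        Cookies already in browsers keep their token, but it no longer
        resolves to a person.
        """
        doomed = [t for t, e in self._records.items() if e == email]
        for token in doomed:
            del self._records[token]
        return len(doomed)


if __name__ == "__main__":
    store = SubscriberCookies(secrets.token_bytes(32))
    cookie = store.issue(LEGACY_COOKIE_VALUE)
    print("before:", LEGACY_COOKIE_VALUE)
    print("after: ", cookie)
    print("server resolves to:", store.lookup(cookie))
    store.erase(LEGACY_COOKIE_VALUE)
    print("after erasure:", store.lookup(cookie))
```
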

Coming Up Before the Deadline

The deadline for GDPR compliance is May 25, 2018. We don't have exact release dates for all the features above yet, but we will be pushing them out as soon as possible and we will have all of them implemented and released before the May 25 deadline.

​If you have any questions or feedback about this, please let us know by leaving a comment below.

Shane

Author: Shane Melaugh

Shane Melaugh is a co-founder and the CEO of Thrive Themes. When he isn't plotting new ways to create awesome WordPress themes & plugins, he likes to geek out about camera equipment and medieval swords. He also writes about startups and marketing here.

  • Nicola says:

    Thanks for this – be great to have the tick box available ASAP as obviously then we can make sure we’re compliant sooner rather than later – which means fewer people we have to go back to refresh consent from.

    • Shane Melaugh says:

      We will roll this feature out as soon as it’s ready.

  • Ulfried T says:

    Brilliant. Thank you Shane.
    Ulf

    • Shane Melaugh says:

      Thank you, Ulf. :)

  • Joe G says:

    Damn, can’t I remain just a simple blogger pecking away at my blog? ;-)

    • Max says:

      Freedom of the press is limited to those who own one.
      —A. J. Liebling

      Seems that if the burdens of (Word)Press ownership can be increased beyond the practical ability of everyday-people/small-biz to carry, then… hmmm.

      • Chris L says:

        Another one who gets it!

      • Shane Melaugh says:

        This is definitely a problem that small businesses are facing. I’m opposed to regulation like this, not because I don’t like protecting people’s privacy, but because the way it’s implemented is bad for small businesses. Huge, powerful companies can handle this kind of thing with their scores of lawyers and technicians. It’s the little guy that gets chewed up.

    • Shane Melaugh says:

      No, we can’t have that, sorry. We definitely need to get a bunch of rules, regulations and paper-pushers involved.

  • Baidhurya M says:

    Hey Shane, thanks for the update and I really appreciate you guys working hard to make Thrive products GDPR compliant :)

    Does work on these features impact release of new themes in any way? It will be good to have some clarity on release of new themes as well because it was promised quite some time back and it’s now becoming a very long wait!

    • Shane Melaugh says:

      This is unrelated to anything regarding the new theme.

  • Steven B says:

    THANK YOU! For those of us smaller fish getting started in the online biz world, it is so very helpful to have someone know about, inform, and then assist with something I quite possibly would have walked into without any realization I was getting myself in trouble.

    • Shane Melaugh says:

      Thank you, Steven. We do our best to support the small businesses out there.

  • Matthias says:

    Thanks so much for helping us with the new regulations! Are you also planning a feature with a “Cookies get stored” bar? I have seen this on many websites, but I don’t know how to get it (actually do we need this for the new regulations?)

    • Rene says:

      Just install the plugin “Cookie Notice”. Go to ‘Add New’ under ‘Plugins’ and search for it:-)

    • Shane Melaugh says:

      No, we don’t have a plan for adding such a feature.

  • Sarah Arrow says:

    Fantastic – thank you for the update and the consent tick box sounds perfect. Will we be able to customise the text here?

    • Shane Melaugh says:

      Yes, the text will be customizable.

  • Larry says:

    EU-fornia

  • Lexi says:

    Thank you for having our backs!

    • Shane Melaugh says:

      It’s our mission to do so. :)

  • The Canadian CASL laws are also challenging (it asks for explicit consent to send info, etc.)

    It sounds like your changes would be helpful for those wanting to be CASL-compliant.

    If so, great!

    If not, can you please tweak it to also be CASL compliant?

    Thanks in advance.

    Trevor

    • Shane says:

      Being Canadian, I support and second Trevor’s comment on CASL. The checkbox on opt-in can provide our subscribers the ability to Explicitly consent.

      Thank you Shane M!

      • Shane Melaugh says:

        Yes, the same feature should cover you for CASL as well.

    • Chris L says:

      Thanks for letting me know to block Canadians from my sites, too!

    • Shane Melaugh says:

      Thanks for the comment, Trevor. We’ll look into this. On first reading, it seems that these features will also lead to CASL compliance.

  • Mark B says:

    This. This is why I am an unabashed cheerleader for Thrive themes! Clear and concise explanations along with clear and concise actions that are to me and my customers benefit. Superb.

    • Shane Melaugh says:

      Thank you, Mark!

  • Robert S says:

    Hi Shane, great to hear the news! Good Job!

    What about Thrive Comments? Even only for comments we need a checkbox for explicit consent.

    Robert

    • Shane Melaugh says:

      Hello Robert,

      We’ve already added the checkbox for comments, in the latest release. :)

  • Thank you so much for all your efforts and for keeping our business safe.

    In regards to using other tools, I try to keep it down to Thrive Themes only tools, but I always end up using some others. That being said, will the new super theme be released along with the updates mentioned on this post, or will it be released prior to that?

    I’m sorry to ask, but I’m kind of struggling right now with “looks” and “feels” from other themes which are really nice, but not 100% compatible with Thrive Themes Tools (this is a new project I’m working on).

    Once again thank you so much for all your efforts, your great team and of course your great products and entrepreneurial vision.

    • Shane Melaugh says:

      The super theme is coming later. We’re going to start beta testing this month, so a full public release is still a ways out. These GDPR changes on the other hand will start showing up in the next plugin updates already and we’ll keep rolling them out as fast as possible.

  • Jesse C says:

    Thanks for staying on top of stuff like this.

    • Shane Melaugh says:

      We gotta look out for small business owners. This kind of thing is a massive obstacle for the kind of entrepreneur we build our tools for. It’s important for us to serve these entrepreneurs as best we can.

      • Tom B says:

        And Shane thanks for doing so. Grateful that you care… AND that your company as a small business has the critical mass to address it. Many don’t and their customers will be left hanging.

        When all is said and done, I can’t imagine the expense lines in your P&L associated with this effort for legal, development, and your management time to navigate it all. Grateful!

      • Shane Melaugh says:

        Thank you, Tom. It’s not good for our business any more than for the businesses of our users. But hey, entrepreneurship is problem solving, so let’s get it done. :)

  • Abigail says:

    Well I’m impressed by your commitment to deliver on these important legal changes! Thank you so much for making it easier for small business owners, it’s a relief…

    • Shane Melaugh says:

      Thank you, Abigail.

  • Ed Johnson says:

    Great to see ThriveThemes on top of their game again and adapting to the change. That’s why we love them. :)

    Looking forward to the update.
    Thanks, Shane

    • Shane Melaugh says:

      Thank you, Ed!

  • Detlef says:

    Hi Shane, great to see you working on this issue. Another problem regarding GDPR compliance might be using Google Fonts within Thrive Architect. The IP address can be collected by Google without anonymizing.

    • Shane Melaugh says:

      That’s an interesting point. I will have to do some more research on this.

  • Hi Shane,

    Thank you for the information on the GDPR and for taking the necessary steps to help us comply. I love the work you guys do by the way – I can’t rave on enough about Thrive Themes and your plugins! If you guys ever want some good ideas for new features or plugins feel free to get in touch – I’m a fountain of ideas just lack the necessary coding skills to make them happen – so passing them off to you guys to implement would be the next best thing ;-)

    • Shane Melaugh says:

      Thank you very much, Richard! I appreciate your encouraging words. :)

      Regarding ideas: have you joined our beta testing group? That’s the best place for this kind of thing.

  • Patrick says:

    Hey Shane, fantastic. That was not boring at all. You’re looking out for your customers – us. I greatly appreciate that. Really!

    • Shane Melaugh says:

      Thank you, Patrick.

  • Rob Cooper says:

    Well done. Thank you. Should put a lot of minds at ease.

    • Shane Melaugh says:

      Thank you, Rob.

  • Nic says:

    Seriously cool … and what a painful process to have to undertake. Thank you … really … I really appreciate how you look after us thrive themers :-)

    • Shane Melaugh says:

      Thank you, Nic! It’s a painful process indeed, but we’re doing our best to make it less so.

  • paxpa says:

    Good to know, thanks!

    • Shane Melaugh says:

      Thanks for your comment!

  • Leonardo R says:

    Hi, you’re doing a great job and you’re making things easier for your clients. I have a question related to this matter: I have a restricted area on my website and I ask people to register. Up to now, I also subscribed them to my newsletter. According to Gdpr this is not allowed anymore, is it possible to have a checkbox in the registration form, asking to subscribe also to the newsletter? If people don’t check it, they will only register on the website. Thanks in advance

    • Shane Melaugh says:

      If you use one of our lead gen forms to register the users then yes, you will be able to add a checkbox. If you use a different tool for the registration form, you’ll have to look for that tool to support the addition of the checkbox.

      • Michaela T says:

        Where will the data be stored, that the user selected the checkbox? I have to prove that he does.

      • Shane Melaugh says:

        It will be stored in the dashboard on your own site. You’ll have an overview of all the data needed for GDPR compliance, regarding all of our tools.

      • Michaela T says:

        Thank you!

  • Silvia says:

    Thx for sharing. Will you also provide contracts for order data-processing for your apps?

    • Shane Melaugh says:

      Hello Silvia,

      Can you explain what you mean, exactly? Since I don’t understand the question, the answer is most likely “no”, but I’d like to know more about what feature you’re looking for here.

      • Silvia says:

        Hi Shane, thx for your interest. It is a contract to show that you handle the personal data which we provide/store/process with the plugins in a way that meets the requirements of the new regulation. E.g. how you store the data, is it send via SSL or not, what would you do in an uncertain case of data loss, do you have an IT security concept …

        To comply with Art. 2 GDPR it is necessary to have a contract with every party in place. Thx for your help.

      • Shane Melaugh says:

        Thrive Themes does not process or store any data for you, in any form. Remember: we sell distributed tools. You run them on your server. You are not passing any data on to a 3rd party.

      • Tom B says:

        Thanks for the clarity: Thrive itself does not process data. Got it.

        As we are processing data with Thrive tools on our sites we will need to update our site’s T’s&C’s etc.

        It would be wonderful if you could help us out with updates to the Privacy, Terms, and Disclaimer copy as you have in past Theme templates.

      • Shane Melaugh says:

        I’m afraid we can’t do that without inviting all kinds of legal trouble. Our existing templates for this are already provided under the condition that you basically don’t use them and ask your lawyer instead.

      • Silvia says:

        Thx, that helps a lot :-)

      • Michaela T says:

        Hi Shane, doesn’t Thrive Leads transfer data to my e-mail provider?
        When I’ve got the right information, then we need a data processing contract (in German: Auftragsverarbeitungsvertrag) from Thrive Themes.

      • Shane Melaugh says:

        Yes, but the data is being sent from your website, from your server. Thrive Themes (the company) is not involved in this transfer of data.

  • Martin C says:

    Hi Shane
    Will the check box on opt-in forms appear on all existing forms or will we have to re-create existing forms individually with the new checkbox? Thanks

    • Shane Melaugh says:

      Hello Martin,

      You will have to edit your opt-in forms manually. The type of consent needed (or whether you need extra consent at all) is highly context dependent, so there’s no catch-all solution for this.

  • Christoph says:

    Shane, this is by far the best post I have ever seen concerning GDPR. You made it to answer exactly all the questions I had in less than 5 minutes. CONGRATS!
    Best, Christoph

    • Shane Melaugh says:

      Thank you very much, Christoph.

  • Chris L says:

    Thanks for keeping us informed about this. We Americans fought a war in 1776 because we didn’t want to be ruled by Europe, and we fought two world wars to save Europe. I’ll just block EU residents from accessing my sites, because I will not be ruled by Brussels.

    • Nick B says:

      You are obviously entitled to your own opinion, but this is not about being “ruled” by Brussels, or anything for that matter.

      It’s about better protecting PEOPLE’s data and privacy and giving them some autonomy (back).

      And while I don’t like this from a logistics point of view (with all kinds of different tools this might be a real pain in the a**) – I think anything that helps protect people and their privacy from either themselves or companies they no longer trust with their personal data, is great.

      • Chris L says:

        I hope you enjoyed the Koolaid.

      • Shane Melaugh says:

        The problem I see with GDPR is not in the alleged cause of protecting people’s privacy. I’m all for that. The implementation of the laws is incredibly ham fisted, though and shows that the laws were written by people who haven’t the faintest clue of what it’s like to run a business.

      • Chris L says:

        Exactly

      • Nick B says:

        I agree. From a business perspective, like I said, it’s a pain.

        But even as entrepreneurs or people who run a business, we are still individuals first. And I think it’s hard to argue from an individual point of view that this is not a good thing.

        Even though the implementation is done poorly (like most of the times when governments pass new laws that involve businesses..) – I feel looking at the bigger picture is (more) important.

        Anyway. Looking at this wearing two different hats (our individual vs business pov) is probably where most of disagreements and mixed feelings come from.

    • Edward S says:

      Without the help of France you would not have won that war in 1776.

      • Shane Melaugh says:

        I think we may be overreaching into the annals of history, as it relates to legislation for Internet businesses…

    • David G says:

      I totally agree!!!

      NOTE: I absolutely LOVE ThriveThemes. LOVE IT. I wouldn’t think of using anyone else. So this rant is NOT about ThriveThemes. This is about the stupid GDPR…

      I have already blocked all EU countries (and quite a few more). Merely LOOKING at a website starts the whole “data” thing. I’m not going to waste my time saving data on people who come into the equivalent of a bricks and mortar store and end up telling me they’re “just looking.”

      According to the EU, anyone can be “just looking” but I’m supposed to use the data-gathering equivalent of the FBI/CIA/NSA and hand over their data at their request, and do it politely? FOR FREE?!?! I didn’t go into business to merely gather, process, control, and give away (FOR FREE?!?!?) what is commonly known as market research — which, according to U.S. laws — is proprietary information not required BY U.S. law to be given away for free to just anyone (including persons “subject” to EU laws). What if people who are “just looking” ARE criminals already? Wouldn’t the FBI/CIA/NSA want to track them? HELLO! I certainly don’t want to be aiding and abetting a bunch of illegal activities that are illegal according to U.S. law.

      Why on earth is anyone using their real name in their email address anyway? It’s not my fault or responsibility what people do with their data online! And it’s not their “jurisdiction” what happens on my website (or behind the scenes where only legal activity takes place, mind you).

      If my physical eyes SEE an EU resident, how on earth am I supposed to follow GDPR — erase their data from my BRAIN when they request their stupid “right to be forgotten?” These stupid GDPR “laws” don’t make any sense in the physical realm! It’s totally outrageous! The EU, itself, can’t even make it work!

      And since reports (as of this writing) are saying that up to 90% of all European companies online and offline are NOT compliant with GDPR (and won’t be by the May deadline), that makes ALL OF THEM operating illegally. And you think the BURDEN of proof is on ME for being legally responsible with their data?!?!? Why should I have the burden of proof for what WILL BE legally designated as non-compliant and therefore ILLEGAL activity on the part of European citizens?!?! My solution: block them. Too much unreasonable and ill-thought out “legal” nonsense. It’s not how physical reality actually works — offline or online. It’s not how LAW works, either.

      GDPR is not at all congruent with current U.S. FTC regulations (not to mention the constitution). The EU has no jurisdiction over the Department of Homeland Security, either. A living person, by definition, is not “the sovereign” such that wherever that person “goes” (online or offline) their “sovereign” jurisdiction follows. When Americans are in Europe, we drive on the side of the road required by your jurisdiction. But when you’re on our land, you drive on OUR side of the road. Got it?

      The GDPR is not legal in the U.S. for all kinds of reasons not the least of which is this: it’s a coerced contract and all coerced contracts are considered legally VOID. Websites in the U.S. are under U.S. jurisdiction AND individual states’ jurisdiction. My business is in the U.S. and other state jurisdictions. Nothing I do is in the EU. I do not target it and I don’t want it. Don’t make ME responsible for something I do not intend to have anything to do with or, now, want to.

      A person “going through” a website they do not own, operate, control, process, etc. is, by definition, not in some kind of sovereign bubble, legally speaking. Their “data” is IN CONTEXT with what they actually DO on a particular website — i.e.: the jurisdiction in which the website, itself, resides and is created in. Literally speaking, any one person going on a website is in someone else’s property. If you come into my house, what you do in it is not “owned” by you, entirely. I can’t behave your behaviors but you can’t “own” the effects of you being in my house. That doesn’t even make any sense in physical reality!

      Besides, how about this: suppose a data subject sends a website owner (data controller/processor) a request for their data files and the website owner (et al) realizes that with third party vendors, etc., it just isn’t possible or realistic to be in possession of a data subject’s precious data. It’s already all over the internet because the data subject, themselves, WENT on the web and did stuff. I didn’t do that with their data, THEY did. So, before the data subject gives a website owner (et al) “consent,” why not put the burden on the data subject IN THE FIRST PLACE by requiring the data subject to send the website owner a file of ALL THEIR DATA ON THE INTERNET so that if/when the stupid data subject sends a website owner the stupid request you can just send it right back to them (since this is exactly what the depth and breadth of GDPR is really about anyway — outsourcing the “scrubbing” of every EU resident’s “data” from the internet because EU residents refuse to take personal responsibility for what they, themselves, actually DO with their data).

      • Shane Melaugh says:

        The burden placed on website owners by these regulations is indeed ridiculous. What’s worse is that there’s a lot of grey area in these regulations. Changing a few words on a landing page can make the difference between needing multiple checkboxes or none at all.

        Just as with the VAT MOSS laws, they’re basically placing a huge obstacle in front of businesses and giving themselves the leverage to sue and fine small businesses out of existence. As I’ve stated in other comments, I’m in favor of protecting people’s privacy, but not like this.

      • David G says:

        Thank you for all that you and the ThriveThemes team do, Shane. I am always impressed by what all of you do for us who use ThriveThemes. Just amazing. So much value!!!!

        And thank you for letting me rant, too, about GDPR. I agree with you about the importance of privacy. While we’re going to be as compliant with GDPR as possible, I have to restructure all our systems for the worst case scenario (that “nightmare letter” I found online was actually a blessing in disguise — some legal expert wrote it to get us all thinking of the worst case scenario and what that would entail. And it really IS a nightmare — it makes me think of getting bogged down in talking to endless users about all their data while NOT doing the business we originally set out to do. Not fun at all.).

        So, after reading all about GDPR from legal experts for over a week now (and still going…), our “legitimate” and “legal reason” for doing business online (and I thought BEING a business WAS the “legal reason” for using data. Unbelievable. LOL!)… is to force our website users to:

        1) check boxes for all the GDPR stuff
        2) accepting our website’s terms and conditions
        3) checking a box that the user gives “explicit consent” (!) that they are NOT a European resident and are a U.S. citizen only (our training really is U.S. specific, luckily).

        I’m not a lawyer, but I do know that we’re covered by U.S. federal law as well as California law (and a few other U.S. jurisdictions, too, not to mention our Federal Trade Commission and U.S. Patent laws) — so the only way to fully protect ourselves is for the user to enter into a contract — and that sucks. It is so utterly ridiculous — as if going into a traditional “bricks and mortar” store just to look and not buy anything now has to be the same thing as having to enter into a legal contract. Wow.

        But this seems to be the best LEGAL way for us to do our online business while being protected/compliant. We have to have the user agree to the jurisdictions WE are in, while doing the whole GDPR compliant thing. I noticed a whole bunch of pro-GDPR “plugins” are now for sale, for annual subscription fees of over 300 Euros (and higher). That seems like a total scam to me. Money grab.

        What I don’t understand is why some EU “authority” didn’t come out with a free plugin to help with their OWN citizens’ compliance (and everyone else’s). If they had done that, I might understand the alleged “privacy solution” known as GDPR. Until then, I don’t understand it and it is entirely impractical and takes traditional communication, itself, and market intelligence and turns it upside down. I keep thinking of all the security cameras, microphones, and everyone’s smartphones — that’s a LOT of everyone else’s data that, probably, won’t be GDPR compliant. LOL! Oh well.

        Anyways, thanks again for all that you do. I appreciate all of it very much! Cheers.

  • Danielius G says:

    I am really glad that EU is doing this for us!

    • Shane Melaugh says:

      I think the goal of protecting people’s privacy is good and important. The implementation is very poor, though.

  • Yannick D says:

    Thanks a lot Shane and the team for these important improvements

    • Shane Melaugh says:

      Thank you, Yannick.

  • It’s great to hear you are working hard to provide these features. Thank you very much. What about the other plugins like for example Thrive Ovation and Ultimatum? Are they also tracking personally identifiable information?

    • Shane Melaugh says:

      Hello Andrea,

      In Thrive Ovation, it’s a matter of clearly stating what the form is for on your testimonial capture page. This is something we’ve advocated from the beginning and requires no extra consent. This is because the testimonial capture form doesn’t sign anyone up to a newsletter and doesn’t have any other, non-disclosed purpose. The visitor should know that they are submitting text that can be published on the site as a testimonial.

      For Thrive Ultimatum, we are looking to remove all personally identifiable information from what we track.

  • Luis says:

    Thanks for keeping us in the loop. I had no idea that even existed. Thanks for leading us and being on top of your game. However, I would ask for a favor, when this May 28 date comes to present, can you do a video tutorial on how to use these features you are adding? I ask so that we can effectively honor the rules and for us to protect ourselves.

    • Shane Melaugh says:

      Hello Luis,

      We will create some more content related to this. However, I’m not a lawyer, Thrive Themes does not practice or consult on legal issues in any capacity and while we will share some of our thoughts and opinions on the matter, we have to disclaim that anything you read here regarding legal matters is for entertainment purposes only. You have to consult with a lawyer who knows about laws in your own jurisdiction as well as internationally, to come to the right decisions for your own business.

  • Tom B says:

    Shane… Love what you guys do. Thank you!

    I didn’t catch you mentioning IP address capture. If you did my bad. I’ve been talking to support for months on this topic with no resolve. Ug!

    Thrive tools don’t capture nor can they pass on IP address data for subscribers… this is required the world over for anti-spam law compliance.

    Please please include IP address data capture.

    Your recommended method for optin forms is:
    – build a form with Thrive tools; then…
    – integrate an email service provider ESP.

    However, anyone that does this is NON-compliant!
    Wait?! What?!

    For example, all Canadian and US users of Thrive products are currently by default non-compliant with anti-spam laws.

    My question is:
    –> Will you be addressing IP address capture in the GDPR upgrades to the Thrive product suite?

    ———————————————————-

    PS. A Wish-list request: Please, build a credit card processing plugin. The purchase process is a complicated mess out there in WordPress land… it needs some “Thrive’ing”.

    • Chris L says:

      > For example, all Canadian and US users of Thrive products are currently by default non-compliant with anti-spam laws.

      That’s not even close to correct. What do anti-spam laws have to do with a WP theme?

      • Tom B says:

        Hey Chris, thanks for chiming in!
        Good question/point. Let’s learn together.

        Others, please chime in as well. Let’s create discussion as this is important.

        The fines in some countries are as high as a million dollars a day! We can’t afford to get this wrong.

        Let me first say, if I’m missing something please point it out (and be polite about it if you don’t mind :). I’m not busting anybody’s chops here… just asking the question, creating discussion, and seeking insight from other Thrivers.

        If you have insight please share and help us all learn.

        For more context, I understand the 3 key pieces of data required for most anti-spam compliance requirements around the world are: *whom, when, and where*.

        1. Whom – Email address of whom it is
        2. When – Date Optin occurred
        3. Where – IP address if online, or a store address if brick and mortar, or networking event if verbal discussion.

        ~ ~ ~

        To address Chris L’s question directly… yours and my websites are built with our chosen Theme and Plugins. In this case, Thrive tools: a given Thrive Theme and various Thrive Plugins, for example, Thrive Leads.

        Do you agree then that our websites are our platforms?

        The question then is: What platform do you have Optin forms on? If not your website where?

        How do you collect user information? If not your website Optin form, then where?

        Now if your website Optin form does not do the job of collecting the required data to be compliant with anti-spam laws… how can you be compliant? You can’t.

        –> The tools we use to collect user data have everything to do with anti-spam law compliance.

        Here is a scenario:
        What data are you going to bring to court to give to a judge if your Optin forms can’t collect the whom, when, and where data? Your defence would be weak.

        Again, with daily fines in some countries of $1,000,000.00… a million a day… this is no small thing.

        ~ ~ ~

        Let’s pause for a second with a legit question right here…

        If Thrive tools aren’t going to pass on the data you need… What do you and I do? How do we collect these simple pieces of data from our Thrive Optin forms?

        If not from the Thrive Theme and Plugins we use to build our sites… then where?

        Perhaps install yet another plugin to collect data… that Thrive is already sitting on? In my opinion, not good.

        Thrive Optins are passing Name and Email address data already… why not IP address to complete the *whom, when, and where* data set?

        To have tools that do not do the job we need as business owners of a website… then we have to look elsewhere.

        Look, I love the Thrive tool set… I’ve been a user paying my dues annually since it launched in 2014. I’m not being dramatic… just saying to the Thrive gang… “Hey, help us out and do one more little thing…

        –> Please collect and pass on the IP address of the subscriber… just like every ESP out there is doing… do the same.

        The moment is right when the data collection of name and email address occurs on an Optin form… this is the moment it needs to be collected. It’s not hard. The data is sitting right there but currently NOT collected by Thrive tools or Optin forms.

        I know this, because I’ve tested this. And I’ve been in discussion with support for months with no resolve.

        Go look in your ESP database for the IP address from a Thrive Optin form. It’s not there.

        Your ESP will say you used a 3rd party Optin form that is not passing on the IP address. Then they will suggest to stop using that 3rd party form but use their form. That is what they said to me.

        It would be great if Thrive tools did this so we aren’t forced to use the ESP’s Optin forms?

        I don’t want to use the ESP’s Optin form… I want to use the high-converting Thrive Optin forms! It is the reason we purchased them in the first place.

        ~ ~ ~

        Summarizing the topic…
        To be comfortably compliant one would need to stop using Thrive Optin tools… and only use the ESP optin forms that are:
        – not as flexible for design…
        – nor as easy to use…
        – nor as high-converting…
        – nor recommended by Thrive.

        But from the video above, I don’t recall that Shane addressed the *IP address* data point in this recent GDPR video.

        So I happily bring it up here… seeking to create discussion and insight from you all.

        ~ ~ ~

        Thrive does not have a user group like most companies do but defaults to the blog here so share this out, comment, click the vote button.

      • Stefan C says:

        Good point, I didn’t know that. It’s sad we can’t have both high converting opt-ins and compliance at the moment. I guess that’s because most people are not aware of their obligations regarding this. When people become more aware, companies will adapt and provide what they need.

  • Lewi G says:

    Thank you for this focused information Shane. In a way, it makes it easier and more focused to use your products for most of my opt-in needs, so I won’t have to coordinate too many technologies across multiple platforms. There are so many features I have yet to put to use with Thrive products, this gives me extra incentive to do more with Thrive Themes–knowing you’re covering most of our concerns. It gives me more confidence to use your products.

    • Shane Melaugh says:

      Thank you, Lewi!

  • Mrinal says:

    that sounds promising!!

    Do we have to replace our opt-in forms or will there be an update which automatically adds the consent column?

    • Shane Melaugh says:

      You’ll have to edit your forms.

      There’s no catch-all solution here because the type of consent needed (or whether you even need additional consent) depends on your offer and the copy in your opt-in form.

  • Jim says:

    Ok what am I missing here?

    How exactly does the EU have jurisdiction over non-Europeans so that their laws “apply” to us? I understand they want their citizens to be protected, but how can they legislate what the rest of the world does?

    • Peter H says:

      They don’t have jurisdiction over non-Europeans, so they can only hope that the rest of the world applies it voluntarily.

      It’s another story, for example, if a US business has an EU branch – like Google does. Then they have to comply.

      • Shane Melaugh says:

        They can still try to enforce it. Unlike the EU VAT laws, there’s no money in it for them, so they probably won’t go after it as hard. But technically, you have to comply if you have EU visitors on your site.

    • Chris L says:

      Glad to hear someone else gets it!

    • Shane Melaugh says:

      I’m not a lawyer and I don’t know how they intend to enforce these regulations. We’ll have to wait until actual cases start rolling in and the rulings from those will set more practical precedent.

      • Louise B says:

        There is a British solicitor who has started a really helpful and balanced FB group on all of this – it’s worth joining.

        She has been creating daily videos covering topics and clearing up some misconceptions on whether or not you need a double opt in etc. She isn’t dogmatic and often balances the risk with the letter of the law.

        She of course has a product to sell, but the group isn’t all about that and she gives lots of value: https://www.facebook.com/groups/GDPRforonlineentrepreneurs/

      • Shane Melaugh says:

        Thank you for the recommendation, Louise!

    • Tom B says:

      Jim… it’s simply the visitors to your site. If from the US you need to follow US rules. If from Canada, must follow Canadian rules. If from EU, must follow EU rules etc.

      Or… do as Chris L is planning… blocking users from said countries and then not have to worry about it!
      I love the simplicity of that solution.

  • Clare says:

    Hi Shane
    Thank you for the update.

    Two quick questions:

    1. Please confirm that you will be supporting MULTIPLE tick boxes, connected to storing permissions in, say, Convert Kit etc. We need to offer granular consent, so in some cases will need more than one tick box.

    2. Please could we have the tick box functionality ASAP. It isn’t just Thrive Themes that needs to comply by 25th May, it’s us, too. I have over 200 landing pages / forms / content reveals that I need to change and I can’t do this until Thrive gives me the functionality. When will we get ETAs for this, so we can plan in this work?

    It would also be good to know what you are doing to support ‘right to erasure’ and to make sure that Thrive Comments are compliant.

    Thanks
    Clare

    • Shane Melaugh says:

      Thanks for your comment, Clare.

      1) No, we will roll out the feature with one checkbox. We might add functionality for more in the future, but in general, I don’t recommend adding lots of checkboxes. It’s better to clearly communicate your offer in the opt-in form in the first place, instead of asking a visitor to understand and confirm a lot of fine print.

      2) We will roll it out as soon as it’s ready, yes.

      • Sofie C says:

        1) That might be better for marketing, but not for compliancy. GDPR requires granular consent, as mentioned, for signing up AND for having read the privacy policy AND for possible other things, such as receiving an incentive or participating in a giveaway.
        I really appreciate that you’re marking Thrive compliant, but if it’s not fully compliant, all the effort is wasted.

  • Henning says:

    Great so far … thank you. I suppose this checkbox is for the API-connection?

    Another thing we have to have in mind are the social buttons.

    We have to make sure they only connect to Facebook, Twitter, Instagram … if they are pushed from the visitor.
    Any plans on that?
    As far as I know only the shariff-buttons have this feature ..?
    https://github.com/heiseonline/shariff

    • Shane Melaugh says:

      Hello Henning,

      Yes, this applies to our API connections.

      Our social buttons never have loaded any scripts from the social networks on your site. That’s one of the reasons they load about 10x faster than the official sharing buttons. ;)

      So for the buttons, there’s nothing further that you need to do.

  • Ingmar says:

    great service by TT. glad to have you with me

    I already use double optin! do I need to add checkboxes as well? Looks like triple optin then tzzz …WTF EU

    • Shane Melaugh says:

      Yep, confirmed opt-in doesn’t cover you for this. Not in every case, anyway.

  • debra3 says:

    I used to state under the signup forms that submitting the form meant that they gave us permission to email them on a specified schedule and they could unsubscribe at any time.

    Now, if we have to add an extra box for them to check to give us that permission – what does it mean if they submit the form but don’t check the box? I only want to give my free material to people that want to become regular subscribers.

    Also, how would our email systems separate those folks that checked the box versus not?

    My website will be intentionally targeting an audience within a specific region inside the U.S. I plan to specifically state who my material is designed for, including where they are located. This is appropriate, as I offer gardening instructions most suitable for a specific region.

    From what I’ve read, if I don’t target folks in the EU and don’t track their data, I have no need to comply with all of the GDPR requirements.

    Is there any way for me to automatically or periodically identify those folks from the EU that may have signed up for my website or services, despite my audience specifications, in order to purge their data and stop tracking them?

    • Chris L says:

      Yep, why would someone give you their email address if they don’t want you to email them? It’s not like you’re sending emails to random people.

      Your autoresponder service should let you find people by country, then you can just delete the ones in the USSR, oops, I mean EU.

    • Shane Melaugh says:

      Hello Debra,

      I’m not a lawyer and you shouldn’t listen to anything I say on this matter.

      One of the most harebrained rules in GDPR is that you aren’t allowed to disadvantage people who don’t want to sign up to your newsletter. Meaning: if you have an opt-in form that states “get my free report” and someone doesn’t check the box to be added to your newsletter, then you still have to send them the free report, but no other emails.

      However, this is mostly semantics. If your offer is instead: “Sign up to my newsletter to get my free report” then you don’t need a checkbox and you don’t have to send the report to anyone who doesn’t sign up, because the report is part of the service you provide with your newsletter, which is what people sign up for…

      Regarding regions: you can get out of GDPR compliance if you can prove that EU citizens are in no way targeted or appealed to on your site. We’ll have to wait for actual cases to come in, to see how this plays out in practice. Right now, it’s just a Damocles’ sword dangling above everyone who’s ever used an opt-in form or sold something online.

      As for identifying people from the EU: you’re not allowed to do that without getting their consent first. So, scratch what I said previously. THIS is the most harebrained thing in the GDPR.

      • Gerfried says:

        Hi Shane,

        thanks for your work on this topic. This article and the discussion contain the most concrete, usable advice I’ve found so far. Most blogs just re-iterate the legalese without any real advice about how to implement it.

        Anyways – does this mean that when an offer is worded as per your suggestion above, we don’t have to use the new checkbox feature? Frankly, I would much prefer that…

      • Tom B says:

        Wait… and further (and similar) to Gerfried’s point… are you suggesting/educating/creating awareness (and not in any way providing legal advice) that:
        – if EU persons are not specifically targeted by our sites
        – nor do we identify them as EU people
        – we just market to the world in general
        – we collect in a single currency – US dollars…

        …We don’t need to worry about GDPR?

        Shane writes: “…you can get out of GDPR compliance if you can prove that EU citizens are in no way targeted or appealed to on your site.”

      • Shane Melaugh says:

        Well, it’s one of those gray areas, but yes. There’s a clause that at least provides wiggle room. Specifically this one. This is convoluted legalese, as to be expected, but it seems that if your site doesn’t feature a language spoken in the EU and doesn’t offer products in a currency used in the EU, you might be off the hook.

        It’s one of those things where we’ll have to wait for actual cases to be processed, to set a practical, legal precedent.

      • Shane Melaugh says:

        Hello Gerfried,

        Thank you for your comment!

        I am working on a piece of content that provides some practical guidelines regarding what to do about these regulations. I’m getting it all checked with lawyers as well, so it may take a bit longer to complete. But I hope to be able to provide thorough answers. At least as thorough as the regulation allows for…

      • Gerfried says:

        Thanks Shane.

        I know you said that people can’t be forced to accept a newsletter in response to another comment. I just found a claim that this is what Google does though: https://www.onlinegrowthguru.com/email-gdpr/ (paragraph “force people to click”).

        In case your lawyers find a feasible workaround (like wording the offer as per above, “Would you like to receive my newsletter in return for a free report?”), will there be an option to only allow for subscription when all the required checkboxes have been checked?

        (I mean, legalese aside: Why would a business give away anything for free? Will we soon be required to deliver the same services and products to non-paying customers as to our paying customers in order to avoid discrimination? Lawyers/politicians, seriously!)

      • Shane Melaugh says:

        There’s definitely leeway here, depending on how the offer is worded. Basically, if you advertise your newsletter and one of the services people get from your newsletter is a downloadable PDF, you should be fine.

        However, this is all a grey area until we see some legal cases and rulings.

  • Gerlinde T says:

    Thank you very much, awesome! What about Thrive Comments and Thrive Ovation?

    • Shane Melaugh says:

      In Thrive Comments, we already implemented a checkbox to get consent for reply notifications. In Thrive Ovation, it’s a matter of clearly stating what the form is for on your testimonial capture page. This is something we’ve advocated from the beginning and requires no extra consent. This is because the testimonial capture form doesn’t sign anyone up to a newsletter and doesn’t have any other, non-disclosed purpose. The visitor should know that they are submitting text that can be published on the site as a testimonial.

  • S says:

    Thank you

  • Ned says:

    Hi,

    Thanks for the update.
    Will it be possible for the customer not to be able to hit the subscribe button unless the required check-boxes are ticked?

    Thanks!

    • Shane Melaugh says:

      This is one of the crappy things about GDPR: you aren’t allowed to make checking the box mandatory. Not under certain circumstances anyway. For example, you can’t offer a downloadable and make signing up to a newsletter a mandatory part of it.

  • The first poster is spot on! In the UK we will be letting people know from the auto-responder confirmation that GDPR is not relevant and by opting in they are accepting all responsibility. Information will never be misused or sold. Very thankful for BREXIT and to pull away from the powers of Brussels. EU needs to focus on bigger problems rather than optins LOL! If they carry on with trying to rule the world, Brussels and Germany will be the only countries left in this “European Union”. I recommend also to get hosting from NON-EU countries, use a VPN and keep yourself safe from these PIRATES.

    • Shane Melaugh says:

      Brexit won’t save you from this, I’m afraid. The UK have already stated that the same rules will apply in non-EU UK.

  • Chris says:

    Thank you so much for taking this burden from us!

    May I suggest, that when you are now pimping Thrive Quizzes, to add some functionality so that it can be used as a real survey tool to ask specific questions to clients where their answers can be stored by tagging in Active Campaign?

    • Shane Melaugh says:

      Thanks for your comment, Chris. We may add some more features to Thrive Quiz Builder in the future, but for now, our focus is on improving Thrive Architect and releasing a new theme.

    • Tom B says:

      Great point Chris. It would be hugely valuable to tag into ActiveCampaign from the Quiz builder.

  • Edward S says:

    Thank you very much for taking us by the hand in this.

    I actually am glad this has come up, because I’d been procrastinating over my privacy policy and now I think it is good to have clear guidance.

    • Shane Melaugh says:

      Thank you for your comment, Edward.

  • Mikey L says:

    When will these options be available on the Thrive Leads and Quiz? Also, if we integrate our Thrive Leads with MailChimp, what do we need to do?

  • Ulf Z says:

    Hello Shane and Team,

    do we need a “Vertrags zur Auftragsdatenverarbeitung”/ “Contract for order data processing” with you because of that?

    If so, where do we get this?

    Best Regards

    • Shane Melaugh says:

      No. We are not processing any data for you. It’s all happening on your website.

  • Markus says:

    Like already said in the comments: A problem will also be the Google Fonts used in Thrive Leads and Architect. A great feature would be just to somehow have an option to deactivate the loading of Google Fonts and choose some local stored fonts.

    • Shane Melaugh says:

      According to what I’ve read, Google Fonts are fine to use because Google have a feature they call “Privacy Shield” which will not track visitors coming from the EU.

  • Stefan C says:

    Hi, regarding the Data Overview & Export, will it apply to the comment section as well?
    Thank you

  • Jan says:

    Thank you so much for helping us with all this GDPR Crap. I’m soo relieved that Thrive is caring about making all those great Plugins compliant. BUT I came across one stumbling block and maybe you can help me out with it: I heard that with the GDPR it’s no longer legal to use the normal social media share buttons, because these send information to social media sites even when website users don’t click on them. Are the social media share buttons from Thrive Themes compatible with the GDPR or do they send information to the social media sites by just visiting the website like the normal share buttons do, too?

    • Shane Melaugh says:

      Hello Jan,

      Yes, this is correct but it only applies to the official sharing buttons. Meaning: if you go to Facebook or Twitter or whatever and you generate their social buttons and add them to your site, they load a tracking script. They’re basically monitoring visitors on your site, through these buttons.

      However, if you use the social buttons built into Thrive Architect or one of our themes, you don’t have this problem. These buttons don’t include any tracking scripts, so no extra consent is needed.

  • Thomas O'Toole says:

    Thanks. I think it’s great that you are doing this.

    • Shane Melaugh says:

      Thanks, Thomas. We’re doing our best to look out for our users.

  • Lorenzo D says:

    It’s nice that we can at least count on you guys being helpful.

    I’m sure these regulations have a purpose other than kicking small and medium businesses in the teeth, but they sure read as that’s the goal.
    On top of being hamfisted and byzantine, they are also unclear.

    I’ve been reading various guides about GDPR, and the situation is not clear at all…but it seems to me that if you must inform the person of every minute detail concerning their rights and your handling of their data before they can give active informed consent, the only way to be compliant is to link the full privacy policy + terms of use in the check-box text, and make the ticked box a required condition for signup.

    Will we be able to make the box tick required to subscribe?

    Will the ticked box be somehow recorded in the email marketing software as proof of consent?

    • Shane Melaugh says:

      Thanks for your comment, Lorenzo.

      It’s quite context dependent. If you take some parts of the regulations, it does indeed seem like you’d have to pop up a new prompt asking for the visitor’s explicit consent every time they click on something or make any move on your site. But in practice, you can be compliant without being that annoying.

      You can’t make the checkbox required. That would no longer be compliant with the regulation, unfortunately.

      • Lorenzo D says:

        I see. So how do we know whether we have consent or not? Does the checkbox trigger a tag or something? This will make things more complicated on the email software front as well, many are not used to segmentation, conditions and such. For some, it will probably mean having to switch to another email marketing software altogether.

        The solution I’m looking at is using correct semantics on a first form, the freebie being the “welcome gift” when you subscribe to the updates or whatever, no checkbox. Then use the signup links function to show a different form that tells the returning (and therefore interested) visitor to click a button if they want to receive information on the paid product, which will trigger a new and independent follow up sequence linked to an evergreen launch in T Ultimatum.

        This will give me better deliverability and stronger relevancy = lower probability that someone actually files a complaint, which as far as I can see is by far the most likely way you could ever get in trouble.

        It however raises the question, HOW DO WE OBTAIN CONSENT FOR BEHAVIORAL MARKETING TRIGGERS?

        I swear, these people are either ridiculously incompetent or malicious, or both. This EU behemoth can’t fall soon enough.

      • Shane Melaugh says:

        The easiest way to do this is to simply not send contact information from people who don’t give consent to your email marketing service. You can use the asset delivery feature in Thrive Leads to send them the thing they opted in for, but there’s no point sending someone to MailChimp or ActiveCampaign or whatever, if you can’t send them emails anyway.

        But the better solution is to basically reframe your offer and change your copy so that whatever the opt-in incentive is becomes part of the service subscribers receive with your newsletter. Framed like this, you don’t need additional consent. Regarding the behavioral marketing stuff, I’ll have a more detailed answer to that soon.

      • Hilary says:

        Ok — can you guys do a “framing” of it that way in a video — so we can work on that?

  • Klaudyna says:

    Thanks!
    Can the opt-in be already pre-checked? Something like: “Yes, I want to add my email to your list” and “checked” by default?

    • Shane Melaugh says:

      No, the checkboxes can’t be pre-checked. This would not be GDPR compliant.

    • Kara L says:

      This wouldn’t be compliant for Australian users either.

  • Ingrid says:

    I heard there will be plug-ins that identify whether a website visitor comes from the EU and show the additional tick box just to them, but not to all the other visitors from outside the EU. Will Thrive Leads also be able to do so?

    • Shane Melaugh says:

      Maybe. We’re still looking into such options.

  • Would it be possible to disable the “subscribe” button if all the checkboxes are not ticked? I’d like to register a new user only if all the checkboxes are ticked. Also, I would really like to know when you plan to release the update. Time is ticking. Thanks

    • Shane Melaugh says:

      Under some circumstances, this is not compliant with GDPR. There’s a clause that states you’re not allowed to disadvantage people who don’t want to receive your newsletter vs. people who do.

      • stefan says:

        Hi Shane, so how are webmasters supposed to sign people in without having at least their email? According to GDPR it means you can’t deny the service if people don’t consent BUT then, that would undermine the marketing purpose for asking people’s email. In other words, content creators are forced by law to provide the service without any reward. I mean, there is no win-win situation. So in this case, businesses that rely heavily on email marketing would have to process data based on legitimate interest, otherwise there is no business to run.

  • mark says:

    Hi,
    Will the new checkbox be able to integrate into mailchimp to update that via the API connection?

    Will there be an option to only display a variant of the popup to people from europe?

    • Shane Melaugh says:

      Hello Mark,

      Yes, this will work with MailChimp as well. Showing a different form for people from different regions is something we’re considering. It’s a legal gray area, unfortunately, so I’m sure if we can do that.

      • Peter H says:

        I would very much like to have this option of showing a different form for people from different regions. It would be our decision to use this feature or not.

      • Shane Melaugh says:

        Thanks for your comment, Peter. Noted. We’re looking into ways to make this happen.

  • Markus Thoma says:

    Will the Checkboxes for Lead Generation be in both Thrive Architect and Thrive Leads? I think it’s important, because the subscribers also maybe have to accept that their data will be sent to my Newsletter Provider. This Checkbox has to be checked, otherwise they can’t sign up. I hope this will be part of both plugins until 24th May 18.

    • Shane Melaugh says:

      Yes, the lead generation element is where the checkbox will apply and that element is the same in Thrive Architect and Thrive Leads.

  • shashank says:

    Thanks a lot, Shane, for sharing this.

    • Shane Melaugh says:

      You’re very welcome.

  • Gerfried says:

    Hi Shane,

    I’ve been talking to ActiveCampaign support about how to prove that a subscriber actually subscribed. My subscribers show up as having subscribed with IP address 127.0.0.1, which, of course, doesn’t prove anything. Support says that’s what is shown when the API connection is used.

    So my question is: Is this going to change? Is Thrive going to pass on the subscriber’s IP address via the API? How else are we going to be able to prove someone subscribed?

    Thanks

  • Raul says:

    Where will coming the upgrade?

  • Would it be possible to have an option to say “never store opt-in information” in Thrive Leads? This way I know Thrive only passed data to the email marketing service and I don’t have any personal data stored on my WordPress server. Is this technically possible?
