Note: this post does not contain legal advice. Always work with your legal counsel to determine the right decisions to make about regulations.
The General Data Protection Regulation (GDPR) is coming for all of us. It's a set of EU laws that protect the personal data of people in the EU. That means that even if your business is not in the EU, you're still potentially on the hook, because people from the EU can access your website.
At Thrive Themes, we have been hard at work to help you keep your website GDPR compliant in the easiest and most seamless ways possible.
In this post, you'll discover the GDPR related features that we've already released and get up to date information about the ones we're still working on.
What Do You Need to Know About GDPR?
This is not a post about GDPR and what it means for online businesses. There is plenty of content on that topic already. If you aren't familiar with GDPR and what it may mean for you yet, here are some useful resources for you:
- Read the official guidelines here.
- This Hubspot post is a good "in normal English" summary of what GDPR means for online marketing.
- This post goes deeper into what compliance means under different scenarios, specifically for marketing automation.
The Features
At Thrive Themes, we're currently working on feature additions in our products that will make it easier for you to stay GDPR compliant. Here are the features and their current implementation status:
Lead Generation Checkboxes for Explicit Consent
Products: | Thrive Leads, Thrive Architect, Thrive Quiz Builder |
Status: | Completed! |
For lead generation forms created with our tools, we released a feature to add an optional checkbox for consent. This is so that you can have subscribers tick a box that says something like "I agree to receiving a newsletter and understand that I can unsubscribe any time". This way, you have proof of their explicit consent to receive messages from you. Learn how this feature works.
Data Overview, Export & Removal
Products: | All products |
Status: | Completed! |
An important part of GDPR is the citizen's right to know what data about them is being collected and the right to have that data deleted.
The WordPress team announced that a data export and removal tool will be added as a core feature. After a few delays, the beta version of this tool was finally released a few days ago. This is good news, because it means we can add data tracked by Thrive Themes products to this tool and you will have a central solution for managing data not only from our products, but from any other plugins and tools you might use (as long as they integrate with this WordPress feature).
Anonymized Data in Thrive Quiz Builder
Products: | Thrive Quiz Builder |
Status: | Completed! |
Thrive Quiz Builder can be used to gather insights about your audience, such as their personal preferences, their age range and gender or anything else you care to ask during a quiz.
We've released a profiling feature which allows you to toggle between two types of data collection: anonymized and personal.
Personal data collection means you can see which visitor gave which answers, exactly. This requires explicit consent under GDPR. Anonymized means you can see the overall, averaged out results, but you can't track individual answers back to individual users.
Eliminating & Encrypting Personally Identifiable Information in Cookies
Products: | All products |
Status: | Completed! |
Cookies are an important convenience tool all across the Internet. Without cookies, you'd have to log back into every website where you have an account, every time you return there.
Thrive Themes tools utilize cookies in various ways and will continue to do so. We have released an update to our tools that encrypts or eliminates any personally identifiable information in cookies. Similar to the point above, it means you can still use cookies, but anyone reading the cookie can no longer tie tracking information back to a specific user. One caveat worth keeping in mind: an encrypted or pseudonymized value that you can still decrypt or re-derive with a key you hold is still personal data in your hands, so removing the identifier from the cookie altogether is the stronger option where it is possible.
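As an added example (this is not Thrive Themes' code and does not describe how their plugins implement it), the following Python sketch shows the two approaches the section describes: auditing a Cookie header for values that look like email addresses, then either replacing them with a random opaque identifier that is only meaningful through a server-side table, or replacing them with a keyed HMAC pseudonym. The cookie names and the sample header are constructed for the example. Note the caveat built into the comments: a pseudonym derived with a key you hold can still be linked back to the person by you, so only the opaque-ID approach keeps the cookie itself free of personal data.

```python
import hashlib
import hmac
import re
import secrets
from http.cookies import SimpleCookie
from urllib.parse import unquote

# Constructed sample header for the example; "lead_email" is a hypothetical
# cookie name, not one used by any real plugin.
SAMPLE_COOKIE_HEADER = "lead_email=jane%40example.com; session=abc123"

# Email addresses are the PII most often found in marketing cookies.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")


def find_pii_in_cookies(cookie_header: str) -> dict:
    """Return {cookie_name: decoded_value} for every cookie whose
    URL-decoded value looks like an email address."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    hits = {}
    for name, morsel in jar.items():
        value = unquote(morsel.value)
        if EMAIL_RE.match(value):
            hits[name] = value
    return hits


def issue_opaque_id() -> str:
    """Eliminate PII: the cookie carries only a random token, and the
    email lives in a server-side lookup table keyed by that token."""
    return secrets.token_urlsafe(24)


def pseudonymous_id(email: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256 over the normalized address).
    A reader of the cookie cannot recover the email from it, but whoever
    holds `key` can re-derive the same value from a known email, so for
    that party the pseudonym is still personal data."""
    normalized = email.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def scrub_cookies(cookie_header: str, key: bytes) -> str:
    """Rewrite every PII-bearing cookie value to its keyed pseudonym and
    return the rebuilt Cookie header; other cookies pass through unchanged."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    parts = []
    for name, morsel in jar.items():
        value = unquote(morsel.value)
        if EMAIL_RE.match(value):
            value = pseudonymous_id(value, key)
        parts.append(f"{name}={value}")
    return "; ".join(parts)


if __name__ == "__main__":
    # Audit first, then show what the scrubbed header looks like.
    print("PII found:", find_pii_in_cookies(SAMPLE_COOKIE_HEADER))
    print("opaque id:", issue_opaque_id())
    print("scrubbed:", scrub_cookies(SAMPLE_COOKIE_HEADER, b"example-key"))
```

Run the audit against the headers your site actually sets (for instance, captured from browser developer tools) rather than the constructed sample; the regex only catches email addresses, so extend it if your cookies carry names, phone numbers or other identifiers.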
Proof of Opt-In
Products: | Thrive Leads |
Status: | Completed! |
In the Thrive Leads reporting area, you can see a list of all leads that have signed up and you can see which of your Thrive Leads opt-in forms they have signed up for.
This counts as proof of consent: you can show that the contact with this email address signed up on your website, through a specific form. In other words: you didn't just send this person a spam message they never agreed to receive.
Coming Up
The deadline for GDPR compliance is May 25, 2018. Our team released all of our planned GDPR compliance features before this date and the last integration came into action with the WordPress update to version 4.9.6.
Coming up, we plan to extend and improve the lead generation element, to make the entire setup flow simpler. We have a good solution, but the flow was built without checkboxes in mind. Our next update will give you more advanced options and make things even easier.
Further, we are keeping an eye on GDPR features that are released by services we integrate with. Where it makes sense to do so, we will also update our integrations.
If you have any questions or feedback about this, please let us know by leaving a comment below.
P.S.: If you're looking for the previous update video we created about GDPR features, click below.
Thanks for this – be great to have the tick box available ASAP as obviously then we can make sure we’re compliant sooner rather than later – which means fewer people we have to go back to refresh consent from.
We will roll this feature out as soon as it’s ready.
Really hoping this will be very soon as Mailchimp’s solution is falling short of what I need for a Reconsent campaign… needing this real soon as closer to the date it gets the more chance I will lose a bigger percentage of my list.
Brilliant. Thank you Shane.
Ulf
Thank you, Ulf. 🙂
Thanks, Shane, for your ‘above and beyond’ efforts in our behalf. With regard to the new changes that will be implemented, will you provide examples such as opt-in pages, etc. that will us better understand how this all works?
As I have only one EU country where I’m doing business, I will just exclude it until the dust settles a little.
Also will you provide some guidance about how we can create our privacy pages to be compliant with GDPR?
Thanks!
Hello Robert,
We’ve released this blog post with some guidance and examples of what to do about GDPR for email marketing. We may also provide further tutorials in the future, depending on what questions and feedback we get.
Damn, can’t I remain just a simple blogger pecking away at my blog? 😉
Freedom of the press is limited to those who own one.
—A. J. Liebling
Seems that if the burdens of (Word)Press ownership can be increased beyond the practical ability of everyday-people/small-biz to carry, then… hmmm.
Another one who gets it!
This is definitely a problem that small businesses are facing. I’m opposed to regulation like this, not because I don’t like protecting people’s privacy, but because the way it’s implemented is bad for small businesses. Huge, powerful companies can handle this kind of thing with their scores of lawyers and technicians. It’s the little guy that gets chewed up.
No, we can’t have that, sorry. We definitely need to get a bunch of rules, regulations and paper-pushers involved.
Awesome, awesome! We already have number 1 issue here in Russia, I’m glad that I can handle it soon with Thrive products!!!
Thank you, Pavel!
Hey Shane, thanks for the update and I really appreciate you guys working hard to make Thrive products GDPR compliant 🙂
Does work on these features impact release of new themes in any way? It will be good to have some clarity on release of new themes as well because it was promised quite sometime back and its now becoming a very long wait!
This is unrelated to anything regarding the new theme.
THANK YOU! For those of us smaller fish getting started in the online biz world, it is so very helpful to have someone know about, inform, and then assist with something I quite possibly would have walked into without any realization I was getting myself in trouble.
Thank you, Steven. We do our best to support the small businesses out there.
Thanks so much for helping us with the new regulations! Are you also planning a feature with a “Cookies get stored” bar? I have seen this on many websites, but I don’t know how to get it (actually do we need this for the new regulations?)
Just install the plugin “Cookie Notice”. Go to ‘Add New’ under ‘Plugins’ and search for it:-)
No, we don’t have a plan for adding such a feature.
Fantastic – thank you for the update and the consent tick box sounds perfect. Will we be able to customise the text here?
Yes, the text will be customizable.
EU-fornia
Thank you for having our backs!
It’s our mission to do so. 🙂
The Canadian CASL laws are also challenging (it asks for explicit consent to send info, etc.)
It sounds like your changes would be helpful for those wanting to be CASL-compliant.
If so, great!
If not, can you please tweak it to also be CASL compliant?
Thanks in advance.
Trevor
Being Canadian, I support and second Trevor’s comment on CASL. The checkbox on opt-in can provide our subscribers the ability to Explicitly consent.
Thank you Shane M!
Yes, the same feature should cover you for CASL as well.
Thanks for letting me know to block Canadians from my sites, too!
Thanks for the comment, Trevor. We’ll look into this. On first reading, it seems that these features will also lead to CASL compliance.
This. This is why I am an unabashed cheerleader for Thrive themes! Clear and concise explanations along with clear and concise actions that are to me and my customers benefit. Superb.
Thank you, Mark!
Hi Shane, great to hear the news! Good Job!
What about Thrive Comments? Even just for comments we need a checkbox for explicit consent.
Robert
Hello Robert,
We’ve already added the checkbox for comments, in the latest release. 🙂
Hi Shane,
Thrive Comments is still not GDPR compliant. The checkbox must appear before the Submit button. But it appears only to get consent for sending email notifications for replies to the comment.
Is there any explanation somewhere how to use and install that checkbox in the latest release? Or when and how new features are implemented? Thanks!
Thank you so much for all your efforts and for keeping our business safe.
In regards to using other tools, I try to keep it down to Thrive Themes only tools, but I always end up using some others. That being said, will the new super theme be released along with the updates mentioned on this post, or will it be released prior to that?
I’m sorry to ask, but I’m kind of struggling right now with “looks” and “feels” from other themes which are really nice, but not 100% compatible with Thrive Themes Tools (this is a new project I’m working on).
Once again thank you so much for all your efforts, your great team and of course your great products and entrepreneurial vision.
The super theme is coming later. We’re going to start beta testing this month, so a full public release is still a ways out. These GDPR changes on the other hand will start showing up in the next plugin updates already and we’ll keep rolling them out as fast as possible.
Hi Shane, Thanks for all you do. May I ask that you consider adding dates to the comments here…so that things like ‘this month’ make some kind of sense? Thanks.
Thanks for staying on top of stuff like this.
We gotta look out for small business owners. This kind of thing is a massive obstacle for the kind of entrepreneur we build our tools for. It’s important for us to serve these entrepreneurs as best we can.
And Shane thanks for doing so. Grateful that you care… AND that your company as a small business has the critical mass to address it. Many don’t and their customers will be left hanging.
When all is said and done, I can’t imagine the expense lines in your P&L associated with this effort for legal, development, and your management time to navigate it all. Grateful!
Thank you, Tom. It’s not good for our business any more than for the businesses of our users. But hey, entrepreneurship is problem solving, so let’s get it done. 🙂
Well I’m impressed by your commitment to deliver on these important legal changes! Thank you so much for making it easier for small business owners, it’s a relief…
Thank you, Abigail.
Great to see ThriveThemes on top of their game again and adapting to the change. That’s why we love them. 🙂
Looking forward to the update.
Thanks, Shane
Thank you, Ed!
Hi Shane, great to see you working on this issue. Another problem regarding GDPR compliance might be using Google Fonts within Thrive Architect. The IP address can be collected by Google without anonymizing.
That’s an interesting point. I will have to do some more research on this.
I asked already to have custom fonts with the architect. That would be a great way to implement google fonts on our own server.
To be gdpr compliant I had to upload them via ftp, enter some new css but still it does not show up correctly everywhere ..
So .. it would be really nice to have the custom fonts as soon as possible. (Or another solution for google fonts)
Hi Shane,
Thank you for the information on the GDPR and for taking the necessary steps to help us comply. I love the work you guys do by the way – I can’t rave on enough about Thrive Themes and your plugins! If you guys ever want some good ideas for new features or plugins feel free to get in touch – I’m a fountain of ideas just lack the necessary coding skills to make them happen – so passing them off to you guys to implement would be the next best thing 😉
Thank you very much, Richard! I appreciate your encouraging words. 🙂
Regarding ideas: have you joined our beta testing group? That’s the best place for this kind of thing.
Hey Shane, fantastic. That was not boring at all. You’re looking out of your customers – us. I greatly appreciate that. Really!
Thank you, Patrick.
Well done. Thank you. Should put a lot of minds at ease.
Thank you, Rob.
Seriously cool … and what a painful process to have to undertake. Thank you … really … I really appreciate how you look after us thrive themers 🙂
Thank you, Nic! It’s a painful process indeed, but we’re doing our best to make it less so.
Hey Shane, what are the chances of Mailchimp allowing the checkboxes to work with your plugins, their GDPR checkboxes say they don’t support any integrations or APIs. Any ideas on if they are going to work with Thrive or if you will have to use a standard embed code instead or switch providers?
Thanks for your comment, David!
Our hands are tied in this regard, until they update their API. There’s nothing we can do from our side.
Thanks for confirming, hopefully, they will open it up soon or risk losing a load of customers that don’t want to mess with their fiddly code.
Good to know, thanks!
Thanks for your comment!
Hi, you’re doing a great job and you’re making things easier for your clients. I have a question related to this matter: I have a restricted area on my website and I ask people to register. Up to now, I also subscribed them to my newsletter. According to Gdpr this is not allowed anymore, is it possible to have a checkbox in the registration form, asking to subscribe also to the newsletter? If people don’t check it, they will only register on the website. Thanks in advance
If you use one of our lead gen forms to register the users then yes, you will be able to add a checkbox. If you use a different tool for the registration form, you’ll have to look for that tool to support the addition of the checkbox.
Where will the data be stored, that the user selected the checkbox? I have to proove that he does.
It will be stored in the dashboard on your own site. You’ll have an overview of all the data needed for GDPR compliance, regarding all of our tools.
Thank you!
Thx for sharing. Will you also provide contracts for order data-processing for your apps?
Hello Siliva,
Can you explain what you mean, exactly? Since I don’t understand the question, the answer is most likely “no”, but I’d like to know more about what feature you’re looking for here.
Hi Shane, thx for your interest. It is a contract to show that you handle the personal data which we provide/store/process with the plugins in a way that meets the requirements of the new regulation. E.g. how you store the data, is it sent via SSL or not, what would you do in an uncertain case of data loss, do you have an IT security concept …
To comply with Art. 2 GDPR it is necessary to have a contract with every party in place. Thx for your help.
Thrive Themes does not process or store any data for you, in any form. Remember: we sell distributed tools. You run them on your server. You are not passing any data on to a 3rd party.
Thanks for the clarity: Thrive itself does not process data. Got it.
As we are processing data with Thrive tools on our sites we will need to update our site’s T’s&C’s etc.
It would be wonderful if you could help us out with updates to the Privacy, Terms, and Disclaimer copy as you have in past Theme templates.
I’m afraid we can’t do that without inviting all kinds of legal trouble. Our existing templates for this are already provided under the condition that you basically don’t use them and ask your lawyer instead.
Thx, that helps a lot 🙂
Hi Shane, doesn’t Thrive Leads transfer data to my e-mail provider?
If I have the right information, then we need a data processing contract (in German: Auftragsverarbeitungsvertrag) from Thrive Themes.
Yes, but the data is being sent from your website, from your server. Thrive Themes (the company) is not involved in this transfer of data.
Hi Shane
Will the check box on opt-in forms appear on all existing forms or will we have to re-create existing forms individually with the new checkbox? Thanks
Hello Martin,
You will have to edit your opt-in forms manually. The type of consent needed (or whether you need extra consent at all) is highly context dependent, so there’s no catch-all solution for this.
Shane, this is by far the best post I have ever seen concerning GDPR. You made it to answer exactly all the questions I had in less than 5 minutes. CONGRATS!
Best, Christoph
Thank you very much, Christoph.
Thanks for keeping us informed about this. We Americans fought a war in 1776 because we didn’t want to be ruled by Europe, and we fought two world wars to save Europe. I’ll just block EU residents from accessing my sites, because I will not be ruled by Brussels.
You are obviously entitled to your own opinion, but this is not about being “ruled” by Brussels, or anything for that matter.
It’s about better protecting PEOPLE’s data and privacy and giving them some autonomy (back).
And while I don’t like this from a logistics point of view (with all kinds of different tools this might be a real pain in the a**) – I think anything that helps protect people and their privacy from either themselves or companies they no longer trust with their personal data, is great.
I hope you enjoyed the Koolaid.
The problem I see with GDPR is not in the alleged cause of protecting people’s privacy. I’m all for that. The implementation of the laws is incredibly ham fisted, though and shows that the laws were written by people who haven’t the faintest clue of what it’s like to run a business.
Exactly
I agree. From a business perspective, like I said, it’s a pain.
But even as entrepreneurs or people who run a business, we are still individuals first. And I think it’s hard to argue from a individual point of view that this is not a good thing.
Even though the implementation is done poorly (like most of the times when goverments pass new laws that involves businesses..) – I feel looking at the bigger picture is (more) important.
Anyway. Looking at this wearing two different hats (our individual vs business pov) is probably where most of disagreements and mixed feelings come from.
exactly
Yes Shane, and the same was true of Mark Zuckerberg’s testimony before the U.S. Congress. It was obvious senators had not done their homework, resulting in one of my now-favorite memes: Senator, We Run Ads.
Yeah, Nick, you tell ’em. Mussolini made the trains run on time, and that was “great” too, in your logic.
Without the help of France you would not have won that war in 1776.
I think we may be overreaching into the annals of history, as it relates to legislation for Internet businesses…
I totally agree!!!
NOTE: I absolutely LOVE ThriveThemes. LOVE IT. I wouldn’t think of using anyone else. So this rant is NOT about ThriveThemes. This is about the stupid GDPR…
I have already blocked all EU countries (and quite a few more). Merely LOOKING at a website starts the whole “data” thing. I’m not going to waste my time saving data on people who come into the equivalent of a bricks and mortar store and end up telling me they’re “just looking.”
According to the EU, anyone can be “just looking” but I’m supposed to use the data-gathering equivalent of the FBI/CIA/NSA and hand over their data at their request, and do it politely? FOR FREE?!?! I didn’t go into business to merely gather, process, control, and give away (FOR FREE?!?!?) what is commonly known as market research — which, according to U.S. laws — is proprietary information not required BY U.S. law to be given away for free to just anyone (including persons “subject” to EU laws). What if people who are “just looking” ARE criminals already? Wouldn’t the FBI/CIA/NSA want to track them? HELLO! I certainly don’t want to be aiding and abetting a bunch of illegal activities that are illegal according to U.S. law.
Why on earth is anyone using their real name in their email address anyway? It’s not my fault or responsibility what people do with their data online! And it’s not their “jurisdiction” what happens on my website (or behind the scenes where only legal activity takes place, mind you).
If my physical eyes SEE an EU resident, how on earth am I supposed to follow GDPR — erase their data from my BRAIN when they request their stupid “right to be forgotten?” These stupid GDPR “laws” don’t make any sense in the physical realm! It’s totally outrageous! The EU, itself, can’t even make it work!
And since reports (as of this writing) are saying that up to 90% of all European companies online and offline are NOT compliant with GDPR (and won’t be by the May deadline), that makes ALL OF THEM operating illegally. And you think the BURDEN of proof is on ME for being legally responsible with their data?!?!? Why should I have the burden of proof for what WILL BE legally designated as non-compliant and therefore ILLEGAL activity on the part of European citizens?!?! My solution: block them. Too much unreasonable and ill-thought out “legal” nonsense. It’s not how physical reality actually works — offline or online. It’s not how LAW works, either.
GDPR is not at all congruent with current U.S. FTC regulations (not to mention the constitution). The EU has no jurisdiction over the Department of Homeland Security, either. A living person, by definition, is not “the sovereign” such that wherever that person “goes” (online or offline) their “sovereign” jurisdiction follows. When Americans are in Europe, we drive on the side of the road required by your jurisdiction. But when you’re on our land, you drive on OUR side of the road. Got it?
The GDPR is not legal in the U.S. for all kinds of reasons not the least of which is this: it’s a coerced contract and all coerced contracts are considered legally VOID. Websites in the U.S. are under U.S. jurisdiction AND individual states’ jurisdiction. My business is in the U.S. and other state jurisdictions. Nothing I do is in the EU. I do not target it and I don’t want it. Don’t make ME responsible for something I do not intend to have anything to do with or, now, want to.
A person “going through” a website they do not own, operate, control, process, etc. is, by definition, not in some kind of sovereign bubble, legally speaking. Their “data” is IN CONTEXT with what they actually DO on a particular website — i.e.: the jurisdiction in which the website, itself, resides and is created in. Literally speaking, any one person going on a website is in someone else’s property. If you come into my house, what you do in it is not “owned” by you, entirely. I can’t behave your behaviors but you can’t “own” the effects of you being in my house. That doesn’t even make any sense in physical reality!
Besides, how about this: suppose a data subject sends a website owner (data controller/processor) a request for their data files and the website owner (et al) realizes that with third party vendors, etc., it just isn’t possible or realistic to be in possession of a data subject’s precious data. It’s already all over the internet because the data subjects, themselves, WENT on the web and did stuff. I didn’t do that with their data, THEY did. So, before the data subject gives a website owner (et al) “consent,” why not put the burden on the data subject IN THE FIRST PLACE by requiring the data subject to send the website owner a file of ALL THEIR DATA ON THE INTERNET so that if/when the stupid data subject sends a website owner the stupid request you can just send it right back to them (since this is exactly what the depth and breadth of GDPR is really about anyway: outsourcing the “scrubbing” of every EU resident’s “data” from the internet because EU residents refuse to take personal responsibility for what they, themselves, actually DO with their data).
The burden placed on website owners by these regulations is indeed ridiculous. What’s worse is that there’s a lot of grey area in these regulations. Changing a few words on a landing page can make the difference between needing multiple checkboxes or none at all.
Just as with the VAT MOSS laws, they’re basically placing a huge obstacle in front of businesses and giving themselves the leverage to sue and fine small businesses out of existence. As I’ve stated in other comments, I’m in favor of protecting people’s privacy, but not like this.
Thank you for all that you and the ThriveThemes team do, Shane. I am always impressed by what all of you do for us who use ThriveThemes. Just amazing. So much value!!!!
And thank you for letting me rant, too, about GDPR. I agree with you about the importance of privacy. While we’re going to be as compliant with GDPR as possible, I have to restructure all our systems for the worst case scenario (that “nightmare letter” I found online was actually a blessing in disguise — some legal expert wrote it to get us all thinking of the worst case scenario and what that would entail. And it really IS a nightmare — it makes me think of getting bogged down in talking to endless users about all their data while NOT doing the business we originally set out to do. Not fun at all.).
So, after reading all about GDPR from legal experts for over a week now (and still going…), our “legitimate” and “legal reason” for doing business online (and I thought BEING a business WAS the “legal reason” for using data. Unbelievable. LOL!)… is to force our website users to:
1) check boxes for all the GDPR stuff
2) accepting our website’s terms and conditions
3) checking a box that the user gives “explicit consent” (!) that they are NOT a European resident and are a U.S. citizen only (our training really is U.S. specific, luckily).
I’m not a lawyer, but I do know that we’re covered by U.S. federal law as well as California law (and a few other U.S. jurisdictions, too, not to mention our Federal Trade Commission and U.S. Patent laws) — so the only way to fully protect ourselves is for the user to enter into a contract — and that sucks. It is so utterly ridiculous — as if going into a traditional “bricks and mortar” store just to look and not buy anything now has to be the same thing as having to enter into a legal contract. Wow.
But this seems to be the best LEGAL way for us to do our online business while being protected/compliant. We have to have the user agree to the jurisdictions WE are in, while doing the whole GDPR compliant thing. I noticed a whole bunch of pro-GDPR “plugins” are now for sale, for annual subscription fees of over 300 Euros (and higher). That seems like a total scam to me. Money grab.
What I don’t understand is why some EU “authority” didn’t come out with a free plugin to help with their OWN citizens’ compliance (and everyone else’s). If they had done that, I might understand the alleged “privacy solution” known as GDPR. Until then, I don’t understand it and it is entirely impractical and takes traditional communication, itself, and market intelligence and turns it upside down. I keep thinking of all the security cameras, microphones, and everyone’s smartphones — that’s a LOT of everyone else’s data that, probably, won’t be GDPR compliant. LOL! Oh well.
Anyways, thanks again for all that you do. I appreciate all of it very much! Cheers.
Thanks, Shane. I would love to hear your wisdom regarding “Changing a few words on a landing page can make the difference between needing multiple checkboxes or none at all.”
If you don’t mind, would you show us how to do that on our landing pages and opt-in forms, especially those of us just starting to build our lists, who don’t want to frighten people from signing up with multiple opt-in checkboxes?
I just viewed the new MailChimp GDPR-compliant forms and am not sure I would opt-in to any list if I saw all that.
Currently, I don’t believe I have any EU subscribers and am primarily a US-based list.
I’m working on a post that will explain this in detail.
David, if I could give you 1000000 up votes I would! You just said what I was unable to express in words myself. It is, in fact, the dumbest, most annoying, and ridiculous thing I’ve seen/heard/read since “that guy” took office!
Yeah… I’m with you Chris.
And for anyone who wants to protect their privacy, it’s simple – leave the Internet. It’s not mandatory to visit anyone’s website, nor enter any personal data. No, really…
As usual, regulators find idiotic ways to irritate the people who actually do care and play nicely online, while doing nothing to find and prosecute the criminals whose INTENT is to steal, manipulate and deceive.
GDPR will do precisely nothing to stop data thieves with nefarious intent.
And once we’ve swallowed this regulation in that name of ‘privacy’ and ‘safety’, or whatever other slimy name they want to give it to sell it to the sleep-walkers – what’s next?
“As usual, regulators find idiotic ways to irritate the people who actually do care and play nicely online, while doing nothing to find and prosecute the criminals whose INTENT is to steal, manipulate and deceive.
GDPR will do precisely nothing to stop data thieves with nefarious intent.”
— Agree 100%!
I agree with you, Chris. Gdpr is going to penalise honest people who slip or get confused (crooks will keep on being crooks, they’ll just get creative and work around it as they always do) There has always been an unspoken agreement in place between marketers and subscribers: you get my free content and in exchange I’ll send you an offer every once in a while. By the way, you can get out of it at any point by hitting UNSUBSCRIBE! Instead of going after the existing crooks, EU bureaucrats are now making the lives of lots of honest people more difficult in the name of “protection”. I’d like to know what their plans are for the group who hacked my website a couple of months ago.
I refuse to comply so I am now blocking all EU traffic on all of my sites.
I am really glad that EU is doing this for us!
I think the goal of protecting people’s privacy is good and important. The implementation is very poor, though.
Thanks a lot Shane and the team for these important improvements
Thank you, Yannick.
It’s great to hear you are working hard to provide these features. Thank you very much. What about the other plugins like for example Thrive Ovation and Ultimatum? Are they also tracking personally identifiable information?
Hello Andrea,
In Thrive Ovation, it’s a matter of clearly stating what the form is for on your testimonial capture page. This is something we’ve advocated from the beginning and requires no extra consent. This is because the testimonial capture form doesn’t sign anyone up to a newsletter and doesn’t have any other, non-disclosed purpose. The visitor should know that they are submitting text that can be published on the site as a testimonial.
For Thrive Ultimatum, we are looking to remove all personally identifiable information from what we track.
Thank you Shane for your answer.
Hi Shane,
great, great updates!!! (living and working in Germany and using ThriveOvation and ThriveUltimatum lockdown campaigns very often)
Thanks for keeping us in the loop. I had no idea that even existed. Thanks for leading us and being on top of your game. However, I would ask for a favor, when this May 28 date comes to present, can you do a video tutorial on how to use these features you are adding? I ask so that we can effectively honor the rules and for us to protect ourselves.
Hello Luis,
We will create some more content related to this. However, I’m not a lawyer, Thrive Themes does not practice or consult on legal issues in any capacity and while we will share some of our thoughts and opinions on the matter, we have to disclaim that anything you read here regarding legal matters is for entertainment purposes only. You have to consult with a lawyer who knows about laws in your own jurisdiction as well as internationally, to come to the right decisions for your own business.
Shane… Love what you guys do. Thank you!
I didn’t catch you mentioning IP address capture. If you did my bad. I’ve been talking to support for months on this topic with no resolve. Ug!
Thrive tools don’t capture nor can they pass on IP address data for subscribers… this is required the world over for anti-spam law compliance.
Please please include IP address data capture.
Your recommended method for optin forms is:
– build a form with Thrive tools; then…
– integrate an email service provider ESP.
However, anyone that does this is NON-compliant!
Wait?! What?!
For example, all Canadian and US users of Thrive products are currently by default non-compliant with anti-spam laws.
My question is:
–> Will you be addressing IP address capture in the GDPR upgrades to the Thrive product suite?
———————————————————-
PS. A Wish-list request: Please, build a credit card processing plugin. The purchase process is a complicated mess out there in WordPress land… it needs some “Thrive’ing”.
> For example, all Canadian and US users of Thrive products are currently by default non-compliant with anti-spam laws.
That’s not even close to correct. What do anti-spam laws have to do with a WP theme?
Hey Chris, thanks for chiming in!
Good question/point. Let’s learn together.
Others, please chime in as well. Let’s create discussion as this is important.
The fines in some countries are as high as a million dollars a day! We can’t afford to get this wrong.
Let me first say, if I’m missing something please point it out (and be polite about it if you don’t mind :). I’m not busting anybody’s chops here… just asking the question, creating discussion, and seeking insight from other Thrivers.
If you have insight please share and help us all learn.
For more context, I understand the 3 key pieces of data required for most anti-spam compliance requirements around the world are: *whom, when, and where*.
1. Whom – Email address of whom it is
2. When – Date Optin occurred
3. Where – IP address if online, or a store address if brick and mortar, or networking event if verbal discussion.
~ ~ ~
To address Chris L’s question directly… yours and my websites are built with our chosen Theme and Plugins. In this case, Thrive tools: a given Thrive Theme and various Thrive Plugins, for example, Thrive Leads.
Do you agree then that our websites are our platforms?
The question then is: What platform do you have Optin forms on? If not your website where?
How do you collect user information? If not your website Optin form, then where?
Now if your website Optin form does not do the job of collecting the required data to be compliant with anti-spam laws… how can you be compliant? You can’t.
–> The tools we use to collect user data have everything to do with anti-spam law compliance.
Here is a scenario:
What data are you going to bring to court to give to a judge if your Optin forms can’t collect the whom, when, and where data? Your defence would be weak.
Again, with daily fines in some countries of $1,000,000.00… a million a day… this is no small thing.
~ ~ ~
Let’s pause for a second with a legit question right here…
If Thrive tools aren’t going to pass on the data you need… What do you and I do? How do we collect these simple pieces of data from our Thrive Optin forms?
If not from the Thrive Theme and Plugins we use to build our sites… then where?
Perhaps install yet another plugin to collect data… that Thrive is already sitting on? In my opinion, not good.
Thrive Optins are passing Name and Email address data already… why not IP address to complete the *whom, when, and where* data set?
To have tools that do not do the job we need as business owners of a website… then we have to look elsewhere.
Look, I love the Thrive tool set… I’ve been a user paying my dues annually since it launched in 2014. I’m not being dramatic… just saying to the Thrive gang… “Hey, help us out and do one more little thing…
–> Please collect and pass on the IP address of the subscriber… just like every ESP out there is doing… do the same.
The moment is right when the data collection of name and email address occurs on an Optin form… this is the moment it needs to be collected. It’s not hard. The data is sitting right there but currently NOT collected by Thrive tools or Optin forms.
I know this, because I’ve tested this. And I’ve been in discussion with support for months with no resolve.
Go look in your ESP database for the IP address from a Thrive Optin form. It’s not there.
Your ESP will say you used a 3rd party Optin form that is not passing on the IP address. Then they will suggest to stop using that 3rd party form but use their form. That is what they said to me.
It would be great if Thrive tools did this so we aren’t forced to use the ESP’s Optin forms?
I don’t want to use the ESPs Optin form… I want to use the high-converting Thrive Optin forms! It is the reason we purchased them in the first place.
~ ~ ~
Summarizing the topic…
To be comfortably compliant one would need to stop using Thrive Optin tools… and only use the ESP optin forms that are:
– not as flexible for design…
– nor as easy to use…
– nor as high-converting…
– nor recommended by Thrive.
But from the video above, I don’t recall that Shane addressed the *IP address* data point in this recent GDPR video.
So I happily bring it up here… seeking to create discussion and insight from you all.
~ ~ ~
Thrive does not have a user group like most companies do but defaults to the blog here so share this out, comment, click the vote button.
Good point, I didn’t know that. It’s sad we can’t have both high converting opt-ins and compliance at the moment. I guess that’s because most people are not aware of their obligations regarding this. When people become more aware, companies will adapt and provide what they need.
Thank you for this focused information Shane. In a way, it makes it easier and more focused to use your products for most of my opt-in needs, so I won’t have to coordinate too many technologies across multiple platforms. There are so many features I have yet to put to use with Thrive products, this gives me extra incentive to do more with Thrive Themes–knowing you’re covering most of our concerns. It gives me more confidence to use your products.
Thank you, Lewi!
that sounds promising!!
Do we have to replace our opt-in forms or will there be an update which automatically adds the consent column?
You’ll have to edit your forms.
There’s no catch-all solution here because the type of consent needed (or whether you even need additional consent) depends on your offer and the copy in your opt-in form.
Ok what am I missing here?
How exactly does the EU have jurisdiction over non-Europeans so that their laws “apply” to us? I understand they want their citizens to be protected, but how can they legislate what the rest of the world does?
They don’t have jurisdiction over non-Europeans, so they can only hope that the rest of the world applies it voluntarily.
It’s another story, for example, if a US business has an EU branch – like Google does. Then they have to comply.
They can still try to enforce it. Unlike the EU VAT laws, there’s no money in it for them, so they probably won’t go after it as hard. But technically, you have to comply if you have EU visitors on your site.
Glad to hear someone else gets it!
I’m not a lawyer and I don’t know how they intend to enforce these regulations. We’ll have to wait until actual cases start rolling in and the rulings from those will set more practical precedent.
There is a British solicitor who has started a really helpful and balanced FB group on all of this – it’s worth joining.
She has been creating daily videos covering topics and clearing up some misconceptions on whether or not you need a double opt in etc. She isn’t dogmatic and often balances the risk with the letter of the law.
She of course has a product to sell, but the group isn’t all about that and she gives lots of value: https://www.facebook.com/groups/GDPRforonlineentrepreneurs/
Thank you for the recommendation, Louise!
Jim… it’s simply the visitors to your site. If from the US you need to follow US rules. If from Canada, must follow Canadian rules. If from EU, must follow EU rules etc.
Or… do as Chris L is planning… blocking users from said countries and then not have to worry about it!
I love the simplicity of that solution.
Tom, that’s not the way it works. If you’re in the US, and I (from Canada) visit your site and optin to one of your freebies, you don’t have to use double opt-in for me (which is the law in Canada). It would be complete mayhem if, you as a website owner, had to comply with the rules of the countries of everyone who came to your site.
Hi Shane
Thank you for the update.
Two quick questions:
1. Please confirm that you will be supporting MULTIPLE tick boxes, connected to storing permissions in, say, Convert Kit etc. We need to offer granular consent, so in some cases will need more than one tick box.
2. Please could we have the tick box functionality ASAP. It isn’t just Thrive Themes that needs to comply by 25th May, it’s us, too. I have over 200 landing pages / forms / content reveals that I need to change and I can’t do this until Thrive gives me the functionality. When will we get ETAs for this, so we can plan in this work?
It would also be good to know what you are doing to support ‘right to erasure’ and to make sure that Thrive Comments are compliant.
Thanks
Clare
Thanks for your comment, Clare.
1) No, we will roll out the feature with one checkbox. We might add functionality for more in the future, but in general, I don’t recommend adding lots of checkboxes. It’s better to clearly communicate your offer in the opt-in form in the first place, instead of asking a visitor to understand and confirm a lot of fine print.
2) We will roll it out as soon as it’s ready, yes.
1) That might be better for marketing, but not for compliance. GDPR requires granular consent, as mentioned, for signing up AND for having read the privacy policy AND for possible other things, such as receiving an incentive or participating in a giveaway.
I really appreciate that you’re marking Thrive compliant, but if it’s not fully compliant, all the effort is wasted.
Hi Shane,
When will we get the check box, please?
I have over 200 forms / content upgrades / pages etc to update and can’t start this work until I can get Thrive Themes to add a tag in Convert Kit if the box is ticked.
I’m effectively paralysed on my GDPR compliance work.
The laws come into effect in 4 weeks and I’m still signing people up who I will have to reconfirm, which makes me look stupid and is so frustrating.
It’s nearly a month since you published this.
What’s the timing? Please? ‘Urgent’ no longer describes how soon we need this.
Thanks,
Clare
P.S. I’m with other commenters – some will need more than one tick box, because that is the nature of their business. To tell them they can’t have it means it might be impossible for them to comply with the law. Consent has to be GRANULAR and ACTIVE, which can mean 2 tick boxes. Please reconsider.
We don’t have a release date for this. We are currently working on these features and will release them as soon as they are ready and tested.
So not necessarily before May 25?
Great so far … thank you. I suppose this checkbox is for the API-connection?
Another thing we have to have in mind are the social buttons.
We have to make sure they only connect to Facebook, Twitter, Instagram … if they are pushed by the visitor.
Any plans on that?
As far as I know only the shariff-buttons have this feature ..?
https://github.com/heiseonline/shariff
Hello Henning,
Yes, this applies to our API connections.
Our social buttons never have loaded any scripts from the social networks on your site. That’s one of the reasons they load about 10x faster than the official sharing buttons. 😉
So for the buttons, there’s nothing further that you need to do.
Hello Shane,
This point with the social buttons in Thrive Architect is really important. And in my opinion only a few people know about this.
I was looking for a solution for the social buttons… and I got to this site via Google.
Just write a newsletter or make a little video. Your users in Europe will thank you very much.
Thrive Architect is just “great stuff”…
Great service by TT. Glad to have you with me.
I already use double opt-in! Do I need to add checkboxes as well? Looks like triple opt-in then tzzz …WTF EU
Yep, confirmed opt-in doesn’t cover you for this. Not in every case, anyway.
I used to state under the signup forms that submitting the form meant that they gave us permission to email them on a specified schedule and they could unsubscribe at any time.
Now, if we have to add an extra box for them to check to give us that permission – what does it mean if they submit the form but don’t check the box? I only want to give my free material to people that want to become regular subscribers.
Also, how would our email systems separate those folks that checked the box versus not?
My website will be intentionally targeting an audience within a specific region inside the U.S. I plan to specifically state who my material is designed for, including where they are located. This is appropriate, as I offer gardening instructions most suitable for a specific region.
From what I’ve read, if I don’t target folks in the EU and don’t track their data, I have no need to comply with all of the GDPR requirements.
Is there any way for me to automatically or periodically identify those folks from the EU that may have signed up for my website or services, despite my audience specifications, in order to purge their data and stop tracking them?
Yep, why would someone give you their email address if they don’t want you to email them? It’s not like you’re sending emails to random people.
Your autoresponder service should let you find people by country, then you can just delete the ones in the USSR, oops, I mean EU.
Hello Debra,
I’m not a lawyer and you shouldn’t listen to anything I say on this matter.
One of the most harebrained rules in GDPR is that you aren’t allowed to disadvantage people who don’t want to sign up to your newsletter. Meaning: if you have an opt-in form that states “get my free report” and someone doesn’t check the box to be added to your newsletter, then you still have to send them the free report, but no other emails.
However, this is mostly semantics. If your offer is instead: “Sign up to my newsletter to get my free report” then you don’t need a checkbox and you don’t have to send the report to anyone who doesn’t sign up, because the report is part of the service you provide with your newsletter, which is what people sign up for…
Regarding regions: you can get out of GDPR compliance if you can prove that EU citizens are in no way targeted or appealed to on your site. We’ll have to wait for actual cases to come in, to see how this plays out in practice. Right now, it’s just a Damocles’ sword dangling above everyone who’s ever used an opt-in form or sold something online.
As for identifying people from the EU: you’re not allowed to do that without getting their consent first. So, scratch what I said previously. THIS is the most harebrained thing in the GDPR.
Hi Shane,
thanks for your work on this topic. This article and the discussion contains the most concrete, usable advice I’ve found so far. Most blogs just re-iterate the legalese without any real advice about how to implement it.
Anyways – does this mean that when an offer is worded as per your suggestion above, we don’t have to use the new checkbox feature? Frankly, I would much prefer that…
Wait… and further (and similar) to Gerfried’s point… are you suggesting/educating/creating awareness (and not in any way providing legal advice) that:
– if EU persons are not specifically targeted by our sites
– nor do we identify them as EU people
– we just market to the world in general
– we collect in a single currency – US dollars…
…We don’t need to worry about GDPR?
Shane writes: “…you can get out of GDPR compliance if you can prove that EU citizens are in no way targeted or appealed to on your site.”
Well, it’s one of those gray areas, but yes. There’s a clause that at least provides wiggle room. Specifically this one. This is convoluted legalese, as to be expected, but it seems that if your site doesn’t feature a language spoken in the EU and doesn’t offer products in a currency used in the EU, you might be off the hook.
It’s one of those things where we’ll have to wait for actual cases to be processed, to set a practical, legal precedent.
Hello Gerfried,
Thank you for your comment!
I am working on a piece of content that provides some practical guidelines regarding what to do about these regulations. I’m getting it all checked with lawyers as well, so it may take a bit longer to complete. But I hope to be able to provide thorough answers. At least as thorough as the regulation allows for…
Thanks Shane.
I know you said that people can’t be forced to accept a newsletter in response to another comment. I just found a claim that this is what google does though: https://www.onlinegrowthguru.com/email-gdpr/ (paragraph “force people to click”).
In case your lawyers find a feasible workaround (like wording the offer as per above, “Would you like to receive my newsletter in return for a free report?”), will there be an option to only allow for subscription when all the required checkboxes have been checked?
(I mean, legalese aside: Why would a business give away anything for free? Will we soon be required to deliver the same services and products to non-paying customers as to our paying customers in order to avoid discrimination? Lawyers/politicians, seriously!)
There’s definitely leeway here, depending on how the offer is worded. Basically, if you advertise your newsletter and one of the services people get from your newsletter is a downloadable PDF, you should be fine.
However, this is all a grey area until we see some legal cases and rulings.
I am planning to target people located within a very small region (within a particular state in the U.S.). I actually do not want anyone from outside this particular area to have any access to my website.
I only want people inside my local region to join my membership, as the information is designed specifically for this local area.
So, I am looking into using a plugin that will limit access to my website to folks only inside my target area. But then I noticed your comment: “As for identifying people from the EU: you’re not allowed to do that without getting their consent first.”
That’s pretty insane! I’m not targeting folks in the EU, and I’m not going to allow them access to my site (along with nearly the entire world). I am NOT going to ask their consent to identify them so I can block their access to my site.
Thank you very much, awesome! What about Thrive Comments and Thrive Ovation?
In Thrive Comments, we already implemented a checkbox to get consent for reply notifications. In Thrive Ovation, it’s a matter of clearly stating what the form is for on your testimonial capture page. This is something we’ve advocated from the beginning and requires no extra consent. This is because the testimonial capture form doesn’t sign anyone up to a newsletter and doesn’t have any other, non-disclosed purpose. The visitor should know that they are submitting text that can be published on the site as a testimonial.
Hi Shane, will I have to purchase thrive comment or it will be included for those who just have the theme? Thanks
Thank you
Hi,
Thanks for the update.
Will it be possible the customer not to be able to hit the subscribe button unless the required check-boxes are ticked?
Thanks!
This is one of the crappy things about GDPR: you aren’t allowed to make checking the box mandatory. Not under certain circumstances anyway. For example, you can’t offer a downloadable and make signing up to a newsletter a mandatory part of it.
The first poster is spot on! In the UK we will be letting people know from the auto-responder confirmation that GDPR is not relevant and by opting in they are accepting all responsibility. Information will never be misused or sold. Very thankful for BREXIT and to pull away from the powers of Brussels. EU needs to focus on bigger problems rather than optins LOL! If they carry on with trying to rule the world, Brussels and Germany will be the only countries left in this “European Union”. I recommend also to get hosting from NON-EU countries, use a VPN and keep yourself safe from these PIRATES.
Brexit won’t save you from this, I’m afraid. The UK have already stated that the same rules will apply in non-EU UK.
Thank you so much for taking this burden from us!
May I suggest, that when you are now pimping Thrive Quizzes, to add some functionality so that it can be used as a real survey tool to ask specific questions to clients where their answers can be stored by tagging in Active Campaign?
Thanks for your comment, Chris. We may add some more features to Thrive Quiz Builder in the future, but for now, our focus is on improving Thrive Architect and releasing a new theme.
Great point Chris. It would be hugely valuable to tag into ActiveCampaign from the Quiz builder.
Thank you, Marco!
Thank you very much for taking us by the hand in this.
I actually am glad this has come up, because I’d been procrastinating over my privacy policy and now I think it is good to have clear guidance.
Thank you for your comment, Edward.
When will these options be available on Thrive Leads and Quiz? Also, if we integrate our Thrive Leads with MailChimp, what do we need to do?
Hello Shane and Team,
Do we need a “Vertrag zur Auftragsdatenverarbeitung” / “Contract for order data processing” with you because of that?
If so, where do we get this?
Best Regards
No. We are not processing any data for you. It’s all happening on your website.
Like already said in the comments: A problem will also be the Google Fonts used in Thrive Leads and Architect. A great feature would be just to somehow have an option to deactivate the loading of Google Fonts and choose some local stored fonts.
According to what I’ve read, Google Fonts are fine to use because Google have a feature they call “Privacy Shield” which will not track visitors coming from the EU.
Hi, regarding the Data Overview & Export, will it apply to the comment section as well?
Thank you
Yes.
Thank you so much for helping us with all this GDPR Crap. I’m soo relieved that Thrive is caring about making all those great Plugins compliant. BUT I came across one stumbling block and maybe you can help me out with it: I heard that with the GDPR it’s no longer legal to use the normal social media share buttons, because these send information to social media sites even when website users don’t click on them. Are the social media share buttons from thrive themes compatible with the GDPR or do they send information to the social media sites by just visiting the website like the normal share buttons do, too?
Hello Jan,
Yes, this is correct but it only applies to the official sharing buttons. Meaning: if you go to Facebook or Twitter or whatever and you generate their social buttons and add them to your site, they load a tracking script. They’re basically monitoring visitors on your site, through these buttons.
However, if you use the social buttons built into Thrive Architect or one of our themes, you don’t have this problem. These buttons don’t include any tracking scripts, so no extra consent is needed.
Thanks. I think it’s great that you are doing this.
Thanks, Thomas. We’re doing our best to look out for our users.
It’s nice that we can at least count on you guys being helpful.
I’m sure these regulations have a purpose other than kicking small and medium businesses in the teeth, but they sure read as that’s the goal.
On top of being hamfisted and byzantine, they are also unclear.
I’ve been reading various guides about GDPR, and the situation is not clear at all…but it seems to me that if you must inform the person of every minute detail concerning their rights and your handling of their data before they can give active informed consent, the only way to be compliant is to link the full privacy policy + terms of use in the check-box text, and make the ticked box a required condition for signup.
Will we be able to make the box tick required to subscribe?
Will the ticked box be somehow recorded in the email marketing software as proof of consent?
Thanks for your comment, Lorenzo.
It’s quite context dependent. If you take some parts of the regulations, it does indeed seem like you’d have to pop up a new prompt asking for the visitor’s explicit consent every time they click on something or make any move on your site. But in practice, you can be compliant without being that annoying.
You can’t make the checkbox required. That would no longer be compliant with the regulation, unfortunately.
I see. So how do we know whether we have consent or not? Does the checkbox trigger a tag or something? This will make things more complicated on the email software front as well, many are not used to segmentation, conditions and such. For some, it will probably mean having to switch to another email marketing software altogether.
The solution I’m looking at is using correct semantics on a first form, the freebie being the “welcome gift” when you subscribe to the updates or whatever, no checkbox. Then use the signup links function to show a different form that tells the returning (and therefore interested) visitor to click a button if they want to receive information on the paid product, which will trigger a new and independent follow up sequence linked to an evergreen launch in T Ultimatum.
This will give me better deliverability and stronger relevancy = lower probability that someone actually files a complaint, which as far as I can see is by far the most likely way you could ever get in trouble.
It however raises the question, HOW DO WE OBTAIN CONSENT FOR BEHAVIORAL MARKETING TRIGGERS?
I swear, these people are either ridiculously incompetent or malicious, or both. This EU behemoth can’t fall soon enough.