How Thrive Themes Products Will Help You With GDPR Compliance

Author
Shane Melaugh   299

​Note: this post does not contain legal advice. Always work with your legal counsel ​to determine the right decisions to make about regulations.

The General Data Protection Regulation (GDPR) is coming for all of us. It's a set of EU laws​ and they apply to EU ​citizens. ​That means that even if your businesses is not in the EU, ​you're still potentially on the hook, because ​people from the EU​ can access your website​​​.​​​

At Thrive Themes, we have been hard at work to help you keep your website GDPR compliant in the easiest and most seamless ways possible.

In this post, you'll discover the GDPR related features that we've already released and get up to date information about the ones we're still working on.

More...

​What Do You Need to Know About GDPR?

This is not a post about GDPR and what it means for online businesses. There is plenty of content on that topic already. If you aren't familiar with GDPR and what it may mean for you yet, here are some useful resources for you:

The Features

At Thrive Themes, we're currently working on feature additions in our products that will make it easier for you to stay GDPR compliant. Here are the features and their current implementation status:

Lead Generation Checkboxes for Explicit Consent

Products:

Thrive Leads, Thrive Architect, Thrive Quiz Builder

Status:

Completed!

For lead generation forms created with our tools, we released a feature to add an optional checkbox for consent. This is so that you can have subscribers tick a box that says something like "I agree to receiving a newsletter and understand that I can unsubscribe any time". This way, you have proof of their explicit consent to receive messages from you. Learn how this feature works.

Data Overview, Export & Removal

Products:

All products

Status:

Completed!

An important part of GDPR is the citizen's right to know what data about them is being collected and the right to have that data deleted.

The WordPress team announced that a data export and removal tool will be added as a core feature. After a few delays, the beta version of this tool was finally released a few days ago. This is good news, because it means we can add data tracked by Thrive Themes products to this tool and you will have a central solution for managing data not only from our products, but from any other plugins and tools you might use (as long as they integrate with this WordPress feature).

Anonymized Data in Thrive Quiz Builder

Products:

Thrive Quiz Builder

Status:

Completed!

Thrive Quiz Builder can be used to gather insights about your audience, such as their personal preferences, their age range and gender or anything else you care to ask during a quiz.

We're about to release a new profiling feature which allows you to toggle between two types of data collection: anonymized and personal.

Personal data collection means you can see which visitor gave which answers, exactly. This requires explicit consent under GDPR. Anonymized means you can see the overall, averaged out results, but you can't track individual answers back to individual users.

Eliminating & Encrypting Personally Identifiable Information in Cookies

Products:

All products

Status:

Completed!

Cookies are an important convenience tool all across the Internet. Without cookies, you'd have to log back into every website where you have an account, every time you return there.

Thrive Themes tools utilize cookies in various ways and will continue to do so. We have released an update to our tools that encrypts or eliminates any personally identifiable information in cookies. Similar to the point above, it means you can still use cookies, but you can't tie tracking information back to a specific user, so as to protect their privacy.

Proof of Opt-In

Products:

Thrive Leads

Status:

Completed!

In the Thrive Leads reporting area, you can see a list of all leads that have signed up and you can see which of your Thrive Leads opt-in forms they have signed up for.

This counts as proof of consent: you can show that the contact with this email address signed up on your website, through a specific form. In other words: you didn't just send this person a spam message they never agreed to receive.

Coming Up

The deadline for GDPR compliance is May 25, 2018. Our team released all of our planned GDPR compliance features before this date and the last integration came into action with the WordPress update to version 4.9.6.

Coming up, we plan to extend and improve the lead generation element, to make the entire setup flow simpler. We have a good solution, but the flow was built without checkboxes in mind. Our next update will give you more advanced options and make things even easier.

Further, we are keeping an eye on GDPR features that are released by services we integrate with. Where it makes sense to do so, we will also update our integrations.

​If you have any questions or feedback about this, please let us know by leaving a comment below.

Shane

P.S.: If you're looking for the previous update video we created about GDPR features, click below.

GDRP features announcement video

by Shane Melaugh  May 11, 2018

299

Enjoyed this article ?

You might also like:

Leave a Comment

  • Thanks for this – be great to have the tick box available ASAP as obviously then we can make sure we’re compliant sooner rather than later – which means fewer people we have to go back to refresh consent from.

      • Really hoping this will be very soon as Mailchimp’s solution is falling short of what I need for a Reconsent campaign… needing this real soon as closer to the date it gets the more chance I will lose a bigger percentage of my list.

      • Thanks, Shane, for your ‘above and beyond’ efforts in our behalf. With regard to the new changes that will be implemented, will you provide examples such as opt-in pages, etc. that will us better understand how this all works?

        As I have only one EU country where I’m doing business, I will just exclude it until the dust settles a little.

        Also will you provide some guidance about how we can create our privacy pages to be compliant with GDPR?
        Thanks!

      • Hello Robert,

        We’ve released this blog post with some guidance and examples of what to do about GDPR for email marketing. We may also provide further tutorials in the future, depending on what questions and feedback we get.

    • Freedom of the press is limited to those who own one.
      —A. J. Liebling

      Seems that if the burdens of (Word)Press ownership can be increased beyond the practical ability of everyday-people/small-biz to carry, then… hmmm.

      • This is definitely problem that small businesses are facing. I’m opposed to regulation like this, not because I don’t like protecting people’s privacy, but because they way it’s implemented is bad for small businesses. Huge, powerful companies can handle this kind of thing with their scores of lawyers and technicians. It’s the little guy that gets chewed up.

    • No, we can’t have that, sorry. We definitely need to get a bunch of rules, regulations and paper-pushers involved.

  • Hey Shane, thanks for the update and I really appreciate you guys working hard to make Thrive products GDPR compliant 🙂

    Does work on these features impact release of new themes in any way? It will be good to have some clarity on release of new themes as well because it was promised quite sometime back and its now becoming a very long wait!

  • THANK YOU! For those of us smaller fish getting started in the online biz world, it is so very helpful to have someone know about, inform, and then assist with something I quite possibly would have walked into without any realization I was getting myself in trouble.

  • Thanks so much for helping us with the new regulations! Are you also planning a feature with a “Cookies get stored” bar? I have seen this on many websites, but I don’t know how to get it (actually do we need this for the new regulations?)

  • The Canadian CASL laws are also challenging (it asks for explicit consent to send info, etc.)

    It sounds like your changes would be helpful for those wanting to be CASL-compliant.

    If so, great!

    If not, can you please tweak it to also be CASL compliant?

    Thanks in advance.

    Trevor

    • Being Canadian, I support and second Trevor’s comment on CASL. The checkbox on opt-in can provide our subscribers the ability to Explicitly consent.

      Thank you Shane M!

    • Thanks for the comment, Trevor. We’ll look into this. On first reading, it seems that these features will also lead to CASL compliance.

  • This. This is why I am an unabashed cheerleader for Thrive themes! Clear and concise explanations along with clear and concise actions that are to me and my customers benefit. Superb.

  • Hi Shane, great to hear the news! Good Job!

    What is about Thrive Comments? Even only for comments we need a checkbox für explicit consent.

    Robert

      • Hi Shane,

        Thrive Comments is still not GDPR complient. The checkbox must appear before the Submit-button. But it appears only to get consent for sending email notifications for replies to the comment.

      • Is there any explanation somewhere how to use and install that checkbox in the latest release? Or when and how new features are implemented? Thanks!

  • Thank you so much for all your efforts and for keeping our business safe.

    In regards to using other tools, I try to keep it down to Thrive Themes only tools, but I always end up using some others. That being said, will the new super theme be released along with the updates mentioned on this post, or will it be released prior to that?

    I’m sorry to ask, but I’m kind of struggling right now with “looks” and “feels” from other themes which are really nice, but not 100% compatible with Thrive Themes Tools (this is a new project I’m working on).

    Once again thank you so much for all your efforts, your great team and of course your great products and entrepreneurial vision.

    • The super theme is coming later. We’re going to start beta testing this month, so a full public release is still a ways out. These GDPR changes on the other hand will start showing up in the next plugin updates already and we’ll keep rolling them out as fast as possible.

      • Hi Shane, Thanks for all you do. May I ask that you consider adding dates to the comments here…so that things like ‘this month’ make some kind of sense? Thanks.

    • We gotta look out for small business owners. This kind of thing is a massive obstacle for the kind of entrepreneur we build our tools for. It’s important for us to serve these entrepreneurs as best we can.

      • And Shane thanks for doing so. Grateful that you care… AND that your company as a small business has the critical mass to address it. Many don’t and their customers will be left hanging.

        When all is said and done, I can’t imagine the expense lines in your P&L associated with this effort for legal, development, and your management time to navigate it all. Grateful!

      • Thank you, Tom. It’s not good for our business any more than for the businesses of our users. But hey, entrepreneurship is problem solving, so let’s get it done. 🙂

  • Well I’m impressed by your commitment to deliver on these important legal changes! Thank you so much for making it easier for small business owners, it’s a relief…

  • Great to see ThriveThemes on top of their game again and adapting to the change. That’s why we love them. 🙂

    Looking forward to the update.
    Thanks, Shane

  • Hi Shane great to see you working on this issue. An another problem regarding gdpr compliance mighty be using google fonts within thrive architects. The ip address can be collected by google without anonymizing.

      • I asked already to have custom fonts with the architect. That would be a great way to implement google fonts on our own server.

        To be gdpr compliant I had to upload them via ftp, enter some new css but still it does not show up correctly everywhere ..

        So .. it would be really nice to have the custom fonts as soon as possible. (Or another solution for google fonts)

  • Hi Shane,

    Thank you for the information on the GDPR and for taking the necessary steps to help us comply. I love the work you guys do by the way – I can’t rave on enough about Thrive Themes and your plugins! If you guys ever want some good ideas for new features or plugins feel free to get in touch – I’m a fountain of ideas just lack the necessary coding skills to make them happen – so passing them off to you guys to implement would be the next best thing 😉

    • Thank you very much, Richard! I appreciate your encouraging words. 🙂

      Regarding ideas: have you joined our beta testing group? That’s the best place for this kind of thing.

  • Seriously cool … and what a painful process to have to undertake. Thank you … really … I really appreciate how you look after us thrive themers 🙂

    • Thank you, Nic! It’s a painful process indeed, but we’re doing our best to make it less so.

      • Hey Shane, what are the chances of Mailchimp allowing the checkboxes to work with your plugins, their GDPR checkboxes say they don’t support any integrations or APIs. Any ideas on if they are going to work with Thrive or if you will have to use a standard embed code instead or switch providers?

      • Thanks for your comment, David!

        Our hands are tied in this regard, until they update their API. There’s nothing we can do from our side.

      • Thanks for confirming, hopefully, they will open it up soon or risk losing a load of customers that don’t want to mess with their fiddly code.

  • Hi, you’re doing a great job and you’re making things easier for your clients. I have a question related to this matter: I have a restricted area on my website and I ask people to register. Up to now, I also subscribed them to my newsletter. According to Gdpr this is not allowed anymore, is it possible to have a checkbox in the registration form, asking to subscribe also to the newsletter? If people don’t check it, they will only register on the website. Thanks in advance

    • If you use one of our lead gen forms to register the users then yes, you will be able to add a checkbox. If you use a different tool for the registration form, you’ll have to look for that tool to support the addition of the checkbox.

      • Where will the data be stored, that the user selected the checkbox? I have to proove that he does.

      • It will be stored in the dashboard on your own site. You’ll have an overview of all the data needed for GDPR compliance, regarding all of our tools.

    • Hello Siliva,

      Can you explain what you mean, exactly? Since I don’t understand the question, the answer is most likely “no”, but I’d like to know more about what feature you’re looking for here.

      • Hi Shane, thx for your interest. It is a contract to show that you handle the personal data which we provide/store/process with the plugins in a way that meets the requirements of the new regulation. E.g. how you store the data, is it send via SSL or not, what would you do in an uncertain case of data loss, do you have an IT security concept …

        To comply with Art. 2 GDPR it is necessary to have a contract with every party in place. Thx for your help.

      • Thrive Themes does not process or store any data for you, in any form. Remember: we sell distributed tools. You run them on your server. You are not passing any data on to a 3rd party.

      • Thanks for the clarity: Thrive itself does not process data. Got it.

        As we are processing data with Thrive tools o our sites we will need to update our site’s T’s&C’s etc.

        It would be wonderful if you could help us out with updates to the Privacy, Terms, and Disclaimer copy as you have in past Theme templates.

      • I’m afraid we can’t do that without inviting all kinds of legal trouble. Our existing templates for this are already provided under the condition that you basically don’t use them and ask your lawyer instead.

      • Hi Shane, doesn’t Thrive Leads transfer data to my e-mail provider?
        When I’ve got the right informations, than we need an data processing contract (in German: Auftragsverarbeitungsvertrag) from Thrive Themes.

      • Yes, but the data is being sent from your website, from your server. Thrive Themes (the company) is not involved in this transfer of data.

  • Hi Shane
    Will the check box on opt-in forms appear on all existing forms or will we have to re-create existing forms individually with the new checkbox? Thanks

    • Hello Martin,

      You will have to edit your opt-in forms manually. The type of consent needed (or whether you need extra consent at all) is highly context dependent, so there’s no catch-all solution for this.

  • Shane, this is by far the best post I have ever seen concerning GDPR. You made it to answer exactly all the questions I had in less than 5 minutes. CONGRATS!
    Best, Christoph

  • Thanks for keeping us informed about this. We Americans fought a war in 1776 because we didn’t want to be ruled by Europe, and we fought two world wars to save Europe. I’ll just block EU residents from accessing my sites, because I will not be ruled by Brussels.

    • You are obviously entitled to your own opinion, but this is not about being “ruled” by Brussels, or anything for that matter.

      It’s about better protecting PEOPLE’s data and privacy and giving them some autonomy (back).

      And while I don’t like this from a logistics point of view (with all kinds of different tools this might be a real pain in the a**) – I think anything that helps protect people and their privacy from either themselves or companies they no longer trust with their personal data, is great.

      • The problem I see with GDPR is not in the alleged cause of protecting people’s privacy. I’m all for that. The implementation of the laws is incredibly ham fisted, though and shows that the laws were written by people who haven’t the faintest clue of what it’s like to run a business.

      • I agree. From a business perspective, like I said, it’s a pain.

        But even as entrepreneurs or people who run a business, we are still individuals first. And I think it’s hard to argue from a individual point of view that this is not a good thing.

        Even though the implementation is done poorly (like most of the times when goverments pass new laws that involves businesses..) – I feel looking at the bigger picture is (more) important.

        Anyway. Looking at this wearing two different hats (our individual vs business pov) is probably where most of disagreements and mixed feelings come from.

      • Yes Shane, and the same was true of Mark Zuckerberg’s testimony before the U.S. Congress. It was obvious senators had not done their homework, resulting in one of my now-favorite memes: Senator, We Run Ads.

      • Yeah, Nick, you tell ’em. Mussolini made the trains run on time, and that was “great” too, in your logic.

      • I think we may be overreaching into the annals of history, as it relates to legislation for Internet businesses…

    • I totally agree!!!

      NOTE: I absolutely LOVE ThriveThemes. LOVE IT. I wouldn’t think of using anyone else. So this rant is NOT about ThriveThemes. This is about the stupid GDPR…

      I have already blocked all EU countries (and quite a few more). Merely LOOKING at a website starts the whole “data” thing. I’m not going to waste my time saving data on people who come into the equivalent of a bricks and mortar store and end up telling me they’re “just looking.”

      According to the EU, anyone can be “just looking” but I’m supposed to use the data-gathering equivalent of the FBI/CIA/NSA and hand over their data at their request, and do it politely? FOR FREE?!?! I didn’t go into business to merely gather, process, control, and give away (FOR FREE?!?!?) what is commonly known as market research — which, according to U.S. laws — is proprietary information not required BY U.S. law to be given away for free to just anyone (including persons “subject” to EU laws). What if people who are “just looking” ARE criminals already? Wouldn’t the FBI/CIA/NSA want to track them? HELLO! I certainly don’t want to be aiding and abetting a bunch of illegal activities that are illegal according to U.S. law.

      Why on earth is anyone using their real name in their email address anyway? It’s not my fault or responsibility what people do with their data online! And it’s not their “jurisdiction” what happens on my website (or behind the scenes where only legal activity takes place, mind you).

      If my physical eyes SEE an EU resident, how on earth am I supposed to follow GDPR — erase their data from my BRAIN when they request their stupid “right to be forgotten?” These stupid GDPR “laws” don’t make any sense in the physical realm! It’s totally outrageous! The EU, itself, can’t even make it work!

      And since reports (as of this writing) are saying that up to 90% of all European companies online and offline are NOT compliant with GDPR (and won’t be by the May deadline), that makes ALL OF THEM operating illegally. And you think the BURDEN of proof is on ME for being legally responsible with their data?!?!? Why should I have the burden of proof for what WILL BE legally designated as non-compliant and therefore ILLEGAL activity on the part of European citizens?!?! My solution: block them. Too much unreasonable and ill-thought out “legal” nonsense. It’s not how physical reality actually works — offline or online. It’s not how LAW works, either.

      GDPR is not at all congruent with current U.S. FTC regulations (not to mention the constitution). The EU has no jurisdiction over the Department of Homeland Security, either. A living person, by definition, is not “the sovereign” such that wherever that person “goes” (online or offline) their “sovereign” jurisdiction follows. When Americans are in Europe, we drive on the side of the road required by your jurisdiction. But when you’re on our land, you drive on OUR side of the road. Got it?

      The GDPR is not legal in the U.S. for all kinds of reasons not the least of which is this: it’s a coerced contract and all coerced contracts are considered legally VOID. Websites in the U.S. are under U.S. jurisdiction AND individual states’ jurisdiction. My business is in the U.S. and other state jurisdictions. Nothing I do is in the EU. I do not target it and I don’t want it. Don’t make ME responsible for something I do not intend to have anything to do with or, now, want to.

      A person “going through” a website they do not own, operate, control, process, etc. is, by definition, not in some kind of sovereign bubble, legally speaking. Their “data” is IN CONTEXT with what they actually DO on a particular website — i.e.: the jurisdiction in which the website, itself, resides and is created in. Literally speaking, any one person going on a website is in someone else’s property. If you come into my house, what you do in it is not “owned” by you, entirely. I can’t behave your behaviors but you can’t “own” the effects of you being in my house. That doesn’t even make any sense in physical reality!

      Besides, how about this: suppose a data subject sends a website owner (data controller/processor) a request for their data files and the website owner (et al) realizes that with third party vendors, etc., it just isn’t possible or realistic to be in possession of a data subjects precious data. It’s already all over the internet because the data subject, themselves, WENT on the web and did stuff. I didn’t do that with their data, THEY did. So, before the dat subject gives a website owner (et al) “consent,” why not put the burden on the data subject IN THE FIRST PLACE by requiring the data subject to send the website owner a file of ALL THEIR DATA ON THER INTERNET so that if/when the stupid data subject sends a website owner the stupid request you can just send it right back to them (since this is exactly what the depth and breadth of GDPR is really about anyway — outsourcing the “scrubbing” of every EU resident’s “data” from the internet because EU residents refuse to take personal responsibility for what they, themselves, actually DO with their data.

      • The burden placed on website owners by these regulations is indeed ridiculous. What’s worse is that there’s a lot of grey area in these regulations. Changing a few words on a landing page can make the difference between needing multiple checkboxes or none at all.

        Just as with the VAT MOSS laws, they’re basically placing a huge obstacle in front of businesses and giving themselves the leverage to sue and fine small businesses out of existence. As I’ve stated in other comments, I’m in favor of protecting people’s privacy, but not like this.

      • Thank you for all that you and the ThriveThemes team do, Shane. I am always impressed by what all of you do for us who use ThriveThemes. Just amazing. So much value!!!!

        And thank you for letting me rant, too, about GDPR. I agree with you about the importance of privacy. While we’re going to be as compliant with GDPR as possible, I have to restructure all our systems for the worst case scenario (that “nightmare letter” I found online was actually a blessing in disguise — some legal expert wrote it to get us all thinking of the worst case scenario and what that would entail. And it really IS a nightmare — it makes me think of getting bogged down in talking to endless users about all their data while NOT doing the business we originally set out to do. Not fun at all.).

        So, after reading all about GDPR from legal experts for over a week now (and still going…), our “legitimate” and “legal reason” for doing business online (and I thought BEING a business WAS the “legal reason” for using data. Unbelievable. LOL!)… is to force our website users to:

        1) check boxes for all the GDPR stuff
        2) accepting our website’s terms and conditions
        3) checking a box that the user gives “explicit consent” (!) that they are NOT a European resident and are a U.S. citizen only (our training really is U.S. specific, luckily).

        I’m not a lawyer, but I do know that we’re covered by U.S. federal law as well as California law (and a few other U.S. jurisdictions, too, not to mention our Federal Trade Commission and U.S. Patent laws) — so the only way to fully protect ourselves is for the user to enter into a contract — and that sucks. It is so utterly ridiculous ̵