Is Webflow an RGPD compliant tool? How to have a RGPD compliant website? Which data protection rules for an e-commerce webflow site? We have written a whole guide to help you understand how to make your Webflow website compliant with European standards. Website or e-commerce, update your legal notice and privacy policy to be RGPD compliant ✅
In this article we look at Webflow and the GDPR (RGPD in French), to help you make your e-commerce or brochure site compliant with European standards.
1 - Is Webflow a RGPD compliant tool?
Yes. Webflow, as a no-code tool and hosting provider, positions itself as GDPR compliant, for several reasons. Keep in mind, though, that a compliant tool does not make a compliant site: the forms, trackers and third-party scripts you add to it are your responsibility as data controller.
First of all, Webflow has a privacy policy dedicated to the European Union ("EU"), the United Kingdom ("UK"), the European Economic Area ("EEA") and Switzerland. It applies to anyone who visits webflow.com or other websites in that domain, or who is a customer of its SaaS web design tool and related services, and details how Webflow collects, uses, discloses and protects data subject information in accordance with UK, EU, EEA and Swiss data protection laws.
In this document, you will find in particular in article 8, "the measures taken to comply with the regulations in the case of data transfer outside the European Union":
"rely on the Standard Contractual Clauses approved by the European Commission [...] for any transfer of data from the US to a country outside [...] the EU [...]"
"Webflow has also certified its compliance with the EU-US Privacy Shield Framework [...] regarding the collection, use, disclosure and retention of personal information transferred from the UK, EU, EEA and Switzerland to the US."
Note that the Privacy Shield was invalidated by the Court of Justice of the EU in July 2020 (Schrems II) and replaced by the EU-US Data Privacy Framework in July 2023; check the current version of Webflow's policy to see which transfer mechanism (Standard Contractual Clauses, Data Privacy Framework) it relies on today.
In the event of a conflict between the terms of the Webflow Global Privacy Policy and the EU & Switzerland Privacy Policy, the EU & Switzerland Privacy Policy will prevail for any conflict relating to UK, EU, EEA or Swiss data subjects.
2 - RGPD and user data: the challenges for your website
What is a cookie?
Cookies are small text files that a website saves on your device when you visit it. They contain information about the user's browsing, such as preferences or a session identifier. Some are necessary for a website to function properly; others only serve to personalise the experience or to track the user.
From a technical point of view, a distinction is made between session cookies, which are deleted when the user closes the browser, and persistent cookies, which remain on the user's hard drive until their expiry date.
On the website side, cookies can be used to measure the website's audience, record information about an e-commerce basket, contact details, offer targeted advertising or even geolocate a user to display the site in the language of their country.
What is the RGPD?
Since 25 May 2018, the General Data Protection Regulation (GDPR) has strengthened France's 1978 Data Protection Act (loi Informatique et Libertés) to provide a better framework for data management. Any organisation in the European Union, whether a start-up, a small business, an SME, an association or a large group, is thus obliged to respect these data protection conditions. The regulation improves transparency on the management of user data and offers real guarantees on the use of personal data by companies.
What data is affected by the GDPR?
Whether it is for e-commerce or a simple online presence, your website collects data. This data varies according to your needs, but is essential for the proper functioning of your website, for your marketing campaigns, for recontacting your visitors, for tracking e-commerce orders, etc. If we look purely at the text, "any information relating to an identified or identifiable natural person" is covered by this regulation. "Identifiable" therefore includes indirect identifiers such as telephone numbers, postal addresses, e-mail addresses, etc.
A large amount of data is collected on a website, and it is this personal data that needs to be protected. Whatever CMS you use, Webflow, Shopify, Wix or WordPress, you will have to set up a data processing and protection policy for your visitors and users, both in your company and on your website.
3 - The rules to follow to have a RGPD compliant website
Rule 1 - Cookies
The cookies and trackers present on your Webflow website must have the consent of your users and visitors, except for those that are strictly necessary. From a GDPR point of view, there are therefore two types of cookies and trackers on a website: those that require consent, and the default ones that are exempt because the site cannot function properly without them.
1 - Cookies subject to consent
- Cookies for advertising retargeting
- Cookies for your marketing campaigns, e.g. your newsletter
- Cookies related to social networks. e.g.: share button to your pages
- etc.
2 - Cookies not subject to consent
- Cookies to record your choice for the use of cookies
- Trackers used for authentication to certain services, e.g. keeping a login session secure, limiting bots, etc.
- Trackers that record the contents of your shopping cart on an e-commerce site or web platform
- Trackers that restrict access to certain parts or features of the site, e.g. access to a paid area
- Cookies allowing to personalize the interface essential to the proposed service. e.g.: the language of the site
- etc.
New 2024 regulations
Since March 2024, Google has required companies using Google Ads or Google Analytics to implement Google Consent Mode v2 for visitors from the EEA and the UK. This is a requirement set by Google, not a change in the law: your consent banner must pass the visitor's choice to Google's tags through the consent API (analytics_storage, ad_storage and the two signals added in v2, ad_user_data and ad_personalization), with everything denied by default until consent is given. A cookie management solution that supports Consent Mode v2 is therefore essential.
Rule 2 - Web forms
Each data collection form must be governed by certain rules. The aim is to meet the principles of visitor information, transparency and consent.
Rule 3 - Privacy Policy
Your site should provide full information about your data collection and processing policy in your privacy policy or in a dedicated section of the legal notice.
Rule 4 - Means of contact
You should identify a person responsible for data management within your company and publish a contact point so that your users can easily exercise their rights.
4 - Steps to make your Webflow site RGPD compliant
Step 1 - Integrate a Webflow cookie banner
The principles of the GDPR are based on information, the collection of consent from your users, the protection of their data and the possibility for them to exercise their rights (access, rectification, erasure, etc.).
Consent must be obtained before any cookie subject to consent is placed. In other words, as long as your visitor has not consented, none of those cookies may be set, which means the third-party script must not even load. The same applies to third-party cookies, such as social network cookies set by a share button: they also require your visitors' consent.
To collect the consent of your Webflow users you must ask them about their preferences as soon as they enter your site. This is done either by a RGPD banner or by a pop-up. This RGPD banner must include several elements:
- All cookies on the site
- Purpose of each cookie
- Ability to accept or decline each cookie
- A link to your privacy policy
You can either use a cookie management tool like Axeptio or create your own Webflow cookie banner. This alternative to Axeptio is the one we recommend for several reasons:
- 100% free
- 100% customisable
- No third-party script to load or trust
- Optimised for your SEO
- Unlimited cookies
- Records consent choices
⚠️ Make sure that every tool that sets cookies on your site is used in a GDPR-compliant way and is only loaded after consent. This applies to tools such as Google Analytics, HubSpot, etc.: check each vendor's data processing terms and where the data is hosted.
💡 Note that you must be able to prove consent: keep a record of each choice (consent or refusal) as evidence. The CNIL recommends asking again after 6 months at most, and an audience-measurement cookie itself should not live longer than 13 months.
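The following is an added example of a home-made consent gate for a Webflow site (custom code in the project's head, or an embed); it is not Webflow's, Axeptio's or Google's code. It ties together the points above: nothing subject to consent is loaded until the visitor has chosen, the choice is stored as a record with a timestamp and policy version so it can be shown as evidence and re-asked after 6 months, and the choice is forwarded to Google Consent Mode v2 (`gtag('consent', 'default' | 'update', ...)`, which is Google's real API). The banner markup (an element with id `consent-banner`, one checkbox per category with `data-category`, accept/refuse/save buttons with `data-action`), the inert `<script type="text/plain" data-category="..." data-src="...">` tags, and the storage key and policy version are assumptions for the example.

```javascript
// Added example, not code from Webflow or from any consent vendor.
// Assumed markup: #consent-banner with input[data-category] checkboxes and
// buttons [data-action="accept-all"|"refuse-all"|"save"]; third-party tags
// written as <script type="text/plain" data-category="ads" data-src="..."> so
// the browser does not execute them until we activate them.
const CONSENT_KEY = 'site_consent';                 // storage key (assumption)
const CONSENT_VALIDITY_MS = 182 * 24 * 3600 * 1000; // ~6 months, CNIL recommendation
const POLICY_VERSION = '2024-03';                    // bump when the cookie policy changes (assumption)
const CATEGORIES = ['analytics', 'ads', 'social'];

// Build the record stored as proof of the visitor's choice. Anything not
// explicitly ticked is treated as refused (opt-in, never opt-out).
function buildConsentRecord(choices, now = Date.now()) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = choices[c] === true;
  return { version: POLICY_VERSION, timestamp: now, granted };
}

// A stored record is usable only if it was given for the current policy
// version and is younger than the validity window; otherwise ask again.
function isRecordValid(record, now = Date.now()) {
  if (!record || record.version !== POLICY_VERSION) return false;
  if (typeof record.timestamp !== 'number') return false;
  return now - record.timestamp < CONSENT_VALIDITY_MS;
}

// Translate the record into Consent Mode v2 signals. ad_user_data and
// ad_personalization are the two signals added in v2; all default to denied.
function consentModeParams(record) {
  const analytics = record && record.granted.analytics ? 'granted' : 'denied';
  const ads = record && record.granted.ads ? 'granted' : 'denied';
  return { analytics_storage: analytics, ad_storage: ads, ad_user_data: ads, ad_personalization: ads };
}

// Categories whose inert scripts may now be activated.
function allowedCategories(record) {
  return record ? CATEGORIES.filter((c) => record.granted[c]) : [];
}

// Read a stored record; a corrupt or missing value counts as "no choice yet".
function loadRecord(storage) {
  try { return JSON.parse(storage.getItem(CONSENT_KEY)); } catch (_) { return null; }
}

function applyConsent(record, gtag) {
  gtag('consent', 'update', consentModeParams(record));
  for (const cat of allowedCategories(record)) {
    document.querySelectorAll(`script[type="text/plain"][data-category="${cat}"]`).forEach((inert) => {
      const live = document.createElement('script'); // activate the script only now
      live.src = inert.dataset.src;
      live.async = true;
      inert.replaceWith(live);
    });
  }
}

// Browser wiring; skipped when the functions above are used outside a page.
function initConsentGate() {
  if (typeof document === 'undefined') return;
  window.dataLayer = window.dataLayer || [];
  function gtag() { window.dataLayer.push(arguments); }
  gtag('consent', 'default', consentModeParams(null)); // must precede any Google tag

  const stored = loadRecord(window.localStorage);
  if (isRecordValid(stored)) { applyConsent(stored, gtag); return; }

  const banner = document.getElementById('consent-banner');
  banner.hidden = false;
  const decide = (choices) => {
    const record = buildConsentRecord(choices);
    window.localStorage.setItem(CONSENT_KEY, JSON.stringify(record)); // evidence of the choice
    banner.hidden = true;
    applyConsent(record, gtag);
  };
  const boxes = () => Array.from(banner.querySelectorAll('input[data-category]'));
  // Refusing must be as easy as accepting: one click each.
  banner.querySelector('[data-action="accept-all"]').addEventListener('click', () => {
    decide(Object.fromEntries(CATEGORIES.map((c) => [c, true])));
  });
  banner.querySelector('[data-action="refuse-all"]').addEventListener('click', () => decide({}));
  banner.querySelector('[data-action="save"]').addEventListener('click', () => {
    decide(Object.fromEntries(boxes().map((b) => [b.dataset.category, b.checked])));
  });
}

initConsentGate();
```

The refusal is stored with the same record shape as an acceptance, so the banner is not shown again on every page view, and the expiry check makes the banner reappear once the 6 months have passed or the policy version changes. Writing the third-party tags as `text/plain` is what actually prevents the cookies from being set before consent; hiding the banner alone does nothing.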
Step 2 - RGPD compliant web forms
In addition to collecting information via cookies and trackers, most websites have web forms. These forms are used, for example, to be contacted from the site, to sign up for a newsletter, to apply for a job, to create a user account, etc.
As for cookies, the rules of the RGPD remain the same on the notions of information and request of consent. You will therefore have to respect certain rules so that each of your web forms is RGPD compliant.
1 - Collect data mandatory or non mandatory
In general, you should only collect the information that is necessary for the purpose of the data collection. If you wish to have more information, you must specify which information is mandatory or not, for example by using an asterisk.
2 - Collecting data from a free field
Since you cannot control what a user types into a free-text field, you must tell the user not to send sensitive information (health data, political or religious opinions, etc., the special categories of data under the GDPR), and moderate what you receive.
3 - Treatment modalities
Indicate how the data will be processed for each form. So as not to clutter the UI of your site, we recommend summarising it in one sentence and adding a "learn more" link to your privacy policy.
4 - Collecting consent
By means of a checkbox at the end of the form, unticked by default, you must obtain the user's consent to the collection of their data. Indicate next to this box how the data will be processed. A pre-ticked box does not count as consent.
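As an added example of the four rules above (not Webflow's code; Webflow still receives the submission as usual), here is client-side logic for a GDPR form: mandatory fields are declared in a schema and flagged with an asterisk, the consent box is never pre-ticked and only a real tick counts, and the submission is stamped with the privacy policy version and time so you can later prove what the person agreed to. The form attribute `data-gdpr`, the field names and the policy version are assumptions.

```javascript
// Added example, not code from Webflow. Assumed markup: a Webflow form with
// data-gdpr, inputs named email, name, message and a checkbox named consent.
const FORM_POLICY_VERSION = '2024-03'; // assumption: bump when the privacy policy text changes

// Mandatory fields get an asterisk; optional ones carry no rule.
const FORM_SCHEMA = {
  email: { required: true },
  name: { required: true },
  message: { required: false },
  consent: { required: true, isConsent: true },
};

// Returns a list of error strings; an empty list means the form may be sent.
function validateForm(values, schema = FORM_SCHEMA) {
  const errors = [];
  for (const [field, rule] of Object.entries(schema)) {
    const v = values[field];
    if (rule.isConsent) {
      // Consent must be an affirmative act: only a boolean true (a ticked box)
      // counts; a string like "on" from a pre-filled value is rejected.
      if (v !== true) errors.push(`${field}: consent is required`);
      continue;
    }
    if (rule.required && (v === undefined || v === null || String(v).trim() === '')) {
      errors.push(`${field}: required`);
    }
  }
  return errors;
}

// Proof-of-consent metadata attached to the submission.
function consentProof(now = Date.now()) {
  return { consent_version: FORM_POLICY_VERSION, consent_at: new Date(now).toISOString() };
}

// Browser wiring; skipped when the functions above are used outside a page.
function wireGdprForm() {
  if (typeof document === 'undefined') return;
  const form = document.querySelector('form[data-gdpr]');
  if (!form) return;
  for (const [field, rule] of Object.entries(FORM_SCHEMA)) {
    if (!rule.required || rule.isConsent) continue;
    const label = form.querySelector(`label[for="${field}"]`);
    if (label) label.textContent += ' *'; // mark mandatory fields
  }
  const consentBox = form.querySelector('input[name="consent"]');
  if (consentBox) consentBox.checked = false; // never pre-ticked
  form.addEventListener('submit', (event) => {
    const values = {};
    for (const field of Object.keys(FORM_SCHEMA)) {
      const el = form.elements[field];
      if (el) values[field] = el.type === 'checkbox' ? el.checked : el.value;
    }
    const errors = validateForm(values);
    if (errors.length) { event.preventDefault(); alert(errors.join('\n')); return; }
    for (const [k, v] of Object.entries(consentProof())) {
      const hidden = document.createElement('input');
      hidden.type = 'hidden'; hidden.name = k; hidden.value = v;
      form.appendChild(hidden); // stored with the submission as evidence
    }
  });
}

wireGdprForm();
```

Client-side checks are a usability aid, not a guarantee: whatever receives the submissions (Webflow's form inbox, a webhook, a CRM) should keep the `consent_version` and `consent_at` fields with the rest of the record, since they are what you will produce if someone asks what they consented to.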
Step 3 - Write your legal notice
Legal notices are essential for the GDPR compliance of your Webflow website. They identify the owner of the website, the publication director and the host, and give essential information about the company. The content required varies according to the sector of activity. Here is the mandatory legal notice content for a company with a commercial activity (these are the French requirements):
1 - Identification
- Company name or business name
- Head office address
- Telephone number and e-mail address
- Legal form of the company (SA, SARL, SNC, SAS, etc.)
- Amount of share capital
- Name of the director or co-editor of the publication and that of the editor, if there is one
- Name, denomination or company name and address and telephone number of the host of its site
2 - Activity
- Company registration number
- Individual tax identification number
- General Terms and Conditions of Sale (GTCS) including the price in euros including VAT, delivery date and costs, payment terms, after-sales service, right of withdrawal, duration of the offer, cost of the distance communication
3 - Notice on the use of cookies
We will go into this part in more detail in Step 4 - Write your privacy policy.
4 - Information on the use of personal data
We will go into this part in more detail in Step 4 - Write your privacy policy.
Step 4 - Write your privacy policy
Every website publisher is obliged to provide access from its website to a privacy policy that complies with the RGPD and the rules of the CNIL. The aim is to provide quick, simple and transparent access to all your practices and purposes in terms of personal data use. This part can either be integrated into your legal notice or separated from it. In both cases, it is necessary for the RGPD compliance of your nocode webflow website.
1 - Accessibility of the privacy policy
Your privacy policy should be accessible from your website with one click. Its content should be understandable to everyone, i.e. avoid technical or legal terms, and be as concise as possible.
2 - Mandatory fields of a privacy policy
- Data controller: identify the data controller (the organisation that decides why and how the data is processed) and give contact details so that anyone can reach it to exercise their rights. If you have appointed a Data Protection Officer (DPO), which is mandatory only in certain cases, give the DPO's contact details too; the DPO and the controller are not the same thing.
- Recipients : a third party tool, a subcontractor, a technical service provider such as a web agency or web host, a data controller within your company.
- Categories of data : identify each type of data you will collect and use (email, telephone, name, surname, etc.)
- Purpose of data collection : you must justify the collection of each data, for example explain that you are collecting an email address in order to contact a user who has contacted you or to subscribe to your newsletter.
- International data transfer : whether or not data will be transferred outside the European Union
- The duration of data retention: define and state a period for each purpose; data must not be kept longer than needed (for audience-measurement data, the CNIL sets a maximum of 25 months).
- The rights of the users concerned by this data: access, rectification, erasure, restriction of processing, data portability and objection.
- Means of contact : indicate the means by which it is possible to exercise one's rights regarding one's data. For example, by sending an e-mail, by post, directly from the website, etc.
- Supervisory authority : you must facilitate access to a supervisory authority such as the CNIL by indicating a contact or making a reference to the site.
Step 5 - Add a cookie policy
To supplement the information in your privacy policy, you can add a cookie or web tracker policy. This policy informs users about the cookies on your website:
- The owner of the cookie: indicate the third party solution if there is one
- The name of the cookie: to uniquely identify it
- The purpose of the cookie: what it does to understand the purpose of the deposit
- How long the cookie is kept: the CNIL recommends 13 months for the retention of an audience measurement cookie and a maximum of 25 months for the information collected.
Step 6 - Secure the data
As we have seen, one of the principles of the GDPR is the security of your users' personal data (Article 32). Some rules are specific to web platforms and e-commerce sites (see 5 - RGPD rules for an e-commerce site or a web platform), but as a minimum your site must be served over HTTPS only, with plain HTTP redirected to HTTPS. Webflow hosting provides TLS certificates for your domain, so make sure SSL is enabled in your hosting settings and stays enabled.
5 - The RGPD rules for an e-commerce website or web platform
All the RGPD rules previously seen in this article apply to e-commerce platforms. However, there are additional rules for e-commerce sites.
Rule 1 - Create a customer account
As we saw earlier, your privacy policy should be accessible at the click of a button from your website. It is usually found in the footer of sites. You should also make this privacy policy accessible from the account creation area, and ask for users' consent via a checkbox.
Rule 2 - Ordering an e-commerce item
For an e-commerce site, you should also provide access to the privacy policy at the time of ordering. In the same way, you will need to obtain the user's consent to validate the order.
Rule 3 - Customer reviews
Even for customer reviews, your e-commerce platform will need to collect consent from users regarding your privacy policy. Most sites only let their customers post reviews, and these customers have already agreed to the privacy policy at the time of purchase.
Small aside 💡 it's also a way to improve the UX of your site by identifying reviews with names, nicknames, or even photos.
Rule 4 - Terms and conditions of sale
As with the privacy policy, the GTCs must be easily accessible on your e-commerce site. They can therefore be found in your footer and contain all the terms and conditions of sale for your products. The GTCs must also be found and validated at the time of purchase of a product or service on your web platform.
Rule 5 - E-commerce site and web platform security
In addition to serving the site over HTTPS, your site must offer certain security features specific to e-commerce and web platforms.
- Require a strong password from your customers when they create an account: a minimum length matters more than forced symbols, and reject known breached passwords where you can.
- Do not store any card or banking data yourself. On Webflow we advise you to delegate all of this to Stripe.
- Secure payment transactions. Again, this is handled directly by Stripe in Webflow: card data goes to Stripe, not to your site, which keeps most of the PCI DSS scope off your hands.
- Make sure your e-commerce providers are secure: check their certifications and sign a data processing agreement with each one.