GDPR Guide for Your Webflow Showcase and E-commerce Site

Documentation
March 20, 2023
3 min
Key points

In this article, we cover everything about GDPR compliance in Webflow to help you align your e-commerce site or showcase site with European standards.

1 - Is Webflow a GDPR compliant tool?

YES, Webflow is a no-code tool that is 100% compliant with GDPR, for several reasons.

Firstly, Webflow has a privacy policy dedicated to the European Union ("EU"), the United Kingdom ("UK"), the entire European Economic Area ("EEA") and Switzerland. It applies to anyone who visits the webflow.com website and the other sites within that domain, or who is a customer of its SaaS tool, web design software, or any other related tools and services. This privacy policy outlines how Webflow collects, uses, discloses, and protects the personal information of individuals as part of the service, in accordance with the applicable data protection laws in the UK, the EU, the EEA, and Switzerland.

In this document, you will find, particularly in Article 8, "the measures taken to comply with regulations concerning the transfer of data outside the European Union":

"we rely on the Standard Contractual Clauses approved by the European Commission [...] for any transfer of data from the United States to a country located outside [...] of the EU [...] "
"Webflow has also certified its compliance with the EU-U.S. Privacy Shield Framework [...] concerning the collection, use, disclosure, and retention of personal information transferred from the UK, the EU, the EEA, and Switzerland to the United States."

In case of a conflict between the terms of the global privacy policy of Webflow and the EU & Switzerland privacy policy, the EU & Switzerland privacy policy will prevail for any conflict related to individuals from the UK, the EU, the EEA, or Switzerland.

2 - GDPR and User Data: What’s at Stake for Your Website

What is a cookie?

Cookies are small text files that a website stores on your computer when you visit it. They contain information about the user's browsing preferences. They are essential for the proper functioning of websites and enhance the user experience.

From a technical perspective, we differentiate session cookies, which are deleted when the user closes the browser, from persistent cookies, which remain on the user’s hard drive until their expiration date.

On the website side, cookies allow for measuring the site's traffic, storing information about shopping carts, contact details, offering targeted advertisements, or even geolocating a user to display the website in their country's language.

What is GDPR?

Since May 25, 2018, the GDPR, or General Data Protection Regulation, has strengthened the Data Protection Act of 1978 to better regulate the management of personal data. Every organization within the EU (start-ups, small and medium-sized enterprises (SMEs), associations, large groups, etc.) is required to comply with these data protection requirements. This legislation improves transparency regarding the management of user data and offers genuine guarantees about how companies use personal data.

What data is covered by GDPR?

Whether for e-commerce or a simple online presence, your website collects data. This data varies according to your needs, but it is essential for the proper functioning of your website, for your marketing campaigns, for recontacting your visitors, for tracking e-commerce orders, etc. According to the regulation, "any information concerning an identified or identifiable natural person" is covered. "Identifiable" includes indirect identifiers such as phone numbers, postal addresses, email addresses, etc.

A significant amount of data is collected on a website, and it is this personal data that must be processed in compliance with the regulation. Regardless of the CMS used (Webflow, Shopify, Wix, WordPress), you will need to implement a data processing and protection policy for the visitors and users of your website, both on the site itself and within your organization.

3 - Rules to Follow for a GDPR Compliant Website

Rule #1 - Cookies

Cookies and trackers on your Webflow site must obtain the consent of the users and visitors of your website. From a GDPR perspective, there are two types of cookies and trackers on a website: those that require consent, and the default cookies or trackers that are exempt because they are necessary for the proper functioning of the website.

1 - Cookies Requiring Consent

  • Cookies for advertising retargeting
  • Cookies for your marketing campaigns, e.g., your newsletter
  • Cookies related to social media, e.g., share buttons for your pages
  • etc.

2 - Cookies Not Requiring Consent

  • Cookies that save your choice regarding cookie usage
  • Trackers related to authentication for certain services, e.g., ensuring authentication security, limiting bots, etc.
  • Trackers to store the content of your cart on an e-commerce site or web platform
  • Trackers to restrict access to certain parts or features of the site, e.g., accessing a paid area
  • Cookies that personalize the interface necessary for the service offered, e.g., the language of the site
  • etc.

New Regulation in 2024

Since March 2024, regulations have evolved, and companies using Google solutions such as Google Ads or Google Analytics must comply with the new Google Consent Mode V2 (CoMo 2). It is now essential to use a compliant cookie management solution.

See also: Guide on Google Consent Mode V2.

Rule #2 - Web Forms

Each data collection form must adhere to certain rules. The goal is to meet the principles of informing the visitor, transparency, and obtaining consent.

Rule #3 - Privacy Policy

Your site must provide complete information about your data collection and processing policy in your privacy policy or in a dedicated section of your legal mentions.

Rule #4 - Contact Method

You must identify a person responsible for data management within your organization and provide a contact point for your users to easily exercise their rights.

4 - Steps to Make Your Webflow Site GDPR Compliant

Step 1 - Integrate a Cookie Banner in Webflow

The principles of GDPR rely on informing users, obtaining their consent, protecting their data, and enabling them to exercise their rights (modification, deletion, collection, etc.).

Consent must be obtained before cookies are placed. In other words, until your visitor has given their consent, no tracker may be set, apart from the cookies that do not require consent. Similarly, if your website uses trackers from third-party solutions, such as social media cookies via share buttons, you will also need to obtain the consent of your visitors.

To collect your Webflow users' consent, you must ask for their preferences as soon as they enter your site, either through a GDPR banner or a pop-up. This GDPR banner should include several elements:

  • List of all cookies on the site
  • Purpose of each cookie
  • Option to accept or refuse each cookie
  • A link to your privacy policy

You can either use a cookie management tool like Axeptio or create your own Webflow cookie banner. This alternative to Axeptio is the one we recommend for several reasons:

  • 100% free
  • 100% customizable
  • 100% secure
  • Optimized for your SEO
  • Unlimited cookies
  • Data recording
⚠️ Ensure that every tool you use to deposit cookies is compliant with GDPR. This is the case for tools like Google Analytics, Google Search Console, Hubspot, etc.
💡 Note that the collection of this consent should be retained as proof for at least 6 months. Furthermore, the consent given by the client is recorded for a maximum of 13 months.
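The consent-before-placement rule above is easiest to respect when the banner and the trackers are wired together in code. The following is an added example written for this guide; it is not code from the original article, from Webflow, or from Axeptio. It is the kind of script you would paste into a Webflow custom-code embed: each tracker is declared with a category, only "necessary" trackers load before any choice is made, the other categories load only once the visitor has accepted them, the choice is stored in a first-party cookie capped at 13 months, and a timestamped record is produced so the proof of consent can be kept for the 6 months mentioned above. The cookie name, policy version, banner element id and script URLs are assumptions, not real tags.

```javascript
// Added example (not code from the original article or from Webflow):
// a minimal consent layer for a Webflow custom-code embed.
// Cookie name, policy version, element id and script URLs are assumptions.

const CONSENT_COOKIE = 'cookie_consent';                  // hypothetical cookie name
const POLICY_VERSION = '2024-03';                         // hypothetical; bump when the policy text changes
const CONSENT_MAX_AGE_SECONDS = 13 * 30 * 24 * 60 * 60;   // ~13 months, the article's maximum
const CATEGORIES = ['analytics', 'marketing', 'social'];  // categories that need consent

// Declared trackers (URLs are placeholders, not real tags).
const TRACKERS = [
  { id: 'cart-session',     category: 'necessary', src: null },
  { id: 'google-analytics', category: 'analytics', src: 'https://analytics.example/tag.js' },
  { id: 'ads-retargeting',  category: 'marketing', src: 'https://ads.example/retarget.js' },
  { id: 'social-share',     category: 'social',    src: 'https://social.example/share.js' },
];

// Read the consent record back from a document.cookie string.
// Anything missing, malformed or written under an older policy version
// counts as "no consent", so the banner is shown again.
function parseConsent(cookieString) {
  if (!cookieString) return null;
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    try {
      const record = JSON.parse(decodeURIComponent(rest.join('=')));
      if (record.v !== POLICY_VERSION || typeof record.c !== 'object' || record.c === null) return null;
      return record;
    } catch (e) {
      return null;
    }
  }
  return null;
}

// Build the document.cookie assignment for the visitor's choices.
// Every category is stored explicitly (a refusal is a choice too); the
// cookie is first-party, Secure, SameSite=Lax and expires after 13 months.
function buildConsentCookie(choices, now = Date.now()) {
  const record = { v: POLICY_VERSION, t: new Date(now).toISOString(), c: {} };
  for (const category of CATEGORIES) record.c[category] = choices[category] === true;
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE_SECONDS}; Path=/; SameSite=Lax; Secure`;
}

// Trackers that may load: exempt ones always, the rest only with consent.
function allowedTrackers(consent, trackers = TRACKERS) {
  return trackers.filter(
    (t) => t.category === 'necessary' || (consent !== null && consent.c[t.category] === true),
  );
}

// Proof-of-consent record to send to your backend and keep for at least 6 months.
function proofRecord(consent, visitorId) {
  return { visitorId, policyVersion: consent.v, givenAt: consent.t, choices: { ...consent.c } };
}

// Browser side (skipped under Node): inject only the allowed scripts.
function injectTracker(tracker) {
  if (!tracker.src) return;
  const script = document.createElement('script');
  script.src = tracker.src;
  script.async = true;
  document.head.appendChild(script);
}

if (typeof document !== 'undefined') {
  const stored = parseConsent(document.cookie);
  if (stored === null) {
    // No valid consent yet: reveal the banner (hypothetical element id) and wire
    // its "save" button to: document.cookie = buildConsentCookie(choices);
    // then allowedTrackers(parseConsent(document.cookie)).forEach(injectTracker);
    const banner = document.getElementById('cookie-banner');
    if (banner) banner.removeAttribute('hidden');
  }
  allowedTrackers(stored).forEach(injectTracker);
}
```

Two design choices matter here. The tracker scripts are never written into the page HTML; they are injected only after `allowedTrackers` has filtered them, which is what makes "no tracker before consent" verifiable in the browser's network tab. And the stored record carries the policy version, so a change to your privacy policy automatically invalidates old consent and shows the banner again instead of silently reusing a choice made under different terms.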

Step 2 - GDPR Compliant Web Forms

In addition to collecting information via cookies and trackers, most websites have web forms. These forms can be used for contact from the site, signing up for a newsletter, applying for a job, creating a user account, etc.

Just as with cookies, the GDPR rules remain the same concerning the notions of information and consent request. Therefore, you must adhere to certain rules to ensure that each of your web forms is GDPR compliant.

1 - Collecting Mandatory and Non-Mandatory Data

In general, you should only collect the information essential to the data collection objective. If you wish to gather more information, you must specify which are mandatory or non-mandatory, for example, by using an asterisk.

2 - Collecting Data from a Free Text Field

To moderate the content and information you gather, you must inform the user that no sensitive information should be submitted.

3 - Processing Terms

Specify the terms of data processing for each form. To avoid cluttering your site's UI, we recommend summarizing them in one sentence and directing your visitor to your privacy policy, for example: "Learn more in our privacy policy."

4 - Reaffirming Consent

Through a checkbox at the end of the form, you should collect the user's consent for data collection. Indicate next to this box the terms of processing.
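The four form rules above are client-facing, but the checks also have to hold on the server, where the submission actually arrives. The following is an added example for this guide, not code from the original article or from Webflow's form handling: a validator for a contact-form payload that marks mandatory fields with an asterisk (rule 1), bounds the free-text field (rule 2), refuses the submission unless the consent checkbox was ticked (rule 4), and records when and under which policy version consent was given. The field names, length limits and policy version are assumptions.

```javascript
// Added example (not code from the original article or from Webflow's
// form handler): server-side validation of a GDPR-compliant web form.
// Field names, limits and the policy version are assumptions.

const FORM_SCHEMA = {
  fields: {
    email:   { required: true,  maxLength: 254 },
    name:    { required: false, maxLength: 100 },
    message: { required: true,  maxLength: 2000 },   // free-text field
  },
  consentField: 'privacy_consent',   // the checkbox at the end of the form
  policyVersion: '2024-03',          // hypothetical: which policy text the visitor saw
};

// Rule 1: label helper that marks mandatory fields with an asterisk.
function fieldLabel(field, schema = FORM_SCHEMA) {
  return schema.fields[field].required ? `${field} *` : `${field} (optional)`;
}

// Values an HTML checkbox or a JSON client sends for "checked".
// The box must be unchecked by default in the HTML: a pre-ticked box is not consent.
function isAffirmative(value) {
  return value === true || value === 'on' || value === 'true' || value === '1';
}

// Validate one submission. Returns the cleaned data plus a consent record,
// or a list of errors; nothing is stored when ok is false.
function validateSubmission(payload, schema = FORM_SCHEMA, now = Date.now()) {
  const errors = [];
  const data = {};
  for (const [field, rule] of Object.entries(schema.fields)) {
    const raw = typeof payload[field] === 'string' ? payload[field].trim() : '';
    if (rule.required && raw === '') {
      errors.push(`${field} is required`);
    } else if (raw.length > rule.maxLength) {
      errors.push(`${field} exceeds ${rule.maxLength} characters`);
    } else if (raw !== '') {
      data[field] = raw;
    }
  }
  // Rule 4: refuse the submission without an explicit tick, and record when
  // and under which policy version consent was given (proof for later).
  let consent = null;
  if (isAffirmative(payload[schema.consentField])) {
    consent = {
      field: schema.consentField,
      policyVersion: schema.policyVersion,
      givenAt: new Date(now).toISOString(),
    };
  } else {
    errors.push(`${schema.consentField} must be checked`);
  }
  return { ok: errors.length === 0, errors, data, consent };
}
```

Keep the consent record alongside the submission it belongs to; if the visitor later exercises their rights, the record shows which policy text they agreed to and when.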

Step 3 - Draft Your Legal Mentions

Legal mentions are essential for the GDPR compliance of your Webflow website. They identify the site owner, the publication director, and the hosting provider, and provide essential information about the company. The mandatory legal mentions on a website vary by sector. Here are the mandatory legal mentions for a commercial business:

1 - Identification

  • Company name or trade name
  • Head office address
  • Phone number and email address
  • Legal form of the company (SA, SARL, SNC, SAS, etc.)
  • Amount of share capital
  • Name of the director or co-director of publication and that of the editorial manager, if applicable
  • Name, trade name or corporate name, address and phone number of the website's host

2 - Activity

  • Registration number with the trade and companies register
  • Individual tax identification number
  • General terms of sale (GTC) including prices inclusive of tax in euros, delivery fees and dates, payment methods, customer service, right of withdrawal, offer duration, cost of remote communication

3 - Mentions on the use of cookies

We will elaborate on this part in Step 4 - Draft Your Privacy Policy.

4 - Mentions on the use of personal data

We will elaborate on this part in Step 4 - Draft Your Privacy Policy.

Step 4 - Draft Your Privacy Policy

Every website editor is obliged to provide access from their site to a privacy policy compliant with GDPR and CNIL rules. The goal is to give rapid, simple, and transparent access to all your practices and purposes regarding the use of personal data. This section can either be integrated into your legal mentions or kept separate. In both cases, it is necessary for the GDPR compliance of your nocode Webflow site.

1 - Accessibility of the Privacy Policy

Your privacy policy must be accessible from your site with one click. Its content must be understandable to all; that is to say, avoid technical or legal terms and be as concise as possible.

2 - Mandatory Fields in a Privacy Policy

  • Data Controller: identify the data controller, known as the DPO, and provide their contact information so that anyone can reach out to exercise their rights.
  • Recipients: a third-party tool, a subcontractor, a technical service provider such as a web agency or web host, a data processing manager within your company.
  • Categories of Data: identify each type of data you will collect and use (email, phone, name, surname, etc.)
  • Purpose of Data Collection: you must justify the collection of each data point, for instance, explain that you collect an email address primarily to recontact a user who has reached out or to subscribe them to your newsletter.
  • International Data Transfers: will the data be transferred outside the European Union or not
  • Data Retention Period: 25 months maximum for the CNIL
  • Users' Rights Concerning Their Data: the ability to access, modify, delete, oppose, or erase all their data.
  • Contact Method: indicate how it is possible to exercise one’s rights concerning their data. For example, by email, by post, directly from the site, etc.
  • Supervisory Authority: you must facilitate access to a supervisory authority such as the CNIL by providing a contact or redirecting to the site.

Step 5 - Secure the Data

As we have seen, one of the principles of GDPR is the security of your users' personal data. To achieve this, various security rules must be followed on your website. Some rules are specific to e-commerce platforms and websites (see 5 - GDPR Rules for an E-commerce Site or Web Platform), but in general, your site must be served over HTTPS.

5 - GDPR Rules for a Webflow E-commerce Site or Web Platform

All the GDPR rules previously outlined in this article apply to e-commerce platforms. However, additional rules complement those for e-commerce websites.

Rule #1 - Customer Account Creation

As previously mentioned, your privacy policy must be accessible in one click from your website. It is typically found in the footer of sites. You must also make this privacy policy accessible from the account creation space and request consent from users via a checkbox.

Rule #2 - Ordering an E-commerce Item

For an e-commerce site, you must also provide access to the privacy policy at the time of order. Similarly, you will need to obtain the user’s consent to validate the order.

Rule #3 - Customer Reviews

Even for customer reviews, your e-commerce platform must collect users' consent regarding your privacy policy. Most sites allow reviews only from their customers. These customers accepted the privacy policy at the time of purchase.

💡 Small note: this is also a way to improve the UX of your site by identifying reviews with names, usernames, or even photos.

Rule #4 - General Terms of Sale

Just like with the privacy policy, the GTC must be easily accessible on your e-commerce site. They can be located in your footer and encompass all the terms and conditions of selling your products. The GTC must also be present and validated at the time of purchasing a product or service on your web platform.

Rule #5 - E-commerce Site and Web Platform Security

In addition to being served over HTTPS, your site must implement certain security measures specific to e-commerce and web platforms.

  • Require your customers to create a “complex” password to set up their accounts.
  • Do not retain payment data. On Webflow, we recommend managing all this with Stripe.
  • Secure payment transactions. The same applies, directly managed by Stripe in Webflow.
  • Ensure the security level of your e-commerce service providers.
Thomas Labonne
Co-founder
