Weebly has been diligently working to make sure that we are fully compliant with the European Union’s (EU) General Data Protection Regulation (GDPR), which comes into effect on May 25th, 2018. To further support your and your customers’ preparation towards compliance, we wanted to give you an update regarding the new tools and features we’ve built to support the GDPR.
Processing Data Subject Rights Requests
A major component of the GDPR gives site users the right to access, correct, port and erase their personal data. To support the processing of these users’ rights requests on behalf of any site in your Weebly Cloud account, Weebly has implemented the following process for all Cloud partners:
- Site user makes request to Site Owner.
- Site Owner makes request to Weebly Partner.
- Weebly Partner authenticates and confirms request.
- Weebly Partner sends request to Weebly via the Cloud Admin Ticket submission form.
- Weebly handles request within scope of Weebly Partner’s sites and passes details/export to Weebly Partner.
- Weebly Partner follows up with Site Owner or Site User.
There will be no mechanism for your Site Owners or their site users to submit rights requests to Weebly directly. Also, while site owners can delete some user data directly in the product, they must submit a rights request to ensure that the user’s personal data is fully removed from our system. Weebly will fulfill rights requests within the time limit enforced by the GDPR, which is 30 days.
New Cookie Banner
Weebly will automatically display a cookie notification banner on published sites (site owners can configure whether to show the banner only to visitors from EU IP addresses or to all visitors of their site).
If installed App Center apps or your own Cloud Apps rely on published site cookies, they may be impacted by this change. Cookie functionality will be restored on the next page load after the site user’s cookie consent is obtained.
In order for the new cookie banner to display to EU visitors on your FTP-published Weebly sites, the websites must be re-published. It is very important that you communicate this requirement to your customers; otherwise, their sites will not be in compliance with the GDPR.
Alternatively, Weebly Cloud provides you the capability to publish your sites via API, if you wish to forcibly republish your Weebly sites. Please note that if you choose to republish your sites via API, you will be publishing any in-progress changes made in the Editor since the last publish.
New Cookie Opt-Out Element
This element allows a Site Owner to create a cookie opt-out on a page. The element includes a paragraph with disclaimer text above a button labeled “Opt Out of Cookies.” On published sites, if a site’s user has accepted cookies via our new cookie banner, they can use the new Opt-Out Element to opt out at any time. Once they have opted out, the message in the element button will change, and the new cookie banner will once again be placed over the page, prompting them to accept.
Updates to Weebly’s Form and Newsletter Elements
Because many Site Owners choose to collect Site User information with Weebly forms, we are adding an opt-in feature to these forms. Site Owners will now have the ability to enable an opt-in checkbox with compliance language, and to make this opt-in required for submission.
Updated Buyer Address Options for Store Checkout
This update provides sellers with the option of not collecting the buyer address under certain circumstances, such as when selling digital products.
Considerations Regarding Site Stats
There is a chance that Site Stats for sites with a lot of EU visitors might drop due to these users opting to disable cookies.
GDPR Considerations for Your Site Owners
Additionally, we suggest that your Site Owners evaluate any third-party apps and vendors for compliance. If they are using any third-party services to gather or process customer data, they will need to check with those companies to verify that they are GDPR compliant and will assist them with, among other things, site users’ data removal and portability requests.
GDPR Considerations for Your Weebly Cloud Apps
If you have built and deployed private Cloud Apps to any of your sites that are located in the EU, and your app uses “consent” as the lawful basis for data processing, the GDPR may require that you obtain conspicuous and affirmative end user consent before any personal data may be collected, transported, or used (to the extent originating from an end user located in the EU). Your app’s interface must include a data usage consent form so users know exactly how your app will use their personal data.
Weebly Cloud developers who are also data controllers are responsible for the protection of consumer data, no matter where it eventually resides. Please consult an attorney or take extra caution when launching software with known vulnerabilities and/or storing data. Likewise, the GDPR may be relevant when your app uses code for data processing.
We want to make sure that you and your customers are confident heading into May 25th, so if you have any questions about Weebly’s GDPR readiness, please reach out to your designated account manager, or business development contact, and we will be happy to help.
Please note that the information provided above is for general informational purposes only and does not constitute legal advice; it has not been prepared with your specific circumstances in mind and therefore may not be suitable for use in your business. By relying on the information contained in this message, you assume all risk and liability that may result.
Nothing in this article or the links provided herein constitutes legal advice. Please consult an attorney for recommendations on GDPR compliance for your site.
You can find the Weebly Data Processing Agreement here.