Sygnal's 4 Project Zones
Published
May 28, 2023
We are not lawyers, and this is not legal advice. If you need current, accurate advice to base your decisions on, contact a lawyer who can provide that. Use of this information is entirely at your own risk.

Sygnal's perspective on how to best align our work with the GDPR and other privacy initiatives ( CCPA, CPRA, COPPA, HIPAA... ) is continually evolving.

That said, here's my take on the impact of these changes, and how it affects my agency Sygnal and our clients.

Our four zones of website projects

Based on current legislation, we loosely organize projects into one of four zones. Each zone progressively adds design, technical, legal, and planning requirements on top of the previous zone.

These classifications affect certain decisions regarding data capture, cookies, privacy policies, data processing, and the design and messaging of forms on the site.

They also give us a common ground for dialogue and planning with our clients and technical team. This ensures that all of the pieces - legal, design, technical, and budget planning, are clearly communicated and usefully organized.

Zone 1 - The "NZ" zone

  • No cookie consent dialogs required, so we avoid them to allow for a cleaner and less intrusive UX.
  • Clear, easy-to-find, easy-to-understand privacy policy. Clear communication of how data will be used.
  • Good data security.
  • Breach notification, if customer data is ever exposed - either in private internal databases, in Webflow's own forms-data storage, or in online services like Salesforce, Zapier, Stripe...

Zone 2 - The "California" zone

All of the above, plus...

  • Customer opt-out ability regarding customer data resale ( if this is relevant )
  • Inclusion of a delete-my-data page and process.
  • Specific privacy policy to cover CCPA / CPRA regulations.

Zone 3 - The "GDPR" zone

All of the above, plus...

  • Cookie consent.
  • Specific requirements on form messaging and behavior.
  • Specific privacy policy to cover GDPR regulations.

Zone 4 - The "Germany" zone

All of the above, plus...

  • Data sovereignty. Significant changes need to be made regarding hosting and data storage, especially regarding access to third-party resources ( Google Fonts, Google Maps... ), tracking, and storage of form data.

Which countries are where?

Good luck figuring that out. Our approach to date is:

  • NZ clients are zone 1. We don't usually include cookie consent, since it impedes the site UX badly.
  • US clients are zone 2, since California is necessarily covered.
  • Canadian clients are in zone 1 or 2, depending. If they do substantial business in the US, we treat them as zone 2.
  • European and multinational clients are in zone 3.
  • German and Chinese clients are in zone 4, as both have data sovereignty laws that require the storage of data within country borders.

But the pieces are continually moving.
