Making Webflow GDPR-compliant: A simple guide

Note: I am not a legal expert, but a web developer and designer who regularly deals with the topic. The messages, views, and steps I communicate have no binding or legal meaning. They only represent my personal advice.

Webflow has established itself as one of the most popular web design tools in recent years. But with the introduction of the General Data Protection Regulation (GDPR) in the EU, many web designers and companies are faced with the challenge of making their Webflow websites compliant with GDPR. With the new data privacy framework, you can now use Webflow and all its functions without restrictions in the EU. Still, there are a few things the website operator has to consider. In this blog post, I'll show you how to make Webflow GDPR-compliant in just four steps.

1. Data processing agreement with Webflow

Before you launch your website, you'll need to sign a data protection agreement with Webflow. This is an important step to ensure that both you and Webflow comply with GDPR guidelines. Webflow has set up a special service for this purpose, which allows you to easily sign the contract online.

You can sign the agreement directly here: Webflow data processing agreement

Important: The contract must be issued in the name of the account owner. So if you work for a customer who has their own Webflow account, the contract must be concluded on their behalf. In addition, as a company, you must also conclude such a data processing agreement with any service providers who have access to your Webflow website.

2. Update privacy policy

It's important to mention in your privacy policy that you're using Webflow as a hosting service. There are ready-made texts for this, which you can include in your privacy policy. These texts contain links to Webflow's privacy policy and information on order processing.

Example of your privacy policy:

Webflow
We host our website with Webflow. The provider is Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA (hereinafter: Webflow). When you visit our website, Webflow collects various log files, including your IP addresses.

Webflow is a tool for building and hosting websites. Webflow stores cookies or other recognition technologies that are necessary to display the page, to provide certain website functions and to ensure security (necessary cookies).
For details, see Webflow's privacy policy: EU & Swiss Privacy Policy | Webflow.

Webflow is used on the basis of Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in presenting our website as reliably as possible. If a corresponding consent has been requested, processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information on the user's device (e.g. device fingerprinting) within the meaning of the TTDSG. The consent can be withdrawn at any time.
Data transmission to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: EU & Swiss Privacy Policy | Webflow.

Order processing:
We have concluded an order processing contract (AVV) with the above-mentioned provider. This is a contract required by data protection law, which ensures that the provider only processes the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.

3. Install cookie tool

Another important step towards GDPR compliance is installing a cookie tool. This tool should ensure that cookies are only set after the visitor has given their consent. There are lots of different tools to choose from, including:

  • Cookiebot: A popular tool that automatically scans your website and sets the necessary cookies.
  • Cookie script: Another popular tool that offers both a free and paid version.
  • Finsweet: A free and customizable tool that is particularly suitable for Webflow users. This tool enables a 100% individual appearance. However, the integrated systems that want to set cookies must be manually categorized before integration. Finsweet provides detailed instructions for this.

4. Embed Google Fonts locally

The last and perhaps most complex step is the local integration of Google Fonts. If you use Google Fonts the default way, a connection to Google's servers is established every time the page is accessed. To avoid this and be GDPR-compliant, you'll need to save the fonts locally on your website and load them from there.

Step-by-step guide:

  1. Go to Google Fonts and download the font you want.
  2. Go to Webflow and upload the font to Site Settings. Give it a name so that you can distinguish it from the already installed font (e.g. “font-local”).
  3. Replace all instances of the old Google Font with the locally saved version in Webflow.
  4. After you've made the changes, publish the page and open the source code.
  5. Find the “<head>...</head>” tag here and click on the first link that ends with .css.
  6. Search the source code for “font-family”. Every class that does not yet use your local font has to be changed in the following steps.
  7. To do this, go to the Webflow Designer and open the Style Manager (simply press the “G” key).
  8. Here you search for the classes that still contain the old font and jump to where it is used.
  9. Now change the font everywhere to your local font.

If you've done this for all classes, you shouldn't see anything about the Google Font API in the sources anymore (fonts.gstatic.com, fonts.googleapis.com and ajax.googleapis.com must no longer appear here).
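To run the check from steps 5 to 9 outside the browser, the following added example (not part of the original post and not Webflow's own code) scans saved copies of the published HTML and CSS for the three Google hosts and lists the selectors whose font-family does not start with the local font. The sample sources, `example.com` and the function names are constructed for illustration; `font-local` is the name suggested in step 2, and treating the first family in each list as the font in use is an assumption.

```javascript
// Hosts the guide says must no longer appear in the published sources.
const GOOGLE_HOSTS = ["fonts.gstatic.com", "fonts.googleapis.com", "ajax.googleapis.com"];

// Report each line of an HTML or CSS source that references one of those hosts.
function findGoogleHostRefs(source) {
  const hits = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const host of GOOGLE_HOSTS) {
      if (text.toLowerCase().includes(host)) hits.push({ line: i + 1, host });
    }
  });
  return hits;
}

// Step 6: list selectors whose font-family does not start with the local font.
// Regex-based audit, not a full CSS parser; rules inside @media are still found.
function selectorsMissingLocalFont(css, localFont) {
  const missing = [];
  const rule = /([^{}]+)\{([^{}]*)\}/g;
  const stripped = css.replace(/\/\*[\s\S]*?\*\//g, ""); // drop comments
  let m;
  while ((m = rule.exec(stripped)) !== null) {
    const selector = m[1].trim();
    if (selector.startsWith("@font-face")) continue; // declares the font, not a use
    const decl = /(?:^|;)\s*font-family\s*:\s*([^;]+)/i.exec(m[2]);
    if (!decl) continue;
    const font = decl[1].split(",")[0].trim().replace(/^["']|["']$/g, "");
    if (font.toLowerCase() === "inherit") continue;
    if (font.toLowerCase() !== localFont.toLowerCase()) missing.push({ selector, font });
  }
  return missing;
}

// Constructed sample sources (not taken from a real site).
const SAMPLE_HTML = `<head>
<link href="https://example.com/css/site.css" rel="stylesheet">
<script src="https://ajax.googleapis.com/ajax/libs/webfont/webfont.js"></script>
</head>`;
const SAMPLE_CSS = `
@font-face { font-family: "font-local"; src: url("/fonts/font-local.woff2"); }
body { font-family: "font-local", sans-serif; }
.heading { color: #111; font-family: Roboto, sans-serif; }
@media (max-width: 767px) { .nav-link { font-family: 'Open Sans', sans-serif; } }
`;

console.log(findGoogleHostRefs(SAMPLE_HTML));
console.log(selectorsMissingLocalFont(SAMPLE_CSS, "font-local"));
```

An empty result from both functions for every saved source corresponds to the state described above; any selector listed is one to look up in the Style Manager.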

In conclusion, GDPR compliance is an important aspect of web design that should not be neglected. You can use the steps above to ensure that your Webflow site complies with the privacy policy. 🌐🔒

Other important points

Hosting via US servers:
Since the repeal of the Privacy Shield Agreement, the use of Webflow has been subject to legal uncertainty. Depending on the Webflow package, servers in North America and parts of Europe (standard CDN) or worldwide including Asia and Oceania (Global CDN) are used to host the websites. The use of US companies such as Fastly Inc. and Amazon Web Services Inc. to provide websites via external CDNs posed a data protection issue, in particular following the “Schrems II” ECJ ruling of 16.07.2020, as this could lead to a possible transfer of data to unsafe third countries.

The good news:
On 10.07.2023, the European Commission approved and published the recently adopted data protection agreement between the EU and the USA, the EU-U.S. Data Privacy Framework. This agreement confirms that US companies that have been successfully assessed by the International Trade Administration (ITA) and the U.S. Department of Commerce achieve a level of data protection that is equivalent to the requirements of the GDPR. From 17.07.2023, certified US companies were listed on the new website dataprivacyframework.gov. Webflow has also been listed there for some time.

That means:

  1. Webflow hosting can be used again without restrictions.
  2. Webflow forms can be used without restrictions again.
  3. Webflow memberships can be used.

However, there are a few things to consider. The agreement does not change the necessary measures that must be taken by site operators to use Webflow (or any other service) in compliance with data protection regulations.

Next steps:

  1. As a site operator, you must sign Webflow's Data Privacy Addendum (the data processing agreement) before publishing the website.
  2. It is also important to list Webflow as a host in the privacy policy.
  3. It is essential that you use an appropriate cookie consent tool that blocks optional services and cookies until the user gives their consent. External cookies, such as those from Google Analytics, YouTube or Facebook Pixel, may only be loaded if the site visitor gives their consent. I use the cookie consent from Finsweet with the opt-in method. The advantage: CookieConsent can

I hope I was able to help you with my post.
