Uncode is a flexible WordPress theme that can use (depending on user choice) external services like YouTube, Vimeo, SoundCloud, Spotify, Google Fonts, Twitter, Facebook and Tracking codes. All these popular services use cookies and scripts that send personal data, such as the IP address, to the provider of the service in exchange for the free service offered (this is the same thing that happens when you use the YouTube website, etc.). According to the new GDPR legislation, a user must agree through explicit consent before these services are used and before each type of personal data is processed.

Let’s try to understand. When you use a service like Google Fonts, Google Analytics, YouTube, Facebook, or Twitter on your website, some personal data (usually your IP address) is sent to the provider in exchange for the free service offered. This data is then used to create targeted advertisements. Suppose that on your website’s home page, you use a YouTube video as the background for your main header. When this video is watched, some personal data about the viewer is sent to service provider (YouTube). It’s not compliant with the GDPR to simply include the video and communicate to the user that it's possible to disable it. After all, by the time the page loads, YouTube (in this example) has already collected some personal data.The GDPR stipulates that users will first have to provide approval through consent before any data is processed. Obtaining this consent needs to be of the utmost importance.

For this reason, we have developed the Uncode Privacy Plugin. When this plugin is installed and properly configured, it’s possible to block usage of third-party services up to the explicit consent of the user. Note that the use of this plugin is not mandatory. It's website owner chose to evaluate whether to use this plugin based on geographic target, the type of content offered and the type of compliance to GDPR each intends to implement. However, it’s our intention to provide our customers with all the tools needed to be compliant with the new terms imposed by GDPR.

Privacy Plugin demo

To better understand the features of this plugin and the Uncode’s implementations, we created on our official website a page that can help to understand the functionality. In this page, there are videos, embedded and as background, and some audio elements, as embedded. When accessing the page, it will not be possible to display these items because the consent was not expressly stated. When the privacy preferences open, and you set the related consents, the page will be reloaded and it will be possible to view all items.

• Uncode Privacy Plugin demo

Privacy Banner and Preferences

• Privacy Banner
  When the plugin is installed and correctly configured, a banner, with a notification that informs the user that the site makes use of cookies and third party technologies, will appear on every page of the site. The message can be configured by the user according to own needs. From this banner, it’s possible to open the privacy preference, where the user can accept and approve all consent required, screenshot .
• Privacy Preferences Manager
  Clicking on 'Privacy Preferences' is possible to open the Privacy Preferences Manager. From this window, users can set specific consent and update their own settings, screenshot .

General Settings

This section handles the settings for the Privacy Policy Page link, the Privacy Banner text, the Privacy Excerpt text and the Consent Notice text screenshot :

• Privacy Policy Page
  If selected enable the link to your Privacy Policy page in the Privacy Preferences Manager. If you do not have a Privacy Policy, you can generate one through the many free tools online. Anyway our suggestion is to consult a legal expert or use a convenient tool such as Iubenda.
• Privacy Banner Text
  In this field, please insert the Privacy Banner text. If the Privacy Banner Text is not filled out, the Privacy Banner will not show up.
• Privacy Excerpt Text
  In this field, please insert the Privacy Excerpt text, it will be visible in your own Privacy Preferences Manager.
• Consent Notice Text
  In the Consent Notice Text, please enter the fallback notice text that will be shown if the user has not enabled a consent. In this field, it is desirable to insert a link to the Privacy Preferences Manager, to change the settings. We have therefore inserted a convenient shortcode [uncode_privacy_box] Privacy Settings [/uncode_privacy_box].

Consents

In this screen, you can configure the consents for your site. In Uncode, you have defaults consents that enable you to use the fallback functions for all native elements. To add one consent verification, please enter one of the following names (IDs). Pay attention to name your Consents IDs exactly as directed, it's important to respect the same IDs (name), screenshot :

• YouTube
• Vimeo
• SoundCloud
• Spotify
• Twitter
• Facebook
• Google Fonts
• Tracking

Fallbacks

In Uncode you have fallbacks for all native elements that send personal data to third-party services, so as to make the user experience conform as much as possible to the original design and make it at the same time aware of new terms/options arising from GDPR. These include:

• YouTube or Vimeo video background:
  If the site uses a YouTube or Vimeo background video, and consent has not been confirmed, this video will not be visible. Uncode will use as fallback the Media Poster applied to the video. If a video background is fundamental for the user experience, it is of course recommended to use a self-hosted video that does not imply the execution of scripts by third parties.
• YouTube, Vimeo, SoundCloud, Spotify, Twitter and Facebook embeds 
  If the site uses a YouTube, Vimeo, SoundCloud or Spotify embedded element, and consent has not been confirmed, the embedded material will be not visible. Uncode will show a notice, stating that the content cannot be presented for privacy restriction, with a link to open the Privacy Preferences, screenshot .
• Google Fonts 
  If the site uses Google Fonts, and consent has not been confirmed, Google Fonts will not be shown on the site. We remember when you use Google Fonts, via the Google API, that some personal data are sent to Google in exchange for the free service offered. Our suggestion is to start using self-hosted fonts solutions. In fact, it’s possible to also use Self-hosted Google Fonts installed on your server without using the Google API. If interested, please follow the dedicated documentation. If anyway you plan to use this method is suggest to specify the Fallback Font in Theme Options > Customise > General.
• Tracking
  If the site uses some tracking codes inserted in the Theme Options > CSS/JS > Tracking, and consent has not been confirmed, the tracking codes will not be inserted into the pages. Please note that with tracking codes we refers more 'aggressive' tracking codes like Facebook Pixels. If you are interested in compliance for Google Analytics please follow the relative documentation. 

Visual Composer Consent Logic

A new interesting feature is the Consent Logic. With the Consent Logic you can include or exclude Visual Composer rows based on the user's consent. This is convenient if you use extra modules or plugins that send or collect data. When the Privacy Plugin is active and you have defined at least a consent, in each row and inner row you have a new 'Consent' tab. If you want to include or exclude a row, based on user's consent, you just need to set the consent and define the 'Include' or 'Exclude' options, screenshot .

• Exclude:
  If a specific consent is confirmed the row is excluded from the page, otherwise is included.
• Include:
  If a specific consent is confirmed the row is included from the page, otherwise is excluded.

Let's assume you have in your page an extra plugin that sends personal data (ex: Instagram, geolocation Map, Facebook module, etc), with the Consent Logic you can exclude this row until consent is given and include another row (when consent is not given),  screenshot .

You can create the fallback content manually or by using the new Consent Notice module (easy fallback) inside a row with Consent Logic option applied, screenshot .

Shortcode

If you need to use media from extra services that send data in your text using the native WordPress editor (for example, a video inserted in an article without Page Builder), we have also created a simple shortcode you can benefit:

[uncode_privacy_consent id="youtube" logic="include"]Your Media[/uncode_privacy_consent]

Cache Plugins

It’s important to highlight the changes regarding the use of cache plugins. If you want to take advantage of the GDPR features please note that it is no longer possible to use an aggressive cache that convert all pages of your site into static content. For example, a page containing a video must vary (be dynamic) depending on whether consent is expressed or not.
In Uncode, if you use WP Rocket, you can automatically exclude from cache pages that have a consent dependant element and the consent is active. The page will be not served as cached page and may vary based on user choices. To activate this feature paste this code in your Child Theme functions.php:

<?php
add_filter( 'uncode_checking_consent', 'uncode_append_to_consent', 10, 2 );
function uncode_append_to_consent( $bool, $consent_id ){
 add_filter( 'do_rocket_generate_caching_files', '__return_false' );
};

If you use other good cache plugins you should have an option to exclude selective pages from the cache, alternatively you can use the function above with the proprietary filter of your plugin.

For developers

If you need to implement a custom consent and code some actions based on this consent you can use a function like this:

if ( uncode_toolkit_privacy_has_consent( 'your-custom-consent-id' ) ) {
  // We have the consent, so run my custom code
} else {
  // We don't have the consent, show a fallback
}

The same function is available in Javascript:

if ( uncode_toolkit_privacy_has_consent( 'your-custom-consent-id' ) ) {
  console.log( 'We have the consent!' );
}

Important

It’s important to note that it is the responsibility of every company or website owner to prepare their sites for GDPR compliance. It is not the duty of any framework used to create and manage a websites compliance, solely. In almost all cases a lot of manual fine tuning will be needed. Generally speaking, that means there is no use in asking “Is WordPress GDPR compliant?” or “Is Uncode GDPR compliant?”. For example, Uncode itself will never be violating the GDPR criteria as it does not collect any data. It is a powerful tool to create websites, and the end users website is what will collect data and the data collected will be different for every usecase.

Activating this plugin does not guarantee that an organisation is successfully meeting its responsibilities and obligations of GDPR. Organisations should assess their unique responsibilities and ensure that extra measures are taken to meet any obligations required by law and based on a data protection impact assessment.