GDPR and Cookies
This post has a slightly more legal than technical tone. We aim to strike the right balance in explaining our services and your responsibilities.
By default, you don't need to include a cookie banner on your Framer site, even if you use Framer's built-in analytics, because we don't collect any personal data from your site visitors.
However, if you add any service or script that might collect data (such as Google Analytics, HubSpot, or YouTube), it is your responsibility to add the appropriate cookie banner to your site.
As a user, it is your responsibility to ensure that your content complies with applicable laws (as stated in our Terms of Service). This includes copyrighted materials such as photos and fonts.
For more information continue reading below. Any information provided to you in this post is not legal advice and should not be relied upon as such.
GDPR
On May 25, 2018 the EU General Data Protection Regulation, also known as the GDPR, came into effect. The GDPR applies to any organization or entity (including websites) that processes the personal data of EU residents. It is important to know that the GDPR applies to you regardless of whether or not you or your business are based in the EU. If visitors to your website are in the EU, or if your marketing campaign targets or reaches EU residents, this will affect you as a website owner. Depending on how you use your visitors' data, the GDPR may require several actions from you in order to protect the privacy and security of your website visitors. We know that it can be tricky to understand what this means in practice, so we have drafted this FAQ to help break down the privacy obligations you may have if you host a website through Framer. If you are not sure about your obligations, we recommend seeking legal advice from a privacy expert.
Does the GDPR apply to me as a Framer user hosting a website?
Probably. Anyone who hosts a website that can have even a single EU visitor is impacted by the GDPR. It does not matter if you yourself are located outside the EU. This is because any organization that acts as a data controller or data processor of any EU residents’ personal data is affected by the GDPR.
What is considered to be “personal data” under the GDPR?
"Personal data" is defined broadly by the GDPR and can be any piece of information that relates to an identifiable person (the "data subject"). Examples of personal data are: name, email address, date of birth, and physical address, but also profile photos, social media usernames, IP addresses, customer numbers, or any other information that can directly or indirectly lead to identifying a real person.
When am I considered to be the “controller” of personal data?
A data controller is a person or company that collects personal data and decides what information is collected, how that information is collected, and how that information is used down the line. The data controller has strict obligations under GDPR, and as a controller you must make sure that you have received proper consent, where necessary, before storing or using any of your website visitors’ personal data.
So is Framer considered a controller of personal data, too?
Yes. Framer is a data controller of Framer users' personal data. Framer's users (like yourself) who create and host Framer sites are the data controllers of personal data gathered on those sites. Personal data can be collected via form submissions, Google Analytics, or other integrations.
What is a “data processor”?
A data processor is a person or company that processes personal data on behalf of a data controller. Framer has no control over the data that users like you collect on their sites or how they use it. In this case you are the data controller of the information you collect via websites hosted in our service, and Framer is the data processor.
Does Framer take care of GDPR compliance for my website?
No. Framer fulfils its legal obligations to you under the GDPR but has no control over the obligations you have as a controller of your site visitors’ data. As a controller of personal data you have your own obligations to make sure that you process the personal data in accordance with the GDPR.
I collect personal data from my EU website visitors. What do I do now?
If you own websites that collect personal data from EU residents, for example through form submissions or third-party integrations that are available in our service, you have responsibilities as a data controller under the GDPR. It is important to understand your responsibilities as a data controller and to make sure that you are acting in compliance with the GDPR. For example, if you are creating forms that request personal data in Framer (such as newsletter sign-ups), make sure to clearly ask for and get consent from your site visitors. Consent is required unless you have another lawful basis for processing personal data, for example if it is a legal requirement or in the public interest. It is also key to be transparent and clear with your site visitors about how you collect, store, and use their personal data. By making a privacy statement available on your website you can inform your site visitors about the way in which your website gathers, uses, discloses, and manages their personal data.
If you are creating websites for clients that collect personal data on their websites, we recommend making sure that your clients understand their responsibilities as a controller of that personal data.
What about cookies?
We will dive into cookies a bit more below, but you are required to get explicit consent from your site visitors before placing any non-essential cookies on their device. (Strictly speaking, the consent requirement for cookies comes from the EU ePrivacy Directive as implemented in national law, while the GDPR sets the standard for what counts as valid consent.) Framer offers its users the ability to add third-party applications to their websites, which can also include cookies that require consent through a cookie banner. By adding a cookie banner to your website your site visitors can actively give their consent to non-essential cookies.
Cookies
Cookies can be considered personal data if they can identify an individual. To comply with privacy regulations such as the GDPR, you must ask your site visitors for consent before placing “non-essential” cookies on their device.
What is an essential cookie?
Essential cookies may be placed on your site visitors' device without consent because they are required for your website to function properly. Without these cookies your site visitors would not be able to use the services your website offers (for example, session cookies that keep users logged in, or cookies that remember which items have been added to a shopping cart).
What is a non-essential cookie?
Non-essential cookies are any cookies that are not essential cookies. Without these cookies, your site visitors would still be able to use your site properly. Examples of non-essential cookies are cookies that are used to analyse user behavior or display personalized ads.
If I use cookies on my Framer Site, how do I make sure I do this in a GDPR friendly way?
If you include third-party services on your website that use non-essential cookies you are required to ask permission before placing the cookies on your site visitors’ device. Adding a cookie banner to inform your visitors about the cookies you are using and collecting their consent is required.
What should a cookie banner look like?
Local privacy laws may require different formats for cookie banners. We advise our users to do their own research about what a cookie banner should look like under the regulations that apply to them. In general, a cookie banner needs all four of the following to be (GDPR) compliant:
1) Accept and deny buttons: rejecting non-essential cookies should be as easy as accepting them.
2) Blocking until consent: non-essential cookies, and the third-party scripts that set them, must not be loaded until the visitor has given consent.
3) Granular consent: a settings option that lets visitors accept or reject each category of cookies separately.
4) A link to a Cookie Policy.
Framer Analytics
Framer comes with built-in analytics for every website. Read more about Framer Analytics. Framer Analytics provides a core set of metrics: unique visitors, pageviews, top sources, and top pages.
How do Framer Analytics work?
When a user visits your Framer Site, we hash the IP address and user agent with a daily rotating secret (salt) that is reset and deleted every day, and use the result to calculate daily unique visitors. As a result, a visitor who visits your site multiple times on the same day counts as one unique visitor, but a visitor who views your site on different days of the month counts as a unique visitor on each of those days. Because the previous day's salt no longer exists, the hashes from different days cannot be linked to each other or to the original IP address.
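The mechanism described above, as an added example that is not Framer's own code: a secret salt that lives for one calendar day keys a hash of IP address plus user agent, and unique visitors are counted per day from those hashes. HMAC-SHA256, the 32-byte salt size, the class and function names, and the visit log are all assumptions; the page does not state which hash or salt Framer uses. The second half shows the check a practitioner should make on any "hashed IP" scheme: without the secret, the hash is reversible by enumerating candidate addresses.

```python
# Added example (not Framer's code): daily unique-visitor counting from a
# salted hash of IP address + user agent, with the salt rotated and discarded
# every day. HMAC-SHA256 is an assumption; the page does not name the hash.
import hashlib
import hmac
import ipaddress
import secrets
from datetime import date


class DailySalt:
    """Keeps exactly one random secret, valid for a single calendar day.

    When a new day is requested the previous salt is overwritten and nothing
    is archived, so hashes from earlier days can never be recomputed or linked.
    """

    def __init__(self):
        self._day = None
        self._salt = None

    def get(self, day):
        if day != self._day:
            self._salt = secrets.token_bytes(32)  # fresh secret, old one gone
            self._day = day
        return self._salt


def visitor_id(ip, user_agent, salt):
    """Keyed hash of (IP, user agent); cannot be recomputed without the day's salt."""
    msg = f"{ip}\n{user_agent}".encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


def count_daily_uniques(visits, salt_store=None):
    """visits: iterable of (day, ip, user_agent). Returns {day: unique visitors}.

    Visits are processed in day order so the single-salt store only ever
    moves forward, mirroring a salt that resets once per day.
    """
    if salt_store is None:
        salt_store = DailySalt()
    seen = {}
    for day, ip, ua in sorted(visits, key=lambda v: v[0]):
        seen.setdefault(day, set()).add(visitor_id(ip, ua, salt_store.get(day)))
    return {day: len(ids) for day, ids in seen.items()}


# --- Why the secret matters ---------------------------------------------------
# An unkeyed hash of IP + user agent is not anonymous: the IPv4 space is only
# 2^32 addresses, so anyone holding the hash and a likely user agent can simply
# enumerate candidates until one matches.

def unsalted_id(ip, user_agent):
    return hashlib.sha256(f"{ip}\n{user_agent}".encode()).hexdigest()


def recover_ip(target_hash, user_agent, network):
    """Brute-force an unsalted hash over a small network (here one /24)."""
    for host in ipaddress.ip_network(network).hosts():
        if unsalted_id(str(host), user_agent) == target_hash:
            return str(host)
    return None


# Constructed sample visit log: visitor A three times on day 1, visitor B once
# on day 1, visitor A again on day 2. Addresses are documentation ranges.
UA_A = "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"
UA_B = "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_3) Safari/605.1.15"
SAMPLE_VISITS = [
    (date(2024, 3, 1), "203.0.113.77", UA_A),
    (date(2024, 3, 1), "203.0.113.77", UA_A),
    (date(2024, 3, 1), "198.51.100.9", UA_B),
    (date(2024, 3, 1), "203.0.113.77", UA_A),
    (date(2024, 3, 2), "203.0.113.77", UA_A),
]

if __name__ == "__main__":
    # {datetime.date(2024, 3, 1): 2, datetime.date(2024, 3, 2): 1}
    print(count_daily_uniques(SAMPLE_VISITS))
    store = DailySalt()
    day1 = visitor_id("203.0.113.77", UA_A, store.get(date(2024, 3, 1)))
    day2 = visitor_id("203.0.113.77", UA_A, store.get(date(2024, 3, 2)))
    print("same visitor linkable across days:", day1 == day2)  # False
    leaked = unsalted_id("203.0.113.77", UA_A)
    print("unsalted hash reversed to:", recover_ip(leaked, UA_A, "203.0.113.0/24"))
```

The design point is that the salt is both secret and short-lived: secret, so that nobody holding a hash can confirm a guessed IP address the way `recover_ip` does against the unkeyed variant; short-lived and never archived, so that even the operator cannot join one day's counts to the next or recompute an old hash after the fact.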
Is any personal data collected for Framer Analytics?
No. Framer Analytics does not track, collect, or store any data or information that identifies a person. Our privacy statement outlines all data that is collected by Framer.
Are Framer Analytics GDPR friendly?
Yes. The data that is collected to provide your Framer website analytics in the Dashboard consists of aggregated counts derived from the daily salted hash described above. Within a day the hash is a short-lived identifier that cannot be resolved without the secret salt, and once that day's salt is deleted it cannot be traced back to an individual at all.
Do I need a cookie banner on my site in order to use Framer Analytics?
No. Framer Analytics does not use cookies and does not generate any persistent identifiers. No cookie consent is needed in order to use Framer's built-in analytics tool. However, as the creator of a Framer Site you are responsible for ensuring that your site is GDPR compliant, which includes clearly and accurately describing to your visitors what information you collect and how you use and share it. If you add third-party services that place tracking cookies, you need a cookie banner that is GDPR compliant.
If you want to learn more about how Framer safeguards your personal data, please see our privacy statement. In order to ensure that Framer continues to protect and secure personal data, we have obtained important security certifications such as ISO 27001 and SOC 2. Read more about these certifications and other security measures on our security page.
GDPR compliant Framer Forms
According to the GDPR you must ensure that personal data is collected for specified, explicit, and legitimate purposes and processed lawfully, fairly, and transparently. If your website collects personal data from your site visitors you have responsibilities as a "data controller".
Framer Forms may collect personal data, such as names, email addresses, or other personal data that is submitted through the form. The specific obligations that apply to you to make your site GDPR compliant may vary depending on the situation. We recommend seeking legal advice to ensure compliance. The principles and requirements below form the foundation of the GDPR and will help you prepare for GDPR compliance:
Data minimization: collect only the data necessary for the specified purpose.
Clear purpose: clearly state the purpose of data collection and ensure it is explicit and legitimate.
Informed consent: obtain explicit, informed consent from users before collecting their data. Provide a clear option to opt in, avoiding pre-checked boxes.
Transparency: inform users about who is collecting the data, how it will be used, and with whom it will be shared through a comprehensive privacy policy.
Data security: implement appropriate technical and organizational measures to secure the data against unauthorized access or breaches.
Right to access and erasure: allow users to access their data, correct inaccuracies, and request deletion of their data (right to be forgotten).
Data retention policy: specify how long the data will be retained and ensure it is not kept longer than necessary.
Third-party compliance: ensure that any third parties processing the data on your behalf comply with GDPR requirements.
Documentation: keep detailed records of the data processing activities and consents obtained.
FAQ
Can my site visitor exercise their GDPR rights directly with Framer?
No. Framer will forward any GDPR request it receives about data collected on your site to you, the data controller, as we are unable to act on it ourselves.