Can you use Elementor in a GDPR compliant way?

Elementor compliant in WordPress websites

If you’re not a developer owl or want to/can’t spend a lot of money on a web designer to build your professional website for you, you’ve probably heard of Elementor.

The plugin is extremely beginner-friendly, visual, versatile and already has a lot to offer in the free version to build a website in no time. But what about the data protection friendliness of Elementor?

We’ll explain it to you!

We must point out that the following statements do not constitute legal advice. Therefore, we can only give you evaluations from our intensive experience with the EU legal regulations in practice and a technical assessment of the situation.

Elementor – what is it?

Elementor is a WordPress plugin from the software company Elementor Ltd. The website builder helps you build professional WordPress websites and already has more than 5 million active installations.

Using the simple drag-and-drop principle, almost any website can be created without programming knowledge.

Other advantages are:

  • Instant live preview
  • Responsive mode (to make the website tailored to desktop, tablet and smartphone)
  • 100+ Full Page Templates
  • 300+ blocks

Elementor is available in both a free basic version and a paid PRO version.

These cookies are set by Elementor

As far as we know, Elementor does not set HTTP cookies. Instead, Elementor works with LocalStorage and Session Storage. However, these are legally treated as (HTTP) cookies.

Elementor Cookies

As you can see in the screenshot, no HTTP cookie is set. Rather, it is an entry in the local storage and in the session storage of the browser. The collected data will most likely only be stored on the visitor’s local browser in December 2021 and will not be sent to Elementor, the website operator’s server or any third party.

Is Elementor GDPR compliant?

Elementor stores data in local memory.

In our opinion, the elementor “cookies” are classified as essential according to the current state of knowledge. In this case, local storage and session storage are responsible for ensuring that pop-ups, sitebars, etc. are not displayed again so that the visitor can use the website undisturbed. Whether these “cookies” are actually considered necessary is disputed.

In the following, we explain how you can use Elementor in the most privacy-compliant way possible. We assume that local storage and session storage are essential in this case.

Duty to provide information

According to ePrivacy Directive 2002/58/EC, access to browser memory is only permitted if the visitor has consented ( GDPR Article 6 (1) lit. a) or if the access is absolutely necessary in order to provide or operate the service.

In both cases, this means that European users of Elementor should provide their website visitors with detailed information on what data is stored locally in accordance with the GDPR.

Since we consider local and session storage to be essential in this case, we don’t think you need opt-in consent from your website visitors.

In order to swim in safe waters as much as possible, we recommend that you comply with the obligation to inform according to Article 13 of the GDPR. In addition to cookies, you should also refer to such data storage in your cookie notice.

The easiest and quickest way to implement this information obligation in the cookie notice is with Real Cookie Banner for WordPress. We have already completely worked out the corresponding template so that you can add the information with just a few clicks.

Data transmission to third parties

Elementor is a locally installed plug-in. No data is transmitted to third parties. However, as already mentioned, various widgets are used. Google services such as Google Maps and Google Analytics may transfer data to third parties (Google). This requires the opt-in consent of the website visitor.

🤝 Order processing contract

An order processing contract is always used when a website operator commissions services from an external company – which processes visitors’ personal data on behalf of the website operator. In short, this contract regulates the data protection-compliant handling of this data.

The obligation to conclude such a contract exists, among other things, when using Google Analytics.

The legal basis for a processing contract is Article 28 of the GDPR.

If you only use Elementor (without widgets that transfer data to third parties), we do not believe that you need a processing contract.

🔌 Integrations in Elementor

Elementor itself stores data on the user’s one local storage. However, Elementor includes various widgets such as Google Analytics and Google Maps that may transfer data to the US and set additional – non-essential – cookies.

Specific conditions would have to be met for the use of such services that transmit data to third parties (especially to insecure third countries with a poor level of data protection, such as the USA). We have written separate articles on the data protection compliant use of Google Maps and Google Analytics (MonsterInsights).

🇺🇸 No data transfer to the USA

As we have already explained, Elementor itself does not transfer any data to the USA, according to its own statements. Therefore, you are basically in a good position in terms of data protection compliance. You should be careful when using additional widgets that do transfer data to the United States.

After the end of the Privacy Shield – an agreement between the USA and the EU to regulate data protection – due to an insufficient level of data protection in the USA from the ECJ’s point of view, the USA is considered an insecure third country with regard to data protection.

Active and informed consent and a listing of the services in the privacy policy are indispensable.

Menu