Introducing Sparkle 2.6: GDPR!

by Duncan Wilcox — May 25, 2018

Image: SpaceX

We’re incredibly happy to release Sparkle 2.6. It has major privacy and performance enhancements, in addition to great new features.

Three short months after the 2.5 release, during which we released a healthy number of fixes and updates, we’re feeling really good about Sparkle 2.6.

When you build a website by hand coding it or using pre-built templates, every feature, optimization and layout detail, every browser workaround or bug fix is an artisanal job, something that is lost when you start over with a new website. Striking a great balance between an understandable user interface and building an efficient site is extremely complex, but it is paying off big time with Sparkle. Every fix, every solution, every optimization applies to all past and all future Sparkle websites.

Our work on Sparkle 2.6 has been focused on three main areas: improving privacy for your site visitors, improving performance of Sparkle sites, and other improvements to the interface and to published sites.

In light of the GDPR, improving privacy has been the driver for this release, and it has forced us to ship a little early, so we’re missing the translation of a few words in Spanish, Chinese and Japanese; we’ll get around to them soon. The documentation also hasn’t been updated, but we’re working on releasing a documentation update soon.

Privacy and compliance

So this post is in part about getting your site ready for GDPR (DSGVO in Germany), the General Data Protection Regulation, which becomes enforceable today, May 25th 2018.

The first thing to get out of the way is that all this doesn’t constitute legal advice. Also, there are a number of compliance steps; I’ll only be covering what your site needs. You will need to consult a privacy expert in your jurisdiction to ensure your business is fully compliant.

Judging by the number of browser tabs open on the subject, I have been in full immersion for a couple months now. I don’t know that I’m particularly more expert about GDPR, but what felt like an incoherent, fuzzy, arbitrary law now feels more like an opportunity to improve personal data privacy on the web, starting from your Sparkle site.

The first thing to realize is the vast majority of small website owners aren’t doing anything at all with personal data, let alone anything wrong. However, some things might have been implemented in an incomplete or insufficiently rigorous way, so it’s time to tighten it up.

The website owner is going to be responsible for compliance, and whether that’s you or your client, there are a few technical things that help.

Sparkle now scores 100% on the Swedish Internet Foundation privacy checker tool, one of the most advanced on the web. This means your website by default is more respectful of your visitor privacy.

To get a full score you will need to add SSL, which you can get from your web host, and configure HTTP Strict Transport Security (HSTS) on your server. You should definitely set up SSL, particularly if you have a form which communicates data back to you.

Sparkle has best-in-class privacy compliance, confirming and extending its lead in privacy matters, thanks to this combination of improvements:

  • all third party content is blocked until cookie consent
  • embedded code is by default subject to activation after cookie consent
  • fonts are now only ever stored in the local site, not referenced from Google fonts
  • the page address is by default not leaked when loading third party content
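A way to check a published page against the points above (third-party loads in the static markup, Google Fonts references, referrer policy) and the HSTS header mentioned earlier. This is an added example, not Sparkle's code and not the Swedish Internet Foundation's checker; the site `https://example.com/`, the function names, the finding codes and the sample markup are all assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
LOADS = {"script": "src", "img": "src", "iframe": "src", "embed": "src", "link": "href"}
FETCHED_RELS = {"stylesheet", "preload", "icon"}  # <link> types the browser downloads

class PageScan(HTMLParser):
    """Collect hosts the static markup fetches from on load, and a meta referrer policy."""
    def __init__(self, site):
        super().__init__()
        self.site, self.hosts, self.policy = site, [], ""
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "referrer":
            self.policy = a.get("content", "")
        if tag == "link" and not FETCHED_RELS & set(a.get("rel", "").lower().split()):
            return  # e.g. rel="alternate" hreflang links are never fetched
        url = a.get(LOADS.get(tag, ""), "")
        host = urlparse(urljoin(self.site, url)).hostname if url else None
        if host and host != urlparse(self.site).hostname:
            self.hosts.append(host)

def hsts_max_age(value):  # max-age in seconds; 0 if the directive is absent or invalid
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and val.strip(' "').isdigit():
            return int(val.strip(' "'))
    return 0

def audit(html, headers, site):  # returns sorted finding codes for one page
    scan = PageScan(site)
    scan.feed(html)
    hdr = {k.lower(): v for k, v in headers.items()}
    policy = (scan.policy or hdr.get("referrer-policy", "")).split(",")[-1].strip().lower()
    found = {"google-fonts" if h in FONT_HOSTS else "third-party-load" for h in scan.hosts}
    # Unset relies on the browser default; the two named values send the full URL cross-origin.
    if policy in ("", "unsafe-url", "no-referrer-when-downgrade"):
        found.add("referrer-policy")
    if hsts_max_age(hdr.get("strict-transport-security", "")) == 0:
        found.add("no-hsts")
    return sorted(found)

# Constructed sample pages and headers for https://example.com/ (assumed site).
BEFORE = ('<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato">'
          '<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>')
AFTER = ('<meta name="referrer" content="no-referrer"><link rel="stylesheet" href="/fonts.css">'
         '<link rel="alternate" hreflang="de" href="https://example.de/">'
         '<div data-src="https://www.youtube.com/embed/VIDEO_ID"></div>')
HSTS_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
```

The scan reads static markup only and does not execute scripts, so it confirms that nothing third-party is requested by the HTML itself; content a script injects at runtime has to be checked in a browser's network panel.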

Cookies

A Sparkle site is static and does not set cookies. If your site contains social media elements, Youtube/Vimeo video, Google Analytics and some kinds of embedded content, Sparkle encourages you to set up the privacy banner to inform users about cookies set by those third party elements, and blocks the content until the user expresses consent.

The consent has to be stored in order to avoid showing the banner on every page the user visits, so this consent is stored in a cookie. This cookie is of the technical kind, a user preference, meaning its use doesn’t require approval according to the current ePrivacy Directive (“cookie law”), and since it isn’t personal data it isn’t covered by GDPR.

A privacy policy is always a good idea, even if you state that no user data is collected.

Analytics

While analytics services do profile site visitors, the applicable ePrivacy Directive only requires that you “conspicuously provide the option for obtaining informed consent, provide a means for the withdrawal of consent and guarantee, via prior blocking, that no tracking is performed before the user has provided consent”.

For more detailed information, you can read more about cookies vs GDPR (extreme summary: GDPR doesn’t apply to cookies).

Email addresses and contact forms

A common feature of a Sparkle website is a contact email address or contact form, which constitutes personally identifying information. Under GDPR the visitor email address is acquired under the legal ground of contractual necessity. While you may not be in a contract with your site visitor yet, the broad meaning is you need to use the email address/phone number provided by the visitor to reply to their inquiry, so you don’t need to ask for consent.

Consent is a different legal ground for processing, which is required to cover processing of additional personal information not strictly required to perform the contract. So if your form requires other personal information, you might need to ask for consent for processing of that data, which you can do by using a checkbox in the contact form, and linking to your privacy policy to inform the visitor of how the information will be processed, presumably just saying that any data provided will only be used to answer the request.

In other words GDPR does not prevent you from doing business or force users to jump through hoops to contact you, you just need to be forthcoming about what you do with the data. You are only going to have to request express consent if the data is sensitive in nature (for example religious/sexual/racial/medical), or if you are doing “sketchy” or unexpected stuff with the data.

Mailing lists

Superficially a mailing list is little more than an email address, however all commercial mailing list/newsletter services will track user activity (opening the email, clicking on links in it, etc). This requires express user consent to comply with GDPR, and GDPR requires you store proof of consent.

Most mailing list providers such as Mailchimp provide specific tools, so it’s best you use their services directly as they have designed them, unless you know how to deal with storing proof of consent as defined in GDPR.

Google fonts 

Web fonts are loaded from the web. The whole point of web fonts is to be able to load a typeface that’s not available on your system. Google’s fonts project has been a useful and pragmatic way of referencing and using freely available fonts.

With privacy concerns however some users have been questioning how Google processes the visitor IP address.

Unlike say a Youtube video, if you blocked loading web fonts until after a user has expressed consent, the site would look very different.

When pressed, Google employees referred to Google’s overall privacy policy, which is unsatisfactory to many.

We don’t have a clear enough understanding of how this will turn out, but in doubt we have moved all fonts to always be self hosted on your website. This ensures the visitor IP address is never leaked.

Privacy policy

You should have a privacy policy. My only suggestion here is to seek legal advice, or get a canned privacy policy from Iubenda.

Once again I’m not a lawyer and this doesn’t constitute legal advice.

Performance

Privacy is necessary but also a bit boring. Now about something more exciting.

We vastly improved the performance of sites published by Sparkle 2.6, generally achieving a perfect 100% score on Google’s PageSpeed Insights, an important metric for Google search’s ranking algorithm. Specifically Sparkle is now:

  • deferring loading of resources that delay page rendering
  • inlining critical CSS
  • encoding fonts in the more compact woff and woff2 file formats
  • always compressing images with a higher compression algorithm

Someone I know just bought a new Wordpress site, for a cool $5000. Needless to say the site leaks information like a sieve and has this very cool PageSpeed score:

We are still tweaking Sparkle’s code generator for some edge cases, but the improvement is already significant, often hitting 100 / 100 on PageSpeed Insights.

Other improvements

Finally we added these great new features to make Sparkle an all around better website builder.

A new publishing engine, faster and more compatible with web hosts

Sparkle used to use a very safe algorithm to determine whether an uploaded site was changed, which included running a small piece of PHP code on the server to determine a file fingerprint. This ended up being overkill, so we’re now using a much faster size and timestamp indicator to detect changed files, and the publishing is now single pass most of the time (as opposed to multi-pass upload/backup/move for existing files).

A publishing cache, to limit image re-generation

Sparkle used to regenerate all images every time you published a site, even if they were unchanged. This was so the image could be compared to the one on the server, and not uploaded if unchanged. This ended up being very slow with growing sites, so Sparkle now uses a persistent publishing cache, which lets us always use the slower compression algorithm because it’s less frequently used. At the cost of a bit of additional disk space (which you can control from the new preferences window), Sparkle is now much faster at generating the site.

Per-page language designation

You can now have multiple pages in different languages. When you configure the translation for each page in the page settings, Sparkle produces a so-called hreflang attribute on pages. Search engines will be able to read this connection and improve the search experience for users who are using your other site language.

Text style for checkboxes and radio buttons

It is now possible to style the font, size and color of checkboxes and radio buttons.

The option to hide sidebar thumbnails

For large sites the thumbnail organization for each page can be daunting. We are seeing a lot of growth of Sparkle sites, so this is a first step in helping manage.

An in-Sparkle text search window

A straightforward text search for text in the Sparkle file.

The option to make radio buttons required

Checkboxes have had the required option since their introduction. Radio buttons can now also be made required, so you can have a default state with no radio checked and force a choice.

90 new web fonts built-in

We updated our font index to include 90 new fonts.

An improved custom font installer

When adding custom fonts you can now pick multiple font files or a whole folder. Sparkle will also open either TTF or woff/woff2 format font files, and convert format internally for your website.

We hope you enjoy 2.6, let us know!

Download Sparkle 2.6
