What is the GDPR?

As a blogger, you may be wondering what GDPR is, if it applies to you, and if it does, what’s the minimum you have to do by the dreaded deadline of May 25, 2018 to be compliant?

If you don’t already know, GDPR stands for General Data Protection Regulation. It’s a new regulation passed in the EU (European Union) to protect EU residents’ personal information.

Before we go any further, please know that I am not a lawyer and this article should not be considered legal advice. Seek your own attorney for legal advice and/or read the official GDPR yourself.

Does GDPR Apply to Bloggers?


GDPR compliance for bloggers

The short answer is: if you (a blogger, or any online marketer or business person) collect and save ANY personal information of people in the EU for ANY reason, regardless of where YOU live, YES, it applies to you. The regulation’s own test (Article 3) is whether you offer goods or services to people in the EU, paid or free, or monitor their behaviour, and a newsletter signup, a comment form or an analytics script aimed at a worldwide audience will usually meet it.

This means YOU, Mr. Mississippi’s Mudslinging Manifesto! Even though you live (and sling mud) in Mississippi, you have to pay attention as well. So stop manifesting for a second and pull up a chair.

By the way, if you’re a blogger in the EU, the GDPR applies to you no matter what you do or who you do it with.

Another by the way: if you are saving anyone’s data in any way for any reason no matter where either one of you resides, you should have a Privacy Policy in place. Why? Because California has a Data Protection regulation, too. And they aren’t the only ones. Why try to figure out where everyone hangs their hat, when you could save a lot of time in the long run by simply putting up a Privacy Policy?

The Spirit of the Law

The bottom line is if you want any kind of personal information from someone in the EU, you must be transparent about what you intend to do with their data. And you must get additional consent from them if you plan to add them to any kind of general marketing email “list”.

Consent must be freely given, specific, informed, and unambiguous, and given by a clear affirmative action (GDPR Article 4(11)). Consent for one thing doesn’t mean consent for everything. You can’t just add people to your general marketing email list.

For example, if you offer a free “thing”, like a resource guide or a webinar or a single product of any kind, you can only use their email address to send them that one thing. If you’re trying to add them to an “email list” for future communications, you have to get a separate and additional consent from them to be added to your “email list” and tell them exactly what you intend to use their personal information for.

By the way, you can’t require that they join your email list to get that freebie.

And you must make it clear and easy for them to opt out of your mailing list!

Wanna see the official GDPR in all its 99-article glory?

What Bloggers Need to Do Now

Get Fresh Consent from Your Current Email List

Check your email list for any EU residents. Segment your list into EU residents and non EU residents. If you’re not sure where someone resides, act like they are from the EU.

Send out a consent campaign to get consent from the EU residents. Anyone who hasn’t consented by May 24th should be deleted from your list (or, at the very least, never emailed again). The one exception: if you can show that the original opt-in already met the GDPR standard, that is, an unticked box, a clear statement of what they were signing up for, and a record of when and how they agreed, that consent still counts. Recital 171 says existing consent does not need to be renewed if it was obtained in line with the Regulation.

Note to bloggers in the EU: you need to get fresh consent from everyone on your list. There is no need to segment your list.

What Bloggers Need to Do Going Forward

Get Proper Consent from EU Residents

Whenever you capture an EU resident’s personal information, you must give them the option to be on your mailing list. You cannot default a check box to add them to your mailing list. They have to check that box themselves.

If you can tell that a visitor is in the EU (for example from the country they pick on your form), ask for the opt-in then; otherwise you will be asking everyone in the world to opt in, and well, we all know how that will go. Fewer subscribers. Don’t lean too hard on guessing location from an IP address, though: travellers and VPN users will be misfiled, which is why the rule above is to treat anyone of unknown location as an EU resident.

Make sure you add EU residents to your EU mailing list segment.

Services like MailChimp and ConvertKit do have GDPR-compliant processes in place, but you need to review your current usage of their services to make sure you’re using the latest templates that do comply with GDPR.

Note to bloggers in the EU: You have to get permission from everyone, not just EU residents.

Make a Privacy Policy Page

The GDPR requires that you be transparent about the information you collect from people and a Privacy Policy Page is the best way to do it. Here’s mine if you want to see it.

I should note that, ethically, you should have a Privacy Policy for ALL your subscribers/commenters/customers/leads. Not just EU residents. For example, one of the best-known general data protection laws in the United States is the California Online Privacy Protection Act (CalOPPA). It requires any commercial website or online service that collects personally identifiable information from California residents to conspicuously post a privacy policy, again regardless of where the operator lives. So, as a CYA, you should be protecting everyone’s data that you collect.

Purpose of Privacy Policy

This page will inform a prospective email list subscriber what data you will collect from them, how you will use it and how you will protect it. You must inform them of this policy at the time you seek to collect their personal information.

What Goes in the Privacy Policy

Oh my goodness, LOTS of stuff. Luckily if you are a WordPress user (4.9.6 or newer), it provides a template to get you started. Go to Settings > Privacy, create (or pick) your Privacy Policy page, and edit and publish it from there; the draft it generates already contains the default comment, media, cookie and embedded-content wording.

Otherwise, here’s what you should include in your policy; you can even use these headings as your own:

1. Who we are

Provide the website’s name and URL and who is “large and in charge” (that’s you, silly).


2. What personal data we collect and why we collect it

Explain what personal data you collect (e.g. name, email address, etc.). Tell them what you use it for.  You can check the Sticky Readers Privacy Policy Page for an example.


3. Comments

Let your visitors know what data gets collected if they leave a comment. Below is some sample text for WordPress-based comments:

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.
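A note on what that “anonymized string” actually is, with an added example that is not part of the original post or of WordPress: Gravatar’s documented lookup key is the MD5 of the trimmed, lower-cased email address, and the same hash appears in the public avatar URL on every approved comment. Because an MD5 of a guessable address can be matched against a list of candidate addresses, it is pseudonymous rather than anonymous, which is worth knowing before you describe it in your policy. The addresses below are constructed sample data.

```python
import hashlib
from typing import Iterable, Optional


def gravatar_hash(email: str) -> str:
    """Gravatar's documented lookup key: MD5 hex digest of the trimmed, lower-cased address."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def gravatar_url(email: str, size: int = 80) -> str:
    """The avatar URL a comment page embeds; the hash is published alongside every comment."""
    return f"https://www.gravatar.com/avatar/{gravatar_hash(email)}?s={size}"


def recover_email(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: anyone holding a list of plausible addresses (a leaked mailing
    list, a staff directory) can test each one against the published hash. No secret
    is involved, so the hash only hides addresses that nobody can guess."""
    for email in candidates:
        if gravatar_hash(email) == digest:
            return email
    return None


# Constructed sample data for the demonstration; not real commenters.
COMMENTER = "  Terri.Example@Example.COM "
CANDIDATES = ["admin@example.com", "terri.example@example.com", "margaret@example.org"]


def demo() -> Optional[str]:
    """What an onlooker with the candidate list learns from one comment page."""
    published = gravatar_hash(COMMENTER)  # the value the comment page exposes
    return recover_email(published, CANDIDATES)


if __name__ == "__main__":
    print(gravatar_url(COMMENTER))
    print("recovered:", demo())
```

The practical consequence for your policy wording: say that a hash of the commenter’s email is sent to Gravatar and is visible to anyone who can see the comment, rather than implying the address is unrecoverable.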


4. Media

Do you let people upload photos to your site? Then say this:

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
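Checking for and removing that location data before you upload is something you can automate, as in this added example (written for this page, not code from the original post or from WordPress). It walks the JPEG marker segments, looks inside the Exif APP1 segment for the GPSInfo pointer (tag 0x8825 in IFD0) and rebuilds the file without the Exif segment. The sample image is a constructed minimal JPEG, not a real photo. The example only handles Exif in JPEG; XMP metadata, which can also carry coordinates, and other formats such as PNG or HEIC are out of scope.

```python
import struct

SOI, EOI, APP1, SOS = 0xD8, 0xD9, 0xE1, 0xDA
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825  # IFD0 entry pointing at the GPS IFD; only present if GPS data was written


def _segments(jpeg: bytes):
    """Yield (marker, start, end) for each marker segment after SOI, stopping at SOS.
    Everything from SOS onward is entropy-coded scan data (where RSTn markers live),
    so it is treated as one opaque tail and never parsed."""
    if jpeg[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG")
    i = 2
    while i + 4 <= len(jpeg):
        if jpeg[i] != 0xFF:
            raise ValueError(f"expected marker at offset {i}")
        marker = jpeg[i + 1]
        if marker == SOS:
            yield marker, i, len(jpeg)
            return
        length = struct.unpack(">H", jpeg[i + 2:i + 4])[0]  # includes the 2 length bytes
        yield marker, i, i + 2 + length
        i += 2 + length


def _is_exif(jpeg: bytes, marker: int, start: int) -> bool:
    return marker == APP1 and jpeg[start + 4:start + 10] == EXIF_HEADER


def has_gps_exif(jpeg: bytes) -> bool:
    """True if the Exif IFD0 contains a GPSInfo pointer, i.e. the photo carries coordinates."""
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            continue
        tiff = jpeg[start + 10:end]                     # TIFF structure follows the 6-byte header
        endian = ">" if tiff[:2] == b"MM" else "<"      # byte order declared by the file
        ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
        count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
        for k in range(count):                          # 12-byte entries: tag, type, count, value
            off = ifd0 + 2 + 12 * k
            if struct.unpack(endian + "H", tiff[off:off + 2])[0] == TAG_GPS_IFD:
                return True
    return False


def strip_exif(jpeg: bytes) -> bytes:
    """Rebuild the file without any Exif APP1 segment; pixel data is copied untouched."""
    out = bytearray(jpeg[:2])
    for marker, start, end in _segments(jpeg):
        if _is_exif(jpeg, marker, start):
            continue
        out += jpeg[start:end]
    return bytes(out)


def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG: SOI, an Exif APP1 whose IFD0 points at an (empty) GPS IFD,
    a fake SOS with three bytes of scan data, and EOI. Not a decodable picture."""
    ifd0 = struct.pack(">H", 1)                                   # one directory entry
    ifd0 += struct.pack(">HHII", TAG_GPS_IFD, 4, 1, 26)           # LONG, count 1, GPS IFD at 26
    ifd0 += struct.pack(">I", 0)                                  # no next IFD
    gps_ifd = struct.pack(">HI", 0, 0)                            # empty GPS IFD at offset 26
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps_ifd  # big-endian TIFF, IFD0 at 8
    payload = EXIF_HEADER + tiff
    app1 = bytes([0xFF, APP1]) + struct.pack(">H", len(payload) + 2) + payload
    scan = bytes([0xFF, SOS]) + struct.pack(">H", 2) + b"\x01\x02\x03" + bytes([0xFF, EOI])
    return bytes([0xFF, SOI]) + app1 + scan


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("has GPS before:", has_gps_exif(sample))
    print("has GPS after :", has_gps_exif(strip_exif(sample)))
```

Run it over a real file with `has_gps_exif(open("photo.jpg", "rb").read())` before uploading; if it reports True, write out `strip_exif(...)` instead of the original.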


5. Contact forms

If you use a contact form, explain what personal data is captured when someone submits a contact form, and how long you keep it. For example, you could say you keep the information for a certain period for customer service purposes, but you don’t use it for marketing purposes.


6. Cookies

List the cookies your web site uses, including those set by your plugins, social media, and analytics. Start with this text if you have WordPress and accept comments on your site:

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.


7. Embedded content from other websites

You know what? Just cut and paste this:

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website. These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracing your interaction with the embedded content if you have an account and are logged in to that website.


8. Analytics

Tell them what analytics package you use (e.g. Google Analytics, StatCounter, etc.), how users can opt out of analytics tracking, and a link to your analytics provider’s privacy policy, if any.


9. Who we share your data with

Name and list all third party providers with whom you share site data, including partners, cloud-based services, payment processors, and third party service providers, and note what data you share with them and why. Link to their own privacy policies if possible. We are talking about Google for Google Analytics, MailChimp or ConvertKit (or whatever email list service you use) for email contact information. Stuff like that.


10. How long we retain your data

Explain how long you retain personal data collected or processed by your web site. For example, you may want to say that you keep contact form entries for six months, analytics records for a year, and customer purchase records for ten years.


11. What rights you have over your data

Let your visitors know that they can request access to their data, have it corrected (rectification) or erased, restrict or object to its processing, and get a copy in a portable format, at any time. They also have the right to withdraw consent at any time, and it must be as easy to withdraw as it was to give. And you must make it clear how they can do that, and be ready to answer within the one month the GDPR gives you (Article 12).


12. Where we send your data

In this section you should list all transfers of your site data outside the European Union and describe the means by which that data is safeguarded to European data protection standards. This could include your web hosting, cloud storage, or other third party services.

The WordPress template only offers this one line, which covers the automated comment spam check and nothing else:

Visitor comments may be checked through an automated spam detection service.

For most bloggers outside the EU that line is not enough on its own: if your web host, email list service or analytics provider is in the United States (as MailChimp, ConvertKit and Google Analytics are), every subscriber’s data is leaving the EU, so name those services here and point to the safeguards they state in their own privacy policies (in 2018, typically the EU-US Privacy Shield or the EU’s standard contractual clauses).

And, finally …


13. Your contact information

Provide a contact method for privacy-specific concerns.


OK, that’s the safe minimum amount of information to display on your Privacy Policy Page. If you use your site for commercial purposes and you engage in more complex collection or processing of personal data, you may have to include even more information.


Where to Refer to Privacy Policy

Include links to your privacy policy page in your website footer, opt-in forms and anywhere else you collect their personal data.


So… in conclusion…

Bottom Line: GDPR Action Item Checklist

  1. Go get fresh consent from your current EU subscribers (and those whose location is unknown). 
  2. Update your data collection process to be GDPR-compliant for EU residents from here on.
  3. Set up and publish a Privacy Policy page, linking to it in your blog footer and anywhere you collect data.

The deadline is May 25, 2018.

GDPR Compliance for Bloggers: Or Does It Apply to You?

2 thoughts on “GDPR Compliance for Bloggers: Or Does It Apply to You?”

  • May 23, 2018 at 2:38 pm

    This is a great article, Margaret. Sorry, your second email didn’t have this link, so I only saw the infographic. Right above this comment section on your blog there should also be a blurb, since I have to leave my email address and website.

    • May 23, 2018 at 4:25 pm

      You are SO right, Terri! And it’s on my ToDo list as I try to follow my own instructions on making my website more compliant!
