
GDPR for Bloggers | What You Need to Do

written by Julie Cohn

{This information is for all bloggers, but my suggestions are for US based/non EU-based bloggers only.}

GDPR.  I’m sure you have seen this tossed around a lot lately. What the heck is it??  More than just some fancy acronym, GDPR is a new regulation that every blogger and business with a business presence, particularly an online presence, should know about.  But, you need to do more than just “know” about it.  Every blogger (food, travel, lifestyle, DIY, etc.) and business with an online presence needs to understand what GDPR is, how to make changes to their sites to comply with GDPR, and what will happen if they ignore it.   Read on for GDPR for Bloggers – What You Need to Do, including a compliance checklist and a list of GDPR compliant apps, plugins, and tools.

GDPR for Bloggers

First things first.  A disclaimer.

I am not a lawyer, nor do I play one on the internet.  I am not offering you legal advice.  I am a United States-based lifestyle blogger, with ten years’ experience in blogging and social media, and advanced WordPress and social media tech skills.  I found out about GDPR about 12 months ago, and have since spent a lot of time educating myself on the requirements of GDPR and data privacy, including participating in webinars and focus groups.

I am not a data privacy expert either, nor do I claim to be.  I am just an educated veteran blogger who, as part of a large community of bloggers, actively participates in growing and educating that community to the best of my ability.  I am just a blogger who loves to help my fellow peeps.  I advise you to research and verify GDPR regulations and EU policies within your country of residence, and contact a lawyer with any legal questions you have.

Next, take this in small chunks.  It can get overwhelming.  Read a section, take notes, and then take a break.  Above all, don’t panic.  We will get through this together.

As this situation evolves, I will continue to find out more and will keep you updated, as one blogger to another.  There is a lot of false information out there, so I will try my best to cut through the nonsense and find out the facts.  Okay?  Let’s dig in.

Note: I have been getting a lot of questions about why bloggers need to comply.  Other than the fact that you are required to by the EU, as I outline below, for those of you who are professional bloggers, the #1 reason to comply with GDPR is because all the brands you work with are also required to comply.  Down the road, brands will likely only work with bloggers who have also completed GDPR compliance, as any relationship a business has with a non-compliant GDPR business partner can affect their bottom line and cause fines.  You need to do this to stay competitive and show brands you are professional.   Keeping it real here, folks.


What is GDPR?

GDPR stands for General Data Protection Regulation.   This is a regulation imposed by the European Union for protection and security of data of people who reside in a European Union regulated country.  All bloggers collect data on visitors to their sites, so even people in non-EU countries must comply with the regulations or face steep fines.

GDPR became regulation in June of 2016, but will be fully enforceable as of May 25, 2018.  The most important thing to remember is that this is for the benefit of your readers.  You value your readers, and by following the guidelines of this regulation, you are taking the extra step to ensure your readers’/subscribers’ data is secure.

Three key areas of how this will impact you and your readers:

  • Your readers must give consent to you to access/store their personal data immediately upon visiting your site.
  • You must clearly state that you understand your readers’ right to have their data deleted or “forgotten”.
  • You must know what data is collected on your site, where it is stored, and what to do if there is a data breach.

This isn’t so bad, is it?  As a reader myself of many blogs, I know I will have a lot more respect for those blogs who take steps to protect my data, even as a US-based resident.

What Do I Need to Know About GDPR?

  • Anyone in the world who has an online presence and collects any identifiable information must comply.
  • If you are a US or non EU site that has any EU based readers/followers/traffic, you must comply.
  • If you do not sell a product on your site, but offer freebies or giveaways, you must comply.
  • If you embed ad content, affiliate links, social widgets, etc. or any third-party apps, you must comply.
  • You must know your website better than ever—how everything works, and what drives each function.
  • You must know how to keep your site and your readers’ data secure, and know what to do if you have a breach.
  • You must be transparent about what you do on your site, why you collect data, and how you will use that data.
  • Your readers/followers must acknowledge/allow data to be collected before they can venture onto your site.
  • Penalties and fines for non-compliance will be steep.
  • Instead of having readers/followers opt-out of cookies/data, you must allow them to opt-in to your site.


Does GDPR Apply to Me?

As a professional blogger/influencer, you have a legitimate interest in collecting data on your readers/followers as a core part of running your business.  If you make money from your blog, in the form of sponsored content or products, ad revenue, link sharing, or even the sale of a product (including e-books), you must conform to GDPR regulations.  Even if you do not make money, but offer any kind of goods and services, such as any type of giveaway, sweepstakes, coupon sharing, or freebies, a free e-book for signup, or any place where you collect personal data, you may have to comply.  If you collect any type of data from your readers/followers, including but not limited to name, email, address, phone, demographics, IP address, security tools, and even comments, you may have to comply.  If you use any third party apps and data processors, including Google Analytics, ad network links, social media sharing, social media scheduling, mailing list companies (think Mailchimp/Constant Contact), hosting companies, and others, you may have to comply.

Notice I say that you may have to comply?  This is where it gets tricky.  If you are a US, Australian or Canadian-based blogger (or a blogger in another non-EU country) and you are only targeting US/Australian/Canadian readers/subscribers and offering goods and services to people in US or Canadian dollars, you are not intentionally targeting EU based consumers.  In this case, a transparent privacy policy and a pop-up allowing readers to opt-in to your site may be enough to show clear intent.  But…if you are a US/Australian/Canadian (or other non-EU country) blogger and you receive international traffic, including from EU-based countries, and you have EU-based consumers on your existing mailing/subscriber list, and you have ads on your site that can reach other countries, you must comply with all the requirements.

Example:  Let’s say you are a US-based blogger, but you write your blog in German, and sell e-books and accept Euros as payment for your e-books.  You are actively targeting/selling to German-based residents (an EU country) and have existing German residents on your mailing lists.  You must follow all the steps to become EU compliant, including mailing list re-opt-in…even if you are sitting in Nebraska running your business.

Another example:  You are an Australian-based travel blogger.  Not an EU country.  Cool.  You offer a free e-book for subscribers on becoming digital nomads all over the world, with a form for them to sign up for your newsletter in exchange.  Many of your subscribers are based out of Australia and the United States, but you also have Great Britain and Switzerland subscribers. Even though you are not taking any money for your e-book, you are collecting personal data from your subscriber list, and you are collecting cookies and Google Analytics data on your traffic.  You will have to comply with all sections of GDPR regulation.  Any blogger, anywhere in the world, even in non-EU countries, who collects any personal data on their readers/subscribers must comply.   According to Article 2, Section 1:

  1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

Nutshell:  If you are making money from your site and/or offering goods and services and collecting data, and there is even a hint that any of your readers/subscribers are from EU-based countries, this regulation applies to you.

What Countries Are European Union Members?

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • United Kingdom (until March 29, 2019)
  • European Economic Area countries (Iceland, Liechtenstein, and Norway)

I Am Overwhelmed!  What Do I Do?

First, take a deep breath.  This is not as bad as it seems.  Once you do what is required to be compliant, you are done…for the most part.  And, for what it is worth, almost everyone else has to do it too.

Here are the key components of what you need to do, but please read on, as there are stipulations to many of these…

  • You must have an opt-in on your site the moment your reader hits your site.
  • You must disclose to your readers what data you are collecting and why.
  • Your disclosure statement/privacy policy must be easy to read and understand.  No vague legal mumbo-jumbo.
  • You must take measures to ensure that your site is protected/secure and that the data collected is protected/secure.
  • If you have a breach of data, you must inform your readers within 72 hours of breach or risk a fine.
  • You must check all your third party apps to make certain they are compliant.  (See our list)
  • Update your Google Analytics compliance (see below).
  • You must disclose in your privacy policy/disclosure what third party apps you are using, why, and that they are compliant (to the best of your knowledge.)
  • If you collect data on health, race, religious beliefs, or genetic data, and/or you have a staff of more than 250 employees, you must appoint a separate data collection officer.
  • The regulation involves the “right to be forgotten”.  If your reader requests you delete their data, you must do so without question.
  • Make sure your newsletter/marketing automation is GDPR compliant and have existing subscribers re-opt in.
  • Verify that none of your readers is under age 16, and if they are, you must receive parental consent for them to be on your site.

Let’s Break It Down

Opt-In On Your Site

As a legal business, you are entitled to collect data to maintain your business, but to comply with GDPR, you must have an opt-in option on your site that your readers see immediately upon arrival, advising that you collect data, what data you collect, and you must receive approval from your readers (known as affirmative consent) to collect this data before they can access your site.  This can be done in the form of a pop-up, but unlike previous disclosure pop-ups, this one must allow your reader to opt-in with acknowledgement of collection of data, not opt-out.  It must also state that you use third party apps (if you do), and that those third-party apps are GDPR compliant. Note:  All opt-in forms must have blank check boxes.  You cannot have a pre-checked box that your reader/subscribers have to physically change.  Here is an example of what your opt-in may look like:
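The rules in the paragraph above (boxes start unchecked, nothing is collected until the reader affirmatively opts in, and consent is for the data you actually named) can be enforced in code rather than left to a pop-up’s wording. The following is an added example, not code from this post or from any of the plugins listed further down: a small JavaScript consent gate that keeps third-party scripts queued until the reader ticks the matching box. The category names (analytics, advertising, social), the localStorage key, the form id and the script URL are all assumptions for the example.

```javascript
// Added example: an opt-in consent gate for third-party scripts.
// Rules implemented: every box starts unchecked, nothing loads until the
// reader affirmatively opts in, and a stored consent is honoured only if it
// was given against the current policy version.
// Category names, storage key, form id and script URL are assumptions.

const CONSENT_VERSION = 1;          // bump when the privacy policy or categories change
const STORAGE_KEY = 'gdpr-consent'; // assumed localStorage key

// Every category starts false: a box the reader never ticked is a refusal.
function defaultChoices() {
  return { analytics: false, advertising: false, social: false };
}

// Build a consent record from form input. Only a literal `true` counts as
// consent; "on", "yes", 1 or a missing field are all treated as refusal,
// so a pre-filled or pre-checked form can never grant consent by accident.
function buildConsentRecord(input, now = new Date()) {
  const choices = defaultChoices();
  for (const category of Object.keys(choices)) {
    choices[category] = input[category] === true;
  }
  return { version: CONSENT_VERSION, givenAt: now.toISOString(), choices };
}

// A stored record is usable only if it matches the current policy version
// and actually carries a choices object.
function isCurrentRecord(record) {
  return Boolean(record)
    && record.version === CONSENT_VERSION
    && typeof record.choices === 'object'
    && record.choices !== null;
}

function isAllowed(record, category) {
  return isCurrentRecord(record) && record.choices[category] === true;
}

// Holds third-party loaders and runs each one only once its category is allowed.
class ConsentGate {
  constructor() {
    this.record = null;
    this.pending = []; // { name, category, load }
    this.loaded = [];  // names of loaders that have run
  }

  register(name, category, load) {
    this.pending.push({ name, category, load });
    this.flush();
    return this;
  }

  // Apply a consent record (or null/stale record to block everything not yet loaded).
  apply(record) {
    this.record = isCurrentRecord(record) ? record : null;
    this.flush();
    return this.record;
  }

  flush() {
    const stillPending = [];
    for (const entry of this.pending) {
      if (isAllowed(this.record, entry.category)) {
        entry.load();
        this.loaded.push(entry.name);
      } else {
        stillPending.push(entry);
      }
    }
    this.pending = stillPending;
  }
}

// Browser wiring (skipped when run under Node). Assumes a <form id="gdpr-consent">
// whose checkboxes are named after the categories and are unchecked in the markup.
if (typeof document !== 'undefined' && typeof localStorage !== 'undefined') {
  const gate = new ConsentGate();
  gate.register('analytics-tag', 'analytics', () => {
    const s = document.createElement('script');
    s.src = 'https://example.invalid/analytics.js'; // placeholder for the real tag URL
    document.head.appendChild(s);
  });
  gate.apply(JSON.parse(localStorage.getItem(STORAGE_KEY) || 'null'));

  const form = document.getElementById('gdpr-consent');
  if (form) {
    form.addEventListener('submit', (event) => {
      event.preventDefault();
      const input = {};
      for (const category of Object.keys(defaultChoices())) {
        const box = form.elements[category];
        input[category] = Boolean(box && box.checked); // unchecked box -> false
      }
      const record = buildConsentRecord(input);
      localStorage.setItem(STORAGE_KEY, JSON.stringify(record));
      gate.apply(record);
    });
  }
}
```

Two design points worth noting: the record carries a version number, so changing your privacy policy or adding a category invalidates old consent and the banner is shown again rather than silently reusing a stale answer; and `apply` can only stop scripts that have not loaded yet, so a withdrawal of consent after a tag has already run needs a page reload to take effect.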

Disclosure/Privacy Policy For Your Readers

The regulation states that you must not only disclose to your readers that you are collecting data and why, but you must do it in clear, transparent, and easy to understand language.  Write your privacy policy as if you are talking to your readers in person.   The key points of your disclosure/privacy policy must include:

What data are you are collecting, who is collecting the data, and why:

You must advise your readers/followers what kind of data you are collecting, who is collecting it, and why.  Make sure you are only collecting the data you need, nothing more.  GDPR defines personal data as “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.” (Article 4, Section 1)

For example, if you are collecting Google Analytics data, you should advise your readers that you use that information to operate your business and bring relevant information to your readers.  If you use a Mailchimp mailing list, you must acknowledge that you use that product to bring your readers up-to-date information about subjects they acknowledged interest in.  Be clear and honest with your readers.

Will this data be shared with anyone?

Will you share this data with blog networks, ad networks, public relations and ad agencies, or brands?  If so, state so in clear and concise language, acknowledging that you work with these blog networks, ad networks, public relations/ad agencies and brands as a normal function of your income producing business.

How will this data be stored?

You must disclose what measures you have taken to encrypt and secure your site and the data you are collecting, even with third-party apps. You must acknowledge in your privacy policy that you will keep your readers’ data secure (or your third-party apps will) and that if you have a data breach, you will advise your readers within 72 hours of that breach.  If you have any readers under the age of 16 (the EU age of consent), you must receive parental affirmative consent for that minor to be on your site.  If you collect any sensitive personal data (age, race, religion, medical, etc.) you will have additional requirements and need to speak to legal counsel.

What to do if there is a breach of data  

If you are taking measures to keep your site secure and your readers’ data encrypted, yet you have a data breach, you must advise your readers/followers within 72 hours of the data breach and acknowledge this in your disclosure/privacy policy or risk fines.

What to do if your readers wish to have their data deleted/removed

Your readers should feel secure knowing that if they ask, their private data can be given to them, or will be removed/deleted in a timely manner.  Make certain you have a section in your disclosure/privacy policy for “right to be forgotten” user rights and data deletion, should your readers ask, and make certain you have some type of data retention so if your readers ask for their information, you can show them what data you have on file for them. If you only collect data from a mailing list, you can easily send them a copy of their data.  If you collect additional information, you will need to use a plugin such as

What third party apps do you use and why?

You must list all the third-party apps/plugins you use that collect data or collect cookies, and you must state that you have verified these plugins as GDPR compliant (to the best of your knowledge).  What is considered a third party app?  The following is an example of some of the apps, but by no means covers all of them:

  • Google Analytics
  • Embedding links from blog networks
  • Brand website and social media links
  • Facebook Pixels
  • Email Opt-ins
  • Comments
  • Cookies
  • If you sell products or services (Ebooks, Etsy, Ebay, etc.)
  • Payment processing (Paypal, Stripe)

Mailing List/Newsletter Re-Opt-In

This one is going to sting a little.  Before May 25, 2018, you must send your mailing list subscribers an email or newsletter message advising them that they will have to re-opt-in onto your mailing list.  If they do not re-opt-in, you must remove them from your database.  Note: Before you start hyperventilating, there is a catch.  If you are a US or Canadian based blogger, and you are 100% certain that every person on your mailing list is US or Canadian based and not a resident of an EU country, you do not have to have your existing subscribers re-opt in. Yay! You must, however, have your mailing list submission form GDPR ready so that if you receive any future subscribers from EU-based countries, you are compliant.

For those who are not 100% certain your subscribers are US or Canadian based, or bloggers who live in EU countries, you will have to have your subscribers re-opt-in.  I know many of you are worried about losing existing subscribers (I am too!) but this is a requirement.  You must clearly show that your subscribers freely choose to opt-in to your mailing list and newsletter services.  It totally sucks, but look at it this way:  You are a professional.  You respect your readers and take their data privacy seriously.  You run an honest, respectable business; you are not a slouch who sells that data to Russian operatives or lets weird third party apps like Cambridge Analytica use their data for nefarious reasons.  You collect their name, email, and IP addresses for the growth of your business and to send your readers awesome new content.  Disclosing this and allowing your readers to re-opt-in is as much for their benefit and security as yours.  Honesty is truly the best policy here, and I am sure the majority of your readers will appreciate the efforts you have made to protect their privacy.

Fortunately, third-party newsletter/marketing automation platforms have made the task of opt-in a bit easier.  The following are third-party email marketing platforms that are confirmed GDPR compliant and have tools to help you re-opt-in your subscribers:

Some Misinformation

There is so much “out there” about this issue, it can be hard to decipher what is real and not real.  Here are a few examples of false information and unrealistic solutions.

#1  I recently had someone tell me they would just geo-block people from European Union countries from their site.  She is an international travel blogger.  Take a look at the list of European Union countries below, then tell me how difficult it would be for a travel blogger to block people from those countries.  82% of her readers come from the US, but her top five countries are Canada, Australia, Great Britain, and France.  Two of those countries are EU countries.  I don’t know about you, but I don’t want to lose those followers.  Plus, if she ever wants to work professionally with any hotels, tour companies, or CVBs from those countries, she should never block them, right?  RIGHT!

#2   A blog associate mentioned that all she had to do to be compliant with GDPR was to turn off her comments.  Wrong.  She has Google Analytics set up on her site.  She has affiliate links on her site, which may be seen by EU readers.  Even though those tools are third party apps (which also must be compliant), because she is the owner of her site, she must take steps to ensure her own site is compliant and protect her readership.

This is so freaking confusing, isn’t it?  I’ve been studying this for a year and my head still spins!

The Implications

The European Union is threatening GDPR non-compliance with stringent fines of up to EUR 20 million or 4% of your annual income, whichever is higher.  So…it does not matter if you are a Fortune 500 company or a small blogger who makes $25,000 a year,  you could still receive stiff penalties.

I know what you are thinking.  “I am a little blogger, they will not come after me.”  or “I live in the US, they cannot enforce fining me!”   Wrong.  I don’t have particulars on the logistics of how they will come after US-based businesses, but the European Union is relying on international law to enforce this regulation.  Because the EU and US government are allies, they may invoke the US government to enforce this regulation and collect fines.  Do you really want to take that risk? Plus, there is rumor that the United States will implement similar regulation, so it is best to be prepared for whatever may happen.

Third Party Apps & Compliance

The task of determining whether your third-party apps, plugins, hosting companies, etc. are compliant can be overwhelming.  Honestly, in researching plugins for this article, it was difficult to find a lot of information out there.  Companies are not ready yet….but they do still have a few weeks.  I think everyone is just scrambling, just as you and I are.

The following is a list of popular third-party apps and plugins.  I will indicate if they are GDPR compliant or in the process of becoming compliant.  If a section is blank, I do not have an answer yet. Please refer to the links for more information, but be aware that it is your responsibility to make certain every plugin/app you use is compliant by May 25th, regardless of what is posted here.  I will update this list daily as I find out more information.    (If you find any apps/plugins that are compliant, please let me know.)

Contact Form 7:  (Working on compliance?)  They state that they do not keep data within their database, and if you use a tool such as Flamingo to store the data, it is up to Flamingo to be compliant.  See their statement https://contactform7.com/tag/gdpr/

Facebook:  (Working on compliance) https://www.facebook.com/business/gdpr

Flamingo:  ?

Google Analytics:  (Compliant) They are not only compliant, but offer bloggers an easy way to make their GA data secure and compliant.  Refer to the following instructions to set up your Google Analytics data retention guidelines: https://support.google.com/analytics/answer/7667196

Google Adsense:  (Compliant) Adsense advises publishers to add the following link to the Google Adsense section of the third-party apps on their privacy policy.  Make sure you add this to yours so your readers can determine which option they want for ads.  https://www.google.com/policies/technologies/partner-sites/ 

Instagram: (Working on compliance?)  They send you to Facebook.  There is rumor that Instagram will have a tool so you can download your data.  https://help.instagram.com/2000935033561463

Jetpack & Other Automattic products:  (Working on compliance): Jetpack, WooCommerce, Vaultpress, Longreads, Akismet, Gravatar, and other Automattic products are currently working toward compliance.  https://en.support.wordpress.com/automattic-gdpr/

MediaVine: (Working on compliance) I am not a MediaVine user but am impressed that they address this so clearly.  Many of the other sites are still talking double-speak.  https://www.mediavine.com/gdpr-what-you-need-to-know/

Pinterest:  (Working on compliance) https://help.pinterest.com/en/articles/terms-service-update

SiteOrigin Page Builder:  Does not collect personal data for users on the front end.

Social Warfare:  This is an exact quote from Dustin at Social Warfare:

Social Warfare does not collect ANY personal data from the people who visit your site and click on a share button. Our buttons are merely utilizing the 3rd party share APIs of the respective networks. As soon as someone clicks a Social Warfare share button, everything that occurs after that click is handled by the social network’s API.
Our UTM tracking feature merely adds a string to the end of a shared URL so that Google Analytics can record that traffic data–Warfare Plugins does not receive, record, or track ANY of that data.

Our click-tracking feature is merely a Google Analytics event, which, again, is recorded by Google Analytics, not Social Warfare.

So it is without question that Social Warfare has full compliance with GDPR because we don’t track a single thing.

Sucuri:  (Working on compliance)

Twitter:  (Working on compliance) https://gdpr.twitter.com/en.html

W3 Total Cache:

WordPress:  (Working on it, close to compliance) WordPress will have new tools to help bloggers with compliance too.   https://wordpress.org/news/2018/04/gdpr-compliance-tools-in-wordpress/


Wordfence:

Yoast:  (Working on compliance) Yoast is clear that they collect website data, not personal data.  Make certain your readers know you use Yoast and their policy on data collection.  https://kb.yoast.com/kb/gdpr/


Tools to Use

The following are a few tools to help with GDPR.  Note: None of these is an all-in-one solution.  Also, while I offer them as suggested tools, it is your responsibility to make certain they comply with GDPR regulation.

My checklist:  This is a checklist to determine if you need to comply and what you need to do.  https://docs.google.com/document/d/1JsmzWz3KgiLDpj9MUPoGHZQy8FekDn9lEa94mXy3doY/edit?usp=sharing

My favorite GDPR cookie opt-in plugin:  Ginger Cookie https://wordpress.org/plugins/ginger/

WP Security Audit:  This plugin will make a log of everything that happens with your WordPress site and what data is being collected.  https://wordpress.org/plugins/wp-security-audit-log/

CookieBot Free Compliance Test:  This is not the end-all/be-all in compliance, but gives you an idea of the cookies your site uses. https://www.cookiebot.com/en/

EU Cookie Law:  This plugin helps with cookie consent, including an option to lock scripts before consent.  https://wordpress.org/plugins/eu-cookie-law/

Ginger:  Another cookie consent plugin.  This one keeps a log of the consent. (Nice!)  https://en-gb.wordpress.org/plugins/ginger/

GDPR Personal Data:  This plugin allows your readers to access the personal data you are collecting on your site. https://wordpress.org/plugins/gdpr-personal-data-reports/

GDPR Plugin:  This plugin is the best I have found to assist with GDPR compliance.  https://wordpress.org/plugins/gdpr/

GDPR Cookie Compliance:  This plugin helps with the cookie consent portion of the regulation.  Do not use this as stand-alone GDPR compliance, as it does not cover your privacy policy requirements. https://wordpress.org/plugins/gdpr-cookie-compliance/

One Trust Cookie Plugin:  I have not personally used this, but it is recommended by several data privacy advisors, and I will likely use this for some of my clients’ sites.  There is a free version, and several paid options for larger or multi-sites.  https://onetrust.com/products/cookies/

SEQLegal Free Privacy Policy Template:  This is the best free privacy policy template I have found, and it can be customized for your needs.  This does not replace GDPR legal counsel regarding your privacy policy, so if you have any questions or concerns, please seek legal advice.  https://seqlegal.com/free-legal-documents/privacy-policy

ICO Self-Assessment Tool:  If you are a UK-based blogger (only), use this tool to see if you must comply with GDPR requirements.  https://ico.org.uk/for-organisations/register/self-assessment/

Data Security Breach Response Tool Kit:  Though this is made for larger businesses, this is still useful to help your blog business prepare for a data breach. https://iapp.org/resources/article/security-breach-response-plan-toolkit/#

WP GDPR – This plugin has add-ons that work with Gravity Forms, Contact 7, Woo Commerce, and Flamingo.  (Recommended by others, but untested by me) https://wordpress.org/plugins/wp-gdpr-core/

Ten Tools Every Successful Blogger Should Use:  If you need help getting your site optimized, use these ten suggestions.  https://acorkforkandpassport.com/ten-tools-every-successful-blogger-should-use/

Does My Website Use Cookies:  Information on what cookies are and how they are used on your site. http://cookielawinfo.com/does-my-website-use-cookies/

Final Thoughts

The European Union is not out to hunt down people (I hope); they just want to keep identifiable data for residents of their countries safe and secure. As an online website and/or business, if you can make a “good faith” effort to show that you have taken measures to be compliant, you should be fine.  You may not get everything correct because there are so many intricacies, but if you have made a conscious effort to comply and can show proof of that effort, you have met the requirements of GDPR.

What’s Next?

One of the key components of GDPR is having a secure site.  Although my Ten Tools post (see above, under tools) covers security a bit, in my next post I will outline more ways to lock up your site, to keep your and your readers’ data safe.

 

If you have any questions, please reach out and I will try my best to answer or find the answer for you!

Three-Day Step-by-Step Workshop

For those interested, I am doing a three-day step-by-step workshop for bloggers to get ready for $20.  https://goo.gl/forms/uBrlk89SUvITQo8b2   I also have a private Facebook group where we are talking about all things GDPR.  Find me on Facebook and I can connect you.

 


4 comments

Diana Hansen 05/14/2018 at 6:42 pm

Excellent information. Thank you for all your hard work with gathering this in one place and keeping it current. I am printing out the checklist and will get to work! I have been procrastinating some things with one of my newsletters and now I feel justified in the delay due to the re opt-in. lol

Julie Cohn 05/14/2018 at 7:25 pm

Thank you Diana!! ♥

Leigh Hines 05/14/2018 at 10:02 pm

Julie. Wonderful info. I got so overwhelmed I had to stop, but it will be my new bible. LOL.

Julie Cohn 05/14/2018 at 10:08 pm

Thank you Leigh! It is overwhelming, even for me.
