LEGAL DISCLAIMER: This is NOT legal advice and I am NOT a legal professional. I have simply combed through the many articles and information available on the issue of GDPR and have tried to summarize the main points as they relate to bloggers. As such, it is YOUR responsibility to further research this topic to ensure you and your blog are in compliance. If you are a blogger located in the EU, you will have additional criteria to meet.
GDPR – What the Heck is it?
This isn't gonna be a long one 🙂
Ok, now that we've got the legal mention out of the way – let's talk about this GDPR thing. General Data Protection Regulation (GDPR for those of us too lazy to say the whole thing lol) – is a regulation specific to the EU (European Union) that is meant to help keep the data of EU citizens safe and secure. While this specific regulation is related to EU citizens, data protection isn't a new thing. For those of us in the US, things like keeping passwords on documents containing Personally Identifying Information (PII) – things like email address, home addresses, phone numbers, social security numbers, birthdates, etc. – are all part of data protection.
The digital age has made it even more important that we ensure safeguards are in place to protect this data against hacks and other means. The EU has very strict compliance requirements for anyone who interacts with citizens of the EU and collects their information. The GDPR will take effect on May 25, 2018, so it is important that you take action now to prevent issues later (such as heavy fines and accounts being disabled.)
Who Must Comply
Since the terminology used in most articles on GDPR is written in a manner that seems only legal peeps can understand, you might think it doesn't apply to you. Most of what you read may indicate this is only for the “big players” like major companies with an online presence or companies who are based exclusively out of the EU. Based on my understanding of everything I have read, if you are a blogger, chances are this DOES apply to you (regardless of where you reside).
More specifically, if you have an online presence and do or use any of the following, you MUST be in compliance or face possible consequences:
- Use Google Analytics (or another analytic tracking program)
- Collect email addresses
- Collect credit card information (using PayPal or other payment gateways)
Even though you may not specifically target residents of the EU with your blog content, they may come across it via a search engine. If you are using Google Analytics and have cookies enabled on your site, you ARE COLLECTING THEIR DATA and must be in compliance with this regulation.
How do I Ensure GDPR Compliance?
In a nutshell, there are three main areas you must address:
- You must have a 'lawful basis' for collecting and processing the data.
- You must ensure you obtain consent in an obvious and transparent manner.
- You must ensure that you comply with the rules, protect the data, and be prepared to be held accountable.
Let's break this down:
1. You must have a 'lawful basis' for collecting and processing the data.
There are six basic categories that constitute a lawful basis. Consent would be the most likely legal basis for bloggers (in my opinion). Consent means that you can legally collect and process their data because they explicitly gave permission to do so. The important thing is that you are transparent about your legal basis and keep documentation of that consent (covered later in this post).
2. You must ensure you obtain consent in an obvious and transparent manner.
When you collect someone's personal information, you must be blatantly obvious and upfront about doing so. Assumed consent is not allowed. When asked to provide their email (or other information), they must be clearly informed of what they are subsequently agreeing to.
You should avoid the tactic of making consent a precondition of a service (such as joining your email list or downloading a freebie). You can still ask for emails as a means to grow your email list; however, there are specific requirements that need to be visible in those forms (discussed later in this post).
It is advisable that once you get everything on your blog in compliance (cookies, privacy statements, etc.), you send out an email to everyone currently on your email list to notify them of your new privacy controls and ask them to confirm one more time that they want to be on your list. Anyone who hasn't re-confirmed by the compliance date (May 25th) should be completely deleted from your system.
3. You must ensure that you comply with the rules, protect the data, and be prepared to be held accountable.
I've heard many newer (and some seasoned) bloggers say they'll take their chances because, in their opinion, this whole thing was meant for the “big players” like Yahoo, Facebook, and other big companies and the EU won't waste their time on us small fish. GDPR is going into effect and you should comply simply because it is the law. And if following the law and being truthful and upfront isn't your jam – maybe the possibility of 20M Euros will! Don't risk everything you've worked so hard for because of something you view as a hassle.
Specific action steps for bloggers
Like many of you, I am still reading up on all of this, but here are the basic things you need to start working on to be in compliance by May 25th, 2018. In addition to the items listed below, if you are a resident of the EU, you must also register with the Information Commissioner's Office (ICO) and pay the 35 Euros/year fee. I also want to mention that, although you may have received emails from your current service providers (email, hosting, plugins, etc.) that they are now GDPR compliant, that simply means they've ensured their own sites are now compliant and they have made upgrades to their products to enable you to use them in a compliant manner. For example, the ability to add a tickbox to an opt-in form. There are still things YOU must do to ensure your business is GDPR compliant.
In the event you are asked to show proof of consent, you must be able to do so. This can be done by showing proof of things such as your tickbox on opt-in forms, your disclaimer in your double opt-in confirmation email, etc.
Site Security: You must have proper security measures in place on your site. The biggest one of these is converting your site to https if you haven't already done so. Most hosting services provide added security either as part of their basic package or as an upgrade. If it isn't included in your current package, you need to invest the money into the upgrade. If your site is hacked and data is compromised, you will face the consequences.
Plugins: Ensure you delete unused plugins and keep active plugins updated.
Opt-in Forms/Lead Magnets: Ensure you make it clear on your opt-in forms that, by providing their email address, they understand you are adding them to your email list. You must also inform them of the exact nature of what you will be using their email for (monthly newsletter, blogging tips, sales on blogging resources, and other information specifically related to blogging and business). Ensure you provide a specific tick box for them to check authorizing you to do so. Also, ensure they can still receive the freebie item even if they don't confirm their subscription or they choose not to give consent by not checking the box.
As an example, I collect the names/email addresses of those who join my affiliate program. I give them the option to join my email list for affiliates, in which I will only send them correspondence related to being an affiliate. I then offer them the opportunity to join my regular email list to receive emails related to blogging tools and resources. I can't send them general blogging tips if they only opted into the affiliate email.
Giveaways: When conducting giveaways, do not make consent to joining your email list a requirement to participate in the giveaway. Once the giveaway is complete, ensure you delete their information from the giveaway program. Do NOT add their email to your subscriber list if they didn't give explicit consent. If you are hosting a giveaway in partnership with a brand or other third party, do NOT share participants' personal information with the third party without explicit consent. When advertising the giveaway, you MUST address this matter up front. You must have the permission of the winner before sharing their information with the brand or third party AND you must gain consent before announcing their full name and/or social handles.
Contact Forms: Most contact forms ask for a name and email address because you will need a means to respond to the person submitting the form. Once you have responded to them, you should delete their information and most importantly DO NOT add it to your email list. Your only communication should be in regard to the specific message they sent you.
Blog Comment Settings: Stop requiring visitors to provide a name and email address in order to leave a comment. You can set up the form to have those boxes available, however, do not make them “required.” If using a comment plugin, ensure you have it set to where readers aren't required to “log in” with their WordPress account, social media account, or other means. If you are worried about spam get spam protection. If you are concerned with “comment trolls” then simply set your comments to require admin approval before showing on the blog.
Email Subscribers & Email
I know many of you might be freaking out over your email lists right now! Don't worry – this stuff sounds more difficult than it really is!
1. Ensure you have double opt-in enabled for all opt-in forms.
Since you can't make opting in a requirement to get your freebies, you should provide the link to download or access said freebie on the response screen after they enter their email. This normally says something along the lines of “Thanks for subscribing – please check your email to confirm.” You should still have that wording on it, but also provide the freebie item.
3. Ensure the Unsubscribe button is highly visible and not intermixed with other text or links.
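To make the double opt-in flow and the "re-confirm or delete" step concrete, here is an added example of a small consent ledger (this is illustrative code written for this post, not anything from a mailing-list provider; the class and field names are assumptions). A signup is only stored when the tick box was checked, the address stays pending until the one-time confirmation token is used, anyone still unconfirmed on the compliance date is purged, and a confirmed record can be produced as proof of consent.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import secrets
def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)
DEADLINE = utc(2018, 5, 25)  # compliance date stated in the post
@dataclass
class Subscriber:  # constructed record layout; field names are assumptions
    email: str
    purpose: str            # what the reader was told the address is for
    consent_text: str       # exact wording shown beside the tick box
    signed_up_at: datetime
    token: str              # one-time value placed in the confirmation link
    confirmed_at: Optional[datetime] = None

class ConsentLedger:
    def __init__(self):
        self._by_email, self._by_token = {}, {}
    def signup(self, email, purpose, consent_text, ticked, now):
        # Unchecked tick box -> nothing is stored (assumed consent is not allowed).
        if not ticked:
            return None
        token = secrets.token_urlsafe(16)
        self._by_email[email] = Subscriber(email, purpose, consent_text, now, token)
        self._by_token[token] = email
        return token
    def confirm(self, token, now):
        # Second step of double opt-in; an unknown or already-used token is rejected.
        email = self._by_token.pop(token, None)
        if email is None:
            return False
        self._by_email[email].confirmed_at = now
        return True
    def purge_unconfirmed(self, as_of):
        # Once the deadline has passed, anyone still pending is deleted outright.
        if as_of < DEADLINE:
            return []
        stale = [e for e, s in self._by_email.items() if s.confirmed_at is None]
        for e in stale:
            self._by_token.pop(self._by_email.pop(e).token, None)
        return stale
    def proof_of_consent(self, email):
        # The record you would produce if asked to show proof of consent.
        s = self._by_email.get(email)
        if s is None or s.confirmed_at is None:
            return None
        return {"purpose": s.purpose, "consent_text": s.consent_text,
                "signed_up_at": s.signed_up_at.isoformat(), "confirmed_at": s.confirmed_at.isoformat()}
```

The freebie link belongs on the signup response screen, independent of whether `confirm` is ever called, so delivery never depends on the reader joining the list.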
Under the transparency provisions of the GDPR, the information you need to give people includes:
- your intended purposes for processing the personal data; and
- the lawful basis for the processing.
Some of the other things you may need to include in your privacy notice include (but are not limited to):
- Identity and contact details of the controller (and where applicable, the controller’s representative) and the data protection officer
- Purpose of the processing and the lawful basis for the processing
- The legitimate interests of the controller or third party, where applicable
- Categories of personal data that you might collect
- Retention period or criteria used to determine the retention period
- The existence of each of the data subject's rights
- The right to withdraw consent at any time, where relevant
- The right to lodge a complaint with a supervisory authority
You must also provide prompt notice of any data breaches that may occur.
Again, I am NOT an attorney and this is NOT legal advice!! I have simply tried to summarize what I have taken from the resources currently available – as it relates to bloggers. As I find additional information, I will update this post and notify those on my Girl Bosses Rock email list. If you would like to join my email list, you can do so here. I use this list to send out tools and resources specifically relating to blogging and online business. You can also listen to this Podcast episode from Amy Porterfield where she interviews an attorney on the subject of GDPR.