What is GDPR?
In 2016, the European Commission approved a new General Data Protection Regulation (GDPR), which came into effect on 25th May 2018. In summary, the GDPR states that any website that collects or stores data related to an EU citizen must comply with the following:
- Tell the user who you are, why you collect the data, and how long it will be stored.
- Get clear consent before collecting any data
- Let users access/delete their data
- Let users know if data breaches occur
Under GDPR, personal data is any information relating to an “identifiable person.” This includes data such as name, ID number, location, ethnicity or political party. Data doesn’t have to be confidential or sensitive to qualify as “personal.” For most blogs, personal data could be collected via:
- Blog post comments data (name, email, IP)
- Analytics / traffic tools like Google Analytics
- 3rd party plugins
- Email signup forms
- Contact forms
- Location data logged by your web host
According to the GDPR, most bloggers are considered data controllers because they collect personal data, while data processors include services like comment plug-ins, web hosts, Google Analytics and more.
The key points of GDPR
“Lawfulness, fairness and transparency”
Under the GDPR, you must satisfy at least one of six criteria before your data processing is considered “lawful.” Consent, one of the most applicable criteria for bloggers, is where the user has specifically agreed, typically with a checkable box, that you may use their data in a specific way. Consent must be “explicit and freely given,” meaning that acquiring it must be simple and involve a clear “opt-in” action. For example, you would be in violation if you used pre-checked newsletter sign-up boxes when a user registers an account. Users must also be able to withdraw consent as easily as they gave it. The withdrawal mechanism should be visible, easy to understand, simple, and immediately available, for example, an email unsubscribe link. Withdrawals should be honored within 10 days under US law and within 30 days under EU law.
Even so, it can be lawful to process personal data without consent if it is in your legitimate interest as a data controller to do so. For example, in some situations, such as preventing fraud or restoring backups after a technical issue, it might be impossible to gain consent in advance.
“Fairness” means that the data is used reasonably, given your relationship with the user. If you are being transparent (see below) about how you will use the data, then most likely you will be using it “fairly.” Unfair examples would include hiding your identity, having lengthy legalese to hide the true purpose of data collection, and collecting data in an unethical manner.
With “transparency” you are expected to be open and honest about what data you collect and what you propose to do with it.
You must only use personal data for the specific purposes that you have declared. You may not collect data for one purpose and then go on to use it in a different way. For example, you cannot ask for an email address to post a comment and then start sending promotional emails to it, unless, when you ask for the email address, you make it clear that this is what you intend to do.
You can only collect the minimum amount of data needed to achieve the stated objective. If you wanted to send a newsletter to someone, you would need an email address and possibly a name, but collecting a phone number, mailing address, and income would be extraneous, and you would need to be clear as to why this data is needed to send newsletters.
You must take all reasonable steps to ensure that any data you collect is accurate and kept up-to-date. Risks to data privacy are increased when data contains inaccuracies. Thus, all inaccurate data should be corrected, addressed, or deleted immediately.
You can only hold personal data for as long as is needed to achieve the stated objective.
Data should not be retained for any longer than required to achieve the purpose for which you collected it. Also, keep in mind that if you’re still storing customer data that was collected many years ago, there is a high likelihood that some or all of the data is now inaccurate.
“Integrity and confidentiality”
You must process and store personal data in a secure manner. You are responsible for guaranteeing protection against unauthorized access, loss, alteration and disclosure.
Finally, individuals have certain rights under the GDPR that you must adhere to.
- A right to be informed: Gives a person the right to know what information is being stored about them.
- A right to access and portability: A person can request their information in an easily downloadable format at any time, as well as use or transfer the data to another service.
- A right to rectification.
- A right to be forgotten: Allows a person to request that the personal information held about them is completely erased.
- A right to restrict processing.
- A right to object.
- A right to fair treatment when subjected to automated decision making and profiling.
What happens if I don’t comply?
The maximum fine for non-compliance is 20 million Euro ($24m) or 4% of global revenue, whichever is higher. Higher fines can be imposed for a data breach. Even though a blogger being fined is extremely unlikely, the GDPR’s goal is to make the internet better and safer for everyone.
Who is responsible for GDPR?
Nearly everyone is responsible for complying with the GDPR. Even if you are not based in the EU, the GDPR can affect you. The law protects consumers inside the EU, regardless of where the data controllers are located. Thus anyone who starts a blog that is accessible to EU consumers might be affected by the regulation. Even if you are not a business, the law applies to you. The GDPR is about what you do with other people’s data, not about what type of entity you are. Anyone that collects personal data is considered a data controller, whether an individual, a group of people, or a business.
As a blogger, you might feel that you’re not collecting people’s personal data. However, you are responsible for complying with the GDPR if you are:
- Collecting Email Addresses
If you invite people to give you this information — such as on a mailing list sign-up or via an online contact form — then you have a responsibility for that data.
- Using WordPress (or Another Content Management System)
WordPress does many things for you automatically without having to configure it every time, some of which might include collecting personal data. Blog commenting, by default, requires a name and email address in order to comment and sets a cookie, all of which are considered personal data. Further, many plugins most likely collect some type of personal data.
- Using Any Type of Web Tracking or Profiling
Google Analytics, Facebook’s conversion tracking pixel, or Mailchimp tracking links all collect personal data.
- Using a Web Host That Logs Visitors’ IP Addresses
Your web server most likely is collecting IP addresses of visitors for security purposes, which is personal data as defined by the GDPR.
How Some Bloggers Can Avoid GDPR
The key factor in whether GDPR applies to you is whether or not you collect personal data. However, other factors can apply that may create an exemption. The GDPR has a “territorial scope” that depends on where your intended consumers are based. If your blog does not fall within GDPR’s territorial scope, none of the requirements or fines apply to you. If you are a blogger within the EU, then you are within the territorial scope. If you are outside of the EU but “offer goods and services to data subjects in the Union,” then you are also within the scope. (Keep in mind that blogging is considered a service by data regulators.) However, if you are targeting a non-EU audience, then you would be outside of the scope. For example, if you have a blog about “perks for New York City residents,” then you would be outside of the scope. However, a blog about traveling to New York City most likely would be within the scope, since EU residents would be among those who might travel to New York City.
What should I do to make my blog GDPR compliant?
Since GDPR applies to a majority of bloggers out there, you have a few options:
- Do Nothing (aka “Wait and See”)
As a blogger, you are unlikely to come to the attention of the data regulators unless you experience a specific data breach or someone makes a complaint. Doing nothing lets you see how rules are being enforced and how to be compliant in particular situations. However, you do open yourself up to a fine if you are hacked and have done little to comply with the regulations.
- Implement Some Quick Wins
- Complete GDPR Compliance
Ideally, full compliance is the best situation, although it might cost time and effort to implement.
Ways to comply with GDPR
- Hire a Lawyer
If you are unsure about your compliance, it’s always worth hiring a lawyer, even for a few hours, to review the issues specific to your situation. When assessing your possible financial exposure, a few hours of a lawyer’s time looks like great value.
- Review your WordPress site
WordPress Core is now GDPR compliant and it seems like Google’s Blogger will be soon as well. Other pieces of your site to review:
- Ensure that WordPress and all your themes and plugins are updated to the latest version. Enable automatic updates if possible. Remove plugins that are no longer maintained.
- Most plugins should be compliant; however, a simple way to update basic forms like contact or comment plugins is to add a required checkbox that lets users consent to the submitted data being collected and stored. Similarly, any type of email collection should provide an unsubscribe link and let users know what has been collected and how it is used.
- Check your third party APIs that might collect data. Some third party APIs might surprise you. For example, Google Fonts collects personal data.
- If you have concerns regarding a plugin you have running, check with the developer directly to see how they plan to handle GDPR.
- Encrypt Your Data / HTTPS
Part of the regulation requires personal data to be stored securely. While not explicitly recommended, it’s always smart to encrypt traffic (by using HTTPS), as you are responsible for protecting that data. As a positive side effect, your site will rank higher in search.
- Update Your Privacy Policy
Your privacy policy should:
- Outline what types of data you collect, what processors might need access to it, and how you intend to use it.
- Describe the cookies used on your blog.
- Detail data security measures.
- Show individuals what they are consenting to, how they provide consent and how they may withdraw their consent in the future.
- Explain the rights that individuals have over their data (see above)
A new privacy page feature was added in WordPress 4.9.6, which allows you to have a privacy page on your site and display it on login and registration. Alternatively, a simple tool like iubenda can be used for more complex sites.
- Be Clear on Consent
This will usually mean having checkable “consent” boxes on all sign-up forms. Things to consider:
- People must be able to know what they are consenting to.
- Consent must be given as an opt-in; do not use a pre-checked box. Any consent checkbox must be unchecked by default.
- You must only use the information gained for the reasons you gave when consent was given.
- Use “double opt-in” options if possible. Double opt-in requires the user to confirm their initial request before being added to your mailing list. It will also serve as a record of when consent was given.
- It must be as easy to withdraw consent as it was to give it. Unsubscribe links are standard fare on most email collection tools.
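As an added example (not code from the original post), here is a minimal Python consent store that puts the points above into practice: a consent box that counts as a refusal unless it was explicitly checked, the consent wording kept with the record as evidence, a double opt-in confirmation token, and a one-click withdrawal that takes effect immediately. The class and field names are hypothetical, and the store is in memory rather than a database.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Exact wording shown beside the (unchecked) box; stored with each record as evidence.
CONSENT_TEXT_V1 = "I agree to receive the weekly newsletter at this email address."
@dataclass
class ConsentRecord:
    email: str
    consent_text: str
    requested_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))  # link secret
    confirmed_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None

class NewsletterConsent:
    def __init__(self) -> None:
        self.records: Dict[str, ConsentRecord] = {}   # in-memory stand-in for a table
        self._email_by_token: Dict[str, str] = {}

    def submit_signup(self, form: Dict[str, str]) -> Optional[ConsentRecord]:
        # A missing or unchecked box is a refusal, never an implied yes.
        if form.get("consent") != "on":
            return None
        email = form["email"].strip().lower()
        rec = ConsentRecord(email, CONSENT_TEXT_V1)
        self.records[email] = rec
        self._email_by_token[rec.token] = email
        return rec  # caller emails a confirmation link carrying rec.token

    def confirm(self, token: str) -> bool:
        # Double opt-in step 2: the confirmation link was clicked.
        email = self._email_by_token.get(token)
        if email is None or self.records[email].confirmed_at is not None:
            return False
        self.records[email].confirmed_at = datetime.now(timezone.utc)
        return True

    def withdraw(self, token: str) -> bool:
        # Unsubscribe link: one click, no login, effective immediately.
        email = self._email_by_token.get(token)
        if email is None:
            return False
        self.records[email].withdrawn_at = datetime.now(timezone.utc)
        return True

    def recipients(self) -> List[str]:
        # Only confirmed and not-withdrawn addresses may be mailed.
        return sorted(r.email for r in self.records.values()
                      if r.confirmed_at and not r.withdrawn_at)
```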
- Offer Data Portability
Any site that collects data must also offer the user the ability to download it and take the data elsewhere. New features for data portability were added in WordPress 4.9.6. Site owners can now export a file with a user’s personal data as well as erase a user’s personal data.
- Stop Collecting Data You Don’t Need
The more data you collect, the more data you’re responsible for storing, protecting, and acquiring consent for. Do you need a mobile number to send someone a newsletter? If you can’t figure out why you’re asking for a particular piece of data, don’t ask for it. And if you have data that you don’t need (or can’t justify), now is the time to securely dispose of it.
- Check Your Google Analytics Configuration
Google recently launched data retention settings for Google Analytics, which give you the ability to set the amount of time data is stored before it is automatically deleted. You can quickly check your settings under Admin → Property → Tracking Info → Data Retention. In addition, to keep Google Analytics’ cookies non-intrusive, do not implement the User ID functionality (it is disabled by default), and take advantage of the anonymize IP function (also disabled by default), which hides part of visitors’ IP addresses when data is stored.
The GDPR is a pretty comprehensive regulation for privacy across the Internet. We can expect new cases, guidelines and information to appear, as these things are constantly changing. We will continue to monitor the GDPR, but most likely implementing the suggestions above will cover you against a variety of issues that could possibly arise. While the United States does not have any blanket privacy laws, the State of California has recently implemented a similar measure to GDPR, the California Consumer Privacy Act (CCPA), which, while it has some similarities to GDPR compliance, also raises some new issues. We will go over the CCPA in another post.