GDPR & What It Means For Bloggers.
Obviously I am not a lawyer and take no responsibility for the information in this post. This guide is written purely as advice based on my own understanding and research and it is entirely your responsibility to make your own choices and changes.
The GDPR deadline is looming and businesses and bloggers alike are panicking. This guide will hopefully put your mind at ease that it doesn't need to be the big ball ache everyone is claiming it is, and make it easy for you to implement the changes you need. I have already begun the steps to make my blog and businesses compliant with GDPR, and take it from someone who is likely collecting a hella lot more data than you are - it can be a few small changes that bring you up to date.
Here's my guide to GDPR and what it means for bloggers for the complete novice;
What is GDPR?
General Data Protection Regulation, or GDPR for short, is an EU regulation governing data protection and people's personal information. It comes into effect next Friday, May 25th, and affects all companies, businesses, organisations, charities and anyone else that collects any kind of personal data about people in the EU. Whilst it's an EU regulation, the rules will still apply when the UK leaves the European Union, and the UK government is currently drawing up a very similar set of laws of its own.
It's designed to better protect the personal information of individuals and to replace and update the old data protection rules. The main focus of the change is to make it obvious what people are signing up to, clearer what information they are providing, and easier for them to request a copy of that information or have it deleted.
There's a great infographic designed by the European Commission that explains it in layman's terms which you can view here.
How does it affect bloggers?
If you've clicked on this post you're either just nosey and want to understand the changes better, or, more likely, you're a blogger yourself confused about what the rules mean for you and whether you need to do anything to comply.
Chances are, sorry, but you do. A lot of bloggers have assumed that because they make little or no money from their blog, or because they don't have a newsletter, the changes don't apply to them but soz, they do. Any website that collects personal data from its visitors has to comply, no matter what the purpose of the site, and there's a real chance your blog collects more data than you've realised.
If you have a mailing list, it applies. If you use Google Analytics or a similar traffic tracking system, it applies. If you allow comments on your blog, it applies. If you have advertisers on your blog, it applies. If you have a contact me form, it applies. If you use a third party widget like Bloglovin, it applies.
Why do you need to comply?
Short and sweet: it's going to be law. The maximum fine for non-compliance is a cool 20 million Euros (or 4% of worldwide annual turnover, whichever is higher) and sure, the changes are more important and more taxing for big companies and multi-million pound organisations, but even the smallest fish need to make sure they've made the appropriate changes.
The change is a good thing: it's going to protect consumers, protect data and be an all-round great thing - it's just a lot of admin. Most people have stuck their heads in the sand and now, with a week to go, we're all trying to get it done. Of course it's unlikely that on May 26th there'll be someone knocking on your door with a warning about your cookies banner, but it's best to make the changes, and make them soon whilst the information is hot off the press; it shouldn't take you too long.
So let's get into exactly what you need to do;
Cookies:
Cookies are small text files that a website stores in your browser and reads back on later visits, and nearly all websites use them. Some websites use loads, some hardly any at all, but there's a real chance you have them on your blog even if you've never given it a second thought. Cookies are used for things like remembering that someone is logged in or has set a preference, and, in the case of analytics and advertising cookies, recognising the same visitor when they come back so their visits can be tracked and that data stored.
Websites have been required to tell visitors about cookies since the 2011 EU cookie rules, but that requirement was widely ignored and lightly enforced. Under GDPR the standard for consent is much stricter, so it is now imperative you let your blog visitors know that cookies are in use and, as with everything under GDPR, it needs to be in their face.
If you don't already have a cookie banner at the top or bottom of your site, or as a pop-up when someone visits your site, you need to have one in place. Hopefully you will have seen my cookie banner at the top of my website and agreed to its use. A lot of blog platforms will make it really easy for you to insert a cookies banner. Squarespace for example, which I use, has a pre-built cookies banner (although it was a bit ugly and I edited its design with code) and WordPress has free plugins you can install.
GDPR is striving to stamp out the 'assumption' that consent is given - it needs to be explicitly given and you need to be able to prove it, so your cookie banner needs to adhere to that. In practice that means a banner saying 'by continuing to browse you agree' is not consent, pre-ticked boxes are not consent, and your analytics or advertising scripts should only start running once the visitor has actually clicked to accept, not before. There are plenty of templates for how to word your cookie banner and you can easily see examples on lots of other blogs, but you essentially need to spell out to your visitors: there are cookies used on this site for XYZ reasons, and by clicking X or I agree or Submit or OK (whatever your button is) you are agreeing to this data being collected. Strictly necessary cookies, like the one that remembers a visitor has already answered your banner, don't need consent.
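To make the 'no assumed consent' point concrete, here is an added example (not code from this post, nor from Squarespace, WordPress or any plugin it mentions) of a banner that records an explicit choice and only injects analytics or advertising scripts after the visitor has clicked accept. The policy version, storage key, script URLs and element ids are assumptions for illustration; the decision logic is kept in plain functions so it can be tested outside a browser, with the DOM glue at the bottom.

```javascript
'use strict';

// Added example: consent-gated loading of non-essential scripts.
// The decision logic is plain functions (so it runs in Node for testing);
// the DOM glue at the bottom only runs in a browser.
// POLICY_VERSION, CONSENT_KEY, the SCRIPT_REGISTRY URLs and the element ids
// are assumed names for illustration, not identifiers from any real platform.

const POLICY_VERSION = '2018-05-25';            // bump when the privacy notice changes
const CONSENT_KEY = 'blog_consent';             // localStorage key (assumed)
const ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1000;  // ask again after a year

// Every third-party script and the consent category it needs.
// 'essential' never needs consent; everything else waits for an opt-in.
const SCRIPT_REGISTRY = [
  { id: 'analytics', category: 'analytics',   src: 'https://analytics.example.invalid/tag.js' },
  { id: 'ads',       category: 'advertising', src: 'https://ads.example.invalid/ads.js' },
];

// The record that proves consent: which categories, which policy text they
// saw, and when. An empty category list records "reject all", so the
// visitor's choice is remembered either way and the banner is not re-shown.
function recordConsent(acceptedCategories, now = Date.now()) {
  return {
    version: POLICY_VERSION,
    at: new Date(now).toISOString(),
    expires: new Date(now + ONE_YEAR_MS).toISOString(),
    categories: Array.from(new Set(acceptedCategories)).sort(),
  };
}

// Consent only counts if a record exists (an explicit click happened), it
// was given for the current policy version, and it has not expired.
function isConsentCurrent(record, now = Date.now()) {
  if (!record || typeof record !== 'object') return false;
  if (record.version !== POLICY_VERSION) return false;
  if (!Array.isArray(record.categories)) return false;
  return Date.parse(record.expires) > now;
}

// Which scripts may run. With no valid record nothing non-essential loads:
// there is no "by continuing to browse you agree" path here.
function scriptsAllowed(record, registry = SCRIPT_REGISTRY, now = Date.now()) {
  const consented = isConsentCurrent(record, now);
  return registry.filter(s =>
    s.category === 'essential' || (consented && record.categories.includes(s.category)));
}

// Anything malformed in storage (edited, truncated, old format) means "no consent".
function parseStoredConsent(raw) {
  try { return raw ? JSON.parse(raw) : null; } catch (e) { return null; }
}

// Browser glue. Expects a banner element #cookie-banner with buttons
// #consent-accept and #consent-reject in the page template (assumed ids).
if (typeof document !== 'undefined' && typeof localStorage !== 'undefined') {
  const inject = record => scriptsAllowed(record).forEach(s => {
    const el = document.createElement('script');
    el.src = s.src;
    el.async = true;
    document.head.appendChild(el);
  });
  const stored = parseStoredConsent(localStorage.getItem(CONSENT_KEY));
  if (isConsentCurrent(stored)) {
    inject(stored);
  } else {
    const banner = document.getElementById('cookie-banner');
    const choose = categories => () => {
      const record = recordConsent(categories);
      localStorage.setItem(CONSENT_KEY, JSON.stringify(record));
      if (banner) banner.hidden = true;
      inject(record);
    };
    if (banner) banner.hidden = false;
    const acceptBtn = document.getElementById('consent-accept');
    const rejectBtn = document.getElementById('consent-reject');
    if (acceptBtn) acceptBtn.addEventListener('click', choose(['analytics', 'advertising']));
    if (rejectBtn) rejectBtn.addEventListener('click', choose([]));
  }
}
```

The important design choice is that the third-party `<script>` tags are not in the page template at all; they are created only inside `inject`, which runs only after a stored record passes `isConsentCurrent`. Changing `POLICY_VERSION` when you rewrite your privacy statement automatically invalidates old consent and re-shows the banner.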
SSL certificate:
Secure sites are all the more important under GDPR (it requires you to keep personal data secure, and encrypting the connection is the most basic step for anything with a comment box or contact form), so it's worth checking whether yours is. The easiest check is to type https:// in front of your website address and see if it loads over https, then type http:// and check that you are redirected to the https version rather than left on the unencrypted one. Chances are your site is already secure, and if it isn't it can be really easy to change. Squarespace for example gives you a free SSL certificate, but you need to make sure users are directed to it - for some reason mine was directing them to the less secure version, but it's literally the click of a button to change.
If you're not sure how to get an SSL certificate you can read this handy How To guide.
Third Parties:
Quite a lot of blogs use third-party widgets or add-ons that collect data on your behalf, and it would do you good to check what GDPR changes they are making and what they are doing to comply. Under GDPR these services are usually acting as your 'processor', which is why most of them are now asking you to accept updated terms or a data processing agreement.
If you use Bloglovin widgets that ask visitors to sign up with their email, if you use Disqus commenting, which collects commenters' names and email addresses, or if you use Google Analytics, which tracks traffic and user behaviour, then you are using third parties that all collect personal information.
Most of the time you won't have to do much yourself to get these third-party widgets to comply, as they're already making the changes themselves, but it's worth reading what they're doing to keep it legal and reviewing your own arrangement with them - I have included a link to each platform's GDPR information above. For Google Analytics in particular, accept the data processing terms in the admin settings and switch on IP anonymisation in your tracking code.
Passing on of information:
The passing on of information should basically stop when GDPR is enforced, unless the individual has given explicit consent to it. There's a real chance that your blog doesn't pass information on to other parties, but there are some circumstances where you might, or where you might have questions, so it's worth a mention all the same.
If you run a giveaway on your blog, for example, which is sponsored by a company, quite often they will ask for the list of emails of everyone who entered. This passing on of information is frowned upon under the new changes, and if you are required to give the information to the sponsor then you need to make it entirely obvious that entrants are agreeing to that. In this case you should make it clear on the entry form that entrants' information will be passed on to the company running the giveaway/competition, and that by entering the individual gives their explicit consent to that. There should be no hiding of information in the small print: it should ideally be the first thing they read, it should be repeated next to the submit/enter button, and if you can add a two-step consent (a separate, unticked box just for the sharing) that's even better.
However, in some cases information is acceptable to share, and that's when the data cannot be traced back to an individual. For example, lots of bloggers (myself included) share their monthly or yearly traffic figures on their website and in media kits that are passed on to potential clients. This is fine under GDPR because aggregate numbers don't identify anyone, and no attempt should be made to identify them. Be careful what counts as anonymous though: a raw analytics export with IP addresses, user IDs or individual visit histories is still personal data and shouldn't be passed on.
Mailing List:
Lots of bloggers have newsletters and mailing lists these days, and there are big changes when it comes to complying with GDPR. The idea behind mailing lists is that there has to be explicit proof that the user signed up themselves, knowing what they were signing up to and what they would receive from you. If there's even a whiff of a chance they didn't know what they signed up to, then you're breaching the rules.
If your subscribers had to confirm their sign-up (a double opt-in, where they click a link in a confirmation email before they are added) and you can prove their consent, then you shouldn't have to change much about your form. However, lots of people are suggesting you send everyone on your mailing list a re-permission email to update their preferences, let them know what data you hold on them and make doubly sure they know what they have signed up to.
If you had a mailing list who signed up to your monthly newsletter on fashion but you have lately changed it to fortnightly lifestyle content, then you do need to email them all again, explaining what you intend to send them and giving them the chance to opt in or opt out. There can be NO presumed consent, and they need to know what they have committed to with no grey areas.
If you have a mailing list from your blog's newsletter and then you decide to set up a freelance business and use that list to send marketing emails for it, you are in breach of the regulations: people consented to the newsletter, not to marketing for a different business.
If you have an old newsletter that you no longer send out, you need to delete the mailing list, including any exports or spreadsheets you have saved, until all traces of the personal data are removed; should you want to restart it, your subscribers would need to sign up again.
If you haven't got a mailing list but you decide maybe you'd like to start one, you need to make the sign-up process GDPR compliant. You need to outline exactly what you are offering, how often they will receive content from you, what you'll be sharing (newsletter, marketing, giveaways etc.) and how you will use their data. Use a double opt-in: the sign-up form, then a confirmation email with a link they must click, and keep a record of when and how each person confirmed. Make sure the unsubscribe option is very easy to find on every email you send.
Advertising:
Lots of blogs, myself included, have advertisers who pay to sit in your sidebar and be promoted by you. You would not believe the amount of personal data you hold on your advertisers when you think about it: names, email addresses and blog URLs, social media handles and, in lots of cases, even payment information.
If you do have advertisers you need to get in contact with them and outline exactly what information you hold, how you use it and how you secure it. You need to gain consent to store that data, make it easy for them to request its removal, and secure any spreadsheets or invoices you hold for them (a password-protected or encrypted file that only you can open, not a shared folder open to anyone with the link).
For any future advertisers you will need a form that tells them what information you require, how and why you store it, and gains their explicit consent for that. My advertisers will be receiving this information from me in the next week.
Privacy Statement:
The single most important GDPR change you need to make, in my opinion. Privacy statements on websites have always held weight, but now it's essential under the new regulations that you have one and that it's clear and easy to find for visitors to your blog.
You can read my privacy statement here; it's easily available on my blog, plus made obvious on my cookies banner and in the footer of every page of my site. There's also another link on every comment form to make it crystal clear what my site uses and what data it holds.
Every blog should now have a privacy statement which is easy for visitors to find and clearly outlines your data collection. There are a million and one templates for creating a GDPR compliant privacy statement; the best one I found is this one from Thrive, but you can also have one generated for you via Iubenda.
You should essentially outline;
- Your use of cookies.
- What third party services you use.
- What data you hold, how you hold it and how long you keep it.
- Who you share it with.
- The visitor's right to request, view and delete their information, and how to contact you to do so.
So there we have it, a (hopefully) easy to read and understand GDPR guide for bloggers, covering the changes you need to put in place and the checks you need to make. If you also run a business on the side of your blog, for example an Etsy shop, a freelance copywriting business or photography, you need to make sure they are compliant too.
If you have any questions, or think I should have covered something else, please don't hesitate to email me or DM me and I'll try to help in the best way I can! It needn't be scary or too much hassle, just a few changes to make sure you're tip-top legal and protecting the people who visit your site.
So, last reminder, what's your GDPR checklist as a blogger?
- Update your cookies banner.
- Check your SSL certificate.
- Write your privacy policy.
- Research your third party providers.
- Update your mailing list.
- Contact your advertisers.
- Put in place GDPR compliant sign ups for future advertisers/collaborators/mailing list subscribers.