There’s an important regulation coming into effect on May 25, 2018, for anyone collecting data from users in the European Union. It’s called the General Data Protection Regulation (GDPR), and you may need to be aware of it, even if you aren’t in Europe. At the very least, you must be aware of its existence and decide what you need to do.
First things first. I’m not a lawyer, and this is not legal advice. It’s an alert for you to find out what’s relevant to your situation. If you want legal advice on this, it would not be a bad idea at all to consult a lawyer. It may take time, however, for lawyers to know how GDPR will impact website owners in non-European countries.
What Is The GDPR?
The General Data Protection Regulation sets down rules on how companies are to handle people’s personal information. This includes information such as IP address, cookies, location data, name, and email address, but may include more information, depending on what you collect. Information collected must be voluntary – that is, visitors must be clearly informed of the data you collect and agree to it. The request must be in clear language.
You also have to allow users to request that their data be deleted.
It also includes some pretty stiff fines for companies that don’t comply: up to 4% of their global annual turnover, or €20M, whichever is greater.
In other words, they mean for this regulation to have some teeth. These fines are meant to be painful even for huge companies that have billions of euros in income each year.
Compliance can mean more than just taking someone off your list when they unsubscribe from your email list. If they want all of their information deleted, you must delete all of it. If they want to know what information you have on them, you have to share that information with them.
You also have to let users know why you want the data and how to opt out of data collection. Collection of data on people under age 16 requires parental consent.
If you want more detailed information, there are a number of sites with good writeups about GDPR, beyond the GDPR website, which may give you more details than you can handle. Try WTF Is GDPR, Stop whining, GDPR is actually good for your business, and Hubspot’s The GDPR Last-Minute Kit.
What Data Do You Probably Have As A Blogger?
As a blogger, you may have more data on your visitors than you think. Much of it will be quite generic – your statistics program that comes with your website hosting may tell you what IP address your visitors come from, and what pages they visited.
But you probably have more than that. It may be shared with third parties as well.
Do you use Google Analytics? Who runs your mailing list? What affiliate networks or ad networks are you a part of? These need to be revealed and included as a part of the consent you request.
Think about the comment section on your website. It probably asks for a name and email address at the very least, with an option to include a website link. That’s personal information right there. Of course, if you use Disqus or Facebook comments, you’ll have whatever rules they expect you to follow.
Should You Do Anything To Comply With The GDPR?
Many people outside the European Union are unsure if they need to do anything to comply with the GDPR, especially if they don’t get a lot of traffic there. The whole thing looks difficult to handle at this point.
Regardless of your need to comply, you should consider how you’re treating visitors’ data. Are you keeping it safe and using it only in the ways they expect you to?
I’m taking guidance from the various services I use. If Google needs me to put up a notice to continue using their services such as Analytics on my site, obviously I’m going to do it. Same for whatever is expected by the various affiliate networks and my email list provider. They’re far more exposed to risk than I am, so I expect them to know what is necessary. I also don’t want to lose these services. If they want me to comply, I will. I expect most of them to have requirements.
AdSense, for example, has already put out a request for publishers to link to Google’s Privacy & Terms page. It says, in part, “You are not required to seek consent for a user’s activity on Google’s sites (we obtain that ourselves when users visit our sites). We are asking only that you seek consent for your uses of our ads products on your properties.”
Google is also providing “a range of optional tools to help you with gathering user consent across your websites and apps.”
If you are targeting European users, you absolutely need to comply. If they’re an incidental part of your audience, you should have much less to worry about, although you may still need to keep an eye on how things go.
The challenge with compliance will be minimizing the number of popups about privacy. You know how much they annoy visitors. As things progress, I expect to see a lot of advice out there on how to get consent without annoying your visitors.
Can You Just Block European Users?
Some people have just considered blocking European users. It sounds easier for small businesses and blogs that get very little traffic from Europe. Why go through all the trouble?
The big reason I can think of to take the GDPR into consideration and act on it is that other countries may follow. Think about how outraged people have been over the use of their data with the Facebook and Cambridge Analytica scandal. People will want to have more control over how their personal data is used.
This means more countries may pass laws similar to the GDPR. It’s better to deal with it now. This may simplify things later.
Also, the GDPR is supposed to protect European citizens no matter where they are. If they’re traveling in another country and go online, their data is to be as protected as if they were at home.
Much of this falls into good business practice anyhow. You have to get explicit permission to subscribe someone to your newsletter, for example. You should be doing that anyhow. It is a good idea to have your website served over https rather than http, which is a recommendation from Google in general now, regardless of anything else.
What Tools Can Help?
Many of the big companies you may work with are coming out with tools to help businesses deal with the GDPR. It impacts them too, after all, and they’re bigger targets than you are. They want it done right.
If you use Google products such as Analytics or AdSense, they’re working on tools for you. Some affiliate networks, such as Commission Junction, are working on tools as well.
There are WordPress plugins that can help you with GDPR compliance. Here are a few. No doubt more are coming, and it will take time to determine which are the best. Note that these may not guarantee that you are fully compliant with GDPR. They should help, however.
GDPR – Helps with consent management, privacy preferences, rights to erasure and deletion of website data, data processor settings, data breach notification logs with batch email notifications to data subjects, and more.
WP GDPR Compliance – This plugin helps make Contact Form 7 (>= 4.6), Gravity Forms (>= 1.9), WooCommerce (>= 2.5.0) and WordPress Comments GDPR compliant.
Shariff Wrapper – Many social sharing buttons transmit visitor data as soon as they visit your website. Shariff Wrapper doesn’t. I would hope that soon all share buttons stop doing this, as social media sites are decidedly impacted by GDPR, but if you’re concerned, this is an immediate solution.
GDPR Personal Data Reports – Gives visitors an automated process to request and retrieve their personal data from your site. It also allows them to request data removal and anonymizes and deletes data as appropriate.
Surbma – GDPR Proof Google Analytics – Allows every visitor to accept or decline Google Analytics tracking.
Delete Me – Allows users to delete their own accounts on your WordPress blog.
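The common idea behind the Shariff Wrapper and the Surbma plugin above is that nothing is sent to a third party until the visitor opts in. Here is a small, added example (not code from the original post or from any of those plugins) of that opt-in gate in plain JavaScript: third-party scripts are only injected once the visitor has accepted, the choice is versioned so a reworded notice asks again, and anything malformed in storage counts as no consent. The storage key name, the in-memory storage stand-in and the tracker URL are assumptions for the demo; in a real page you would pass window.localStorage and domLoader.

```javascript
// Added example: opt-in gate for third-party trackers (analytics, share buttons).
// Storage and the script loader are injected so the logic also runs outside a browser.

const CONSENT_KEY = "tracking-consent"; // assumed storage key name
const CONSENT_VERSION = 1;              // bump whenever the consent notice wording changes

// Returns "accepted", "declined", or null when the visitor has not decided yet
// (or decided under an older notice version, which should be asked again).
function readConsent(storage) {
  const raw = storage.getItem(CONSENT_KEY);
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    if (rec.version !== CONSENT_VERSION) return null;
    return rec.choice === "accepted" || rec.choice === "declined" ? rec.choice : null;
  } catch (e) {
    return null; // malformed value: treat as "not asked", never as a yes
  }
}

// Persists the visitor's choice together with the notice version and a timestamp.
function recordConsent(storage, choice) {
  const rec = { version: CONSENT_VERSION, choice: choice, at: Date.now() };
  storage.setItem(CONSENT_KEY, JSON.stringify(rec));
}

// Loads the given third-party scripts only when consent is "accepted".
// Returns the URLs actually handed to the loader so the caller can verify.
function loadTrackersIfAllowed(storage, loader, scriptUrls) {
  if (readConsent(storage) !== "accepted") return [];
  scriptUrls.forEach(function (url) { loader(url); });
  return scriptUrls.slice();
}

// Constructed stand-in for localStorage, used for demonstration and testing.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: function (k) { return m.has(k) ? m.get(k) : null; },
    setItem: function (k, v) { m.set(k, String(v)); }
  };
}

// Browser wiring (not executed here): a real loader appends a <script> tag.
function domLoader(url) {
  const s = document.createElement("script");
  s.src = url;
  s.async = true;
  document.head.appendChild(s);
}
```

Wire the "Accept" and "Decline" buttons of your notice to recordConsent and call loadTrackersIfAllowed on every page load; until the visitor accepts, no analytics or share-button script is fetched at all.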
What Am I Doing?
I’m still figuring things out myself. My process has been delayed by a MAJOR family emergency that is taking tons of time. I plan to do something, but figuring out exactly what tools I will use will take some time. I’m watching for the tools developed by companies that I work with so that I keep up with their requirements. It may become good business practice in general anyhow.