Disclaimer: I am not a lawyer and this is not legal advice. This is my interpretation of what I have read so far. However, I am not a lawyer or a legal expert and as such I cannot be held liable for any advice taken from this article.
There’s a very hot topic going on around Europe these days: the General Data Protection Regulation, GDPR for short, a new law that will be enforced starting 25 May 2018. It will affect everyone who deals with the personal data of EU citizens, and yes, that means mailing lists, cookies and tracker data from services like Google Analytics. This is not my usual topic on the blog, but since most of us bloggers will be affected, I believe it’s important. I’ve also been working closely on the GDPR with a company I work for, so I know a few things about it and wanted to share them with my blogger friends.
What is the GDPR?
The GDPR is a law that will replace the current Data Protection Directive. Its aim is to give individuals back control over their personal data. It will apply to everyone processing the data of EU citizens, and processing includes your mailing list, the comment section on your blog, the cookies your website stores and the data you retain through Google Analytics. So even if you are a blogger based in the US, if you have an audience from the EU (and most of you probably do), you’ll need to comply with the GDPR.
What data is covered?
Any data that can lead to the unique identification of a natural person is considered personal data and is covered by the GDPR: name, address, e-mail address, gender, birth date, and even IP address and some cookies. You think that as a blogger you don’t “process” such data? Think again. Are any of your readers or buyers from a country in the EU? Most websites will have such visitors, because it’s the Internet and it’s available to everyone. Also:
- Do you have a mailing list?
- Do you have a comments section in which you require a first name and an e-mail address?
- Are you using Google Analytics (or another form of analytics, like Hotjar etc.)?
- Do you have ads that store cookies on the user’s computer?
- Maybe you sell something on your website (even just digital products with PayPal as the only payment option)?
- Or do you have membership options on your website (free membership options included, since you’ll automatically collect at least a name and an e-mail address from the user)?
If you answered yes to at least one of the questions above, the GDPR applies to you.
Pay special attention to your data processors
As a blogger you will be a “data controller” and the plugin owner will be a “data processor”. Both have to be GDPR compliant and both have to answer when they are not. But as a data controller you are also responsible for how you choose your data processors. This also goes for your mailing list provider (e.g. Mailchimp, MailPoet, etc.), your analytics provider and so on. WordPress users in particular are tempted to add lots of plugins to enhance the functionality of the website. You need to make sure that the plugins you use are GDPR compliant.
For example, Mailchimp is already preparing tools to help with GDPR compliance, so check their website and see if you need to make any changes to your subscription form.
Lawfulness of processing
There are six legal bases that make data processing lawful according to the GDPR, and they are described in Article 6. Paragraph 1 of that article is quoted below.
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Most bloggers will find their legal basis in one of the first three cases – consent, contract or legal obligation. If you are a blogger who doesn’t sell any products, like me, then you’ll most likely go with consent.
Mailing lists, analytics and more all require the data subject’s consent. What exactly does this mean? Consent is defined in Article 4 of the GDPR as follows:
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Article 7 goes into more detail, with provisions that say you have to be able to demonstrate consent. Withdrawing consent has to be as easy as giving it. If a contract is made conditional on consent, the “freely given” requirement still has to be met. Finally, consent requests have to be clear and cannot be bundled with other matters. Consent can also definitely NOT be a pre-ticked box: the old trick of having “I agree” ticked in advance is no longer allowed.
Another example of “NOT like this” would be adding a customer who buys something to your mailing list automatically. You have to ask them separately whether they would also like to receive a newsletter from you. It would also be preferable to make sure your customers understand that if they say no, there will be no negative implications for the purchase.
If you have a mailing list obtained in a “not like this” way, you need to re-acquire consent. Otherwise, stop sending those people the emails after the 25th of May, or you risk a pretty big fine.
There are already a few tools available for cookie consent. I haven’t seen one as a WordPress plugin yet, but hopefully we’ll have one in the near future.
Types of cookies and what to do about them
There are a few types of cookies, and a user has to be able to choose which of them they agree to. For example, the cookies that are strictly necessary for the functionality of the website cannot be switched off, since the site wouldn’t work without them. They also do not store any personal data. Then there are cookies for performance and analytics. A visitor has to be able to switch these off. Yes, unfortunately, if they do you will not be able to properly monitor your website’s performance, and you will not be able to see who visits. A solution I have read about is to anonymize the IP addresses of your visitors. That way there is NO way of knowing who the visitor is, or even where they are from, so the data won’t be in the scope of the GDPR.
Another category is that of functional cookies. These are usually provided by third parties like Vimeo. A user has to be able to switch them off, but of course if they do, they won’t be able to use the tools from that third party. It’s also important that visitors can find the form they used to switch cookies on or off just as easily later, in case they change their mind. The functional cookies example should give you an idea why: maybe a visitor wants all cookies except the essential ones switched off. Then they realize they can’t view a Vimeo video that’s embedded on your website, so they may want to change their settings. Obviously you want to let them do this fast.
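To make the rules from the last few paragraphs concrete (strictly necessary cookies always on, analytics and functional cookies opt-in and switchable, a consent trail you can demonstrate, and IP anonymization for visitor data), here is an added example in JavaScript. It is not code from the original post or from any plugin or provider mentioned above; the category names, the shape of the consent record, the cookie name and the sample script list are all assumptions made for this illustration, and the IPv4 anonymization simply zeroes the last octet, which is one common truncation approach rather than the only one.

```javascript
// Added example (not the post's own code): a minimal consent model for the
// cookie categories described above. Category names, record shape, cookie
// name and sample scripts are assumptions made for this illustration.

// Strictly necessary cookies cannot be switched off; everything else is
// opt-in and defaults to "not consented" (no pre-ticked boxes).
const CATEGORIES = {
  necessary: { locked: true },
  analytics: { locked: false },
  functional: { locked: false },
};

// Build a consent record from the choices a visitor made in the banner.
// Unknown categories are ignored, locked ones are always on, and a timestamp
// plus the notice version are kept so the consent can be demonstrated later.
function buildConsentRecord(choices, noticeVersion, now = Date.now()) {
  const granted = {};
  for (const [name, meta] of Object.entries(CATEGORIES)) {
    granted[name] = meta.locked ? true : choices[name] === true;
  }
  return { granted, noticeVersion, grantedAt: now, history: [] };
}

// Withdrawing must be as easy as giving: flipping one category returns a new
// record and logs the change, so the trail stays auditable.
function updateConsent(record, category, value, now = Date.now()) {
  if (!(category in CATEGORIES)) throw new Error(`unknown category: ${category}`);
  if (CATEGORIES[category].locked) return record; // necessary cookies stay on
  const granted = { ...record.granted, [category]: value === true };
  const history = [...record.history, { category, value: value === true, at: now }];
  return { ...record, granted, history };
}

// Given the third-party scripts a page wants to load, return only those whose
// category the visitor agreed to; the rest must simply not be loaded.
function scriptsAllowed(record, scripts) {
  return scripts.filter((s) => record.granted[s.category] === true);
}

// Zero the last octet of an IPv4 address before it is stored (assumed
// approach; check what your analytics provider actually offers).
function anonymizeIPv4(ip) {
  const parts = ip.split('.');
  const valid = parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!valid) throw new Error(`not an IPv4 address: ${ip}`);
  parts[3] = '0';
  return parts.join('.');
}

// Persist the record in a first-party cookie so the choice survives reloads.
// Guarded so the file also loads outside a browser (returns false there).
function saveRecord(record) {
  if (typeof document === 'undefined') return false;
  const value = encodeURIComponent(JSON.stringify(record));
  document.cookie = `consent=${value}; Max-Age=${60 * 60 * 24 * 180}; Path=/; SameSite=Lax`;
  return true;
}

// Constructed sample: scripts a blog page might want to load.
const SAMPLE_SCRIPTS = [
  { name: 'analytics-tag', category: 'analytics' },
  { name: 'vimeo-player', category: 'functional' },
  { name: 'session-helper', category: 'necessary' },
];

// Walk-through: the visitor ticks only "functional", so the Vimeo player loads
// but analytics does not; later they withdraw it and only the essentials remain.
function demo() {
  let record = buildConsentRecord({ functional: true }, 'v1', 0);
  const first = scriptsAllowed(record, SAMPLE_SCRIPTS).map((s) => s.name);
  record = updateConsent(record, 'functional', false, 1);
  const second = scriptsAllowed(record, SAMPLE_SCRIPTS).map((s) => s.name);
  saveRecord(record);
  return { first, second, history: record.history };
}

console.log(JSON.stringify(demo()));
```

The point of keeping `history` and `noticeVersion` on the record is Article 7's "be able to demonstrate consent": if the wording of your banner changes, you can tell which version a visitor agreed to, and every withdrawal is dated. Gating script loading on the record, rather than loading everything and hiding the banner, is what actually stops the analytics or Vimeo cookies from being set before consent exists.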
I could probably go on for hours. Or write more posts on the subject. But since I’m not a legal expert, I don’t want to give people wrong advice so I’ll stop at this for now. If you have more questions/ideas or if you feel like something I wrote is not OK, please write it in the comments.
The GDPR is supposed to be looked at as an opportunity. I’ll admit that for now, as a blogger, I’m more tempted to see the downside: the extra work, the risk of not being able to know how many people access the website, and so on. I also think that many people who have never heard of this law will feel a tad confused when asked for consent for all the cookies or for extra marketing and e-mailing. But at the same time, as a data subject, I see the benefits as well. If the GDPR is properly enforced, we should be saying goodbye to unsolicited marketing e-mails, to our data being shared with companies we’ve never heard of, and more. Scandals like the one with Cambridge Analytica should become rarer and rarer.
What are your takes on the GDPR?
I hope you found some helpful tips in this blog post. If you did, please help us out by subscribing to our newsletter. Or, if you’re not the e-mail type, follow us on any of our social media channels or leave us a comment below.