GDPR for Non-EU Based Bloggers: The Definitive Guide
Elizabeth Stapleton

You have likely heard of the GDPR and the looming May 25, 2018 deadline. The General Data Protection Regulation, otherwise known as the GDPR, applies to most websites, and failing to comply could mean facing some serious financial consequences.

But what all do you need to do to comply?

To comply with the GDPR you need to do more than update your email forms: you need to be able to prove consent for the information you collect and provide your audience with the ability to access their personally identifiable information. (Don’t worry, I’ll explain what I mean by information you collect and personally identifiable information in a second.)

In this guide I’m going to walk you through what you need to know about the GDPR and how it affects your website, as well as the action steps you will likely need to take to ensure you are complying.

Keep in mind: This guide is for informational purposes only and does not constitute legal advice or form an attorney-client relationship between you and me. I am not liable for any losses or damages related to actions or failure to act based on the content of this website. If you need specific legal advice, consult with an attorney who specializes in your subject matter and jurisdiction.

This page may contain affiliate links. Meaning I receive commissions for purchases made through those links at no cost to you. Please read my disclosure for more information.

To get a better idea of what we’re talking about today check out the video below:

Contents

Chapter 1 

GDPR 101 - What It Means for Bloggers

Chapter 2

Your Options and the Consequences for Not Complying

Chapter 3

How GDPR Can Get You a More Engaged Audience

Chapter 4

How to Review the Data You Collect

Chapter 5

How to Comply with Your Privacy Policy

Chapter 6

How to Get Consent with Your Email Forms

Chapter 7

How to Get Consent with a Cookie Banner

Chapter 8

How to Prove Consent with The Tools You Use

Chapter 9

How to Provide Right to Forget or Right to Erasure

Chapter 1

GDPR 101 - What it Means for Bloggers


If you have a website that can be accessed by people located in the European Union, then yes GDPR applies to you.

You see, it doesn’t matter if your target audience isn’t EU residents. It applies to any company that processes information (I’ll explain more about this in a second) from someone located in the EU.

For example, an American studying abroad in France (so located in the EU) enjoys the rights and freedoms provided by the GDPR.

This means that pretty much every website needs to comply with the GDPR.

So it’s important to know what it is and which parts apply to bloggers, which is what I’ll be covering in this chapter.

The Basics

The GDPR aims to protect a person’s fundamental right to protection of their personal data and hold companies accountable for infringing on this right.

Unfortunately, big companies have not only had data breaches but have then failed to tell those impacted right away; sometimes they don’t tell people their data was compromised until years later.

Some examples:

  • Uber
  • Target
  • Equifax

The list could go on...and I’m sure as a consumer yourself, companies failing to inform you of breaches is frustrating to say the least.

The headlines necessitating the GDPR

Now, I know that as a blogger you care a lot about your audience and helping them as much as possible, and you’ve probably never had a data breach, but don’t you want your audience to know that you would never be shady like that?

Of course you do, so you want to be transparent with them in terms of the data you collect, how you collect it, what you do with it, and the reasonable measures you take to protect that data, which is really all the GDPR is asking you to do.

And yes the GDPR does mean you, even though you aren’t located in the EU.

The territorial scope includes the processing (aka collecting) of personal data of those located in the EU by those not established in the EU where it relates to the offering of goods or services, even if those goods and services are free (like say, offering a content upgrade).

It also applies to any monitoring of behavior that takes place within the EU, so for example, tracking their behavior on your site.

Now let’s dig in to some of the terminology I’ve been using so you can understand exactly what I mean.

What is “data”?

Straight from the GDPR:

“Personal data” means any information relating to an identified or identifiable natural person… such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

AKA information/data such as names, email addresses and IP addresses. If you’ve ever dived into the Audience section in Google Analytics, then you know you can see information like where users are based, their gender, interests, age, etc.

That is a lot of information, and while you may not be able to tie it to a specific person the way you could with someone on your email list, under the GDPR you still need to let your audience know that you collect it.

What does “processing data” mean?

From the GDPR:

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Basically, if you are collecting information by way of comment forms, email forms, or analytical tools (which are the most likely cases for bloggers), then you are processing data.

How does it apply to bloggers?

Hopefully at this point you understand that as a blogger you do collect and process data; now you need to make sure you are doing it legally under the GDPR.

There are six legal grounds for processing data:

  1. Where the data subject/person/user has given consent
  2. Where it’s necessary for the performance of a contract with the data subject/person
  3. Where it’s necessary for compliance with a legal obligation
  4. Where processing is necessary in order to protect the vital interests of the data subject or of another natural person
  5. Where processing is necessary for the performance of a task carried out in the public interest
  6. Where processing is necessary for the purposes of legitimate business interests, so long as they aren’t outweighed by the fundamental rights and freedoms of the data subject

The GDPR specifically states that “silence, pre-ticked boxes or inactivity” does not constitute consent.

Additionally, a person has the right to withdraw consent at any time and it must be as easy to withdraw consent as it was to give consent.

Necessary Data to Perform a Contract

You might be thinking that as a blogger you don’t enter into contracts with your audience, but in reality every time you make a sale you are agreeing to deliver the product; it’s a contract of sorts.

The same could be said for delivering a content upgrade.

It’s important to keep in mind that where data is necessary to perform a contract, that does not mean you can use the data for other purposes; for those you’d need additional consent.

For example, if someone buys a product, you cannot automatically add them to your newsletter email list. You would need them to consent to being added to the newsletter (don’t worry, I go over how to deal with this in Chapter 6).

Blogger Actions Impacted

At a glance the main things that are impacted are growing your email list, running ads, selling products, and analyzing traffic and conversions.

Keep in mind that in most instances where consent is required, if you didn’t ask for consent at the time you got the data, you’ll need to go back and ask for it again.

Growing an email list

Consent requires you to either reframe how you’re promoting your email list (with a focus on the newsletter rather than the content upgrade) or add a checkbox or double opt-in option.

Direct Marketing (ads)

If you like to run retargeting campaigns in Facebook (or other platforms) you’ll need consent to use the data in this way.

Analyzing Traffic and Conversion

A lot of the information gathered by Google Analytics may not intrude on an individual’s privacy; however, you’re still going to need to make sure visitors are aware you use such a tool. You’ll need a disclosure on your site (which you should have had already) and to notify them, usually via a cookie information banner (more on this later).

Selling Products

If you are collecting more than the necessary information to deliver your product, for example if you’re collecting a phone number as well, then you’ll need consent.

Bottom Line: 

  • GDPR applies to you if persons in the EU are able to access/enter information on your site

  • To legally collect data (from persons in the EU) you will need consent or demonstrate it’s necessary to perform a contract (like deliver a content upgrade)

  • Consent must be clear and demonstrated by an action, silence or pre-checked boxes do not constitute consent

Need even more help?

If after you finish the guide you find yourself needing some extra help, I've got you covered! Here's what's included:

  • Action Plan Checklist
  • Email scripts to send to current subscribers
  • Step-by-step video tutorials (using Convertkit, Thrive Leads, and WordPress)
  • The template for my privacy policy
  • How to adapt list building strategies to be GDPR compliant

Chapter 2

Your Options and the Consequences for Not Complying


Now that we established in Chapter 1 that the GDPR basically applies to everyone, you might be wondering what your options are in terms of complying.

You might also be wondering what’s the worst that could happen if you decided to ignore the GDPR; ignorance is bliss, right?

Wrong. The more you know, the better decisions you can make.

There have been lots of different options thrown around on how you can comply, and some rest on more solid ground than others; I’ll be covering them in this chapter.

Regarding consequences, while there are some potentially hefty fines, you might still choose not to comply simply because the likelihood of actually being caught might be low. I’ll also be covering what fines might apply and how enforcement is set up in this chapter.

Blocking Traffic from the EU & Why That’s Not a Great Idea

Pros:

  • Proactively avoiding GDPR

Cons:

  • Voluntarily minimizing your reach
  • VPNs can mask locations, making location-based blocking inaccurate
  • You are likely going to see other laws come into play that have similar requirements

Taking Action to Make Your Site Compliant

While it requires more work than just blocking EU traffic from your site (aka geoblocking), it’s likely your safest bet.

It’s also probably wise to take action now, as we’re likely to see more laws like the GDPR enacted in the future; if you’re eventually going to have to do it anyway, you may as well do it now.

Pros:

  • Minimizes your risk
  • Provides transparency to your audience

Cons:

  • Requires a little bit of work (like reading this guide)

Weighing the Consequences of Ignoring GDPR

Ultimately what action you take will depend on how willing you are to face the risks of noncompliance.

Fines

While infringing on certain parts of the GDPR carries a maximum fine of 10,000,000 EUR or 2% of total worldwide gross income, most of the sections that bloggers would be dealing with carry a much higher fine.

Infringing on the sections bloggers are most likely to be dealing with, such as consent, can be subject to a fine of 20,000,000 EUR or 4% of total worldwide gross income (whichever is greater). However, this is applied in accordance with another part of the GDPR, the proportionality part.

Proportionality

Pursuant to Article 83, paragraph 2, when deciding on the amount of an administrative fine, due regard must be given to:

  • The nature, gravity, and duration of the infringement

  • Whether the infringement was intentional or negligent

  • If there was any action taken to mitigate the damage suffered by data subjects (people)

  • The degree of responsibility, taking into account any technical or organizational measures that were implemented

Protect Your Assets

Because of the potential fines it may be a good idea to form an LLC or some other corporate entity to protect your personal assets. Talk to an attorney and an accountant to help you figure out which type of business entity would best suit your needs.

WilkMazz is an awesome law firm that works with creative entrepreneurs and can help you with business formation. They’re just like you, but lawyers.

Katherine from The Bookkeeping Artist is an accountant (but not like a regular accountant, she’s a cool accountant) that can help you figure out which business entity would be best. You can reach out to her through her website or via email at: Katherine@BookkeepingArtist.com

Bottom Line: 

It's probably best to make an effort to comply.

Chapter 3

How GDPR Can Get You a More Engaged Audience


One of the biggest concerns among bloggers is that the GDPR is going to severely limit their ability to build their email lists, since the old way of offering a content upgrade in exchange for adding people to your list is now out the window.

However, the GDPR is actually doing you a huge favor, because the people on your list are going to be far more engaged, which means an increase in conversions and a decrease in the cost of your email marketing service.

I’ll cover all of the benefits of GDPR for you in this chapter.

Requires You to Do/Be Better

Let’s get real: if someone has to actually say “yes, I want to be on your list” after getting your freebie, you’re going to want to make sure that freebie is so awesome they’d be crazy not to sign up for your list.

And since we know there are going to be some people that don’t comply and are still doing it the lazy bait-and-switch way, it’s going to make your content and freebies stand out even more.

Only the Best People for Your List

The people that end up on your email list are the ones that want to be there; they took action to make sure they ended up on your email list, which is awesome.

Because they want to be there they are going to be happy to hear from you.

It will likely lead to higher open rates, higher click rates, and more conversions. And more conversions = more money. Winning!

More Sales

As I already mentioned, more engagement = more sales, but that may not be the only way you’ll be making more sales due to changes you make because of the GDPR.

While it’s not clearly spelled out in the GDPR, one of the articles listed on the GDPR website seemed to imply that consent can be made a condition of receipt (e.g. receiving a content upgrade) if there is “sufficient incentive to justify such conditionality (e.g. that a cheaper service is being provided in exchange for consent)”.

So in theory, if you instead made your content upgrades cost money, for example $5, or offered them for free if they chose to subscribe to your list, you could potentially earn more from those choosing to just buy the content upgrade and skip being added to your list.

As a reminder: this is an interpretation of the GDPR and may not be 100% correct. Remember, this guide is for informational purposes only and does not constitute legal advice.

Bottom Line: 

GDPR is going to result in a more engaged list helping to make every penny you pay your email marketing service count more.


Chapter 4

How to Review the Data You Collect


Before you can make the necessary changes to comply with GDPR you’re going to have to know what information you are collecting.

And even if you don’t think you are collecting anything but a name and email address, chances are you are collecting other information as well.

If you use Google Analytics, allow commenting, or have the Facebook pixel installed, then yes, you are collecting other information.

I’ll be going over the most common tools bloggers use and the information that is being collected in this chapter so you can figure out what applies to you.

Keep in mind that not only do you want to take action to be GDPR compliant, but you also want to make sure the tools you use are GDPR compliant as well.

Start by Looking at Your Plugins

Chances are you’re using plugins for a reason, and a lot of the time that reason involves collecting various data. You’ll want to review the tools you use to make sure those tools are compliant in protecting data. You’ll also need to determine what data you’re processing and what you’re doing with it.

For example, I have the following plugins installed on one of my websites:

  • AdInserter
  • Akismet Anti-Spam
  • Better Search and Replace
  • Contact Form 7
  • Convertkit
  • Google Analytics Dashboard for WP
  • King Sumo Giveaways
  • Pretty Links
  • Really Simple SSL
  • Revive Old Posts
  • Short Pixel Image Optimizer
  • Social Warfare/Social Warfare Pro
  • Thrive Leads
  • Thrive Ovation
  • Tracking Code Manager
  • Yoast SEO
  • Thrive Apprentice
  • Jetpack by WordPress

Out of all those, these are the only ones potentially collecting and processing data:

Plugins that collect and process data

  • Contact Form 7
  • Convertkit
  • Google Analytics Dashboard for WP
  • Jetpack by WordPress
  • KingSumo Giveaways
  • Thrive Apprentice
  • Thrive Leads
  • Thrive Ovation
  • Tracking Code Manager (used for the Facebook Pixel)

But I also know that I use SamCart to process sales and WordPress for people to comment on my site, so they’ll get added to the list as well.

Since these are tools I’m using, I need to not only look at them for the data that is being processed but also make sure they are GDPR compliant in terms of keeping that data secure.

Now it’s time to dig in and see what data is being collected by these tools. Fortunately, because all of these tools need to be GDPR compliant as well, they likely have information to help you.

Analytics

Pretty much every blogger uses some sort of analytics tool to help them with a number of tasks. Because these are analytics tools, it’s not surprising that they collect data; here is a bit more information about what data common tools like Jetpack and Google Analytics collect.

Jetpack - Privacy Notice for Visitors to User’s Sites

Jetpack put together a great resource for their users (like you and me) to help us comply with the GDPR. Below is the list of the various information Jetpack may collect on your behalf; keep in mind it may not all apply to you, as it depends on which parts of Jetpack you are actually using. I highly recommend you review this resource, linked above.

  • Information provided by a visitor/data subject/ person to your site
    • Follower and Subscriber Information
    • Site Comments
    • PollDaddy Survey Responses
    • Order & Shipment Information
    • Other Information Entered on the Site
  • Information Automatically collected
    • Technical Data from a Visitor’s Computer and Etcetera (like the IP Address, browser information, etc.)
    • Visitor Interactions
    • Location information
    • Akismet commenter information
    • Polldaddy response information
    • Intense debate commenter information
    • Information from cookies and other technology

Google Analytics

Chances are the information Google Analytics collects will be similar to Jetpack’s, so if you use both you’re probably just collecting the data twice.

  • Device data
  • Location Information
  • Cookies
  • Demographics (age, gender)
  • Interests
  • User interactions (such as how long they are on the site, bounce rate, if they are a new or returning visitor etc.)

Direct Marketing

If you do any sort of direct marketing, like running ads on Facebook, depending on how you do it you may need to gain consent to collect information used for direct marketing purposes.

For example, if you use the Facebook Pixel to create custom audiences, you are collecting personal information through the pixel to build that custom audience, and you need consent to do so.

Before we get into getting consent for various blogging practices, which I’ll cover in Chapters 5-7, let’s dig into figuring out exactly what kind of data is being collected with these tools.

Facebook Pixel

Straight from Facebook’s FAQ, the Facebook pixel collects 5 types of data:

Facebook also uses cookies and provides detailed information about what cookies do and how they use the information in their cookie policy.

Pinterest Code

While most people have inserted a bit of code from Pinterest to set up their business account, they might not realize that that bit of code helps Pinterest and your website communicate.

It lets you see how many visitors are clicking through to your site from Pinterest, as well as conversion rates on any ads you may run. If you are using the data to track conversions, then yes, you are collecting data and you’ll need consent to do so, which is clearly outlined in Pinterest’s new Advertising Services Agreement; in particular you should pay attention to EXHIBIT A: Pinterest Data Sharing Addendum.

Email Marketing

If you have an email list then you are definitely collecting personal data, namely, email addresses. However, you might be collecting other information as well, such as names and conversion rates.

Below is a list of personal data you are likely collecting through various list building strategies.

Service                                                   Data Collected
Convertkit, MailChimp or other email marketing services   Name, email address
Giveaways (KingSumo)                                      Name, email address
Thrive Leads                                              Name, email address

Keep in mind that while names and email addresses are likely the most common forms of personal data you collect, if you ask for additional information like a phone number or birthday that is additional personal data you are collecting.

Contact

Most blogs have a “contact” page that often includes a form for users to fill out in order to contact you. Plugins like Contact Form 7 or Ninja Forms are usually used for this purpose.

Whatever information you collect in such a form is likely personal data and will require complying with the GDPR where those located in the EU could be filling it out.

Below is a list of additional forms that you may be using to collect personal data on your site.

Service            Data Collected
Contact Forms      Name, email address
Comments           Name, email address, website
Thrive Ovation     Name, email address, website, etc.
Thrive Apprentice  Name, email address

Sales Tools

If you sell products on your site, the tools you use may be processing data for various reasons, like processing payments or delivering the product. So take a look at the tools you use to sell your products and take note if you use them for anything else.

For example, you may have it set up so that when someone buys something they get added to your email list. Under the GDPR you are going to need consent to do this, so you’ll want to make sure the service you use has this functionality.

Below is a list of some payment/product processors to help you get started.

How Long Do You Keep the Data?

In addition to knowing what data you collect, you also need to know how long you are keeping the data.

For example, in the case of your email list, you usually stop keeping the information once someone unsubscribes or has their information deleted.

Google Analytics, on the other hand, has you set up how long the data is to be retained; I believe the default is 26 months, which is what I set up.

This is something you should also check when reviewing what data you are collecting with various tools.

Bottom Line: 

Look through all of your plugins and blogging tools to determine which ones collect data, then make sure you know how long the data is retained, and how you are using the data. 

Chapter 5

How to Comply With Your Privacy Policy


The GDPR ensures that data subjects (people on your site) have the right to know what data is being processed and the right to protection of that data.

This means you have to disclose what data you’re collecting, how you’re collecting it, and why/how you’re using the data.

Your Privacy Policy on your website is where you do this.

If you didn’t already have a “Legal” page with a privacy policy, you definitely should have one now.

To get your privacy policy up to GDPR standards you’re going to have to include the information you should have gathered in Chapter 4.

What Should Be Included in Your Privacy Policy:

GDPR requires that you include on your site:

  • What data you are collecting
  • Why you collect it (your reason must be “specified, explicit, and legitimate and not further processed in a manner that is incompatible with those purposes”)
  • The legal basis for collecting it
  • How long you retain the data
  • Users’ rights regarding the data (e.g. the right to be forgotten)
  • How you use cookies

Keep in mind that you must provide this information in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”.

So no legalese, which means writing this out yourself is just fine, possibly even better.

Where You Need to Link to Your Privacy Policy:

To make this information easily accessible, you should include a link to your privacy policy in several places on your site, such as:

  • Menu/footer
  • Opt-in forms

Really, anywhere they are submitting information is a good place to include a link to your privacy policy.

For a little more information with some sample text, you need look no further than WordPress:

Bottom Line: 

  1. You need a privacy policy
  2. It should include information on the data you collect, why you collect it, how long you retain that data, and how a user can exercise their right to be forgotten
  3. You should link to it in multiple places


Chapter 6

How to Get Consent with Your Email Forms


The GDPR requires you to get consent to add people to your list and as we covered in chapter one, that consent must be "freely given, specific, informed."

This means the old way of trading a content upgrade or lead magnet in exchange for adding them to your email list is out the window, because if you are offering a freebie you cannot make receiving the freebie conditional on them agreeing to be on your email list.

Most people think this means you have to add a checkbox for consent to your forms, and while that is one solution, it's not the only one.

What You Can NO Longer Do Under GDPR:

Before we cover what you can do, let's make sure you understand what you can no longer do under GDPR.

Content Upgrade Bait and Switch

As explained, you can't offer a freebie and then pull a bait and switch to add them to your list. But don't worry, this doesn't mean the content upgrade is dead or that all that time you spent creating content upgrades for each post was wasted.

It just means you have to do things a little differently from now on. I'll talk about what you CAN do in just a bit.

Pre-checked Boxes

I know what you're thinking: if you have to add a checkbox, fine, pre-checking it will work, right?

Wrong.

Consent must be an affirmative action, and the GDPR has explained that pre-ticked boxes or silence do not constitute consent. So while you can use checkboxes to obtain consent, you can't pre-check them.

Using the Data for More Than What Was Agreed

This is really getting into some of the nitty gritty. 

Maybe you've been really good all along about getting consent for people to join your email list. So you have this great list, but now you want to use that list to run retargeting campaigns on Facebook.

If you didn't get consent to use the email addresses for the purpose of targeting them on Facebook, then you can't use the email addresses (aka the data) in that way.

Because remember, consent must be specific and informed. People can't agree to what they don't know about.

Consent must also be "presented in a manner which is clearly distinguishable from other matters", so blanket consent for everything won't work either.

Getting Consent from Your Current List

Ok, so this is the one place I plan to use geolocation: to figure out who I need clear consent from.

While the safest bet is to have your entire list consent, and that route could be a great way to clean your list, if you are worried about cleaning your list too well you can segment by EU-based subscribers and just ask them.

I know that only a very small percentage of my list is based in Europe, so before the May 25th deadline I will be reaching out to them specifically to ask for consent. But moving forward, with any new subscribers I will be sure to get proper GDPR consent.

Convertkit has made it easy to segment your list based on location, and many other email marketing services have as well.

You Don’t Necessarily Have to Add Checkboxes

Thrive Themes came out with a great article explaining that if you reframe your offer by offering a newsletter as a service, rather than focusing on your freebie, you don't need to add a checkbox for consent.

Read the Thrive Themes Article.

Checkboxes are just one way in which you can gain consent where signing up for your email list isn't the main offer. Reframing your offer still allows you to offer free downloads but changes your approach to avoid the dreaded checkbox.

Here is what Shane Melaugh from Thrive Themes had to say:

What to do If You Choose to Implement Checkboxes

If you ultimately decide that you want to use checkboxes to prove consent, the next step is making sure you know how. Below I've gathered information on how to add checkboxes with some of the most popular email marketing service providers.

Keep in mind when choosing the language for your checkboxes that it must be specific, clear, and unambiguous, and not lumped into one giant general consent that lets you contact them in any way. A statement such as "I would like to receive newsletters from [site]" could work, but if you also wanted to use the email address for something else you would need an additional checkbox.
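To make the checkbox rules in this chapter concrete, here is an added example (my own illustration, not code from the original post or from Convertkit or Thrive Leads) of the consent logic behind an opt-in form: one unchecked box per purpose, the exact statement shown stored with the consent, the freebie delivered whether or not the newsletter box was ticked, and withdrawal as easy as consent. The form definition, its ids and the site name "ExampleBlog" are assumptions.

```javascript
// Added example, not code from the original post or from any email service.
// Consent logic behind an opt-in form: one unchecked checkbox per purpose,
// the statement shown is stored with the consent, the freebie is delivered
// regardless, and withdrawing is as easy as consenting.
// OPT_IN_FORM, its ids and "ExampleBlog" are assumed names.

const OPT_IN_FORM = {
  version: "opt-in-v1",                // bump whenever the wording changes
  privacyPolicyUrl: "/legal#privacy",  // assumed path to the privacy policy
  checkboxes: [
    { id: "newsletter", purposes: ["newsletter"], defaultChecked: false,
      statement: "I would like to receive newsletters from ExampleBlog" },
    { id: "retargeting", purposes: ["facebook_retargeting"], defaultChecked: false,
      statement: "ExampleBlog may use my email address to show me ads on Facebook" },
  ],
};

// Check the form design against the rules in this chapter: no pre-ticked
// boxes, one purpose per box, a visible statement, and a privacy policy link.
// Returns { ok, problems } so a build step or test can fail on a bad form.
function validateConsentForm(form) {
  const problems = [];
  if (!form.privacyPolicyUrl) problems.push("no privacy policy link");
  for (const box of form.checkboxes) {
    if (box.defaultChecked) problems.push(`${box.id}: pre-ticked box`);
    if (box.purposes.length !== 1) problems.push(`${box.id}: bundles ${box.purposes.length} purposes`);
    if (!box.statement || !box.statement.trim()) problems.push(`${box.id}: no consent statement`);
  }
  return { ok: problems.length === 0, problems };
}

// Turn a submission into a consent record. `submission.ticked` lists the
// checkbox ids the subscriber actively ticked. Only those purposes are
// granted; the freebie is delivered whether or not the newsletter box was ticked.
function buildConsentRecord(form, submission, now = new Date()) {
  const granted = [];
  for (const box of form.checkboxes) {
    if (submission.ticked.includes(box.id)) {
      granted.push({ purpose: box.purposes[0], statement: box.statement,
                     grantedAt: now.toISOString(), withdrawnAt: null });
    }
  }
  return {
    email: submission.email,
    formVersion: form.version,         // which wording the subscriber saw
    granted,
    deliverFreebie: Boolean(submission.requestedFreebie),
    subscribe: granted.some((g) => g.purpose === "newsletter"),
  };
}

// True while an unrevoked grant exists for the purpose. Check this before
// every use of the address, e.g. before uploading it to an ad platform.
function hasConsent(record, purpose) {
  return record.granted.some((g) => g.purpose === purpose && g.withdrawnAt === null);
}

// Withdrawal must be as easy as giving consent: one call, no re-confirmation.
// The grant is kept with a withdrawal time so the history remains provable.
function withdrawPurpose(record, purpose, now = new Date()) {
  for (const g of record.granted) {
    if (g.purpose === purpose && g.withdrawnAt === null) g.withdrawnAt = now.toISOString();
  }
  return record;
}
```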

Adding checkboxes with Convertkit

Adding checkboxes with Thrive Leads:

Why Your Double Opt In Might Not Work

It depends on how you framed your offer and what they are "confirming".

Bottom Line: 

  1. If you have people based in the EU on your email list, you need to make sure you have express consent for them to be on your list
  2. Moving forward, it's best to get consent from everyone being added to your list
  3. There are different ways to get that consent, and a double opt-in may or may not work depending on how you set up your offer

Chapter 7

How to Get Consent with A Cookie Banner


Cookies are a little different from other methods of processing data, most significantly because they can't always be used to identify a specific person.

However, when cookies can identify an individual, they are processing personal data and are within the scope of the GDPR.

Generally speaking, bloggers use cookies that work behind the scenes to help them get insights on how people use their site.

Because of the rules of consent, a simple "by using this site, you agree to accept cookies" will not work. 

To get consent for the use of cookies most sites use a cookie banner.

What is a Cookie Banner

A cookie banner is most often displayed at the top or bottom of the screen and explains what cookies are being used on the site and why. The visitor must then accept the use of the cookies, or customize which cookies are allowed and which are not.

Here are a few examples of sites using cookie banners:

source: ahrefs.com

source: www.zalando.fr/

Why You Need a Cookie Banner

If you use tools like Google Analytics or a Facebook pixel that set cookies to track visitors and pull in information, then you need to let visitors to your site know and get their consent before those cookies are set.

Cookies that are strictly necessary for the site to function do not require consent; all other cookies do.

For example, I use Thrive Themes for my sites, and the cookies it uses are necessary for my site to function. Fortunately, Thrive has updated its tools so that those cookies no longer collect any Personally Identifiable Information (PII), but it's good to know you're covered either way.

Consent with a Cookie Banner

Just like consent for your email list, it must be freely given, clear, informed, and unambiguous. Consent cannot meet those standards unless you provide information on the cookies being used, the data being processed, and the purpose of processing and collecting that data.

So on your website's "legal" page, you may also want to add a "cookie policy" that details that information, and link to it from your cookie banner.

Additionally, you need to ensure that it is as easy to withdraw consent as it was to give it, for example with a "cookie settings" link that is always reachable, and nothing that needed consent should keep running after it is withdrawn.
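To make the rules above concrete, here is an added example (not code from the original post or from any plugin it mentions) of the logic a cookie banner has to implement: non-essential scripts such as analytics or an ad pixel are only injected after an explicit, recorded "accept", silence or a dismissed banner counts as no consent, a stale consent record is treated as no consent once the policy version changes, and withdrawing is a single call. The category names, storage key, and script list are assumptions; the in-memory storage stands in for `window.localStorage` so the code runs offline.

```javascript
// Added example: consent gate for non-essential cookies. Not from the original
// post. Category names, CONSENT_KEY and THIRD_PARTY_SCRIPTS are assumptions.

const CONSENT_KEY = "cookie_consent_v1";   // bump the version when the cookie policy changes
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Placeholder script list; only "necessary" scripts load without consent.
const THIRD_PARTY_SCRIPTS = [
  { id: "site-core", category: "necessary", src: "/js/site.js" },
  { id: "analytics", category: "analytics", src: "https://example.invalid/analytics.js" },
  { id: "ad-pixel",  category: "marketing", src: "https://example.invalid/pixel.js" },
];

// Minimal in-memory stand-in for window.localStorage (same three methods).
function memoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
  };
}

// Returns the stored consent record, or null when there is none, it is
// unparseable, or it was given under an older policy version.
function readConsent(storage) {
  const raw = storage.getItem(CONSENT_KEY);
  if (raw === null) return null;
  try {
    const rec = JSON.parse(raw);
    return rec && rec.version === CONSENT_KEY && rec.granted ? rec : null;
  } catch {
    return null;
  }
}

// choices: { analytics: true|false, marketing: true|false }. Anything that is
// not explicitly true is treated as false: an untouched box is not consent.
function grantConsent(storage, choices, now = Date.now()) {
  const granted = {};
  for (const c of CATEGORIES) {
    granted[c] = c === "necessary" ? true : choices[c] === true;
  }
  const record = { version: CONSENT_KEY, grantedAt: now, granted };
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
  return record;
}

// Withdrawal is one call, as easy as accepting. After this, nothing that needed
// consent may be injected again until the visitor accepts anew.
function withdrawConsent(storage) {
  storage.removeItem(CONSENT_KEY);
}

function hasConsent(storage, category) {
  if (category === "necessary") return true;
  const rec = readConsent(storage);
  return rec !== null && rec.granted[category] === true;
}

// The scripts that may be injected right now, given the stored decision.
function scriptsAllowed(storage, scripts = THIRD_PARTY_SCRIPTS) {
  return scripts.filter((s) => hasConsent(storage, s.category));
}

// Browser glue: inject <script> tags for allowed scripts only (not run in Node).
function injectAllowed(storage, doc) {
  for (const s of scriptsAllowed(storage)) {
    if (doc.getElementById(s.id)) continue;  // already on the page
    const el = doc.createElement("script");
    el.id = s.id;
    el.src = s.src;
    doc.head.appendChild(el);
  }
}

// Demo with the in-memory storage: nothing but core scripts before a decision.
const demoStore = memoryStorage();
console.log(scriptsAllowed(demoStore).map((s) => s.id));   // ["site-core"]
grantConsent(demoStore, { analytics: true });
console.log(scriptsAllowed(demoStore).map((s) => s.id));   // ["site-core", "analytics"]
withdrawConsent(demoStore);
console.log(scriptsAllowed(demoStore).map((s) => s.id));   // ["site-core"]
```

In the browser you would call `injectAllowed(window.localStorage, document)` on page load and again from the banner's accept handler, and wire `withdrawConsent` to the footer link. The important property to check in any plugin you pick is the same one this code enforces: the analytics or pixel script tag must not exist in the page until consent has been recorded.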

Setting up a Cookie Banner

Cookie banners are usually set up by using a plugin designed for this purpose. However, if you use a platform other than WordPress you will need to see what that specific platform offers in the way of a cookie banner.

For example, Squarespace has an easy tutorial on how to set up a cookie banner for your site. 

If you use WordPress, it's a matter of deciding which plugin is best. When evaluating plugins, stick to ones that actually block non-essential cookies until the visitor accepts; a banner that merely displays a notice while Google Analytics or a pixel has already fired does not give you valid consent.

Magnet4Blogging reviewed 4 different cookie plugins noting that UK Cookie Consent did not play well with Thrive Architect. So if you use Thrive Themes, like I do, it's probably best to steer clear of that plugin. 

If you want something that makes updating your cookie banner more automatic you can use paid plugins such as CookieBot or Cookie Control v8.

Bottom Line: 

If you're using any tool on your site that collects personal data through cookies and isn't necessary for the functioning of your site, you need consent, and you can obtain it via a cookie banner.

Chapter 8

How to Prove Consent with The Tools You Use


If you get audited or accused of not complying with GDPR, you will need to be able to show that you did in fact comply and had consent to process and retain the data.

Your privacy policy and cookie banner largely document themselves, since they show what visitors were told before their data was processed. It is worth keeping dated copies of each version of that text so you can show what a visitor actually saw at the time.

Proving consent for your email list takes a bit more, and I'll explain how you can show that someone consented to be on your list in this chapter.

Most tools out there in becoming GDPR compliant have built in functionalities so you can show that the people on your list consented to be there. In the videos below I walk you through how to show consent with Thrive Leads and Convertkit.

Bottom Line: 

Check with the tools you use to see what sort of new functionality they've built in to comply with GDPR. 

Chapter 9

How to Provide Right to Be Forgotten/Right to Erasure


Under GDPR, individuals falling within the scope of the new law have the right to have their data forgotten/erased.

The right to revoke consent and be forgotten needs to be as easy to invoke as it was to give consent. So just how do you do that? That's what I'll cover in this chapter.

Your privacy policy should already state where users can send a request to be forgotten. Once you receive the request you must act on it without undue delay; GDPR sets an outer limit of one month to respond.

To remove personal data submitted through WordPress, for example when someone left a comment on a post, go to Tools > Erase Personal Data. Enter the email address of the person requesting erasure and WordPress will send them a notification to verify the request before anything is deleted. The neighbouring Tools > Export Personal Data screen handles access requests the same way.

If you receive a request from an email subscriber you will have to take action through your email marketing service. 

For example, Convertkit has a form you simply fill out. 

Though different companies may provide different solutions. For example, MailChimp has said that when you delete a subscriber they will delete all traces of personal information:

And truth be told, once GDPR enforcement begins we'll better understand how it will be applied, and we'll likely see additional features added to the tools we, as bloggers, use on a regular basis.
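Chapters 8 and 9 both come down to the same bookkeeping: what to store about a signup so you can later prove consent for each purpose, and how an erasure request removes everything tied to the address while still leaving a record that the request was handled. Here is an added example of that bookkeeping (not code from the original post, ConvertKit, MailChimp or Thrive Leads). The field names, the form id, the sample signup and the one-month deadline helper are assumptions; the one-month figure itself is the GDPR response limit.

```javascript
// Added example: consent ledger for an email list with proof-of-consent and
// erasure. Not from the original post. Field names and sample data are assumptions.

const ONE_MONTH_MS = 31 * 24 * 60 * 60 * 1000;  // outer limit for answering a request

function newLedger() {
  return { records: new Map(), erasureLog: [] };
}

// Store one entry per purpose the subscriber ticked, including the exact
// wording shown next to the checkbox, because that wording is what they agreed to.
function recordSignup(ledger, signup, now = Date.now()) {
  const { email, formId, choices } = signup;  // choices: { purposeKey: { checked, label } }
  const purposes = Object.entries(choices)
    .filter(([, c]) => c.checked === true)    // an unticked box is not consent
    .map(([key, c]) => ({ purpose: key, label: c.label }));
  if (purposes.length === 0) {
    throw new Error("no purpose was ticked; nothing to record");
  }
  const rec = {
    email: email.trim().toLowerCase(),
    formId,
    purposes,
    consentedAt: now,
    confirmedAt: null,   // set when the double opt-in link is clicked
  };
  ledger.records.set(rec.email, rec);
  return rec;
}

// Double opt-in: tie the confirmation click to the stored record, so the
// confirmation covers the purposes listed there rather than a generic "confirm".
function confirmDoubleOptIn(ledger, email, now = Date.now()) {
  const rec = ledger.records.get(email.trim().toLowerCase());
  if (!rec) return null;
  rec.confirmedAt = now;
  return rec;
}

// Proof of consent for one purpose: the confirmed record, or null.
function proofOfConsent(ledger, email, purpose) {
  const rec = ledger.records.get(email.trim().toLowerCase());
  if (!rec || rec.confirmedAt === null) return null;
  return rec.purposes.some((p) => p.purpose === purpose) ? rec : null;
}

// Right to erasure: delete the record and keep only a non-identifying log entry
// (request and completion times) so you can show the request was acted on.
function eraseSubscriber(ledger, email, requestedAt, now = Date.now()) {
  const existed = ledger.records.delete(email.trim().toLowerCase());
  ledger.erasureLog.push({ requestedAt, completedAt: now, existed });
  return existed;
}

// Pending requests older than a month are overdue and need attention.
function overdueRequests(pending, now = Date.now()) {
  return pending.filter((r) => now - r.requestedAt > ONE_MONTH_MS);
}

// Demo with constructed data.
const demoLedger = newLedger();
recordSignup(demoLedger, {
  email: "Reader@example.com",
  formId: "sidebar-optin",
  choices: {
    newsletter: { checked: true,  label: "Send me the weekly newsletter" },
    offers:     { checked: false, label: "Tell me about partner offers" },
  },
}, 1000);
confirmDoubleOptIn(demoLedger, "reader@example.com", 2000);
console.log(proofOfConsent(demoLedger, "reader@example.com", "newsletter") !== null); // true
console.log(proofOfConsent(demoLedger, "reader@example.com", "offers") !== null);     // false
eraseSubscriber(demoLedger, "reader@example.com", 3000, 4000);
console.log(demoLedger.records.size);                                                 // 0
```

Two design choices matter here. First, the record stores the label text and form id, not just a boolean, because "what did they agree to and where" is the question an auditor asks. Second, erasure deletes the whole record rather than flagging it, and the log it leaves behind contains no email address, so handling the request does not itself create new personal data to be forgotten.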

Bottom Line: 

Chances are the tools you use have provided you with the ability to implement Right to Be Forgotten under GDPR.

Over to you...

What did you think of this guide? Was there anything I missed? 

Let me know by leaving a comment below. 

And that's it for GDPR for Non EU Based Bloggers: The Definitive Guide.


Leave a Comment:

KN says

Hi Liz,

Love your guide. I’d like to add a couple of comments which I don’t think I explicitly heard or read. I’m not a lawyer either and this is just my personal opinion:
1. A fine is the end of the road, not the beginning. Action for most breaches flows from a complaint. If you look at the ICO website for instance (the ICO being the organisation in the UK responsible for enforcing GDPR), someone with a complaint will need to first try to resolve it directly with the organisation responsible. As I understand it, the ICO will only deal with complaints once this has been exhausted. (If you notice you’ve been hacked or your customers’ data ends up in the wrong hands some other way, this is when you clearly need to take action yourself immediately).
2. The decision on how to protect your assets is about more than GDPR. Liability could come from other sources.
3. If you clearly are not marketing to EU customers and you are not in the EU yourself, then the provisions of GDPR with respect to sales and marketing (i.e. the mailing list parts) might not apply to you. However, you still have to be able to defend your position on this, so you need to do some research if you feel it might be relevant.

I’m in the EU, and I’m finding that, on the whole, this is proving to be a very good way of sorting out those who see changes in the business climate as opportunities from those who just see it as an extra burden on them. I’m making notes!

Reply
    Elizabeth Stapleton says

    Hi KN,

    I actually am a lawyer, so I did do some hefty research for this guide, but I don’t really practice any more.

    1. Yes! It’s not zero to 100 in a snap, and even if you get to the point of being fined there is a proportionality part to it, so if you’re a small business and assuming you made some effort to comply, the fine will reflect that. I could only see a small business facing a huge fine as a symbolic gesture if they were grossly negligent.
    2. Yes, but I know some people that decide against incorporating in some form because of cost, GDPR is just one more reason to do it so that personal assets are protected.
    3. If people from the EU end up on your site and email list, then GDPR applies to you, those based in the EU have the right to their personal data no matter where it is being processed. I don’t market to the EU but I still had about 1% of my list from the EU. Though I hope my guide helps people figure out what course of action is right for them.

    I think GDPR is a good thing for business and those that don’t see it that way are likely doing something a tiny bit shady. As a consumer, I would love for the US to pass something similar, though some states already have some great data protection laws.

    Reply
KN says

Oh gosh, I’m REALLY sorry I made an assumption about your experience! I should have been much more careful about that.

With regard to point 3 – I had read about recital 23 and commentaries on it and I was just going to go into it, but it would be a deep rabbit hole because fundamentally yes, the rights of people in the EU are still covered and, even if the exception suggested in recital 23 holds (which only applies to marketing activities and probably not, for example monitoring), then it’s probably risky to rely on it in practice.

I definitely agree it’s a good thing and also that some other jurisdictions have some sound laws.

Reply
    Elizabeth Stapleton says

    No worries, I joke that I’m a recovering attorney 😉

    Reply
Caitlin says

Thank you so much for this, Elizabeth!! I definitely have a lot to do, but this helped me understand it finally. I really appreciate how much time and research you put into this!

Regarding consent from emails – if I say, “Subscribe to my email list, you’ll score bonus content and freebies!” And then have a subscribe button, that should be compliant because they understand they are signing up for the service of newsletters? If I decide down the road to advertise, then I need a checkbox for consent for that with the subscribe button? I was still a little confused on how to get consent for advertising (I think because I haven’t gotten into that).

Thanks again!
Caitlin

Reply
    Elizabeth Stapleton says

    It depends on what type of advertising you’re doing, where, and how you ask for consent; you can cross that bridge when you come to it, but I think you’re on the right track.

    Reply
Heather says

Thank you so much! This was the best post regarding GDPR that I have found. You did an amazing job communicating this complicated situation and making it simple for us! You’re awesome!

Reply
    Elizabeth Stapleton says

    You’re so welcome, glad it helps!

    Reply
Gary @ Super Saving Tips says

Thanks for a helpful guide!

“If you use wordpress, it’s a matter of deciding which plugin is best, when evaluating plugins make sure you stick to ones that are GDPR compliant.” In order to be GDPR compliant, does the banner just have to notify people, or does it need to prevent people from accessing the site unless they agree? And do you need checkboxes for different tiers of cookies? I’m finding the cookie plugins to be very confusing.

Reply
    Elizabeth Stapleton says

    Ideally, you want one with checkboxes for different tiers of cookies, but at the very least you want one that notifies people and that they must do something to get rid of, for example, exit out of it or say okay. You don’t want one that disappears without them taking some kind of action.

    Reply