You have likely heard of GDPR and the looming May 25, 2018 deadline. The General Data Protection Regulation, otherwise known as the GDPR, applies to most websites, and failing to comply could mean facing some serious financial consequences.
But what all do you need to do to comply?
To comply with the GDPR you need to do more than update your email forms: you need to be able to prove consent for the information you collect and provide your audience with the ability to access their personally identifiable information. (Don’t worry, I’ll explain what I mean by information you collect and personally identifiable information in a sec.)
In this guide I’m going to walk you through what you need to know about the GDPR and how it affects your website, as well as the action steps you should likely take to ensure you are complying.
Keep in mind: This guide is for informational purposes only and does not constitute legal advice or form an attorney-client relationship between you and me. I am not liable for any losses or damages related to actions or failure to act related to the content in this website. If you need specific legal advice, consult with an attorney who specializes in your subject matter and jurisdiction.
This page may contain affiliate links, meaning I receive commissions for purchases made through those links at no cost to you. Please read my disclosure for more information.
To get a better idea of what we’re talking about today check out the video below:
If you have a website that can be accessed by people located in the European Union, then yes, GDPR applies to you.
You see, it doesn’t matter if your target audience isn’t EU residents. It applies to any company that processes information (I’ll explain more about this in a second) from someone located in the EU.
For example, an American studying abroad in France (so located in the EU) enjoys the rights and freedoms provided by the GDPR.
This means that pretty much every website needs to comply with the GDPR.
So it’s important to know what it is and which parts apply to bloggers, which is what I’ll be covering in this chapter.
The GDPR aims to protect a person’s fundamental right to protection of their personal data and hold companies accountable for infringing on this right.
Unfortunately, big companies have not only had data breaches but have also failed to tell those impacted right away; sometimes they don’t tell people their data was compromised until years later.
The list could go on... and I’m sure as a consumer yourself, companies failing to inform you of breaches is frustrating to say the least.
Now, I know as a blogger you care a lot about your audience and helping them as much as possible, and you’ve also probably never had a data breach, but don’t you want your audience to know that you would never be shady like that?
Of course you do, so you want to be transparent with them in terms of the data you collect, how you collect it, what you do with it, and the reasonable measures you take to protect that data, which is really all the GDPR is asking you to do.
And yes, the GDPR does mean you, even though you aren’t located in the EU.
The territorial scope includes the processing (aka collecting) of personal data of those located in the EU by those not established in the EU where it relates to the offering of goods or services, even if those goods and services are free (like say, offering a content upgrade).
It also applies to any monitoring of behavior that takes place within the EU, so for example, tracking their behavior on your site.
Now let’s dig in to some of the terminology I’ve been using so you can understand exactly what I mean.
Straight from the GDPR:
“Personal data” means any information relating to an identified or identifiable natural person… such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person
AKA information/data such as names, email addresses, and IP addresses. If you’ve ever dived into the Audience section in Google Analytics, then you know you can see information like where users are based, their gender, interests, age, etc.
That is a lot of information and while you may not be able to tie it to a specific person, the way you could with someone on your email list, under GDPR you need to let your audience know that you collect it.
From the GDPR:
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure or destruction;
Basically, if you are collecting information by way of comment forms, email forms, or analytical tools (which are the most likely cases for bloggers), then you are processing data.
Hopefully at this point you understand that as a blogger you do collect and process data; now you need to make sure you are doing it legally under GDPR.
There are six legal grounds for processing data:
As a blogger you’re going to primarily be dealing with the first two, and possibly the sixth if consent or necessity might not be appropriate.
Consent to the processing of personal data must be a “freely given, specific, informed, and an unambiguous indication” of the person’s wishes made by “a statement or by a clear affirmative action.”
Let’s break that down:
Freely Given: you can’t require consent as a precondition.
For example, if you offer a content upgrade you can't require them to consent to be on your email list in order to get that free content upgrade.
Specific, Informed: They have to know what they are consenting to, which means you need to explain what data/information you are collecting, the reason you are collecting that information, and how you plan to use that information.
This is going to require a bit of forethought, because data can often be used multiple ways. For example, you can use email addresses to form retargeting campaigns via Facebook Ads, but if you didn’t ask for consent to use the data this way, it doesn’t matter that you have the email addresses; you can’t use them to retarget on Facebook.
A Statement or Clear Affirmative Action: The easiest way to show an unambiguous indication of their consent is to have them take action.
For example, you can’t have a checkbox with a statement of consent pre-checked.
The GDPR specifically states that “Silence, pre-ticked boxes, or inactivity” does not constitute consent.
Additionally, a person has the right to withdraw consent at any time and it must be as easy to withdraw consent as it was to give consent.
You might be thinking that as a blogger you don’t enter into contracts with your audience, but in reality every time you make a sale you are agreeing to deliver the product; it’s a contract of sorts.
The same could be said for delivering a content upgrade.
It’s important to keep in mind that where data is necessary to perform a contract, that does not mean you can use the data for other purposes; in that instance you’d need additional consent.
For example, if someone buys a product, you cannot automatically add them to your newsletter email list. You would need them to consent to being added to the newsletter (don’t worry, I go over how to deal with this in Chapter 6).
At a glance the main things that are impacted are growing your email list, running ads, selling products, and analyzing traffic and conversions.
Keep in mind that in most instances where consent is required, if you didn’t ask for the consent at the time you got the data, you’ll need to go back and ask for it again.
Consent requires you to either reframe how you’re promoting your email list (with a focus on the newsletter rather than the content upgrade) or add a checkbox or double opt-in option.
If you like to run retargeting campaigns in Facebook (or other platforms) you’ll need consent to use the data in this way.
A lot of the information being gathered by Google Analytics may not intrude on an individual’s privacy; however, you’re still going to need to make sure they are aware you use such a tool. You’ll need a disclosure on your site (which you should have had already) and you’ll need to notify them, usually via a cookie information banner (more on this later).
If you are collecting more than the necessary information to deliver your product, for example if you’re collecting a phone number as well, then you’ll need consent.
GDPR applies to you if persons in the EU are able to access/enter information on your site
To legally collect data (from persons in the EU) you will need consent or demonstrate it’s necessary to perform a contract (like deliver a content upgrade)
Consent must be clear and demonstrated by an action, silence or pre-checked boxes do not constitute consent
Now that we established in Chapter 1 that the GDPR basically applies to everyone, you might be wondering what your options are in terms of complying.
You might also be wondering what’s the worst that could happen if you decided to ignore the GDPR; ignorance is bliss, right?
Wrong. The more you know, the better decisions you can make.
There have been lots of different options thrown around on how you can comply, and some rest on more solid ground than others; I’ll be covering them in this chapter.
Regarding consequences, while there are some potentially hefty fines, you might still choose not to comply simply because the likelihood of you actually being caught might be low. I’ll be covering what fines might apply and how enforcement is set up in this chapter as well.
Action Tip: Blocking EU IP addresses: https://www.sitepoint.com/how-to-block-entire-countries-from-accessing-website/
While complying requires more work than just blocking EU traffic from your site (aka geoblocking), it’s likely your safest bet.
It’s also probably wise to take action now, as we’re likely to see more laws like the GDPR enacted in the future; if you’re eventually going to have to do it anyway, you may as well do it now.
Ultimately what action you take will depend on how willing you are to face the risks of noncompliance.
While infringing on certain parts of the GDPR carries a fine of only 10,000,000 EUR or 2% of total worldwide gross income, most of the sections that bloggers would be dealing with carry a much higher fine.
Infringing on the sections bloggers are most likely to be dealing with, such as consent, can be subject to a fine of 20,000,000 EUR or 4% of total worldwide gross income (whichever is greater). However, fines are set in accordance with another part of the GDPR, the proportionality part.
Pursuant to Article 83, paragraph 2, when deciding on the amount of an administrative fine, due regard must be given to:
The nature, gravity, and duration of the infringement
Whether the infringement was intentional or negligent
If there was any action taken to mitigate the damage suffered by data subjects (people)
The degree of responsibility, taking into account any technical or organizational measures that were implemented
Because of the potential fines it may be a good idea to form an LLC or some other corporate entity to protect your personal assets. Talk to an attorney and an accountant to help you figure out which type of business entity would best suit your needs.
WilkMazz is an awesome law firm that works with creative entrepreneurs and can help you with business formation. They’re just like you, but lawyers. Katherine from The Bookkeeping Artist is an accountant (but not like a regular accountant, she’s a cool accountant) who can help you figure out which business entity would be best. You can reach out to her through her website or via email at: Katherine@BookkeepingArtist.com
It's probably best to make an effort to comply.
One of the biggest concerns for bloggers is that the GDPR is going to severely limit their ability to build their email lists, since the old way of offering a content upgrade in exchange for adding them to your list is now out the window.
However, the GDPR is actually doing you a huge favor, because the people on your list are going to be far more engaged, which means an increase in conversions and a decrease in the cost of your email marketing service.
I’ll cover all of the benefits of GDPR for you in this chapter.
Let’s get real: if someone has to actually say “yes, I want to be on your list” after getting your freebie, you’re going to want to make sure that freebie is so awesome they’d be crazy not to sign up for your list.
And since we know there are going to be some people that don’t comply and are still doing it the lazy bait-and-switch way, it’s going to make your content and freebies stand out even more.
The people that end up on your email list are the ones that want to be there, they took action to make sure they end up on your email list, which is awesome.
Because they want to be there they are going to be happy to hear from you.
It will likely lead to higher open rates, higher click rates, and more conversions. And more conversions = more money. Winning!
As I already mentioned, more engagement = more sales, but that may not be the only way you’ll be making more sales due to changes you make because of GDPR.
While it’s not clearly spelled out in the GDPR one of the articles listed on the GDPR website seemed to imply that consent can be made a condition of receipt (ex. receiving a content upgrade) if there is “sufficient incentive to justify such conditionality (e.g. that a cheaper service is being provided in exchange for consent.)”
So in theory, if you instead made your content upgrades cost money, for example $5, or offered them for free if they chose to subscribe to your list, you could potentially earn more from those choosing to just buy the content upgrade and skip being added to your list.
As a reminder: this is an interpretation of GDPR and may not be 100% correct, remember this guide is for informational purposes only and does not constitute legal advice.
GDPR is going to result in a more engaged list helping to make every penny you pay your email marketing service count more.
Before you can make the necessary changes to comply with GDPR, you’re going to have to know what information you are collecting.
And even if you don’t think you are collecting anything but a name and email address, chances are you are collecting other information as well.
If you use Google Analytics, or allow commenting, or have Facebook pixel installed, then yes, you are collecting other information.
I’ll be going over the most common tools bloggers use and the information that is being collected in this chapter so you can figure out what applies to you.
Keep in mind that not only do you want to take action to be GDPR compliant but you want to make sure the tools you use are GDPR compliant as well.
Chances are you’re using plugins for a reason, and a lot of times that reason involves collecting various data. You’ll want to review the tools you use to make sure those tools are compliant in protecting data. You’ll also need to determine what data you’re processing and what you’re doing with the data.
For example, I have the following plugins installed on one of my websites:
Out of all those, these are the only ones potentially collecting and processing data:
But I also know that I use SamCart to process sales and WordPress for people to comment on my site, they’ll get added to the list as well.
Since these are tools I’m using, I need to not only look at them for the data that is being processed but also make sure they are GDPR compliant in terms of keeping that data secure.
Now it’s time to dig in and see what data is being collected by these tools. Fortunately, because all of these tools need to be GDPR compliant as well, they likely have information to help you.
Pretty much every blogger uses some sort of analytics tool to help them with a number of tasks. Because these are analytics tools, it’s not surprising that they collect data; here is a bit more information about what data common tools like Jetpack and Google Analytics collect.
Jetpack put together a great resource for their users (like you and me) to help us comply with GDPR. Below is the list of various information Jetpack may collect on your behalf; keep in mind it may not all apply to you, as it depends on which parts of Jetpack you are actually using. I highly recommend you review this resource, linked above.
Chances are the information Google Analytics collects will be similar to Jetpack’s, so if you use both, you’re probably just collecting the data twice.
If you do any sort of direct marketing, like running ads on Facebook, depending on how you do it you may need to gain consent to collect information used for direct marketing purposes.
For example, if you use the Facebook Pixel to create custom audiences, you are collecting personal information through the pixel to formulate that custom audience, and you need consent to do so.
Before we get into getting consent for various blogging practices, which I’ll cover in Chapters 5-7, let’s dig into figuring out exactly what kind of data is being collected with these tools.
Straight from Facebook’s FAQ’s, the Facebook pixel collects 5 types of data:
While most people injected a bit of code from Pinterest to set up their business account, they might not realize that that bit of code helps Pinterest and your website communicate. It helps you to see how many visitors are clicking to your site from Pinterest as well as conversion rates on any ads you may run. If you are using the data to track conversions, then yes, you are collecting data and you’ll need consent to do so, which is clearly outlined in Pinterest’s new Advertising Services Agreement; in particular you should pay attention to EXHIBIT A: Pinterest Data Sharing Addendum.
If you have an email list, then you are definitely collecting personal data, namely email addresses. However, you might be collecting other information as well, such as names and conversion rates.
Below is a list of personal data you are likely collecting through various list building strategies.
Convertkit or MailChimp or Other Email Marketing Services
Name, email address
Name, email address
Name, email address
Keep in mind that while names and email addresses are likely the most common forms of personal data you collect, if you ask for additional information like a phone number or birthday, that is additional personal data you are collecting.
Most blogs have a “contact” page that often includes a form for users to fill out in order to contact you. Plugins like Contact Form 7 or Ninja Forms are usually used for these purposes.
Whatever information you collect in such a form is likely personal data and will require complying with GDPR where those located in the EU could be filling it out.
Below is a list of additional forms that you may be using to collect personal data on your site.
Name, email address
Name, email address, website
Name, email address, website, etc.
Name, email address
If you sell products on your site, the tools you use may be processing data for various reasons, like processing payments or delivering the product. So take a look at the tools you use to sell your products and take note if you use them for anything else.
For example, you may have it set up so that when someone buys something they get added to your email list. Under GDPR you are going to need consent to do this, so you’ll want to make sure the service you use has this functionality.
Below is a list of some payment/product processors to help you get started.
SamCart (what I use, offers the ability to add checkboxes that can be used for consent)
Stripe (Information on Stripe & GDPR)
In addition to knowing what data you collect, you also need to know how long you are keeping the data.
For example, in the case of your email list, you usually stop keeping the information once they unsubscribe or have their information deleted.
Google Analytics, on the other hand, has you set up how long the data is to be retained; I believe the default is 26 months, which is what I set up.
This is something you might also check when reviewing what data you are collecting with various tools.
Look through all of your plugins and blogging tools to determine which ones collect data, then make sure you know how long the data is retained and how you are using the data.
The GDPR ensures that data subjects (people on your site) have the right to know what data is being processed and the right to protection of that data.
Which means you have to disclose what data you’re collecting, how you’re collecting it, and why/how you’re using the data.
GDPR requires that you include on your site:
Keep in mind that in providing this information you must provide it in a way that is “concise, transparent, intelligible and easily accessible form, using clear and plain language.”
So no using legalese, which means writing this out yourself is just fine, possibly even better.
For a little more information with some sample text, you need look no further than WordPress:
I was able to get my site GDPR-compliant within two hours, including time spent watching the videos.
The GDPR requires you to get consent to add people to your list, and as we covered in Chapter 1, that consent must be “freely given, specific, informed.”
Which means the old way of trading a content upgrade or lead magnet in exchange for adding them to your email list is out the window, because if you are offering a freebie you cannot precondition receiving the freebie on them agreeing to be on your email list.
Most people think this means you have to add a check box for consent to your forms, and while that is one solution, it's not the only one.
Before we cover what you can do, let's make sure you understand what you can no longer do under GDPR.
As explained you can't offer a freebie and then pull a bait and switch to add them to your list. But don't worry this doesn't mean the content upgrade is dead or that all that time you spent creating content upgrades for each post is wasted.
It just means you have to do things a little differently from now on, I'll talk about what you CAN do in just a bit.
I know what you're thinking, if you have to add a check box, fine, pre-checking it will work right?
Consent must be an affirmative action and the GDPR has explained that pre-ticking boxes or silence do not constitute consent. So while you can use checkboxes in obtaining consent, you can't pre-check them.
This is really getting into some of the nitty gritty.
Maybe, you've been really good all along about getting consent for people to join your email list. So you have this great list, but now you want to use that list to run retargeting campaigns on Facebook.
If you didn’t get consent to use the email addresses for the purpose of targeting them on Facebook, then you can’t use the email addresses (aka data) in that way.
Because remember, consent must be specific and informed. People can’t agree to what they don’t know about.
Consent must also be “presented in a manner which is clearly distinguishable from other matters,” so blanket consent for everything won’t work either.
Ok, so this is the one place I plan to use geolocation, to figure out who I need clear consent from.
While the safest bet is to have your entire list consent, and that route could be a great way to clean your list, if you are worried about cleaning your list too well, you can segment by EU-based subscribers and just ask them.
I know that only a very small percentage of my list is based in Europe, so before the May 25th deadline I will be reaching out to them specifically to ask for consent. But moving forward, with any new subscribers I will be sure to get proper GDPR consent.
Convertkit has made it easy to segment your list based on location, and many other email marketing services have as well.
Convertkit: Getting Consent from Existing Subscribers
ActiveCampaign: Getting Consent from existing Subscribers
Mailchimp: GDPR Compliance Information
MailerLite: GDPR Forms for Consent
Thrive Themes came out with a great article explaining that if you reframe your offer by offering Newsletter as a Service, rather than focusing on your freebie, you don’t need to add a checkbox for consent.
Checkboxes are just one way in which you can gain consent where signing up for your email list isn’t the main offer. This approach of reframing your offer still allows you to offer free downloads but changes your approach to it to avoid the dreaded checkbox.
Here is what Shane Melaugh from Thrive Themes had to say:
If you ultimately decide that you want to utilize checkboxes to prove consent, the next step is ensuring you know how. Below I’ve gathered the information on how to add checkboxes to some of the most popular email marketing service providers.
Keep in mind when choosing the language for your checkboxes that it must be specific, clear, and unambiguous, and not lumped into one giant general consent where you can contact them in any way. A statement such as “I would like to receive newsletters from [site]” could work, but if you also wanted to use the email address for something else, you would need an additional checkbox.
Adding checkboxes with Thrive Leads:
As a reminder the checkbox CANNOT be pre-checked.
It depends on how you framed your offer and what they are “confirming.”
Cookies are a little different from other methods of processing data, most significantly because they can’t always be used to identify a specific person.
However, when cookies can identify an individual, they are processing personal data and are within the scope of GDPR.
Because of the rules of consent, a simple “by using this site, you agree to accept cookies” will not work.
A cookie banner is most often displayed at the top or bottom of the screen and explains what cookies are being used on the site and why. The visitor then must accept the use of the cookies, or customize which cookies are allowed and which are not.
Here are a few examples of sites using cookie banners:
Now, cookies that are necessary for the site to function do not require consent, but other cookies do.
For example, I use Thrive Themes for my sites, and the cookies it uses are necessary for my site to function. Fortunately, Thrive has updated its tools so that the cookies no longer collect any Personally Identifiable Information (PII), but it’s good to know you’re covered either way.
Just like consent for your email list, it must be freely given, clear, informed, and unambiguous. Consent cannot meet those standards unless you provide the information on the cookies being used, the data being processed, and the purpose of processing/collecting the data.
Additionally, you need to ensure that it is as easy to withdraw consent as it was to give consent.
Cookie banners are usually set up by using a plugin designed for this purpose. However, if you use a platform other than WordPress you will need to see what that specific platform offers in the way of a cookie banner.
For example, Squarespace has an easy tutorial on how to set up a cookie banner for your site.
If you use WordPress, it’s a matter of deciding which plugin is best; when evaluating plugins, make sure you stick to ones that are GDPR compliant.
Magnet4Blogging reviewed 4 different cookie plugins, noting that UK Cookie Consent did not play well with Thrive Architect. So if you use Thrive Themes, like I do, it’s probably best to steer clear of that plugin.
If you’re using any sort of tool on your site that collects personal data through cookies and that isn’t necessary for the functioning of your site, you need consent, and you can obtain it via a cookie banner.
If you get audited or accused of not complying with GDPR, you will need to be able to show that you did in fact comply and had consent to process and retain the data.
However, when it comes to proving consent for your email list there is a bit more to it; I’ll explain how you can show consent to be on your list in this chapter.
Most tools out there, in becoming GDPR compliant, have built-in functionality so you can show that the people on your list consented to be there. In the videos below I walk you through how to show consent with Thrive Leads and Convertkit.
Check with the tools you use to see what sort of new functionality they've built in to comply with GDPR.
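To make the rules from the last few chapters concrete (one unticked box per purpose, withdrawal as easy as consent, non-necessary cookies gated on consent, and a record you can show if asked), here is an added JavaScript example. It is not code from this guide or from Thrive Leads, Convertkit or any other tool mentioned here; the purposes, the consent wording and the record layout are assumptions made for the example.

```javascript
// Added example, not code from the guide or from any of the tools it names:
// a small per-purpose consent ledger a blog could keep to show it had consent.
// Purposes, wording, and record layout are assumptions made for this example.

// Each purpose gets its own consent text, because consent must be specific:
// a newsletter opt-in does not cover Facebook retargeting or analytics cookies.
const CONSENT_TEXT = {
  newsletter: "I would like to receive newsletters from [site]",
  retargeting: "[site] may use my email address to show me ads on Facebook",
  analytics: "Allow analytics cookies (for example Google Analytics)",
};

// Cookies the site needs to function do not require consent; everything else does.
const STRICTLY_NECESSARY_COOKIES = new Set(["session", "csrf_token"]);

function createLedger() {
  return { records: [] };
}

// Record consent given by an explicit action. Returns the stored record, or null
// when nothing was recorded (an unticked box is silence, and silence is not consent).
function recordConsent(ledger, { subject, purpose, checked, checkedByDefault, textShown, at }) {
  if (!(purpose in CONSENT_TEXT)) throw new Error("unknown purpose: " + purpose);
  // A pre-ticked box is not an affirmative action, so it can never produce a record.
  if (checkedByDefault) throw new Error("pre-ticked box does not constitute consent");
  if (!checked) return null;
  // Proof of consent needs the exact wording the person saw; reject anything else.
  if (textShown !== CONSENT_TEXT[purpose]) throw new Error("consent text does not match the text shown");
  const record = { subject, purpose, textShown, givenAt: at, withdrawnAt: null };
  ledger.records.push(record);
  return record;
}

// Withdrawal must be as easy as giving consent: one call closes every open record
// for that subject and purpose. Returns how many records were withdrawn.
function withdrawConsent(ledger, subject, purpose, at) {
  let withdrawn = 0;
  for (const r of ledger.records) {
    if (r.subject === subject && r.purpose === purpose && r.withdrawnAt === null) {
      r.withdrawnAt = at;
      withdrawn += 1;
    }
  }
  return withdrawn;
}

function hasConsent(ledger, subject, purpose) {
  return ledger.records.some(
    (r) => r.subject === subject && r.purpose === purpose && r.withdrawnAt === null
  );
}

// Decide whether a cookie or tracking tag may be set for this visitor: strictly
// necessary cookies always may; others only with consent for their purpose.
function mayUseCookie(ledger, subject, cookieName, purpose) {
  if (STRICTLY_NECESSARY_COOKIES.has(cookieName)) return true;
  return hasConsent(ledger, subject, purpose);
}

// What you would hand over if asked to show consent: text shown, when, and status.
function proofOfConsent(ledger, subject) {
  return ledger.records
    .filter((r) => r.subject === subject)
    .map((r) => ({
      purpose: r.purpose,
      textShown: r.textShown,
      givenAt: r.givenAt,
      status: r.withdrawnAt === null ? "active" : "withdrawn " + r.withdrawnAt,
    }));
}

// Right to be forgotten: drop every record about the subject. Returns the count removed.
function eraseSubject(ledger, subject) {
  const before = ledger.records.length;
  ledger.records = ledger.records.filter((r) => r.subject !== subject);
  return before - ledger.records.length;
}

// Constructed sample: a subscriber ticks the (unticked by default) newsletter box.
function buildSampleLedger() {
  const ledger = createLedger();
  recordConsent(ledger, {
    subject: "reader@example.com", purpose: "newsletter", checked: true,
    checkedByDefault: false, textShown: CONSENT_TEXT.newsletter,
    at: "2018-05-26T09:00:00Z",
  });
  return ledger;
}
```

In a real site the ledger would live server-side next to your subscriber data, and the cookie banner and form checkboxes would call into it, with `mayUseCookie` deciding whether the analytics or pixel script gets loaded at all.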
Under GDPR, individuals falling within the scope of the new law have the right to have their data be forgotten/erased.
The right to revoke consent and be forgotten needs to be as easy to invoke as it was to give consent. So just how do you do that? That’s what I’ll cover in this chapter.
To remove personal data submitted through WordPress (for example, if they left a comment on a post), go to Tools > Erase Personal Data. Enter the email address of the person requesting erasure and it will send them a notification to verify the request.
If you receive a request from an email subscriber you will have to take action through your email marketing service.
For example, Convertkit has a form you simply fill out.
Different companies may provide different solutions, though. For example, MailChimp has said that when you delete a subscriber they will delete all traces of personal information:
And truth be told, once GDPR is enacted, we’ll better understand how it will be enforced and likely see additional features added to the tools we, as bloggers, use on a regular basis.
Chances are the tools you use have provided you with the ability to implement Right to Be Forgotten under GDPR.
What did you think of this guide? Was there anything I missed?
Let me know by leaving a comment below.
And that's it for GDPR for Non EU Based Bloggers: The Definitive Guide.