Making sense in a post-GDPR blogspace
DISCLAIMER: This is not legal advice. You should seek your own legal counsel on your responsibilities under the GDPR. We cannot be held liable for any advice taken from this article.
So, now that this is out of the way, let's see what the GDPR is.
What is the GDPR?
"The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU."
On December 15, 2015, following three years of drafting and negotiations, the European Parliament and Council of the European Union reached an informal agreement on the EU GDPR.
The aims of the GDPR are:
1. To reinforce data protection rights of individuals
2. Facilitate the free flow of personal data in the digital market
3. Reduce the administrative burden.
What that means, in as few words as possible, is that it is a new law/regulation that makes sure the big companies do not abuse our private info for their own shady purposes. And if they do, then there is common legislation to act upon.
Does GDPR apply to me?
Yes, you have to keep GDPR in mind when your online business is based in Europe, or you do business with Europeans. GDPR spans B2B and B2C relations, regardless of size. So bloggers fall in the "apply" category as well.
There is some conflict regarding legal entities that do not engage in economic activity (4.18). From our point of view though, even if you do not make any money from your blog, you should still be GDPR compliant, as it also states that this includes "partnerships or associations". Those could mean e.g. your Google Analytics or Facebook Like button that makes money for them. So play it on the safe side.
But, I’m not located within the EU!
Your site should be GDPR compliant if even one EU citizen can access it. Unless your site is completely blocked for those Europeans, it still needs to be GDPR compliant. (There is also the question of what happens if this European is not on EU soil. There, it gets complex!)
Is it good?
Yes, it is. It gives some rights over their private data back to the end user. If you have ever tried to remove your Facebook account (and probably failed miserably), you will be able to do so from the 25th of May, 2018 onwards. (YAY!)
So, why is GDPR so bad?
Just like with other laws, the motives are noble, but the actual technical implementation is unclear on many points. For small and specialized businesses, like e.g. a blog, some rules might be difficult to implement and even be counter-productive.
But why does everyone panic?
Have you seen people erasing their blogs and shouting out "THE END IS NEAR", yet? If not, don't worry, you will. This is all due to the fines that come with the GDPR.
The legislation states that the fines for not complying are up to €20M or 4% of annual revenue (whichever is bigger). Sure, after seeing this number, you get a panic attack. This is what law firms and assorted "consultants" will tell you if you ask them to handle your case (and pay them, of course).
Got your attention? Great! Now, please take note of the "up to" and the comparison between €20.000.000 and 4% "whichever is bigger". The 4% of annual revenue is only bigger than 20 million euros when the company has an annual revenue of HALF A BILLION euros! This is not your blog they are talking about. These are big corporations that, up to now, were abusing your private data to sell ads and produce human behavioral statistics to sell to governments and other big corps.
There is a whole paragraph on fines and, among other things, it mentions that the fines are proportional to the size of the business and the gravity of the situation. (Check it out for yourself in paragraph (148).)
According to the European Commission, the process of whacking you for non-compliance is as follows:
So, don't panic. The legislation is here to make the internet a safer place, not to start the "Bloggers Behind Bars" movement (BBB for short). It is still early and the legislation hasn't come into effect just yet. The industry will slowly adapt to the legalese and provide actual solutions to the technical problems the new laws introduce.
Of course, that does not mean you do not have to do anything. Au contraire!
What can YOU do to make your blog GDPR compliant
To approach it simply, there are three main things a blogger needs to understand first:
- Know your personal data - clearly understand what you and your partners capture and process (we are one of those partners).
- Be accountable - ensure you and your partners are accountable for personal data
- Provide transparency & control - to your users (in many cases this means asking for consent)
Let's delve a little deeper.
Under GDPR, personal data is any information relating to an “identifiable person”.
Identifiable information includes such things as a name, ID number, location, ethnicity or political standing. Data doesn’t have to be confidential or sensitive to qualify as “personal”.
For a typical blog, this personal data would include:
- Blog post comments data (name, email, IP)
- Traffic stats plugins/tools such as Google Analytics
- 3rd party hosted services such as Jetpack, Bloglovin’ and Disqus
- Email signup forms such as Mailchimp or FeedBurner
- Contact forms
- Facebook / Instagram / Twitter everything (buttons, likes, feeds, whatever)
- Issues relating to the location of your web host, e.g. data being transferred to servers outside the EU
- Any plugins that you use will also need to comply with the GDPR rules. As a site owner, it is your responsibility to make sure that every plugin can export/provide/erase the user data it collects in compliance with the GDPR rules.
The same goes for the services you use. Make sure they are GDPR-compliant. In case they are not, you must either drop them or make sure they handle the data they gather in a GDPR-compliant way, by signing a Data Protection Agreement (DPA) between you and them. This is needed because you are responsible for all the data you handle (even if it is provided to you by a third-party tool).
You still have to get consent for cookies as you did anyway (you did, didn't you?). But now, GDPR just raised the bar. Instead of simple cookie banners, under GDPR you need to use a consent tool to obtain this cookie consent. Technically, your site should NOT set any cookies before the user gives her consent.
A great (and totally free) consent tool can be found here (or at the links at the bottom of the post).
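The rule above (no non-essential cookies or tracking scripts before the visitor opts in, and no pre-ticked boxes) is easy to get wrong in practice. The following consent gate is an added example, not InLinkz's code or the consent tool linked here: it models cookies and script loaders in memory so it runs outside a browser; on a real page you would back it with `document.cookie` and `<script>` insertion.

```javascript
// Consent gate: optional categories start OFF (no auto opt-in), cookies and
// scripts in those categories are blocked until grant(), and withdraw() removes
// the category's cookies again. Cookie/script storage below is a constructed
// in-memory stand-in for the browser APIs.
const OPTIONAL = ["analytics", "marketing"]; // "necessary" is always allowed

function createConsentGate() {
  const consent = { necessary: true, analytics: false, marketing: false };
  const deferred = []; // { name, category, loader } waiting for opt-in
  const loaded = [];   // script names whose loader actually ran
  const cookies = {};  // name -> { value, category }

  const allowed = (category) => consent[category] === true;

  // Set a cookie only if its category has consent; returns whether it was set.
  function setCookie(name, value, category) {
    if (!allowed(category)) return false;
    cookies[name] = { value, category };
    return true;
  }

  // Run a loader (e.g. the Google Analytics bootstrap) now if allowed,
  // otherwise park it until the visitor consents to that category.
  function loadScript(name, category, loader) {
    if (allowed(category)) { loader(); loaded.push(name); return "loaded"; }
    deferred.push({ name, category, loader });
    return "deferred";
  }

  // Visitor ticks boxes: enable those categories and replay matching loaders.
  function grant(categories) {
    for (const c of categories) if (OPTIONAL.includes(c)) consent[c] = true;
    for (let i = 0; i < deferred.length; ) {
      const entry = deferred[i];
      if (!allowed(entry.category)) { i++; continue; }
      entry.loader(); loaded.push(entry.name); deferred.splice(i, 1);
    }
  }

  // Withdrawal must be as easy as consent: drop the category and its cookies.
  function withdraw(category) {
    if (!OPTIONAL.includes(category)) return; // "necessary" cannot be withdrawn
    consent[category] = false;
    for (const [n, c] of Object.entries(cookies)) if (c.category === category) delete cookies[n];
  }

  const snapshot = () => ({ consent: { ...consent }, loaded: [...loaded],
    deferred: deferred.map((d) => d.name), cookies: Object.keys(cookies) });
  return { allowed, setCookie, loadScript, grant, withdraw, snapshot };
}
```

Scripts that were already running before consent cannot be "unloaded", so deferral at load time is the point: the gate decides before the tracker's code ever executes.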
So, what do I do?
Then, you will need to make sure you display a privacy notice every time you gather private data.
Re-request consent from your email list
Another thing you might want to do, is re-request consent from the owners of the email addresses on your email list. Your email list service should provide such functionality.
Contact 3rd party services
We can confirm that InLinkz is fully compliant!
Make sure your site is served over https instead of http. Contact your host if you are not sure how to go about it. You will need an SSL certificate. Most hosts will be able to provide you one for free. More techie bloggers can check out Let's Encrypt.
Make sure they are compliant as well (they might manage data in ways you do not want). And of course, update them as soon as possible.
Check your site for trackers
And what shouldn't I keep doing (that I probably do)
- Auto opt ins! Everyone should have to express their consent (yep, click that box) to opt in.
- Give away freebies to get email addresses for one purpose then use them for another. If you gained email addresses this way you should go out to re-validate consent or you may be in breach of GDPR. Normally, your GDPR-compliant email-list service already has this functionality.
- Share data with anyone else who wasn’t declared at the point where data was provided, for example, give your giveaway's email addresses to other bloggers without having explicit permission from the email address owners.
- Collecting data where it is not necessary, for example in contact forms/comments.
"What about YOU?", you say!
InLinkz by nature is a consent based platform, users specifically give consent to enter campaigns and the data they provide is only ever shared with the owner of the campaign. So InLinkz acts as a Data Processor on behalf of the customer (Data Controller).
What have we done so far
- Contact: You can now contact us directly via firstname.lastname@example.org to discuss any specific concerns
- New Data Processing Agreement: Since we store data in the USA (in an EU Privacy Shield-Compliant facility) we will be updating our agreement with EU customers detailing how we process their data
- Right to be forgotten: As it has always been, you can request for all your data to be removed. For linkup hosts, you already have the power to delete entrants if they exercise this request to you directly.
- Consent: Improved the ability to obtain additional consent via checkboxes in the Add Link page.
- 3rd Parties: Helping customers understand the 3rd parties that we have data processing agreements with (e.g. Mailchimp, Google Analytics, etc.)
- DPIA: We have conducted a Data Protection Impact Assessment and it is available to authorities if requested.
- Written this blog post: to make sure you do not panic and go erasing any linkup you have! Linkups are still a great way to bring engaged traffic to your blog and let your users contribute to your content and exposure!
Final thoughts on GDPR.
While it may now seem that the sky is falling on our blogging heads, the GDPR is actually a welcome change. The last time something similar was drafted was back in 1995, called the Data Protection Act. And the online world has changed dramatically since then. At that time, "blog" wasn't even a word.
With the GDPR, control of the individual's private data is given back to the individual. The big corps are required to be accountable for our data and their actions on it, and trust will slowly build up from now on between each level of existence in the online world (consumer, reader, blogger, BigCorp, etc.).
Panic is a bad advisor, and deleting your email list or your Linkups will not instantly make you GDPR-compliant. You just need to make it clear to your readers that you respectfully ask for their info.
Up to now, big corps snatched our precious PII for their gain, resulting in a general feeling of distrust. Building trust back to our beloved internet will only make it better and safer for all of us!
Think we are missing something?
Feel free to let us know in the comments or just send us an email and we'll update ASAP!
- The GDPR monster text itself
- Ghostery - tracker detection
- Let's Encrypt - free SSL certificates
- Consent tool from Quantcast (free)