GDPR for Bloggers – What You Need to Know and Do

There's probably a good chance you've seen the word GDPR thrown around on social media the past few weeks, and you've seen people asking what they need to do about it.  In this post I'm going to break it down as simply as possible and tell you exactly what you need to do about it.


What is GDPR?

GDPR stands for General Data Protection Regulation.  It is a European Union law that protects the personal data of people who are in the EU (just think all of Europe, whatever their citizenship).

The regulation governs how personal data is collected and used in Europe, and it also restricts sending that data outside Europe.  It applies based on where your readers are, not where you are.  So if you have a blog and you live anywhere outside of Europe, this affects you too (assuming some of your readers come from Europe).

What personal information is covered by the GDPR?

According to the European Commission, “Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

If you are a blogger this could include:

  • Names and email addresses on your email list
  • Names, email addresses and IP addresses saved with comments on your blog posts (WordPress stores the commenter's IP address alongside the comment)
  • Payment details if you sell stuff from your blog (names, billing addresses, order history, etc.)

Don't overthink this one.  If you're a blogger, it's probably names and emails that you're collecting.

Do I need to do anything with my existing email list?


If you already have an email list that people double opted-in to join, you're fine.  GDPR doesn't literally say "double opt-in", but it does say you must be able to prove that each person consented, and a confirmation click you can point to is the simplest proof there is.  Key points to remember with your email list are:

  • Use double opt-in.  This means that after they give you their email address on your website to join your mailing list, you send them an email with a button that confirms their subscription.  Nobody gets added to the list until they click it.  Almost every email automation service has this feature.  Just make sure it's turned on.
  • Include a one-click unsubscribe link in every email.  Once again almost every email automation service includes this (a working unsubscribe mechanism is required under the U.S. CAN-SPAM Act anyway, so most don't give you a choice).
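If you ever have to build the confirm and unsubscribe links yourself instead of letting your email service do it, here is what "double opt-in" looks like under the hood. This is an added example, not code from this post or from any email service: the list, the `SECRET` value and the `reader@example.com` address are all made up for illustration. The point it shows is that the link in the confirmation email has to be unguessable and tied to one address and one purpose, and that the timestamp and consent wording get stored so you can later prove who agreed to what.

```python
import base64
import hashlib
import hmac
import json

# Assumption: in real use this comes from your config or secret store, never from source code.
SECRET = b"replace-me-with-32-plus-random-bytes"

CONFIRM_MAX_AGE = 48 * 3600  # confirmation links stop working after two days


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(email: str, action: str, issued_at: int, secret: bytes = SECRET) -> str:
    """Token = base64(payload).base64(HMAC-SHA256(payload)).

    The action ("confirm" or "unsubscribe") is inside the signed payload, so a confirmation
    link can never be replayed as an unsubscribe link or the other way round.
    """
    payload = json.dumps({"e": email, "a": action, "t": issued_at}, separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str, action: str, now: int, max_age=None, secret: bytes = SECRET):
    """Return the email the token was issued for, or None if it is forged, expired or for another action."""
    try:
        p, s = token.split(".")
        payload, sig = _unb64(p), _unb64(s)
    except ValueError:  # covers bad splits and binascii.Error (a ValueError subclass)
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    data = json.loads(payload)
    if data.get("a") != action:
        return None
    if max_age is not None and now - data["t"] > max_age:
        return None
    return data["e"]


class MailingList:
    """Minimal double opt-in list that also keeps the consent record you may have to show."""

    def __init__(self, secret: bytes = SECRET):
        self.secret = secret
        self.records = {}  # email -> dict

    def signup(self, email: str, consent_text: str, now: int) -> str:
        """Step 1: the form was submitted. Store a PENDING record; return the token for the confirmation email."""
        existing = self.records.get(email)
        if not (existing and existing["status"] == "confirmed"):
            # store exactly what they were told they were signing up for, and when
            self.records[email] = {"status": "pending", "signed_up_at": now, "consent_text": consent_text}
        return make_token(email, "confirm", now, self.secret)

    def confirm(self, token: str, now: int) -> bool:
        """Step 2: the button in the confirmation email was clicked. Only now do they become a recipient."""
        email = verify_token(token, "confirm", now, CONFIRM_MAX_AGE, self.secret)
        rec = self.records.get(email)
        if rec is None or rec["status"] == "unsubscribed":
            return False
        if rec["status"] == "pending":
            rec["status"] = "confirmed"
            rec["confirmed_at"] = now
        return True

    def unsubscribe_token(self, email: str, now: int) -> str:
        """Put this in every email as the one-click unsubscribe link; it never expires."""
        return make_token(email, "unsubscribe", now, self.secret)

    def unsubscribe(self, token: str, now: int) -> bool:
        email = verify_token(token, "unsubscribe", now, None, self.secret)
        rec = self.records.get(email)
        if rec is None:
            return False
        rec["status"] = "unsubscribed"
        rec["unsubscribed_at"] = now
        return True

    def recipients(self):
        return sorted(e for e, r in self.records.items() if r["status"] == "confirmed")


if __name__ == "__main__":
    ml = MailingList()
    tok = ml.signup("reader@example.com", "Join the weekly newsletter and get the checklist", now=1_000)
    print("before click:", ml.recipients())
    ml.confirm(tok, now=2_000)
    print("after click: ", ml.recipients(), ml.records["reader@example.com"])
```

The design choice worth copying even if you never write this code: the token is an HMAC over the address, the purpose and the issue time, not a random row id, so there is nothing to guess and nothing to look up before the signature check, and the consent text is stored next to the timestamp rather than assumed.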

How to safely collect emails from lead magnets

A big question is how to do “freebies” or lead magnets.

Here's the big no-no for lead magnets…

Put in your name and email and get instant access to this free checklist, webinar, ebook, or whatever, and then automatically add them to your mailing list. BAD.

Put in your name and email and get instant access to this free checklist, webinar, ebook, or whatever, include small text in the popup that says “by downloading this you agree to receive our emails”, and then automatically add them to your mailing list. Also BAD.

Here's the safe way to do this.

Put in your name and email to join our email list, community, newsletter, and we'll send you the checklist (or webinar signup, or whatever) along with weekly emails and updates.  GOOD. Make it clear they are joining your mailing list and what they will receive.

Also do not have any pre-checked boxes.  You might have seen in the past a lead magnet pop-up with a little box already ticked below it that says something like “You agree to receive our marketing emails.”  Recital 32 says in so many words that pre-ticked boxes do not count as consent, so this is not allowed under “unambiguous consent”.

What is Unambiguous Consent?

GDPR recital 32 states that consent can be given through “conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.”

This means that by taking an action, such as clicking a box or link to accept, the visitor is providing consent, as long as it is clearly and prominently disclosed that this consent allows you to drop cookies and process their information, and what you intend to use it for.  The flip side, in the same recital: silence, pre-ticked boxes and inactivity do not count.  So a visitor who simply keeps browsing while a banner sits at the bottom of the page has not consented to anything; they have to actually click something.

The easy way to do this is to use a plugin like Cookie Notice.  It's really easy to use and will help you stay GDPR compliant.  Just make sure you adjust the wording accordingly to state what data you collect and why.  One caveat whatever plugin you use: a banner that only informs people while your tracking scripts load anyway isn't collecting consent, it's just announcing what you do.  Set it up so non-essential cookies (analytics, the Facebook Pixel, ad scripts) are only set after the visitor clicks accept.

What is Legitimate Interest?

Legitimate Interest is a very fuzzy part of the GDPR.  I'm NOT going to make this more complicated than it needs to be.  If you use the cookie plugin and make it clear what type of personal data you're collecting, you should be fine.

Basically, “legitimate interest” is one of the legal grounds the GDPR allows for processing data without asking for consent, and it's the argument marketers reach for when they gather personal information without asking for it upfront, like collecting cookie data or IP addresses without explicitly stating that they're doing it.

If what you're doing sounds sneaky, then ask for consent. If it's truly harmless processing, make a strong case for minimum impact on your customers and website visitors, and write that reasoning down so you can show it if asked.

Sending your subscribers emails about your recent blog posts is the kind of thing people argue qualifies as “legitimate interest”.  However, selling directly from your emails is not considered legitimate interest if the user did not opt in for that specific purpose, and neither is emailing addresses you picked up some other way (a comment, an order) that never joined the list at all.

Your data is stored securely

If you don't have https at the front of your blog domain you need to contact your hosting provider and get that taken care of.  Https means your site has a TLS certificate and the traffic between your readers' browsers and your site (the names and emails they type into your forms, their comments, their logins) is encrypted on the way, so nobody on the coffee-shop wifi can read or tamper with it.  Note that this protects data in transit, not data at rest: how securely it's stored once it arrives is down to your host, your plugins and your email service.

Fancy techy stuff there.

Just make sure you have https, that plain http://yourblog.com redirects to the https version, and that your signup forms post to an https address (a secure page with a form that submits to http is the worst of both worlds).

Make sure your third party apps and plugins are GDPR compliant

Check your hosting provider, plugins, apps, or other software that you use with your blog to make sure they are GDPR compliant.

With all the changes, many of these services are posting that they are GDPR compliant.  If you can't clearly see that they are, send them an email and find out (that's also a good email to save for safe record keeping, because under GDPR you're the one answerable for your readers' data, and “my provider said so” needs something to back it up).  For anything that stores personal data for you, such as your email service or your host, what you're really looking for is a Data Processing Agreement (DPA); most of the big services now publish one you can accept online.

What do I need to do for the Facebook Pixel?

If you have the Facebook Pixel installed on your website you'll need to disclose that information in your cookie popup or on your privacy policy.  You'll need to disclose what type of data you're collecting and what you will be using it for.

If you use an email list or CRM data to create custom Facebook audiences for advertising you'll need to ask for permission from your email subscribers or you will have to remove their email from your custom audience upload.

Remember, consent has to be given, it cannot be implied.  Saying, “If you do not respond to this email you are giving consent” is NOT allowed under GDPR.

Update your privacy policy

If you don't have a privacy policy you need one.

Update – WordPress 4.9.6 has made some GDPR compliant changes.  You'll still need to create a Privacy Policy, but you can find some privacy changes under Settings in the WordPress dashboard.

In your privacy policy make it clear that you will provide any user with the personal data you hold about them if they ask for it, and that you will delete it promptly if they ask for it to be removed.

Here is where I got mine:

It's like $30. But you'll sleep better tonight.

Things to make clear in your privacy policy (which are auto generated if you use a service):

  • Mention what data you collect (names, emails, etc…)
  • What you use the data for
  • Who you share data with
  • How people can request the data held on them.  This is called a “Subject Access Request”, and you normally have one month to respond.
  • How people can request data to be deleted.

If you use the Privacy Policies generator I use you'll just fill in some prompts and it will create the policy for you.  Then you can read through it and make sure it includes the info listed in the bullet points.  You can add whatever info is missing.

Update – With WordPress 4.9.6, under Tools you can now export personal data for specific users or erase personal data for users.  That covers the data WordPress itself stores (user accounts and comments); data that lives in your email service or in a third-party plugin still has to be exported or erased there, unless the plugin has hooked into this tool.

The most important things to remember

  1. Create a Privacy Policy page for your blog and link to it in your footer.
  2. Use https if you are not already.
  3. Double opt-in your email lists.
  4. Get a cookie notification plugin.
  5. Ask your hosting provider and plugins (that store user data) if they are GDPR compliant.

If you have any other questions you should join our Facebook Group!  It's the best blogging group in the universe for learning tips and strategies for your blog.

What is GDPR and what do you need to do about it as a blogger? This ultimate resource guide will tell you simply what you need to know and do to stay compliant. The General Data Protection Regulation is starting May 25, 2018 and it affects all blogs and websites that have any readers in Europe.

Thomas phiri

Thanks for sharing, great post, so helpful.

Daren Hillhouse

Thank you for sharing. I appreciate it. I wanted to share with you some of the tools that I found to help me accomplish this. The first one is the Privacy Policy. I found a website that will generate a privacy policy once you fill in some information. It's free, and says it's compliant with GDPR law. I also started using WordPress Cookie Notice. It's another free plugin. You fill out some basic information. I have only set up a mailing list on one of my sites, and I'm using Sendin Blue; it's free for small users. They…

Chantal Steele

Super helpful – thanks!


Wow, thank you so much for all this important information.