There's probably a good chance you've seen the word GDPR thrown around on social media the past few weeks, and you've seen people asking what they need to do about it. In this post I'm going to break it down as simply as possible and tell you exactly what you need to do about it.
What is GDPR?
GDPR stands for General Data Protection Regulation. It is a European law to help protect personal information for anyone that is a member of the European Union (just think all of Europe…).
This regulation protects the collection of personal information in Europe, but also controls exporting European personal data outside of Europe. So if you have a blog, and you live anywhere outside of Europe, this affects you too (assuming some of your readers come from Europe).
What personal information is covered by the GDPR?
According to the European Commission, “Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
If you are a blogger this could include:
- Names and email addresses on your email list
- Email addresses left with comments on your blog posts
- Processed payment info if you sell stuff from your blog (names, addresses, etc)
Don't overthink this one. If you're a blogger, it's probably names and emails that you're collecting.
Do I need to do anything with my existing email list?
If you already have an email list that people double opted in to join, you're fine. Key points to remember for your email list are:
- Use double opt-in. This means that after they give you their email address on your website to join your mailing list, you send them an email that has a button that confirms their subscription. Almost every email automation service has this feature. Just make sure it's turned on.
- Include a one-click unsubscribe button. Once again almost every email automation service includes this (it's required under U.S. law anyway so most don't give you a choice).
How to safely collect emails from lead magnets
A big question is how to handle “freebies” or lead magnets.
Here's the big no-no for lead magnets…
Put in your name and email and get instant access to this free checklist, webinar, ebook, or whatever, and then automatically add them to your mailing list. BAD.
Put in your name and email and get instant access to this free checklist, webinar, ebook, or whatever, include small text in the popup that says “by downloading this you agree to receive our emails”, and then automatically add them to your mailing list. Also BAD.
Here's the safe way to do this.
Put in your name and email to join our email list, community, newsletter, and we'll send you a checklist, webinar signup, whatever along with weekly emails and updates. GOOD. Make it clear they are joining your mailing list and what they will receive.
Also do not have any pre-checked boxes. You might have seen in the past a lead magnet pop-up for something and a little box checked below that says something like “You agree to receive our marketing emails.” This is not allowed under “unambiguous consent”.
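To make the double opt-in and explicit-consent rules from the two sections above concrete, here is an added example (not code from the original post or from any mailing-list service) of a minimal subscription flow: nobody becomes a subscriber until they click a single-use confirmation link, and a purpose such as “marketing” is recorded only if the person actually ticked that box. The 48-hour link lifetime and the purpose names are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 48 * 3600  # assumption: confirmation links expire after 48 hours


@dataclass
class Subscriber:
    email: str
    purposes: set                        # what the person explicitly agreed to, e.g. {"newsletter"}
    confirmed_at: Optional[float] = None  # set only after the confirmation link is clicked
    consent_source: str = ""              # which form collected the consent (for your records)


class MailingList:
    """Minimal double opt-in list: signup alone never adds anyone to the list."""

    def __init__(self):
        self._pending = {}       # token -> (Subscriber, issued_at)
        self._subscribers = {}   # email -> confirmed Subscriber

    def signup(self, email, form_fields, source):
        """form_fields holds the checkbox values the visitor submitted. The form must render
        every box unticked; a purpose counts only if the visitor ticked it themselves."""
        purposes = {p for p, ticked in form_fields.items() if ticked is True}
        if not purposes:
            raise ValueError("no purpose consented to; unambiguous consent is required")
        token = secrets.token_urlsafe(32)   # unguessable, single-use confirmation token
        self._pending[token] = (Subscriber(email, purposes, consent_source=source), time.time())
        return token   # on a real site this goes into the confirmation email's button link

    def confirm(self, token, now=None):
        now = time.time() if now is None else now
        entry = self._pending.pop(token, None)   # pop: a token can be used only once
        if entry is None:
            return False
        sub, issued_at = entry
        if now - issued_at > TOKEN_TTL_SECONDS:
            return False   # expired link; the visitor has to sign up again
        sub.confirmed_at = now   # timestamp is your proof of when consent was confirmed
        self._subscribers[sub.email] = sub
        return True

    def unsubscribe(self, email):
        """One-click unsubscribe: drop the record outright."""
        return self._subscribers.pop(email, None) is not None

    def recipients(self, purpose):
        """Addresses you may email for this purpose: confirmed AND consented to it."""
        return sorted(s.email for s in self._subscribers.values() if purpose in s.purposes)
```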
What is Unambiguous Consent?
GDPR recital 32 states that consent can be given through “conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.”
This means that by taking an action, such as clicking a box or link to accept, or continuing to browse, the consumer is providing consent, as long as it is clearly and prominently disclosed that this consent allows you to drop cookies and process consumer information, and the intended uses are stated.
The safe way to do this is to use a plugin like Cookie Notice. It is really easy to use and will help you stay GDPR compliant. Just make sure you adjust the wording accordingly to state what data you collect and why.
What is Legitimate Interest?
Legitimate Interest is a very fuzzy part of the GDPR. I'm NOT going to make this more complicated than it needs to be. If you use the cookie plugin and make it clear what type of personal data you're collecting you should be fine.
Basically the “legitimate interest” argument is for marketers trying to gather personal information without asking for it upfront, like gathering cookie data or IP info without explicitly stating that you're doing it.
If what you're doing sounds sneaky, then ask for consent. If it’s truly harmless processing, make a strong case for minimum impact on your customers and website visitors.
Sending emails of your recent blog posts would qualify as “legitimate interest”. However, selling directly from your emails is not considered legitimate interest if the user did not opt-in for that specific purpose.
Your data is stored securely
If you don't have https at the front of your blog domain you need to contact your hosting provider and get that taken care of. HTTPS means your site has a valid certificate and encrypts what your visitors send you (form submissions, comments, logins) while it travels between their browser and your server.
Fancy techy stuff there.
Just make sure you have https.
Make sure your third party apps and plugins are GDPR compliant
Check your hosting provider, plugins, apps, or other software that you use with your blog to make sure they are GDPR compliant.
With all the changes, many of these services and plugins are posting that they are GDPR compliant. If you can't clearly see that they are compliant, send them an email and find out (that's also a good email to save for record keeping).
What do I need to do for the Facebook Pixel?
If you use an email list or CRM data to create custom Facebook audiences for advertising, you'll need to ask your email subscribers for permission, or you will have to remove their emails from your custom audience upload.
Remember, consent has to be given, it cannot be implied. Saying, “If you do not respond to this email you are giving consent” is NOT allowed under GDPR.
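As an added example (not code from the original post), here is one way to build the custom audience upload so that only confirmed subscribers who consented to advertising are included; everyone else is listed for removal rather than uploaded. The sample records are constructed, and the hashing follows Facebook's documented custom audience format (SHA-256 of the lowercased, trimmed address).

```python
import hashlib

# Constructed sample records: "purposes" is what each person explicitly agreed to.
# Bob's record predates a separate advertising opt-in, so he has no recorded consent for it.
SUBSCRIBERS = [
    {"email": "Ann@Example.com ", "purposes": {"newsletter", "advertising"}, "confirmed": True},
    {"email": "bob@example.com",  "purposes": {"newsletter"},                "confirmed": True},
    {"email": "cat@example.com",  "purposes": {"newsletter", "advertising"}, "confirmed": False},
]


def normalize_email(email):
    """Custom audience matching expects lowercase, whitespace-trimmed addresses."""
    return email.strip().lower()


def hash_email(email):
    """SHA-256 hex digest of the normalized address, the format used for the upload."""
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()


def audience_upload(subscribers, purpose="advertising"):
    """Split the list into hashes to upload and addresses to leave out.

    A subscriber is uploaded only if their subscription was confirmed (double opt-in)
    and they consented to this specific purpose; implied consent never counts.
    """
    included, excluded = [], []
    for s in subscribers:
        if s["confirmed"] and purpose in s.get("purposes", set()):
            included.append(hash_email(s["email"]))
        else:
            excluded.append(normalize_email(s["email"]))
    return included, excluded


if __name__ == "__main__":
    upload, left_out = audience_upload(SUBSCRIBERS)
    print("hashes to upload:", upload)
    print("not uploaded (no consent or unconfirmed):", left_out)
```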
Update your privacy policy
Here is where I got my privacy policy: https://privacypolicies.com/
It's like $30. But you'll sleep better tonight.
Whatever you use to write it, your privacy policy needs to cover:
- Mention what data you collect (names, emails, etc…)
- What you use the data for
- Who you share data with
- How people can request the data held on them. This is called a “Subject Access Request”.
- How people can request data to be deleted.
If you use the Privacy Policies generator I use you'll just fill in some prompts and it will create the policy for you. Then you can read through it and make sure it includes the info listed in the bullet points. You can add whatever info is missing.
Update – With WordPress 4.9.6 under Tools you can now export personal data for specific users or erase personal data for users. This is now GDPR compliant!
The most important things to remember
- Use https if you are not already.
- Double opt-in your email lists.
- Get a cookie notification plugin.
- Ask your hosting provider and plugins (that store user data) if they are GDPR compliant.