GDPR and Bloggers: What Compliance Entails for Bloggers
The General Data Protection Regulation or GDPR has been in effect since May 25, 2018. This was the largest and most extreme regulation in regards to data and privacy in a long time. The GDPR is a European Union regulation, which also includes the United Kingdom.
To truly understand how you can be compliant with GDPR, it’s important to understand what the purpose of GDPR is and why it came into existence. GDPR’s main purpose is to give individuals more control over their own data: what data businesses and companies are collecting, why they are collecting it, and for what purpose. To learn more about GDPR and bloggers, and about what GDPR is, you can read this detailed post here on SmartBlogger.
Disclaimer: Even though I am a licensed and practicing attorney in the United States, I am not your attorney. Nothing on my website should be construed as legal advice. Your presence on my site does not create an attorney-client relationship or privilege. Every piece of content I present to you is for educational and informational purposes only. If you need specific legal advice, please consult with an attorney in your area.
Who must abide by the GDPR rules
Who is bound by GDPR? Or to put it more simply, who must follow the rules set forth in GDPR?
Anyone who collects and processes data from anyone located in the EU region. Collecting and processing data are actually key phrases for GDPR purposes. This data generally refers to data that can be personally identifiable for the individual in question. It can be a name, email, phone number, IP address, data collected from cookies, geotags and more. Some data on its own might not be personally identifiable, but when you combine it with something else, it becomes so.
Almost every single website out there collects and/or processes data nowadays in one way or another. Here is a non-exclusive list of instances when you collect data:
- Email sign up forms
- Google Analytics
- Cookies
- Facebook pixel
- Comments
- Contact form, etc.
If you run a website and you do any of the above, then you collect data. Therefore, if you ever collect data from someone who is in the European Union region at the time, then you’re bound by the GDPR rules.
All in all, it’s my personal opinion that every site should make the effort to abide by GDPR, especially when compliance is so much easier and cheaper than noncompliance. If and when you get in trouble because of GDPR rules, the fines are so hefty that you don’t want to think about not complying.
Under the GDPR changes, you can no longer automatically add a person to your general email list simply because they wanted a freebie. The accepted and common practice before was to offer an irresistible free resource, also called freebie, lead magnet, etc. When the individual in question wanted to get your resource, they had to enter their email address. The second their email address was entered, they became part of your list. You would send them marketing emails, sales emails, your newsletters, etc.
Is the workaround really a solution or more of a problem?
When the GDPR went into effect, many people, bloggers, and companies decided that in order to not deal with GDPR issues, they are simply going to stop doing business with anyone from the EU region.
These companies and bloggers hired expensive personnel, equipment, and technology to geolocate visitors, so that anyone whose geotag placed them in the European region would be excluded from dealings.
Another step these companies adopted was monitoring IP addresses. If the IP address was in the EU region, then they would simply exclude that person.
However, this is where this becomes problematic. First of all, the GDPR does not allow you to circumvent it. It specifically forbids you from profiling people. Profiling includes excluding people based on their location due to tagging geolocation or IP address.
So in trying to avoid dealing with GDPR, and not be subject to it, you end up violating GDPR laws.
Secondly, IP addresses are notoriously untrustworthy and inaccurate when it comes to figuring out location. Any hacker or tech-savvy individual can make their traffic appear to come from a different address. So if the IP address is not always accurate, then you’re risking violating GDPR yet again.
In all honesty, GDPR compliance is not difficult. It’s more time consuming trying to come up with methods to circumvent it, rather than comply. So let’s make a pact today that we’re going to treat our websites as if law and the legal issues are important, and we’re going to do everything in our power to comply.
GDPR and bloggers: how this regulation applies to bloggers
GDPR changed many things in privacy law as it relates to data. These privacy changes also affected bloggers and online entrepreneurs. Due to GDPR, the way bloggers and entrepreneurs approach email list building changed drastically.
After the implementation of GDPR, bloggers and entrepreneurs must follow certain policies and rules, especially when it comes to building their email list.
Any time you collect data from anyone located in the European Union area, you have to remember that the data subject has several rights and privileges under GDPR.
Some of those rights are:
- The right to be informed
- Right of access
- Right to rectification
- Right to object
- Rights related to automated individual decision-making, including profiling
Most of these rights and privileges are common sense and fairly easy to comply with. The one key method of thinking about compliance is to think of your subscribers as people. As a person, you should have the right to choose what happens to you and your data.
When you think of compliance, keep that piece of common sense information in mind. When you think of subscribers, don’t forget that they are individuals behind the data. As an individual yourself, you would want to have a choice and say in what happens to your own data. When you think of GDPR compliance in these terms, compliance takes a whole different meaning, and you’ll realize it’s not as complicated or difficult as you may have thought.
The right to be informed
The right to be informed refers to the data subject’s right to know what is happening to their data, who it is being shared with, and for what purpose is it being used, etc.
This is not an unusual right to be given to the data subject. Any individual person would want to have this kind of information in relation to their own data and how it’s being used.
The right to access
The right to access means that the data subject has a right to request their data from you to see what you’re doing with it. Moreover, you, as the data controller, must make that data available to the data subject within 30 days of such a request.
The right to rectification
The right to rectification refers to the data subject’s right to make sure their information is correct and up to date. You have to provide a means for the data subject to update their information. Moreover, you must have a system in place to make sure that you follow up from time to time to correct any wrong information.
All of these rights are closely related to each other. In simple terms, an individual has a right to know and have access to what information you’re collecting from them, for what purpose, how long you’re going to keep it, whether you’re going to share it with third parties or not, and if so, with whom, etc.
GDPR compliant email list for bloggers
One area that bloggers felt the effect of GDPR the most was email list building and email marketing. As mentioned above, previously you could just offer a freebie, and anyone who signed up to get that freebie would have been added to your list automatically. Once on your email list, you could go ahead and send them promotional emails, newsletters, etc.
However, after the enforcement of GDPR, certain rules and regulations came forth. Now to be able to build an email list and have an email marketing system in place, you have to show valid and express consent from the data subject who agreed to be added to your email list.
Things to Do Before Adding Anyone to Your Email List
You have to properly set up your email service provider (i.e. ConvertKit, MailerLite, ActiveCampaign). You have to come up with a system that allows you to properly segment your subscribers and separate out the segment from whom you must ask for express consent before you can add them to your email list.
If you want to find out all the different ways you can ask for and receive express consent, then read the GDPR for Bloggers post.
Make sure your opt-in forms are GDPR compliant. This means that you need to ask for permission and state the purpose for wanting to add them to your list, and you must give your subscriber, the data subject, the choice to decide for themselves.
This can be done with a checkbox, radio buttons, or dropdown permission. Any of these options will work. However, in the case of a single checkbox, you have to make sure it’s not mandatory. Your checkbox must be optional so that people who do not check that box can still move forward.
You should have a link to your privacy policy on all your opt-in forms and landing pages. Not just in the footer, but close to the actual sign-up button for the freebie that you’re offering in exchange for their email address.
Your privacy policy needs to be GDPR compliant as well. There are new rights that you must include in your privacy policy. You need to state the type of data you’re collecting, the purpose for your need for the data, where you’re going to store it, for how long you’re going to store it, etc. A Privacy Policy is mandatory for every single website that deals with any kind of individual data. Free policies online or plugin generated privacy policies are simply not good enough. These generators and online templates do not contain many of the key terms that you need. To get a GDPR and other privacy law compliant Privacy Policy visit my legal shop or read my detailed post as to what policies you need and what these policies must contain and state to be legally compliant.
Figure out whether you want to ask for consent from your European Union visitors only, or from everyone (my preferred approach).
Your privacy policy must include a cookie policy notice, an advertisement notice, and a way to reach you in case your readers or visitors have questions, comments, or even complaints.
Your sign up process must include a method where you ask for consent for specific purposes. For example, you can send one email to the person who wants to get your freebie that delivers your freebie. However, if that person is from the EU area, you can’t add them to your email list. You must ask for express and specific consent before you can add them to your email list and start sending newsletters or marketing emails.
Things to Do After Someone Signs Up to Your Email List
Your email service should be properly set up before you start getting sign-ups. That way, once a person signs up to your list, they are sorted into the proper segment or group, so you know which segment contains the people who did not consent to be on your email list.
This way you know that you must only email the “no consent” segment of people the one email that delivers the freebie. You can’t and shouldn’t email them further because you have no consent to do so. You can ask for express consent in the freebie email that you deliver.
Aside from getting consent, you have to be able to keep track and record of data that you collect from your email subscribers. This is a necessary part of GDPR compliance. You can keep this record in a spreadsheet or in different software that has the capability to track that kind of data.
After someone consents to be a part of your email list, you can send them your welcome email series and start nurturing them as your most valuable assets. If you need help creating your welcome email series, then check out my step-by-step instructions here.
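The opt-in form rules above (an optional consent checkbox, with an unticked box still allowing the freebie) and the after-sign-up steps (segmenting subscribers by consent, only sending the freebie email to the no-consent segment, asking for consent again inside that email, and keeping a record of consent) can be put together as one small piece of logic. The following is an added example written for this post, not code from the post or from any email service provider; the class and method names (SubscriberStore, record_signup, consent_from_freebie_email) and the form field name newsletter_consent are hypothetical, and the sample submissions are constructed. It assumes that a browser omits an unticked checkbox from the form submission, which is why absence is treated as no consent.

```python
"""Consent-aware handling of freebie opt-in sign-ups (added example, hypothetical names)."""
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# The two purposes the post distinguishes: one-off freebie delivery vs. ongoing marketing.
FREEBIE = "deliver the requested freebie"
NEWSLETTER = "newsletters and marketing emails"


@dataclass
class Subscriber:
    email: str
    signed_up_at: datetime
    freebie_delivered: bool = False
    newsletter_consent: bool = False            # the only thing that unlocks NEWSLETTER sends
    consent_events: List[dict] = field(default_factory=list)   # append-only consent record


class SubscriberStore:
    """Hypothetical in-memory store; a real blog would keep this in its ESP or a spreadsheet."""

    def __init__(self) -> None:
        self.subscribers: Dict[str, Subscriber] = {}

    def record_signup(self, form: dict, policy_version: str,
                      now: Optional[datetime] = None) -> Subscriber:
        """Handle one opt-in form submission. The checkbox is optional: leaving it
        unticked never blocks the sign-up, it just leaves the person in the no-consent segment."""
        now = now or datetime.now(timezone.utc)
        email = form["email"].strip().lower()
        # Browsers omit an unticked checkbox entirely, so a missing field means no consent.
        ticked = str(form.get("newsletter_consent", "")).lower() in ("on", "yes", "true", "1")
        sub = self.subscribers.get(email) or Subscriber(email=email, signed_up_at=now)
        self.subscribers[email] = sub
        if ticked:
            self._log_consent(sub, True, "opt-in form checkbox", policy_version, now)
        return sub

    def consent_from_freebie_email(self, email: str, policy_version: str,
                                   now: Optional[datetime] = None) -> bool:
        """Consent given later, via the request placed inside the freebie delivery email."""
        sub = self.subscribers.get(email)
        if sub is None:
            return False
        self._log_consent(sub, True, "freebie email consent link", policy_version,
                          now or datetime.now(timezone.utc))
        return True

    def withdraw(self, email: str, now: Optional[datetime] = None) -> bool:
        """Right to object: withdrawal is recorded, not deleted, so the history stays auditable."""
        sub = self.subscribers.get(email)
        if sub is None:
            return False
        self._log_consent(sub, False, "unsubscribe link", "n/a", now or datetime.now(timezone.utc))
        return True

    def _log_consent(self, sub: Subscriber, granted: bool, source: str,
                     policy_version: str, now: datetime) -> None:
        sub.newsletter_consent = granted
        sub.consent_events.append({"purpose": NEWSLETTER, "granted": granted,
                                   "at": now.isoformat(), "source": source,
                                   "policy_version": policy_version})

    def may_send(self, email: str, purpose: str) -> bool:
        """Central check every outgoing email goes through: freebie once, marketing only with consent."""
        sub = self.subscribers.get(email)
        if sub is None:
            return False
        if purpose == FREEBIE:
            return not sub.freebie_delivered
        if purpose == NEWSLETTER:
            return sub.newsletter_consent
        return False                      # unknown purpose: never send

    def deliver_freebie(self, email: str) -> bool:
        if not self.may_send(email, FREEBIE):
            return False
        self.subscribers[email].freebie_delivered = True
        return True

    def segments(self) -> Dict[str, List[str]]:
        """The two segments the post asks you to keep apart in your email service."""
        out: Dict[str, List[str]] = {"consented": [], "no_consent": []}
        for sub in self.subscribers.values():
            out["consented" if sub.newsletter_consent else "no_consent"].append(sub.email)
        return out

    def access_request(self, email: str) -> Optional[dict]:
        """Right of access: everything held about one subscriber, in a form you can hand over."""
        sub = self.subscribers.get(email)
        if sub is None:
            return None
        return {**asdict(sub), "signed_up_at": sub.signed_up_at.isoformat()}


def demo() -> SubscriberStore:
    """Constructed walk-through: Alice ticks the optional box, Bob leaves it unticked."""
    store = SubscriberStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store.record_signup({"email": "Alice@example.com", "newsletter_consent": "on"}, "pp-2024-01", now=t0)
    store.record_signup({"email": "bob@example.com"}, "pp-2024-01", now=t0)
    store.deliver_freebie("alice@example.com")   # both get the one freebie email
    store.deliver_freebie("bob@example.com")
    return store


if __name__ == "__main__":
    s = demo()
    print(s.segments())
    print("bob newsletter:", s.may_send("bob@example.com", NEWSLETTER))
```

The point of routing every send through may_send is that the consent decision lives in one place: the freebie is delivered exactly once to everyone, marketing goes only to the consented segment, and each grant or withdrawal is appended to a timestamped record (with the privacy policy version in force) that you can produce if a subscriber exercises their right of access.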
Conclusion
GDPR compliance for bloggers is and should remain a priority. It is not something you can choose whether or not to comply with. It’s a regulation, and everyone who satisfies the categories for applicability must comply.
GDPR compliance is not complicated for bloggers, but it can be confusing if you’re not familiar with the requirements or the methods for complying. If you need a quick reference guide, download the free GDPR Cheatsheet for Bloggers & Entrepreneurs linked below. If you liked this post, share it with others and pin it on Pinterest.