GDPR. The letters that strike fear and apprehension in a lot of bloggers. As bloggers, we want to cover ourselves legally as much as possible and comply with privacy laws to avoid lawsuits.
Learn what GDPR is and how to implement GDPR compliance for bloggers with recommendations from a lawyer to cover yourself legally on your blog or website.
Please note that while Mariam is a lawyer, her answers in this interview do not constitute legal advice. She is providing recommendations only.
Who Is Mariam Tsaturyan?
Mariam is a licensed and practicing attorney in the USA.
She started her blog FreelanceAndMarketing.com as a hobby but quickly realized it could become an actual business, which helped when she made the decision to close her law office to stay home with her son.
She put her legal skills to good use and now helps other bloggers by providing legal recommendations and legal templates in her shop.
What follows are answers to common questions about GDPR and Mariam’s recommendations:
What is GDPR?
GDPR stands for General Data Protection Regulation, and it is a regulation that came out of the European Union (EU). The GDPR aims to give individuals control over how personal data about them is collected and used.
There are guidelines that businesses and websites must follow when collecting personal data on an individual. Under the GDPR, individuals have several new or expanded rights, and they can exercise those rights at any time.
Does GDPR affect websites outside the EU?
Yes. The GDPR affects any website, regardless of whether it is in the EU or not, if that website gets even one visitor from the EU. In practice, that means every website must comply with the GDPR.
What do I need to do to comply with GDPR?
The GDPR brought with it a set of new and expanded rights for the individual whose personal information is collected. The most prominent of those rights are:
- The right to be informed
- Right of access
- Right to rectification
- Right to object
- Rights related to automated individual decision-making, including profiling
A Cookie Notice is meant to tell website visitors that your website sets cookies. Under the GDPR's broad interpretation of personal data, cookies count as personal data. Therefore, you need consent before setting cookies that collect information about the visitor.
When using a Cookie Notice, make sure you provide a way for your readers to withdraw consent they previously gave, and that withdrawing it is as easy as giving it. Look for this setting in the plugin you choose (see the link for the one BAM uses – FREE!).
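To make the two requirements above concrete, here is an added example of the logic a consent banner needs (this is illustrative code, not the plugin the post links to and not code from the original post). It loads non-essential scripts only after an explicit opt-in, records the decision together with a policy version so that a changed cookie policy forces re-consent, and lets the visitor revoke consent later, which also deletes the cookies set in the meantime. The consent cookie name, the policy version string and the analytics cookie names `_ga` / `_gid` are assumptions chosen for illustration.

```javascript
// Added example (not from the original post): a minimal cookie-consent gate
// with versioned consent and revocation. Cookie names are assumptions.
const CONSENT_COOKIE = "cookie_consent";          // assumed name of the first-party consent cookie
const POLICY_VERSION = "v2";                      // bump this when your cookie policy changes
const NON_ESSENTIAL_COOKIES = ["_ga", "_gid"];     // assumed analytics cookies purged on revoke

// Parse "granted:v2" / "declined:v2" into a decision. Anything else, including
// consent given under an older policy version, means "ask again".
function parseDecision(raw) {
  if (typeof raw !== "string") return "unknown";
  const [decision, version] = raw.split(":");
  if (version !== POLICY_VERSION) return "unknown";
  return decision === "granted" || decision === "declined" ? decision : "unknown";
}

// `jar` is any object with get(name) / set(name, value) / delete(name): a Map
// for tests, or the documentCookieJar() adapter below in the browser.
// `loadAnalytics` injects the tracking script; it is never called without consent.
function createConsentManager(jar, loadAnalytics) {
  let loaded = false;
  const api = {
    decision() { return parseDecision(jar.get(CONSENT_COOKIE)); },
    shouldShowBanner() { return api.decision() === "unknown"; },
    init() {
      // On page load, honour a previously recorded "granted" only.
      if (api.decision() === "granted" && !loaded) { loadAnalytics(); loaded = true; }
    },
    grant() {
      jar.set(CONSENT_COOKIE, `granted:${POLICY_VERSION}`);
      if (!loaded) { loadAnalytics(); loaded = true; }
    },
    decline() { jar.set(CONSENT_COOKIE, `declined:${POLICY_VERSION}`); },
    // Withdrawal: record the refusal and delete the cookies that were set while
    // consent was in force. A script that is already running keeps running until
    // the next page load, so a real site reloads the page after revoke().
    revoke() {
      jar.set(CONSENT_COOKIE, `declined:${POLICY_VERSION}`);
      for (const name of NON_ESSENTIAL_COOKIES) jar.delete(name);
      loaded = false;
    },
  };
  return api;
}

// Browser adapter over document.cookie. Deleting a cookie only works if Path
// and Domain match how it was set, so for analytics cookies set on the parent
// domain you would add the matching Domain attribute here.
function documentCookieJar(doc = globalThis.document) {
  const read = () => Object.fromEntries(
    doc.cookie.split("; ").filter(Boolean).map((c) => {
      const i = c.indexOf("=");
      return [decodeURIComponent(c.slice(0, i)), decodeURIComponent(c.slice(i + 1))];
    }));
  return {
    get: (n) => read()[n],
    set: (n, v) => { doc.cookie = `${encodeURIComponent(n)}=${encodeURIComponent(v)}; Max-Age=${180 * 86400}; Path=/; SameSite=Lax`; },
    delete: (n) => { doc.cookie = `${encodeURIComponent(n)}=; Max-Age=0; Path=/`; },
  };
}
```

In the browser you would call `createConsentManager(documentCookieJar(), loadAnalytics).init()` on every page and wire the banner's buttons to `grant()` and `decline()`, with a "cookie settings" link in the footer that calls `revoke()`. The version check is the practitioner's safeguard: a visitor who consented under an old policy is asked again rather than silently carried over.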
If I am GDPR compliant am I also CCPA compliant?
Mostly yes, but there are still some CCPA-specific actions you need to take. If you have already prepared your site to be GDPR compliant, becoming CCPA compliant will be a lot easier, because many of the requirements are similar.
Look for a separate article on CCPA coming soon from Mariam!
How does GDPR differ from the CAN-SPAM Act?
CAN-SPAM and the GDPR are separate regulations targeting different things. There are some overlapping aspects, but they address different problems.
The GDPR governs the collection of individuals' personal data by businesses and websites. That data can be collected by any means on the website: email opt-ins, Google Analytics, the Facebook Pixel, ad networks, surveys, and so on.
CAN-SPAM regulates commercial email messages, and despite popular belief it is not limited to bulk email: it covers all commercial emails. Commercial means any email sent with the purpose of promoting or selling a service or good. Under CAN-SPAM there is no exception for business-to-business email. Every email that is even remotely commercial in nature falls under CAN-SPAM and must comply.
There are some basic requirements that you need to meet to avoid a very hefty penalty for CAN-SPAM violations. Let’s briefly mention the requirements, but I won’t go into too much detail because I don’t want to detract from the main topic of GDPR.
- Do not use false or misleading headers
- You must tell recipients where you’re located (an actual valid physical address)-virtual mailboxes are NOT compliant
- You cannot use misleading or deceptive subject lines (read no clickbait)
- Provide a clear method for recipients to opt out of your emails
- Honor their opt-outs promptly
- Identify the message as an ad or promotional content, and more.
What counts as personal data for GDPR?
Personal data is defined very broadly under the GDPR: it is any information that relates to an identified or identifiable natural person. So what does this mean exactly?
It means that obvious things like first name, last name, address, birthday, phone number and identity numbers are clearly personal data, because they identify a person directly.
However, the GDPR goes beyond that, because it also counts information that could identify a person. For example, an IP address combined with a street address or a birthday could identify a person. So less obvious things like an IP address, cookies, browser preferences, analytics data and location can also be personal data, because that information, especially when combined with another piece of data, could easily identify a person.
Does GDPR affect how I ask for opt ins?
Yes. The GDPR affects how you get people from the European Union (EU) region into your email list. So the common practice has been to offer a free resource or a freebie, and when the visitor wants to get this free resource, they sign up to download it, and automatically become part of your email list.
However, since the GDPR went into effect you can no longer do this, at least not for people from the EU. Under the GDPR rules you need the person's consent before you add them to your email list. This means that when someone from the EU signs up to get a freebie from you, you are not allowed to add them to your list unless you have obtained their consent to that.
This consent can be collected through features such as radio buttons, drop-down options, or checkboxes that are unticked by default and not required in order to get the freebie, and, if used properly, double opt-in as well.
Double opt-in means that when a visitor signs up through one of your opt-in forms, they must first confirm their email address by clicking a link in a confirmation email before they are added to the list or receive any follow-up email (within the rules on consent to receive emails).
The process is that when someone signs up for your free resource, you explicitly ask them whether or not they want to join your email list, and you separately get their consent to receive promotional emails (if you send promotional content).
A simple way to understand GDPR compliance, for me at least, is to treat your subscribers as actual individuals. Think about it: would you want someone to add you to their email list and then start blasting promotional emails your way?
I bet you would be annoyed at the very least. As individuals, you and I and everyone else want a say in whether we are part of an email list or not. Think along those lines and compliance shouldn't be an issue.
How do I make sure my plugins are GDPR compliant?
This is a little bit of a technical question. I'll answer to the best of my ability. When you set up plugins, some of them will have settings that ask whether you want the plugin to keep recording users or to retain user information after you deactivate or delete the plugin.
You don't want any data retained once the plugin is gone. If your plugin offers a choice to not retain data, or to delete its data on deactivation or uninstall, always choose that.
Moreover, don’t collect more data than necessary. If you don’t need a last name, phone number or a date of birth for example, then don’t ask for these.
Many reputable plugins will state whether they are GDPR compliant. It is your responsibility to check compliance and data storage (privacy) even if they don't mention the GDPR at all. YOU are responsible for all storage of your visitors' data, regardless of how or where it is collected, so choose your plugins wisely and intentionally.
What do I need to do if my site is hacked?
Unfortunately, no matter how careful we are, if someone is determined to hack your system, they probably can. Let's face it, even secure institutions like banks and large department stores get hacked, so our blogs aren't much of a challenge.
First, even though a determined hacker could break into your site, you still have to take active measures to protect your site and the data it contains.
This means keeping your plugins updated, changing your passwords regularly, not logging into your website from a public computer, and password-protecting access to your website's admin area. Basically, take all reasonable precautions.
If, despite your efforts, your site is breached, you have to notify the appropriate supervisory authority within 72 hours of becoming aware of the breach, and you have to inform everyone whose data might have been compromised without undue delay. The 72-hour deadline is a very hard limit.
Don’t take chances and debate whether you should tell your subscribers that your site has been compromised. You absolutely must report.
To check whether your site has been hacked, try Sucuri's free site scanner (just enter your URL) and see whether any warnings appear. If they do, notify your blog host right away to figure out the next steps. Keep in mind that a remote scanner only sees what is publicly visible, so a clean result does not prove the site is untouched.
To prepare for the possibility of being hacked, back up your site regularly. You can either use backups created by your host (check whether your blog host offers this service) or use a plugin like Updraft (free and paid versions). Keep at least one copy of the backup somewhere other than the web server itself, so that a compromised server does not take the backups with it, and test that you can actually restore from it.
What legal pages do I need on my blog for GDPR?
You must list the rights that individuals have under the GDPR, provide them a method to get in touch with you, and make it possible for them to exercise their GDPR rights if need be.
To see a full list of recommended legal pages for your blog, check out this post on legal page templates for your blog.
Up next Mariam will be sharing her recommendations for CCPA compliance. Stay tuned!
Was this helpful? Share it or save it to reference later!