You’ve probably heard about it: GDPR, the European data privacy regulation that is about to turn the whole Internet upside down on May 25, 2018. At first, you probably thought that since you are not located in Europe, the GDPR requirements didn’t apply to you. But then you realized that GDPR is (in practice) applicable to everyone, regardless of country.
You may have searched the Internet looking for how to comply, given that everybody technically has to comply and you could be fined up to €20 million for not doing so. But no doubt you realized how complicated it is and got lost in all of the legalese and jargon that you need to understand in order to follow the guidelines.
We know we did.
So in order to help everybody, we’ve gone through the guidelines and come up with the simplest, most straightforward way to comply with the requirements. Now, GDPR is a very complicated subject, and if you’re not a small blogger or small business, you will likely need a much more comprehensive solution than what we discuss in this article.
This article is purely intended for bloggers and small businesses that are not located in Europe; mostly, this article is targeted toward the USA. Also, please note our disclaimer: we are not lawyers, and this is not legal advice, so it is recommended that you contact a lawyer to ensure that you are properly complying with all GDPR requirements that apply to you.
GDPR for bloggers in the United States and non-European countries
So you have a blog, and you make a little bit of money out of it. You know that as a blogger, the EU can technically fine you up to 4% of your annual revenue (or €20 million, whichever is higher) if you don’t follow the requirements. What do you do?
Well, here’s our step-by-step guide…
Before We Start: How Much Risk Do You Have?
Your exposure to GDPR depends on what kind of information you have. Answer the following questions:
- Does your website target children?
- Do you collect any extremely personal information, like Social Security numbers and genetic information or something similar?
- Does your web operation involve more than a couple of people?
- Do you run an e-commerce store with payment processing in-house?
If you answered yes to any of those questions, you have a greater level of exposure to GDPR than this article is intended for. Search the Internet for more information, or consult an expert.
If you haven’t secured your site yet, or if you have any malware, make sure you’ve solved those problems first. You can read Best WordPress Plugins and Services for Malware Removal.
Step One: Work Out What You Collect and Tell Your Users
You need to work out, and tell your users (typically in your privacy policy):
- why you need the information;
- what types of information you collect;
- whether you provide that information to third parties;
- how long you will keep the information (we will talk about this later);
- how a user can view or remove that information (we’ll look at this more later).
It is important to determine your data retention period — how long you will keep user information (generally, 12-36 months) — as you will need to comply with this and delete information at the designated time.
Step Two: Check Your Platform
Choose which of the following you are using:
If you use WordPress, do the following:
- Download and install the GDPR plugin from here. The plugin will do several things, including providing consent messages and allowing people to delete and view their data.
- You can use the ‘telemetry tracker’ feature to help you determine what your plugins are recording.
If you use Drupal, things are a bit more complicated than they are for WordPress, since there’s no fully working module.
If you have Drupal 8, you can download a GDPR module here. It’s in alpha state, so you have to be careful when installing it on your site. If you have Drupal 7, you can download a set of two modules: GDPR consent and GDPR export. Both are alpha as well.
In addition to being in alpha state, none of them provide all of the functionality necessary. Even with all of the modules installed, significant functions are missing and you will need to do several things manually. GDPR consent and export only work with registered users. Here’s what you would need to do on top of these modules in order to be compliant:
- You will need to provide a way for users to delete their own information. For registered users, Drupal’s built-in “Cancel own user account” permission covers this.
- You will need to manually delete all personal information that is older than your data retention period.
If you use an open source e-commerce plugin or a hosted e-commerce solution, you have much more exposure to GDPR. That’s especially true if credit card information passes through your servers.
But even if you use a third party payment provider like PayPal, if you are storing information like addresses, names, etc. you have significant exposure to GDPR. In that case, we strongly recommend you find a specialist who can help you make the proper updates and changes to comply with GDPR.
If you have your own platform, or something that’s not listed here, you will need to determine what information you are collecting. If you’re just showing content, and not taking any information from users (beyond IP addresses and cookies) you should be able to comply by doing the following:
- Set cookie lifetimes to match your data retention period, and delete stored IP address data (for example, web server access logs) once it is older than that period.
If you have a user registration or collect any information beyond IP addresses and cookies, you will have additional requirements. You should seek out an expert to help you.
Step Three: Deal With Third Parties
The most complicated part of GDPR compliance for small blogs and websites/businesses is the fact that you are responsible for third party tools that you use.
Some of the third parties you have to be concerned about include:
- Advertising companies, ad networks like Google Adsense
- Analytics providers like Google Analytics
- Plugins for WordPress, Drupal, etc., including Disqus and social media plugins like Facebook, Twitter
- Mailing list services like MailChimp
We will take a look at what needs to be done for the most common of these. For any others, you can contact the provider for information on GDPR compliance.
Google Analytics (or another analytics provider)
You probably use Google Analytics on your site. In order to comply with GDPR, here’s what you need to do:
- Set your data retention period in GA. To do this, go to your Analytics account; then, go to the Admin section, and under your Property, click on Tracking Info. Then click Data Retention, and select the data retention period you chose in step 1.
- Turn on IP anonymization in Google Analytics (the anonymizeIp setting in your tracking code). With it enabled, Google discards the last octet of IPv4 addresses (the last 80 bits of IPv6 addresses) before the address is stored.
- Google plans to put a tool out for people to delete their Google Analytics data — you will need to link to it when it becomes available.
- Make sure you notify people that you are using cookies to track them in the cookie consent popup (which you would have set up in step 2, depending on your platform).
MailChimp (or another mailing list provider)
If you use MailChimp you’re in luck — MailChimp has built in GDPR compliance, but you will have to do a few things:
- Make sure double opt-in is turned on and make sure the new GDPR compliant signup forms are enabled;
- Make sure that the text in your emails and other content accurately describes the information you are collecting;
- Here’s the hard part: previously collected contacts may not comply — you will need to email your contacts and get them to opt in again (I know, what a ridiculous pain)…Read this for more information.
If you use a MailChimp competitor, they probably have similar options. Make sure that whoever you are using 1) has GDPR compliant forms, 2) has GDPR tools so that users can view and remove their information. If they don’t, we suggest you switch to MailChimp, as you’ll (unfortunately) have to get all your users to re-opt-in anyway.
Google Adsense
Adsense adds another layer of complexity for compliance with GDPR. There is quite a bit of disagreement over what you have to do/can’t do with Adsense in order to comply, and Google is not really helping.
Google plans to add tools for compliance with GDPR, but we’re days out from the deadline, and there’s nothing of substance from them. Until they do release their tools, here’s what we recommend:
- Technically, you need to stop any ads from appearing until the user has consented to cookies, but that’s absurdly complicated for a U.S. site
- Disable interest based ads (warning: this will severely affect your profits). To do that, login to Adsense, go to Interest based ads -> Allow & block ads -> Advanced settings; from there, you can disable interest based ads.
For Other Ad Networks
For other ad networks, what you do depends on what they provide. Remember the following rules, however:
- You cannot show interest based (personalized) ads to EU users unless they specifically opt in. That means, you will need to have a popup that asks people if they want to see personalized ads before you show any. There’s some debate as to whether you have to show the content if they say ‘no’.
- You can show contextual ads (non-personalized) at any time, but users must agree to any tracking before you do it.
Many ad networks are providing their own guidelines, and introducing functionality to help you comply.
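In practice, the rules above for analytics and ads come down to one gate that runs before any tracking script: load nothing that sets cookies until the visitor has opted in, request non-personalized ads when they have not, and have analytics discard the IP address before it is stored. The following is an added example, not code from the original post, of such a gate for a site using Google Analytics (analytics.js) and Adsense. The cookie name gdpr_consent and its value format are assumptions, and UA-XXXXXXX-1 is a placeholder for your own property ID; the anonymizeIp field and the adsbygoogle requestNonPersonalizedAds flag are Google’s documented settings.

```javascript
'use strict';
// Added example, not code from the original post: a consent gate that runs
// before any tracker is loaded. Visitors get contextual ads and nothing else
// until they opt in; analytics is only ever loaded with IP anonymization on.
// Assumptions: consent is stored in a first-party cookie named "gdpr_consent"
// with a value like "analytics:1,ads:0"; UA-XXXXXXX-1 is a placeholder.

const CONSENT_COOKIE = 'gdpr_consent';   // assumed cookie name
const GA_PROPERTY = 'UA-XXXXXXX-1';       // placeholder; replace with your own

// Parse a document.cookie / Cookie header string into consent flags.
// Anything missing or malformed counts as "no", so the failure mode is
// loading nothing rather than tracking someone who never agreed.
function parseConsent(cookieString) {
  const consent = { analytics: false, ads: false };
  if (typeof cookieString !== 'string') return consent;
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0 || part.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    let value;
    try { value = decodeURIComponent(part.slice(eq + 1).trim()); }
    catch (e) { return consent; }            // malformed: treat as no consent
    for (const flag of value.split(',')) {
      const [key, v] = flag.split(':');
      if (Object.prototype.hasOwnProperty.call(consent, key)) consent[key] = v === '1';
    }
  }
  return consent;
}

// Turn consent into a plan of what the page may do. Kept separate from the
// DOM so the decision logic can be tested without a browser.
function plan(consent) {
  return {
    loadAnalytics: consent.analytics,   // GA sets cookies, so it needs consent
    anonymizeIp: true,                   // always on, regardless of consent
    showAds: true,                       // contextual (non-personalized) ads
    personalizedAds: consent.ads,        // interest-based ads only after opt-in
  };
}

// Build the cookie string the consent popup writes once the visitor chooses.
function consentCookie(choice, days) {
  const value = 'analytics:' + (choice.analytics ? 1 : 0) + ',ads:' + (choice.ads ? 1 : 0);
  const expires = new Date(Date.now() + days * 86400000).toUTCString();
  return CONSENT_COOKIE + '=' + encodeURIComponent(value) +
    '; Expires=' + expires + '; Path=/; SameSite=Lax';
}

// Browser side: act on the plan. analytics.js is only injected when allowed,
// and anonymizeIp is queued before the first hit so no raw IP is ever sent
// for storage. win/doc are passed in so the function can run against fakes.
function applyPlan(p, win, doc) {
  if (p.loadAnalytics) {
    win.ga = win.ga || function () { (win.ga.q = win.ga.q || []).push(arguments); };
    win.ga.l = Date.now();
    win.ga('create', GA_PROPERTY, 'auto');
    win.ga('set', 'anonymizeIp', p.anonymizeIp);
    win.ga('send', 'pageview');
    const s = doc.createElement('script');
    s.async = true;
    s.src = 'https://www.google-analytics.com/analytics.js';
    doc.head.appendChild(s);
  }
  if (p.showAds && !p.personalizedAds) {
    // Adsense flag requesting non-personalized ads for this page view.
    (win.adsbygoogle = win.adsbygoogle || []).requestNonPersonalizedAds = 1;
  }
}

// In the browser, run the gate as soon as this script executes (it must be
// placed before the Adsense and any other tracking tags).
if (typeof document !== 'undefined') {
  applyPlan(plan(parseConsent(document.cookie)), window, document);
}
```

The consent popup itself only has to call consentCookie() with the visitor’s choice, assign the result to document.cookie and reload the page. If your platform renders pages server-side, run the same parse on the incoming Cookie header and skip emitting the tags altogether when there is no consent, so that no tracking request is made even before this script runs.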
Disqus, Social, and Other Plugins
Disqus and social plugins have generally implemented their own GDPR compliance. If you don’t use any APIs or single sign on with these third parties, you don’t have to do much here. Here’s what you should consider:
- Link to all of the privacy policies of these third parties; and if you have a cookie popup on your site, make sure that mentions that these third parties collect cookie information;
- You need to link to the information removal tools for your plugins;
- If you are using APIs or SSO, you will need to contact the providers for guidance
For now, you shouldn’t have to do anything in relation to social share buttons, as the companies will probably provide GDPR compliance embedded into the buttons, but you should keep an eye on this.
Unfortunately, all of these changes are likely to significantly reduce your RPMs (ad revenue per thousand page views) from EU users. Even if you choose to do nothing and wait until things are more ironed out, your ad networks and other providers are likely to make changes that will affect you.