Is GDPR rattling your cage?
In a previous post I tackled GDPR head-on. Now that D-Day has finally arrived, it seems the blogging and marketing community is in a complete frenzy trying to interpret the new regulations affecting how EU residents’ data is treated.
The majority of noise seems to be centred around the controversial rules regarding opt-in forms and gaining consent. It also seems there’s still a ton of confusion around personal blogs and what to do to make your website GDPR compliant.
In this post I try to clear up some of the misconceptions around what’s permissible with opt-in forms under GDPR, and provide suggestions for tools to help your website become GDPR-compliant. Don’t worry, you’ve got this!
The closest I get to being a qualified legal professional is an A-level in Law. This post is therefore NOT intended as legal advice. It’s merely my take on GDPR after copious research and speaking directly with representatives of the UK’s ICO. Please do your own due diligence and speak with a professional legal adviser to clarify your position on GDPR.
This post contains affiliate links. I may make a commission if you buy a product or service through such a link. Please see my Affiliate Disclosure for further information.
GDPR – Email list Armageddon?
Let’s start with a joke. “Does anyone know a good GDPR consultant?” “Yes!” “Can you forward me their details?” “No.”
I’m trying to see the positives regarding GDPR, but, understandably, many bloggers and online marketers are not at all happy with the new changes regarding ‘active’ consent.
To recap, this means your website visitors must be able to access any freebies or bonus content without being forced to join a newsletter list. In short, yes, this allows them to ‘hit and run’, meaning they get the goodies but you can’t contact them again without their explicit consent.
The oft-touted, and obvious, solution is a checkbox. The reality? Checkboxes lower your conversion rates. People are overloaded with newsletters and in-box junk. If given the choice, they’re much more likely to grab their ‘free lunch’ and disappear into the ether.
The kicker is – and I’ve been told on several occasions by the UK’s Information Commissioner’s Office – that you simply cannot bundle two permissions, regardless of how explicit the wording seems on your opt-in form.
Let’s look at an example based on wording I saw touted as being acceptable under GDPR on a recent blog post by a prominent voice in the online marketing community:
“Get our newsletter and get instant access to the free PDF!”
Sadly, however much wishful thinking is employed, this is still not GDPR-compliant, folks. It’s forcing the visitor to agree to two separate data processing requests bundled together within a single consent or action.
In this instance, the PDF can’t be freely accessed without signing up to a newsletter! They must be separated out. This is where the dreaded checkbox comes in.
We may not like it, and it may feel really unfair to marketers or bloggers, or anyone trying to build their email list (believe me, I hear ya!), but this is of no concern to lawmakers. GDPR is about end user rights, protecting them from unwanted spam and unnecessary requests for data.
The ICO have made it pretty clear, to me at least: if you’re offering something for free, it should be given freely with nothing expected in return, and the minimal amount of data processed and stored in order to deliver it.
This also means you should delete the visitor’s data immediately after delivering the freebie if they’ve opted not to receive your newsletter! Yep, that’s deleting their details completely from your email service provider in a timely fashion and never contacting them again.
Comply or die?
If someone is telling you otherwise, however well meaning, or worse, simply appearing to do nothing about complying, then it’s worth looking at their motives. If they’re an email service provider, a software provider in a related field or a prominent blogger making a significant living with an email list built on the back of freebie opt-ins, it’s obvious this news is probably not very welcome.
I’m signed up to a ton of newsletters and it’s staggering how many well-known ‘6 and 7-figure bloggers’ have still not amended opt-in forms, privacy and cookie policies or re-permissioned their lists for GDPR-compliant consent.
If these guys – with budgets for professional legal advice – aren’t taking GDPR seriously, it’s small wonder many of us little guys might be tempted to follow their lead and ignore what needs to be done.
At the end of the day, it’s really up to you. Comply, or die? Well, let’s not get too gloomy. Yes, the rules are for everyone – and yes, that means anyone with a small, personal blog too – but we know the Policy Police (I made that term up) have neither the capacity nor the inclination to go after us little guys, for now at least.
In time, however, we may start to see more small-timers being hit up for infringements, but I suspect this will come in the form of a warning and guidance on how to comply within a time-frame rather than anything too severe. It all remains to be seen, however. Do you want to be the guinea pig?
What many people are failing to acknowledge is that while authorities may be slow to react, private individuals now have increased powers to serve litigation and class actions against anyone mishandling their data. If this isn’t an incentive to fix your compliance gaps, then I don’t know what is.
A re-cap and GDPR compliance checklist for bloggers:
Here’s a recap of what you need to do as a blogger and website owner:
1. Run a data audit and figure out all the places you potentially process and store user data, such as:
- Newsletter sign-ups
- Website Cookies
- Email contact and associated service providers (Gmail, Mailchimp, ActiveCampaign, Mailerlite, Convertkit etc)
- Website contact forms
- Blog comments (including external comment systems like Disqus)
- Website Analytics (Google, Bing, Statcounter etc)
- Social media sharing and tracking (Pinterest, Facebook, Youtube, Vimeo, Twitter, Linkedin, slideshare, Wistia, Addthis, Sharethis, etc)
- Advertising and Affiliate Network tracking (Shareasale, Clickbank, Rakuten, Google ads, Facebook ads etc)
- Website plugins that process user IP addresses and data (Wordfence, Akismet, Jetpack, Disqus etc)
- Website shared hosting (Siteground, Bluehost, Squarespace etc)
- Online shops and e-commerce integrations (Shopify, Woocommerce, Gumroad etc)
- Membership sites and plugins (Memberpress, Optimizepress etc)
- Chatbots (Drift etc)
- Survey integrations (Typeform, Surveymonkey etc)
2. Document your data handling. For each instance you’ll need to figure out and (ideally) document:
- What data is being stored (email address, first name, IP address etc)
- Where is this data being stored (on your server or on a third party’s server situated somewhere else?)
- Do you really still need to store it? If not, do you have an easy way to delete or request for it to be deleted?
Note: You can no longer use implied consent as a basis for accepting cookies, e.g. wording such as “by continuing to use this website you agree to the use of cookies” – this is a no-no. The user must explicitly consent to cookies and be informed that they have the option to decline them.
5. Go HTTPS. Are you encrypting your website data via a secure SSL connection? It’s much easier than you think! See Tip #7 below!
6. Provide a way for users to contact you to request which of their data is held and processed, to have that data amended or deleted (from third parties too) and to be able to take that data away in a recognised format (PDF, spreadsheet etc) or transfer data to another third party. Keep a record of all data requests and ensure they’re responded to within one month. Note: you can no longer charge for these requests. See Tool #3 below!
7. Establish grounds for consent for all ongoing data collection and processing. For the majority of bloggers, that means ‘active’ consent in the form of a checkbox, or an affirmative action like clicking a button. If you have paying clients or have entered into a contract or sold goods or services, ‘legitimate interest’ may be valid. Consult a lawyer for guidance.
8. Stop automatic opt-ins on the back of freebies and gated content. You really can’t offer a freebie as an incentive to a visitor, then add them to your newsletter list with the expectation of contacting them again without consent. They must agree to you doing so in a clear, unbundled singular consent.
Like it or not, things are changing and it’s going to take a while to navigate the new regulations and figure out what regulators will tolerate in practice. In the meantime, it’s clear many bloggers are still really struggling to get to grips with all the things that need to be done to become GDPR-compliant. Don’t panic, even if you’re late to the party: now is better than never! These tools will help your website become GDPR compliant:
Eight tools to help bloggers nail GDPR compliance
The UK’s Information Commissioner’s Office (ICO) issued this comprehensive and informative checklist to help Data Controllers figure out the steps they need to take to be GDPR compliant. While aimed primarily at small to medium businesses, the rules still apply to individuals with blogs and websites, so it’s a really worthwhile walk-through to get a feel for what’s expected of you. If you’re not sure about a question, hit the checkbox for more information.
Again, while aimed primarily at businesses, Email Service Provider Mailjet’s online GDPR Quiz is a useful tool for helping bloggers and email marketers get a broader understanding of how they’ll need to comply.
It’s incredibly easy to set up and allows you to manage and keep track of any data requests in one place. The free option offers one basic form, which is good for one website, though you’ll need to remember to check in manually to look up any data requests. The Pro option allows you to add your own branding and colours, along with automated email notifications and support services.
I’m currently using this WordPress plugin to add a GDPR-compliant checkbox to my contact form and comments. A neat feature is the ability to embed a request form (via a shortcode) onto a page of your website so visitors have the ability to request access to their information. It also keeps a log of all requests. There’s also a handy checklist of all the places you might need checkbox affirmation.
GDPR regulations dictate that website owners are now obligated to protect visitor data using encryption. If you haven’t already, it’s time to move to HTTPS by installing a secure SSL certificate. Not sure what this is? Take a look up at your browser’s URL address right now. See that little green padlock with the word “secure” next to it? Well, it means exactly that: the connection between your browser and this website is encrypted, so the data passing between them is unreadable to any sneaky interlopers eavesdropping in between.
I highly recommend hosting your website with Siteground because they’re the best shared host for bloggers and make it super duper easy to install a Let’s Encrypt SSL certificate for FREE. Do not pay for an SSL certificate! Let’s Encrypt is a recognised and trusted Certificate Authority, backed by the likes of Google. If you have hosting covered and simply want to install a Let’s Encrypt certificate in minutes – totally free – you can do this via SSL For Free. I’ve even created a little tutorial to help you out (you’ll need to pause it periodically as it runs quite fast!):
This is probably my favourite GDPR tool as, let’s face it, handling Cookies in a GDPR-compliant way is a complete minefield. This brilliant tool creates a Cookie declaration for your website. Simply insert the code into your website’s header and it automatically scans for all cookies. The process can take up to 24 hours, but you’ll have a handy dandy list of cookies conveniently sorted under ‘Preferences’, ‘Statistics’, ‘Marketing’ and ‘Unclassified’.
Next you’ll need to select the style of pop-up that will show to visitors. Choose from a variety of placements, from a central modal covering all content to a more discreet bar at the top or bottom of the screen. You can even select how users provide consent (Active or Explicit – explicit is the way to go under GDPR).
Isn’t that the coolest? Your visitors simply check the appropriate checkboxes according to which cookies they wish to accept. The best part? It’s totally free for one user with one website and a premium subscription available with more options.
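The logic behind a category-based cookie banner like the one described above is simple enough to write out. The following is an added example, not Cookiebot’s code or anything from the original post; the tag registry, cookie name (`cookie_consent`) and function names are all hypothetical, and the sample tags are constructed. It shows the three behaviours that matter under GDPR: nothing is accepted by default (so “continuing to browse” never counts as consent), a malformed or missing consent cookie falls back to “no consent”, and each third-party tag only runs when its category has been explicitly ticked.

```javascript
// Added example: category-based cookie consent gating in the browser or on the server.
// Hypothetical names and a constructed tag registry; not code from the post or Cookiebot.
const CATEGORIES = ['preferences', 'statistics', 'marketing'];

// Constructed registry of third-party tags a blog might embed, keyed by purpose.
// Strictly necessary cookies (e.g. a session cookie) are not listed: they need no consent.
const TAG_REGISTRY = [
  { id: 'theme-switcher', category: 'preferences' },
  { id: 'google-analytics', category: 'statistics' },
  { id: 'pinterest-tag', category: 'marketing' },
  { id: 'facebook-pixel', category: 'marketing' },
];

// Default state: nothing accepted and no decision recorded. Scrolling, closing the
// banner or simply visiting the page leaves this state unchanged.
function defaultConsent() {
  return { preferences: false, statistics: false, marketing: false, decided: false };
}

// Parse the consent cookie out of a Cookie header (or document.cookie). Anything
// absent or malformed falls back to "no consent" rather than to "accept".
function parseConsentCookie(cookieHeader, name = 'cookie_consent') {
  const consent = defaultConsent();
  if (!cookieHeader) return consent;
  for (const part of cookieHeader.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key !== name) continue;
    try {
      const stored = JSON.parse(decodeURIComponent(rest.join('=')));
      for (const cat of CATEGORIES) consent[cat] = stored[cat] === true;
      consent.decided = true;
    } catch (e) {
      return defaultConsent();
    }
  }
  return consent;
}

// Which registered tags may be loaded under the current consent state.
function tagsToLoad(consent, registry = TAG_REGISTRY) {
  return registry.filter((tag) => consent[tag.category] === true).map((tag) => tag.id);
}

// Serialize the visitor's banner choices. Only categories explicitly set to true are
// kept; "decline all" produces a cookie with every category false, which still
// counts as a decision so the banner does not keep nagging.
function buildConsentCookie(choices, name = 'cookie_consent', maxAgeDays = 365) {
  const value = {};
  for (const cat of CATEGORIES) value[cat] = choices[cat] === true;
  const encoded = encodeURIComponent(JSON.stringify(value));
  return `${name}=${encoded}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Constructed sample: a visitor who ticked only "statistics".
const sampleHeader = buildConsentCookie({ statistics: true }).split(';')[0];
const sampleTags = tagsToLoad(parseConsentCookie(sampleHeader)); // ['google-analytics']
```

In a real page the output of `tagsToLoad` would drive which `<script>` elements get injected after the banner is answered; the key property is that an unknown or broken cookie yields an empty list, never a full one.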
9. HOT OFF THE PRESS!!!! Sharethis have just announced a new Cookie Management solution!!!
Lengthening the list, Sharethis’s GDPR compliance tool is an all-in-one Cookie consent management tool. It’s as easy as signing up to Sharethis and then inserting a line of HTML code into your site’s header. You can elect to show it to everyone or just to EU visitors, who will be presented with a pop-up allowing them to view, manage and accept Cookies. The list of vendors is pre-populated with members of the industry body the Interactive Advertising Bureau (IAB). It’s ideal if your site only uses plugins and services from IAB members, but sadly it isn’t customisable for other providers.
Wrapping it up
GDPR doesn’t have to signal the death knell for email lists. Yes, you’ll possibly need to work harder to get people to sign up for your newsletter and marketing emails, and certainly be more creative with your opt-in incentives, but you can bet your boots those that do sign up won’t be freebie-seeking randos. Who isn’t in favour of that?
And when it comes to GDPR compliance, it’s important to remember that it’s more than just a process. It’s a behavioural shift. Just know that no single tool can make you compliant and until firm protocols are established, it’s hard to say with any certainty what will fly under the radar and what won’t. Do what you can to adhere to the regulations but don’t stress out over it, focus on building your blog and biz and making great content your readers will love.