As a blogger, you might have heard of the GDPR by now.
GDPR stands for General Data Protection Regulation and it’s an EU regulation that enhances the rights to the protection of personal data of individuals based in the EU and came into effect in May last year.
The GDPR has introduced a new set of obligations, rules, rights, and requirements that you have to meet to be in compliance.
These include but are not limited to:
- How you can legally obtain users’ consent to process their data
- Disclosure of how you plan to gather, store or process personal data
- A plethora of obligations that you and your external providers have to uphold
- An array of rights that you need to guarantee to your users.
The list goes on and on, and all these provisions of the GDPR are legally binding.
Because the vast majority of bloggers have subscribers, followers or blog visitors from the EU, there is no way around it: you can’t point-blank ignore GDPR compliance.
As a blogger, you must assess whether the GDPR applies to you and your blog and if so, what you need to do to comply with the GDPR and specifically, with GDPR consent requirements.
In this post, we will tackle the issue of obtaining users’ consent for data processing the right way. I will walk you through what you need to know and do to comply with GDPR consent requirements.
But before we dive in, please let me quickly remind you of my disclaimer.
Although I’m a lawyer specialized in International and EU Law (LLB, LLM, PhD) by profession, this guest post is meant for educational and informational purposes only. It doesn’t constitute legal advice and doesn’t create an attorney-client relationship. Carly and I will not be held liable for any losses or damages caused by acting or failing to act on the ground of the content of this guest post. Should your circumstances require, I encourage you to seek legal advice through other avenues. Please read my full disclaimer for further information.
(THIS POST PROBABLY CONTAINS AFFILIATE LINKS. OUR FULL DISCLOSURE POLICY IS REALLY BORING, BUT YOU CAN FIND IT HERE.)
DOES THE GDPR APPLY TO YOU?
First things first, you need to figure out whether the GDPR actually applies to you.
So many scaremongering articles about the GDPR, its hefty fines, and the serious repercussions for non-compliance have been going around for months now.
But there is no real need to worry about all of this if the GDPR might not even apply to you in actuality, is there?
So, let’s clarify this once and for all.
First of all, yes, the GDPR does apply to bloggers because blogs process personal data in the form of names, email addresses, IPs, cookies, location, and other personal information.
The GDPR applies of course to all bloggers based in the EU. So, if you’re based in the EU, it goes without saying that you MUST comply with all the requirements under the GDPR.
But in addition to that, the GDPR also applies to bloggers who are not based in the EU if they offer goods or services to individuals in the EU, irrespective of whether a payment is required; or if they monitor the behavior of individuals in the EU as long as their behavior takes place in the EU.
The interpretation of these provisions is quite complex and has led to a ton of misconceptions and conflicting advice over the past months. The European Data Protection Board came to the rescue by releasing some guidelines on the territorial scope of the GDPR in November 2018.
If you would like to learn more about the extent of the application of the GDPR to your blog, you can take my FREE legal course for bloggers.
But, for the purposes of this post, it will suffice to say that these provisions, read in conjunction with recitals 23 and 24 of the GDPR, mean that if you’re based outside the EU, then you’re only bound by the GDPR if
- you target people from the EU, or
- monitor their behavior through tracking techniques consisting of profiling and retargeting.
In layman’s terms this means that the mere fact that you happen to have a few subscribers from the EU or that you can see some EU visitors through Google Analytics, it does NOT automatically make you subject to the GDPR if you don’t expressly target individuals based in the EU.
At the same time, you need to be aware that if you have visitors from the EU and you make use on your blog of behavioral ads or plugins, pixels, or widgets such as for example the Facebook pixel which is quite common among bloggers, then you may be bound to the GDPR.
If you have an email list and you use progressive profiling or similar techniques to tag or segment your list in order to deliver to your subscriber’s emails that are more relevant to them and you have subscribers based in the EU, then you may be bound to the GDPR.
And I could go on and list many other scenarios where no matter where you’re based, the GDPR may still apply to you.
To simplify things, for the purposes of this post, we will presume that you need to comply with the GDPR consent requirements because either:
- You’re based in the EU, or
- You’re based in the US, Canada, Australia, or elsewhere outside the EU but you target individuals based in the EU or you monitor their behavior, or
- You want to comply with the GDPR even though you’re not required by law.
The third scenario sounds crazy, right? But it’s actually more common than one may think. In fact, there are several reasons why you as a blogger may want to comply with the GDPR including
- Ethically, you agree with the standards of privacy and data protection introduced by the GDPR and want to ensure the same standard to all your users.
- You are requested to do so by partner brands, ad networks, and affiliate programs TOS.
- You’d like to make your blog look more professional and less like a “newbie blog”.
- You’d like to kickstart your compliance in view of similar data and privacy regulations coming to force soon, such as for example, the California Consumer Privacy Act – expected January 2020.
CONSENT AS LEGAL GROUND FOR PROCESSING DATA
Your journey to GDPR compliance should begin with Article 6.1 which comprises a series of conditions for personal data processing. Organizations, companies, and individuals must meet at least one of them if they want to legally process personal data of users based in the EU.
Of these legal bases, consent is perhaps the most important and relevant to bloggers, so we’ll focus on consent requirements.
CONSENT REQUIREMENTS UNDER THE GDPR
As far as consent is concerned, the GDPR says that processing personal data of individuals in the EU is not lawful unless they have given you explicit consent to do so.
How you obtain consent is very important. That’s why it is crucial to know what passes as consent in the eyes of the GDPR so you can get it legally.
Consent must have the following key elements to pass the GDPR litmus test as per Article 7:
- It must not be forced but given freely
- It must be unambiguous, that is the language used is easy to understand and clear
- It must be informed, which means the visitor should be given the reason for processing information
- It must be specific, which implies that it should apply to a given kind of data processing
- You should get it using an affirmative action that’s clear
- It must be granular and you cannot bundle separate matters. If you process data for different purposes, you need to obtain separate consent for each matter
- It can be withdrawn at any time. It should be as easy to withdraw as to give consent
- Parental consent is needed if the visitor, reader or user is aged 16 or younger. In some EU countries, the minimum age of consent can be lowered but never below 13.
Related: 7 Things Successful Bloggers Know
MEANS TO OBTAIN CONSENT LAWFULLY
Consent can be obtained in many ways, including electronic means, written declaration or by simply checking a box.
Collecting consent using a written declaration
To get legal consent this way, the written declaration must use simple and clear language and be presented in a way that’s intelligibly distinct from other matters. It should also be delivered in an easily accessible and comprehensible form.
Using electronic means or checkboxes
This is a familiar way of obtaining user consent. However, to become compliant with the GDPR consent requirements:
- The consent itself should be given freely, specific and through affirmative action.
- You shouldn’t use pre-checked boxes
- The visitor must check the boxes to consent
- Inactivity, unchecked boxes or silence means that you can’t process applicable data
- You can’t bundle separate matters so you need to have a separate box for each matter.
HOW TO MEET GDPR CONSENT REQUIREMENTS ON YOUR BLOG
Now that we know the key elements consent must have under the GDPR, we will specifically focus on how to obtain valid consent to perform data processing on your blog.
In fact, every time you want to process personal data on your blog, you will have to first obtain consent and every time, this consent must meet the key elements we have mentioned earlier in order to be lawful under the GDPR.
We will see what this means for the data processing activities you, as a blogger, are likely to undertake on a regular basis.
- Using cookies for browsing behavior tracking, affiliate links, or other cookies that are not strictly necessary
- Sharing personal data with third parties such as ad networks and social media networks
- Allowing users to comment on your blog
- Having contact forms on your blog
- Running an email list for newsletters, RSS campaigns and/or email marketing.
This is because the GDPR mandates that you provide your users with detailed information at the time of obtaining consent or collecting processing data. This includes how you plan to store, process or share their personal data, the obligations you must uphold, their rights under the GDPR, and much more.
Here we’re going to see how to obtain consent when using cookies that are not strictly necessary and sharing personal data with third parties such as ad networks and social media.
So, by applying the key elements of consent to this type of data processing, we can make out the following:
- Consent to cookies must involve some form of unambiguous positive action, such as for example, checking a box or clicking a link
- You cannot let non-strictly-necessary cookies run before obtaining consent from your users
- You need to make sure that your users fully understand that their positive action will result in non-strictly-necessary cookies being set, and they have taken a positive action
- According to the ICO, which is the supervising authority in the UK, simply continuing to use your website cannot be considered a positive action
- Since, under the GDPR, it must be as easy to withdraw as to give consent, you should provide a way for users to easily revoke cookies
So, to summarize, one way to obtain cookie consent in a manner that is GDPR compliant is by having a pop-up notice that meets all the requirements above.
This is how my own pop-up notice looks like.
But please note that the pop-up notice above is what is shown to my EU users as I have two different notices depending on whether my users are based in the EU or outside the EU, i.e. depending on whether they’re covered by the GDPR or not.
Please also note that initially, the position of the supervising authorities and the EU institutions themselves on how to obtain cookie consent lawfully seemed to be considerably less strict. The interpretation of the GDPR provisions has been stricter in recent formal communications, guidelines, and case-law. This is to say that if you’ve read conflicting advice about the proper way to obtain consent for cookies, it might not be necessarily wrong depending on when it was issued.
Related: 8 Ways Blogging Has Changed My Life
Comments & contact forms
When users leave a comment on one of your blog posts or fill out a contact form on your blog, you are collecting and processing their personal data, such as for example, name and email address.
To comply with the GDPR, you need to leave the box for acceptance unchecked.
You can have a look at my own comment system below as an example.
The same consent requirements apply to your subscribe forms.
In order for your subscribe forms to be GDPR compliant, you need to make sure that
- you have one or more checkboxes to obtain granular and separate consent for each matter
- checkboxes are not pre-checked
- joining your email list is not a precondition to receive a freebie.
A signup form to join your email list, compliant with GDPR, will look like this one below.
Freebies & marketing emails
So far it was pretty straightforward. Things get a bit more complicated when you offer a freebie to entice your users to join your newsletters.
This is because when you have a form requesting an email address in exchange for your freebie, you are only obtaining consent from your users to processing their personal data to send them the freebie.
By entering their email address, your users are not automatically giving you consent to be added to your email list and therefore you cannot add them.
If you also want to add them to your email list, you need to request separate consent for this purpose because as we have seen earlier, consent under the GDPR needs to be “granular”.
You can request separate consent for different purposes in the same subscribe form as long as each consent request is distinguishable from one another.
You cannot bundle them.
You can achieve this in two different ways:
- The first option; subscribe form with separate checkboxes
You create a form like this one below for your freebie and you then add a separate checkbox to obtain consent from your users to add them to your email list and send them marketing emails.
In the example below, my freebie was my free 5-day email course but you can do the same with a free checklist, report, guide, printable, e-book or whatever you wish to offer as a freebie.
You make a form for your freebie and within the form, you add a checkbox for your marketing emails.
Under the GDPR, you are no longer allowed to make subscribing to your list a condition to redeem your freebie.
You can’t have the checkbox pre-checked or a system where if your users don’t check the box for your marketing emails, they can’t continue.
This means that if they don’t check the checkbox for your marketing emails, you will need to send them your freebie but you won’t be able to add them to your email list.
This first option is pretty easy to implement but it comes with the huge downside that you would reduce your chances of growing your email list by offering the same choices to users who are not based in the EU and are therefore not covered by the GDPR.
By displaying the same checkboxes to all your users regardless of whether the GDPR applies to them or not, you will basically reduce your chances to grow your email list when there is no actual need since the law doesn’t require you to do so for users who are not based in the EU.
- Second option; show a separate page to your EU users
This is currently my favorite way to request separate consent. I do so by using a GDPR feature in ConvertKit.
In your account settings in ConvertKit, you have some GDPR compliance options to request consent from your subscribers.
If you check the 3rd checkbox in the GDPR options, as shown below, ConvertKit will determine whether your users are based in the EU or not by their IP address and will treat them differently.
If your users are based in the EU, ConvertKit will show them this page after they have subscribed to your form to redeem your freebie.
With this option, you won’t have to change anything directly within your subscribe form.
Everything happens after your users subscribe. Of course, if they don’t check the checkbox consenting to receive your marketing emails, you won’t be able to add them to your email list.
But in this scenario, this will only apply to your users based in the EU. Your other users won’t even ever see this form obtaining consent for your marketing emails and you can add them to your email list because the GDPR doesn’t apply to them.
This option will allow you to grow your email list much faster. The downside is that people may think you are not GDPR compliant since the GDPR form will only show to users based in the EU.
That’s why, whenever possible, I mention on my blogs that things may show differently depending on where my users are based.
Just a few words on double opt-in as there is this myth that it’s a requirement under the GDPR.
Nope. The GDPR does not require double opt-in per se for data processing to be lawful.
A single opt-in remains one of the most convenient legal ways to obtain consent that’s GDPR compliant.
However, double opt-in is a great way to keep proof of consent. The GDPR does require that you document how you obtain consent. Because the burden of proof sits squarely in your court, double opt-in is a godsend for bloggers.
In other words, you can activate this method of obtaining consent to store proof that the visitor has actually given you consent. But if you have other evidence of obtaining consent, then you can definitely decide to turn double opt-in off if that works best for your email marketing.
CLOSING REMARKS ON GDPR CONSENT REQUIREMENTS FOR BLOGGERS
As a blogger, you can’t really ignore the GDPR.
With the risk of fines up to €20M (or 4% of global turnover, whichever is greater), lawsuits, and formal complaints to the EU supervising authorities; plus the chain reaction of other privacy regulations that the GDPR has initiated; there is just too much at stake.
If you’re a new blogger, the GDPR might not apply to you depending on the circumstances of your blog. But if you’re an established blogger who uses intermediate to advanced blogging and marketing techniques, then chances are the GDPR applies to you regardless of whether you’re based in the EU or somewhere else.
Depending on your risk tolerance, you can make an informed decision on whether – and to what extent – you intend to comply with GDPR provisions and set of obligations. But ignoring the GDPR altogether would be one of those blogging mistakes you don’t want to make.
If you’d like to learn more about the GDPR, take my FREE legal course for bloggers.
If you need some help with your compliance, you can take my premium GDPR Compliant Blog course and get your blog compliant in 48 hours or less. You can use coupon code CARLY10 at checkout to snag a 10% discount!
Lucrezia is the co-founder of Blogging for New Bloggers & Tinylovebug.com + a trained lawyer & university lecturer (LLB, LLM, Ph.D. in international and EU law). She has helped 1,000+ bloggers make their blog GDPR compliant. She offers legal courses and provides done-for-you templates specifically designed for bloggers to create easy-to-read, highly effective, and FTC + GDPR compliant legal pages. You can enroll in her FREE legal course for bloggers here.