Quick note: this is a meaty one! Don't worry if you don't have time right now, just stick a bookmark in it and come back later. Trust me, you won't regret it! Please remember I'm not a lawyer, so make sure you seek legal advice should you need to.
Unless you’ve been under a rock somewhere for the last few months, you’ll probably have heard of the GDPR, and be wondering what GDPR means for bloggers. GDPR for bloggers is causing a bit of a stir in the general blogging community, and with good reason.
But, before I get started on what you need to do as a blogger to get ready for GDPR I do want stress that the GDPR is a good thing. It’s a positive step for data protection for everyone, including you. Not just as a blogger, but as a human being and a general consumer.
The positives of GDPR for bloggers
GDPR compliance as a blogger will ensure that anyone on your list, or using your site moving forwards, is doing so because they really want to. Yes, people might think twice about signing up to your list, which will probably mean a slower sign up rate, but the people who do sign up will be your true fans.
Getting ready for GDPR is a brilliant chance to clean up your mailing list and improve your email open rate. Think about it; let's say you have 1000 people on your mailing list, and your open rate is 12%. That's 120 people out of 1000 opening your emails, reading them, and benefitting from your content. The other 880 people couldn't give a you know what about you (soz!)
Ask everyone to re-consent and your list might drop from 1000 subs to something close to those 120, because the people who actually read your emails are the ones who will bother to tick the box. Your list gets smaller, but your open rate should dramatically spike!
Now is an epic time to start building your email list if you don’t already have one. The big email marketing companies (MailChimp, ConvertKit etc) have taken huge steps to get their services GDPR compliant, meaning if you start now you’ll be well placed to start and manage compliant lists.
You'll increase your trust factor with GDPR too. Anyone who gets their GDPR processes in place by 25 May 2018 will inevitably look like a trustworthy source, through the openness, clarity, and honesty that the GDPR requires.
What is the GDPR?
GDPR stands for General Data Protection Regulation. In short, it's an update to the data protection laws we already have (it replaces the 1995 Data Protection Directive, which in the UK was implemented as the Data Protection Act 1998), and is a step in the right direction towards an answer to the data questions we're facing as a modern society. It applies from 25 May 2018.
Data and the protection of it is only going to become more and more important as the years go on. As technology improves and evolves, and the internet becomes even more sophisticated than it already is, data protection is becoming a huge deal.
I took a semester on Dystopian fiction at uni (bear with me, this is going somewhere) and I remember feeling like some of the older novels I was reading had somehow pre-emptively seriously hit the nail on the head.
We’re only a few years away from actual robot people serving us in shops, that’s how fast technology is moving. In more ‘real’ terms, what I’m getting at is that data protection online is a seriously big deal. The theft of personal data could literally result in you not having any money to feed your kids tomorrow.
I don't know about you, but I don't want it on my conscience that a reader of mine has had to go through that because I didn't protect their data well enough. Like I said, the GDPR is a good thing. It's sensible to be thinking about it a lot, and going to every necessary length to make sure you're compliant. But panic, stress, and even the anger I've seen in some online spaces, is serving no one.
A lot of bloggers are stressing because they think they need consent for absolutely everything they do. While consent is one of the ways to be lawful in data collection and processing under GDPR, it’s not the only way. In fact, there are 6 ways.
The 6 lawful bases
Under GDPR, you can lawfully collect and process personal data if:
- You have clear consent to collect/process it for a specific reason.
- The processing is necessary to fulfil a contract you have with someone (I'll get onto VAs later this week).
- You have a legal obligation to process the information (keeping the financial records the tax office requires, for example).
- There is a vital interest, for example, to protect life.
- Public task (not relevant to bloggers).
- You can show there is a legitimate interest, and that it isn't overridden by the rights of the person concerned. You could argue, for example, that someone who bought your last e-book would likely be interested in hearing about your new one. Bear in mind, though, that marketing emails to individuals in the UK are also covered by the PECR rules, which in practice mean consent (or the narrow "soft opt-in" for your own existing customers), so best practice is still to gain clear consent before you contact people.
Does GDPR affect me?
Short answer? If you’re a human, living on Earth, yes.
The longer answer is that yes, the GDPR affects you both as a consumer and a blogger, entrepreneur, or online business owner of any kind.
On the note of online business owners and entrepreneurs, let me just clear something up quickly (soap box alert). If you blog, and make any amount of money from your blog, or plan to make any amount of money from your blog, you are an entrepreneur, or business owner. If your blog is purely a hobby, you don't ever plan to monetise it, don't use affiliate links, and don't have or want an email list, then the good news is you can close your browser now and get on with your day. The GDPR doesn't apply to processing done "in the course of a purely personal or household activity" (Article 2(2)(c)), so you're exempt.
If your blog is a hobby, then technically I believe you're exempt even if you have a mailing list. But I would strongly suggest that if this is you, you still take some steps to make sure you're compliant. Firstly because the GDPR is likely to be an evolving beast, the line between "personal" and "running a small publication" is blurry, and things may change over time. And secondly because, well, don't be a dick. No one likes a dick.
What areas of my blog will be affected?
Here's the thing: almost everyone I've spoken to over the last few weeks has been hyper aware of how the GDPR will affect their mailing lists. What hasn't been spoken about much is how the GDPR affects the websites themselves.
GDPR for bloggers is a big deal, and there are a few things to consider. The areas of your blog and website that you need to start thinking about will be unique to everyone, as all our blogs are different and have different elements. I'll cover some basics that most of us have, though, as well as things like WooCommerce and sales pages.
Cookies
Cookies are small files placed on a machine when a user accesses a website. Some cookies are essential, because they enable the site to function (keeping someone logged in, or remembering what's in their basket), and you can set these without asking on the grounds that they're necessary to provide the service (the website). Others are non-essential. They allow, for example, Google Analytics to track users of the site, along with lots of other things. Strictly speaking, the cookie consent rule comes from the PECR (ePrivacy) rules rather than the GDPR itself, but from 25 May 2018 "consent" has to meet the GDPR standard, so "by continuing to browse you agree" banners no longer cut it.
You need to have a cookie pop up or bar if you don't already have one. For WordPress users, I recommend Cookie Notice by dfactory, as it's the only one I've found that allows both an 'agree' button and a 'don't allow non-essential cookies' button. Whichever plugin you use, check that it actually does what it says: open your site in a private window, look at the cookies in your browser's developer tools before you click anything, and make sure the analytics cookies (the Google Analytics ones start with _ga) only appear after you've agreed. A banner that sits on top of scripts that have already loaded is decoration, not consent.
Comments
The majority of our blogs have comment boxes, which allow readers to leave comments on our posts. I don't think I've ever seen a blog comment box that didn't have at least 'name' and 'email address' as required fields to submit a comment.
Submitting a comment doesn't require a name and email address in order for the comment to display or do its job, so these fields really shouldn't be required. You can easily turn this off in WordPress under Settings > Discussion by unticking 'Comment author must fill out name and email'. While you're in there, remember that WordPress also stores each commenter's IP address and browser user agent alongside the comment, and if 'Show Avatars' is on it sends a hash of the commenter's email address to gravatar.com to fetch their picture. Both belong in your audit notes.
A few people have asked me if turning this off will see an increase in spam comments. In my opinion, I don't think so. Requiring a name and email address doesn't stop spam comments, it just creates a bit more work for the spammers. While it might put a few off, it's not likely. Your spam filter should still be picking these up anyway.
Testimonials & plugins
If you display testimonials on your site from clients, PRs, brands, or anyone else, you need to show that you're protecting their data when they submit a testimonial, too.
A simple message on your submission page explaining that the information is submitted of their own free will, and will be used for no other purpose than displaying the testimonial, should cover it.
It simply needs to be clear that you're not going to use their details or email address for anything other than displaying their comment, and that nothing will be shared without their permission. It also needs to be clear that they have the right to request removal of any or all of their details from your site and database at any time.
It's worth having a look into the settings and details of all your plugins, too. Make a note of which, if any, store information from users, why they store it, whether storing it is necessary, how the information will be used, and whether the plugin sends any of it to a third party (analytics, social sharing, and form plugins often do).
Sign up forms and pop ups
The GDPR requires that, as site owners, we're able to show not only how we store and use information, but also how, when, and where we gained permission to do so.
This creates an issue with embedded sign-up forms and pop-up plugins, which most of us use on our sites, in sidebars, footers, and within posts.
Note: I use MailChimp, so this information relates to how plugins interact with MailChimp. I would imagine that most email marketing providers interact similarly, so if you don’t use MailChimp I’d advise you go and investigate your own provider.
Within MailChimp, for any user who signs up through a MailChimp form, information about which form they signed up through will display in their user details. People who sign up through a pop up or plugin will have their sign up source displayed as ‘API – Generic’. This poses a problem when we’re trying to track which page they signed up through.
I’m going to go into a lot more detail about MailChimp, plugins for MailChimp and pop ups, and how to re opt-in your list on MailChimp over the course of this week, so do come back on Wednesday and Friday if you need to know more about this.
The short answer to the problem, to get you started right now, is that instead of using a MailChimp embedded form in your pop ups, simply link to your form within MailChimp. This will also cover the issue that MailChimp embedded forms do not have the ability to display GDPR compliant checkboxes.
Backups
Repeat after me: "I create regular backups of my site". Now say it again.
Ok, let's be real. If you're not backing up your site, you should be! It's easy to do, and you can simply have your backup created automatically (once a fortnight IMO) and delete the old one when the next one is populated. Remember, though, that a backup of your site contains your readers' personal data too: comments, commenter email addresses, and anything your plugins or WooCommerce have stored. So treat the backup file with the same care as the live site. Keep it somewhere protected (an encrypted archive rather than a plain zip sitting in your inbox), don't hold onto more copies than you need, and delete old ones properly.
Do I need consent for everything?
As I said earlier, there are 6 lawful bases for collecting and processing data under the GDPR, so technically no. If you can argue and demonstrate legitimate interest, for example, then that's one way you can use data without consent.
In the case of the essential cookies required for your site to function, again, you don't technically need consent.
For the most part, though, for us as bloggers we will need consent for many of the things we do. In particular, storing subscribers' personal information in our email marketing databases, and using that information for various purposes, will require consent.
Not only will we require consent, we also can't bundle consent. What this means is, you can no longer say "click here to download your freebie and be added to our mailing list". You need to gain separate consent for each thing you plan to do, each one has to be a positive opt-in (no pre-ticked boxes, and no consent hidden in the terms and conditions), and you need to keep a record of what each person agreed to, when, and on which form. MailChimp offers this through its GDPR tick boxes. You might consider having a tick box to allow you to send the freebie, another to allow you to send marketing emails, another to send a newsletter, and any others you might need.
Even if you don't sell to your mailing list now, or send affiliate links, if you plan to in the future you need to add these boxes now. Otherwise, when you're ready to sell, you'll have no one on your list who has explicitly agreed to be sent those emails.
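To make the "granular, unbundled, with a record of how, when and where" requirement concrete, here is an added example of what a consent record needs to capture if you ever handle a sign-up yourself (a custom form or plugin) rather than letting MailChimp's hosted form do it. It is not code from this post, from MailChimp, or from WordPress; every name in it (PURPOSES, buildConsentRecord, canEmail, the constructed sample submission) is an assumption made for the example.

```javascript
// Added example, not from the original post or from MailChimp/WordPress.
// It turns a form submission into a consent record that keeps each purpose
// the subscriber ticked separately, plus how, when and where consent was
// given, so "can I email this person about X?" can be answered later.
// Names (PURPOSES, buildConsentRecord, canEmail, ...) are assumed here.

const PURPOSES = Object.freeze({
  freebie: "Send me the welcome gift",
  newsletter: "Send me regular blogging tips by email",
  marketing: "Email me about products, services and affiliate offers",
});

// One unticked checkbox per purpose. There is deliberately no "checked"
// attribute anywhere and no single box that covers everything: pre-ticked
// or bundled boxes are not valid consent.
function renderConsentCheckboxes() {
  return Object.entries(PURPOSES)
    .map(([key, label]) =>
      `<label><input type="checkbox" name="consent_${key}" value="yes"> ${label}</label>`)
    .join("\n");
}

// submission is what the form posted, shaped like:
// { email, fields: { consent_freebie: "yes", ... }, source: { page, formId } }
function buildConsentRecord(submission, now = new Date()) {
  const { email, fields = {}, source = {} } = submission;
  if (typeof email !== "string" || !email.includes("@")) {
    throw new Error("email address required");
  }
  // Provenance: where and on which form consent was gained must be kept.
  if (!source.page || !source.formId) {
    throw new Error("consent source (page and form) must be recorded");
  }
  // A catch-all "agree to everything" box is bundled consent; refuse it.
  if (fields.consent_all !== undefined) {
    throw new Error("bundled consent is not accepted; ask per purpose");
  }
  const granted = Object.keys(PURPOSES).filter(
    (key) => fields[`consent_${key}`] === "yes"
  );
  if (granted.length === 0) {
    // Nothing ticked means no consent: do not add this person to any list.
    throw new Error("no purpose consented to");
  }
  return {
    email,
    purposes: granted,
    // Keep the exact wording agreed to, in case the labels change later.
    consentText: Object.fromEntries(granted.map((key) => [key, PURPOSES[key]])),
    method: "explicit unticked checkbox",
    givenAt: now.toISOString(),
    source: { page: source.page, formId: source.formId },
  };
}

// The check to run before every send: only email for a purpose the
// record actually contains.
function canEmail(record, purpose) {
  return Array.isArray(record.purposes) && record.purposes.includes(purpose);
}

// Constructed sample submission (not real data): freebie and newsletter
// ticked, marketing left unticked.
const sampleRecord = buildConsentRecord(
  {
    email: "reader@example.com",
    fields: { consent_freebie: "yes", consent_newsletter: "yes" },
    source: { page: "https://example.com/gdpr-for-bloggers", formId: "sidebar-signup" },
  },
  new Date("2018-05-25T09:00:00Z")
);
```

The point of the record is the part most plugins throw away: the source page and form, the timestamp, and the wording that was ticked. Without those you are back at 'API – Generic' and a re-opt-in campaign. Note that the freebie can be sent but a sales email cannot, because marketing was never ticked.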
Do I need to register with the ICO?
In short, yes. If you're an organisation (or sole trader) which decides how the personal information you hold is processed, then you need to register, or, to use the new wording, pay the data protection fee.
There's some argument that if you're not a registered business then you don't need to register, but having reviewed the regulation I don't believe this to be true. If you're in any doubt, you can take a quick quiz on the ICO's site to see if you're exempt from paying the fee.
Registration currently costs £35 per year under the 1998 Act, so thankfully it won't break the bank. From 25 May 2018 the fee moves to a tiered structure; for a small blog with a turnover under £632,000 and no more than ten staff that's the lowest tier, £40 a year.
What do I need to do right now?
My suggestion is, if you haven't already, block some time out this week to complete a full audit of your site, plugins, and mailing list(s).
Make notes on anything you need to action, and set aside some time to get those things done.
In addition to those, I also strongly recommend adding some detail to any testimonial pages you may have, and to sales or WooCommerce pages.
Go ahead and disable the required name and email address fields in your blog comment boxes. Genuine users will likely still leave their name on their comments, so I wouldn’t worry about disabling the requirement. This setting is found in WordPress discussion settings, and turning off the requirement doesn’t remove the boxes, it simply removes the requirement to fill them in.
Check what sign up source information is displaying for your current subscribers. If sign up source is showing as ‘API – Generic’ then you need to think about changing how your sign up forms and pop ups are working on your site. The quickest fix is to remove the embedded form from these, and simply link to the MailChimp form.
Remember to come back on Wednesday and Friday for more information on making sure your sign up forms, embedded forms, pop ups, and MailChimp lists are GDPR compliant.
The big one that we're all panicking about: getting our existing subscribers to re-opt in. I would say that 99.9% of people reading this will need to re-opt in their lists. Anyone who signed up through a plugin and whose sign up source isn't documented further than 'API', anyone who hasn't given what's called 'granular' consent (ticking individual boxes to agree to being emailed in various ways), anyone who signed up as a result of a pre-checked box, or any of the other myriad ways lots of us have used to get people on our lists. All these people will need to re-opt in.
There are a couple of options within MailChimp which I’ll go into in detail this week, but essentially your options are to ask them to re consent to stay on your list, or to ask them to sign up to a new, compliant list.
Got any questions about GDPR for bloggers?
If you're confused about anything at all, or have any questions, I've scheduled this live Q&A and GDPR overview on Facebook that should help.
Pop over now and set your reminder so you don't miss it. If you have any specific questions, please feel free to comment them on the video so I can make sure I answer them for you. Alternatively, you can leave your questions on this post, or email them to me.
If you know anyone who will benefit from the video, feel free to tag them and share the scheduled live.
See you Wednesday!
If you would like to join my mailing list, you can do so by clicking here, or via the link in my sidebar. I send out regular emails with tips, tricks, and solutions to all your blog headaches. Full details of everything I send out via email are on the sign up page. Details of how I use and store your data will be emailed to you for your approval before you are added to the list. There is a welcome gift for new subscribers. As at April 2018 the welcome gift is a GDPR compliance checklist to help make sure you're ready for GDPR as a blogger.