
GDPR for Bloggers; What do you Need to Know?

Quick note: this is a meaty one! Don’t worry if you don’t have time right now, just stick a bookmark in it and come back later. Trust me, you won’t regret it! Please remember I’m not a lawyer, so make sure you seek legal advice should you need to.


Unless you’ve been under a rock somewhere for the last few months, you’ll probably have heard of the GDPR, and be wondering what GDPR means for bloggers. GDPR for bloggers is causing a bit of a stir in the general blogging community, and with good reason.


But, before I get started on what you need to do as a blogger to get ready for GDPR, I do want to stress that the GDPR is a good thing. It’s a positive step for data protection for everyone, including you. Not just as a blogger, but as a human being and a general consumer.



The positives of GDPR for bloggers

GDPR compliance as a blogger will ensure that anyone on your list, or using your site moving forwards, will be doing so because they really want to. Yes, people might think twice about signing up to your list, which will probably result in a slower sign up rate, but the reality is the people who do sign up will be your true fans.


Getting ready for GDPR is a brilliant chance to clean up your mailing list and improve your email open rate. Think about it; let’s say you have 1000 people on your mailing list, and your open rate is 12%. That’s 120 people out of 1000 opening your emails, reading them, and benefitting from your content. The other 880 people couldn’t give a you know what about you (soz!)


Your list might drop from 1000 subs to 120, but your open rate should dramatically spike!


Now is an epic time to start building your email list if you don’t already have one. The big email marketing companies (MailChimp, ConvertKit etc) have taken huge steps to get their services GDPR compliant, meaning if you start now you’ll be well placed to start and manage compliant lists.


You’ll increase your trust factor with GDPR too. Anyone who gets their GDPR processes in place by May 25th will inevitably look like a trustworthy source through the openness, clarity, and honesty that the GDPR requires.



What is the GDPR?

GDPR stands for General Data Protection Regulation. In short, it’s essentially an update to the current data protection laws that we have, and is a step in the right direction towards an answer to the data questions we’re facing as a modern society. It comes into effect on 25th May 2018.


Data and the protection of it is only going to become more and more important as the years go on. As technology improves and evolves, and the internet becomes even more sophisticated than it already is, data protection is becoming a huge deal.


I took a semester on Dystopian fiction at uni (bear with me, this is going somewhere) and I remember feeling like some of the older novels I was reading had somehow pre-emptively seriously hit the nail on the head.


We’re only a few years away from actual robot people serving us in shops, that’s how fast technology is moving. In more ‘real’ terms, what I’m getting at is that data protection online is a seriously big deal. The theft of personal data could literally result in you not having any money to feed your kids tomorrow.


I don’t know about you, but I don’t want it on my conscience that a reader of mine has had to go through that because I didn’t protect their data well enough. Like I said, the GDPR is a good thing. It’s sensible to be thinking about it a lot, and going to every necessary length to make sure you’re compliant. But panic, stress, and even the anger I’ve seen in some online spaces, are serving no one.


A lot of bloggers are stressing because they think they need consent for absolutely everything they do. While consent is one of the ways to be lawful in data collection and processing under GDPR, it’s not the only way. In fact, there are 6 ways.



The 6 lawful bases

Under GDPR, you can lawfully collect and process data if one of the following applies:


  1. You have clear consent to collect/process for a specific reason.
  2. The processing is necessary to fulfil a contract you have with someone (I’ll get onto VAs later this week).
  3. You have a legal obligation to share information.
  4. There is a vital interest, for example, to protect life.
  5. Public task (not relevant to bloggers).
  6. You can prove that there is a legitimate interest. You could argue, for example, that someone who bought your last e-book would likely be interested in hearing about your new one. Although I would argue that best practice would still be to gain clear consent to contact people.





Does GDPR affect me?

Short answer? If you’re a human, living on Earth, yes.


The longer answer is that yes, the GDPR affects you both as a consumer and a blogger, entrepreneur, or online business owner of any kind.


On the note of online business owners and entrepreneurs, let me just clear something up quickly (soap box alert). If you blog, and make any amount of money from your blog, or plan to make any amount of money from your blog, you are an entrepreneur, or business owner. If your blog is purely a hobby, you don’t ever plan to monetise it, don’t use affiliate links, and don’t have or want an email list, then the good news is you can close your browser now and get on with your day. You’re exempt.


If your blog is a hobby, then technically I believe you’re exempt even if you have a mailing list. But I would strongly suggest that if this is you, you still take some steps to make sure you’re compliant. Firstly because the GDPR is likely to be an evolving beast, and things may change over time. And secondly because, well, don’t be a dick. No one likes a dick.



What areas of my blog will be affected?

Here’s the thing, almost everyone I’ve spoken to over the last few weeks has been hyper aware of how the GDPR will affect their mailing lists. What hasn’t been spoken about much is how the GDPR affects actual websites.


GDPR for bloggers is a big deal, and there are a few things to consider. The areas of your blog and website that you need to start thinking about will be unique to everyone, as all our blogs are different and have different elements. I’ll cover some basics that most of us have, though, as well as things like WooCommerce and sales pages.




Cookies

Cookies are small files placed on a machine when a user accesses a website. There are some essential cookies which enable a site to function, and these are considered lawful under GDPR on the grounds of being necessary to provide a service (the website). Some, however, are non-essential. They allow, for example, Google Analytics to track users of the site, and lots of other things.


You need to have a cookie pop up or bar if you don’t already have one. For WordPress users, I recommend Cookie Notice by dfactory, as it’s the only one I’ve found that allows both an ‘agree’ button and a ‘don’t allow non-essential cookies’ button.


Alongside a pop up or bar, you also need to have a cookies policy. The policy should state what you use cookies for on your site, and give the user details for how they can disable the use of cookies in their own browser. It should also state that by continuing to use your site and having cookies enabled, they are consenting to their use. As with all your policies going forwards, the wording needs to be clear. What this means is that anyone reading it should be able to understand it, and it shouldn’t be ambiguous or full of terms only experts understand.
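To make the essential/non-essential split concrete, here is an added example in plain JavaScript of the two-button behaviour described above. It is not code from this post or from the Cookie Notice plugin. Essential cookies (session, login) are never gated; loaders for non-essential things such as analytics run only once a visitor has clicked ‘agree’, and a ‘don’t allow’ click is remembered so the bar stops appearing. The cookie name `cookie_consent`, the one-year lifetime and the `analytics` loader are assumptions of the example.

```javascript
// Added example, not the post's or the Cookie Notice plugin's code: a two-button consent gate.
// Essential cookies are never touched here; non-essential loaders run only on 'granted'.

const CONSENT_COOKIE = 'cookie_consent';     // assumed name of the preference cookie
const CONSENT_MAX_AGE = 60 * 60 * 24 * 365;  // remember the choice for one year (seconds)

// Parse a document.cookie-style string ("a=1; b=2") into a plain object.
function parseCookies(cookieHeader) {
  const jar = {};
  for (const part of String(cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    const raw = part.slice(eq + 1).trim();
    try {
      jar[name] = decodeURIComponent(raw);
    } catch (e) {
      jar[name] = raw;  // keep the raw value if it is not valid percent-encoding
    }
  }
  return jar;
}

// The recorded choice: 'granted', 'denied', or null when the visitor has not chosen yet.
function readConsent(cookieHeader) {
  const value = parseCookies(cookieHeader)[CONSENT_COOKIE];
  return value === 'granted' || value === 'denied' ? value : null;
}

// Cookie string to write when a button is clicked. SameSite=Lax keeps it first-party.
function consentCookieString(choice) {
  if (choice !== 'granted' && choice !== 'denied') {
    throw new Error('choice must be "granted" or "denied"');
  }
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax`;
}

// Run the non-essential loaders only when consent is recorded as granted.
// Returns what happened so the caller (and a test) can check it without a DOM.
function applyConsent(cookieHeader, nonEssentialLoaders) {
  const consent = readConsent(cookieHeader);
  const loaded = [];
  if (consent === 'granted') {
    for (const [name, load] of Object.entries(nonEssentialLoaders)) {
      load();
      loaded.push(name);
    }
  }
  return { consent, loaded, showBar: consent === null };
}

// Browser wiring (skipped when run outside a page, e.g. under Node).
if (typeof document !== 'undefined') {
  const loaders = {
    analytics: () => { /* assumed loader: inject the analytics <script> tag here */ },
  };
  const state = applyConsent(document.cookie, loaders);
  if (state.showBar) {
    const bar = document.createElement('div');
    const makeButton = (label, choice) => {
      const b = document.createElement('button');
      b.textContent = label;
      b.onclick = () => {
        document.cookie = consentCookieString(choice);
        applyConsent(document.cookie, loaders);  // loads analytics only if 'granted'
        bar.remove();
      };
      return b;
    };
    bar.append('This site uses cookies. ', makeButton('Agree', 'granted'),
               ' ', makeButton("Don't allow non-essential cookies", 'denied'));
    document.body.appendChild(bar);
  }
}
```

The point of keeping `applyConsent` free of any DOM access is that the decision (“what may run on this page?”) can be unit-tested against cookie strings, and the analytics tag is only ever injected from inside that decision, never from a plain `<script>` in the page template.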



Blog Comments

The majority of our blogs have comment boxes, which allow readers to leave comments on our posts. I don’t think I’ve ever seen a blog comment box that didn’t have at least ‘name’ and ‘email address’ as required fields to submit a comment.


The submission of a comment doesn’t require a name and email address in order for the comment to display or perform its function, so these fields really shouldn’t be required fields. You can easily turn this off in WordPress by heading to settings – discussion.


A few people have asked me if turning this off will see an increase in spam comments. In my opinion, I don’t think so. Leaving a name and email address doesn’t stop spam comments, it just creates a bit more work for them. While it might turn a few spammers off, it’s not likely. Also, your spam filter should still be picking these up.






Testimonials & plugins

If you display testimonials on your site from clients, PRs, brands, or anyone else, you need to show that you’re protecting their data when they submit a testimonial, too.


A simple message on your submission page explaining that the information is submitted of their own free will, and will be used for no other purpose than the display of the testimonial, should cover it.


It simply needs to be clear that you’re not going to use their details or email address for anything other than to simply display their comment, and that nothing will be shared without their permission. It also needs to be clear that they have the right to request removal of any or all of their details from your site and database at any time.


It’s worth having a look into the settings and details of all your plugins, too. Make a note of which, if any, store information from users, why they store it, if the storing is necessary, and how the information will be used.



Sign up forms and pop ups

The GDPR requires that, as site owners, we’re able to track not only how we store and use information, but also how, when, and where we gained permission.


This creates an issue with the use of embedded sign-up forms and pop-up plugins, something most of us use on our sites, in sidebars, footers, and within posts.


Note: I use MailChimp, so this information relates to how plugins interact with MailChimp. I would imagine that most email marketing providers interact similarly, so if you don’t use MailChimp I’d advise you go and investigate your own provider.


Within MailChimp, for any user who signs up through a MailChimp form, information about which form they signed up through will display in their user details. People who sign up through a pop up or plugin will have their sign up source displayed as ‘API – Generic’. This poses a problem when we’re trying to track which page they signed up through.


I’m going to go into a lot more detail about MailChimp, plugins for MailChimp and pop ups, and how to re opt-in your list on MailChimp over the course of this week, so do come back on Wednesday and Friday if you need to know more about this.


The short answer to the problem, to get you started right now, is that instead of using a MailChimp embedded form in your pop ups, simply link to your form within MailChimp. This will also cover the issue that MailChimp embedded forms do not have the ability to display GDPR compliant checkboxes.



Site backups

Repeat after me: “I create regular backups of my site”. Now say it again.


Ok, let’s be real. If you’re not backing up your site, you should be! It’s easy to do, and you can simply have your backup automatically emailed to you (once a fortnight IMO) and then delete it when the next one is created.


Site backups, obviously, will contain all, most, or some of the data from your site. A backup might include things like blog post comments, and sales records from WooCommerce. This is all personal data that is now being stored somewhere other than your site, so you need to make sure you explain this in your privacy policy.







Do I need consent for everything?

As I said earlier, there are 6 lawful ways to collect and process data under the GDPR, so technically no. If you can argue and prove legitimate interest, for example, then that’s one way you can use data without consent.


In the case of necessary cookies required for the function of your site, again, you don’t technically need consent.


For the most part, though, for us as bloggers we will need consent for many of the things we do. In particular, storing subscribers’ personal information in our email marketing databases, and using that information for various purposes, will require consent.


Not only will we require consent, we also can’t bundle consent. What this means is, you can no longer say “click here to download your freebie and be added to our mailing list”. You need to gain individual consent for each thing you plan to do. MailChimp offers this through GDPR tick boxes. You might consider having a tick box to allow you to send a freebie, another to allow you to send marketing emails, another to send a newsletter, and any others you might need.


Even if you don’t sell to your mailing list now, or send affiliate links, if you plan to in the future you need to add these boxes now. Otherwise, when you’re ready to sell, you’ll have no one on your list who has explicitly agreed to be sent those emails.
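As an added example (my own illustration, not code from this post or from MailChimp), here is what “granular, unbundled consent that you can trace back to a page and a form” looks like when you write it down as data. It serves both the sign-up forms section above (the ‘API – Generic’ problem: the record keeps the page URL and form id yourself, instead of relying on the provider to know) and the tick-box point here (one box per purpose, none pre-ticked, a record that only ever contains the boxes actually ticked). The purpose names, the sample submission and the field names of the record are constructed assumptions; double opt-in and the right to withdraw are modelled because the post mentions opt-in wording and removal requests.

```javascript
// Added example, not the post's or MailChimp's code: a granular consent record built at sign-up.
// One unticked checkbox per purpose, no bundling, and the page/form/time of consent kept
// with the subscriber so "how, when and where" can be answered later.

// Purposes the post lists as separate tick boxes (constructed list).
const PURPOSES = ['freebie', 'marketing', 'newsletter'];

// Check a form definition before it goes live: every consent box must start unticked and
// cover exactly one purpose. Returns a list of problems; an empty list means the form is fine.
function validateConsentFields(fields) {
  const problems = [];
  const seen = new Set();
  for (const f of fields) {
    for (const p of f.purposes) {
      if (!PURPOSES.includes(p)) problems.push(`unknown purpose "${p}" in "${f.label}"`);
      if (seen.has(p)) problems.push(`duplicate box for "${p}"`);
      seen.add(p);
    }
    if (f.purposes.length !== 1) problems.push(`bundled box: "${f.label}"`);
    if (f.defaultChecked) problems.push(`pre-ticked box: "${f.label}"`);
  }
  return problems;
}

// Turn one form submission plus its context into the record you keep alongside the email.
// submission.consents is { purpose: true|false } straight from the checkboxes.
function buildConsentRecord(submission, context) {
  const granted = PURPOSES.filter((p) => submission.consents[p] === true);
  if (granted.length === 0) {
    throw new Error('no purpose was ticked: nothing to add the subscriber for');
  }
  return {
    email: submission.email.trim().toLowerCase(),
    purposes: granted,                        // only boxes actually ticked, never inferred
    source: {
      page: context.pageUrl,                  // where: the page the form sat on
      form: context.formId,                   // which form, instead of 'API - Generic'
    },
    grantedAt: context.timestamp,             // when: ISO 8601, taken from the server clock
    consentText: context.consentTextVersion,  // how: which wording they agreed to
    doubleOptIn: false,                       // flips to true when the confirmation link is used
    withdrawals: [],
  };
}

// Mark the record confirmed once the double opt-in link has been clicked.
function confirmDoubleOptIn(record, confirmedAt) {
  return { ...record, doubleOptIn: true, confirmedAt };
}

// Withdrawal is kept as an event rather than deleting the record, so you can still show
// that consent once existed and when it ended. Returns a new record; the input is untouched.
function withdrawConsent(record, purpose, withdrawnAt) {
  return {
    ...record,
    purposes: record.purposes.filter((p) => p !== purpose),
    withdrawals: [...record.withdrawals, { purpose, withdrawnAt }],
  };
}

// The single question every send should ask first.
function mayContactFor(record, purpose) {
  return record.doubleOptIn && record.purposes.includes(purpose);
}

// Constructed sample input: a reader ticked two of the three boxes on a sidebar form.
const SAMPLE_SUBMISSION = {
  email: 'Reader@Example.com',
  consents: { freebie: true, marketing: false, newsletter: true },
};
const SAMPLE_CONTEXT = {
  pageUrl: 'https://example.com/gdpr-for-bloggers',
  formId: 'sidebar-optin',
  timestamp: '2018-05-01T09:30:00Z',
  consentTextVersion: 'optin-wording-v1',
};
```

Usage: call `validateConsentFields` on your form definition during development, `buildConsentRecord` when the form posts, `confirmDoubleOptIn` from the confirmation link, and `mayContactFor` before every send. The marketing box was left unticked in the sample, so `mayContactFor(record, 'marketing')` stays false even after confirmation; that is exactly the situation the post warns about for anyone who plans to sell later without having collected that consent now.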



Do I need to register with the ICO?

In short, yes. If you’re an organisation which decides how the personal information you store is processed, then you need to register.


There’s some argument that if you’re not a registered business then you don’t need to register, but having reviewed the regulation I don’t believe this to be true. If you’re in any doubt, you can take a quick quiz on the ICO’s site to see if you’re exempt from registering with them.


Registration costs £35 per year, so thankfully it won’t break the bank.



What do I need to do right now?

My suggestion is, if you haven’t already, then block some time out this week to complete a full audit of your site, plugins, and mailing list(s).


Make notes on anything you need to action, and set aside some time to get those things done.


Download and install the Cookie Notice by dfactory plugin, and get started on your policies. You’ll need a privacy policy and a cookies policy at the very least. I also recommend a terms of service policy or terms of use policy. I have a pack of policies and how-to guides going on sale this week (Wednesday) which will cover all the areas you’ll need as a blogger. The pack will include a customisable privacy policy, cookies policy, T&Cs template, guidelines and templates for opt-in form wording, double opt-in email wording, and guides for MailChimp to ensure you’re compliant. There will also be a checklist of tasks to complete before 25th May.


In addition to those, I also strongly recommend adding some detail to any testimonial pages you may have, and sales or WooCommerce pages.


Go ahead and disable the required name and email address fields in your blog comment boxes. Genuine users will likely still leave their name on their comments, so I wouldn’t worry about disabling the requirement. This setting is found in WordPress discussion settings, and turning off the requirement doesn’t remove the boxes, it simply removes the requirement to fill them in.


Check what sign up source information is displaying for your current subscribers. If sign up source is showing as ‘API – Generic’ then you need to think about changing how your sign up forms and pop ups are working on your site. The quickest fix is to remove the embedded form from these, and simply link to the MailChimp form.


Remember to come back on Wednesday and Friday for more information on making sure your sign up forms, embedded forms, pop ups, and MailChimp lists are GDPR compliant.


The big one that we’re all panicking about: getting our existing subscribers to re-opt in. I would say that 99.9% of people reading this will need to re-opt-in your lists. Anyone who’s signed up through a plugin and whose sign up source isn’t documented further than ‘API’, anyone who hasn’t given what’s called ‘granular’ consent (ticking individual boxes to agree to being emailed in various ways), anyone who has signed up as a result of a pre-checked box, or any of the other myriad ways lots of us have used to get people on our lists. All these people will need to re-opt in.


There are a couple of options within MailChimp which I’ll go into in detail this week, but essentially your options are to ask them to re-consent to stay on your list, or to ask them to sign up to a new, compliant list.



Got any questions about GDPR for bloggers?

If you’re confused about anything at all, or have any questions, I recorded this live Q&A and GDPR overview on Facebook that should help.


Pop over now and set your reminder so you don’t miss it. If you have any specific questions, please feel free to comment them on the video so I can make sure I answer them for you. Alternatively, you can leave your questions on this post, or email them to me.


If you know anyone who will benefit from the video, feel free to tag them and share the scheduled live.

See you Wednesday!



If you would like to join my mailing list, you can do so by clicking here, or the link in my sidebar. I send out regular emails with tips, tricks, and solutions to all your blog headaches. Full details of everything I send out via email are detailed on the sign up page. Details of how I use and store your data will be emailed to you for your approval before you are signed up to the list. There is a welcome gift for new subscribers. As at April 2018 the welcome gift is a GDPR compliance checklist to help make sure you’re ready for GDPR as a blogger.



10 thoughts on “GDPR for Bloggers; What do you Need to Know?”

  1. Gosh this is so useful! I have several questions including:

    Is it enough to say that people might get “marketing” emails from me? Or do I need to be specific and say e.g. affiliate links? If more specific is needed, what other sorts of things would I need to say?

    I hold email addresses of a number of bloggers following a shout out for opportunities to guest post on a UK blogger crowdsourcing Facebook page. I put them all into Airtable so I could track what posts I have completed and who I need to contact for each one. Does THAT count as holding someone’s data? I was planning on continuing that table to track who and where I have guest posted for… (does that even make sense?!)

    Thank you so much for this and for the live (and for the welcome gift) – you have no idea how helpful it has been!

    1. I’m so glad it’s helped! Yes you can say marketing as long as you then expand upon what this is in your double opt in email or privacy policy. Airtable is absolutely something you need to document in your privacy policy, as it’s online and therefore is digital data storage xx

  2. Lots of great information here. Unfortunately, I’ve just fallen foul of the tick box thing on your comments section because I forgot to tick it and now my comment has been lost and needs to be written again (I don’t know if this is something that can be fixed?)

    I think my privacy policy is almost ready to go, I just need to add a section about cookies, which I’m planning to do tonight. I had no idea about the ICO thing though – I need to do some research into that because I’ve never even heard of it before! This is the thing that worries me – I always try to make sure I’m following the rules and doing the right thing, but there’s so much that you might be doing something wrong without even knowing it! Eeek. But I’ll definitely be bookmarking this page for future reference.

    And someone else obviously appreciated having all of this info in one place too because they added it to the BlogCrush linky! Feel free to collect your “I’ve been featured” blog badge 🙂 #blogcrush

    1. Oh that’s so lovely to hear, I’m just glad it’s a helpful post! I think it’s easy to be scared by the new guidelines, but as long as we’re all seen to be making an effort to be compliant I’m sure we’ll be just fine x

  3. Hello! You mention having a cookie policy as well as pop up. Where would you put the cookie policy? Should I create a separate page with this type of info?

    Also re turning off the comment name/email – if people turn this off how will it impact on backlinks? I use comments on other blogs post I have enjoyed to make blogger friends but also to gain backlinks. Will we still be able to do this?

    Thanks for the advice – these are only my first thoughts on a quick read of this so I’m sure I’ll be back with more questions!

    1. Hey Victoria – yes you’ll need a cookie policy. The plugin can create a standard one for you but you’ll need to customise it. I do have a GDPR pack that has all the templates for all the various policies you need (in the shop) and if you use code GDPR30 you’ll get the whole package for £30 (valid until 9/5/18). If you do a quick google search, or check out other bloggers’ policies on their sites, you’ll get a good idea of what you need to include.

      With backlinks, turning off the name and email requirement on comments doesn’t remove the boxes, it just removes the requirement. So you and visitors to your site can still leave your names and URLs if you want to.

      I’ll be live on Facebook on Wednesday on my VA page and answer your questions then too.

  4. Great summary post. I’ve looked at all of mine already, but I’m still using embedded forms through mailchimp (and sumome pop up because the mailchimp one is huge and covers the whole screen).. I’ve always had double opt in, and only ever send my newsletter so I’ve just made sure my forms state what they’re signing up to, and pointing to my privacy policy for more information. One of my embed forms is part of the space on my front page, so I’m not sure whether I can change that.

    What I don’t understand is why getting rid of the API sign up method needs to be done? Surely, if everything else is clear, then I’m covered?

    The alternative is to have a button that clicks through to the sign up page? That works for my embedded form replacement under posts, but not in my front page space – it wouldn’t fit the space I have

    1. The API thing is because we’re supposed to be able to track exactly which page/form a user signed up through. In all honesty, the ICO aren’t likely to penalise us for things like this IMO, but I’m not legally trained so don’t take my word on it. The ICO’s record for actually handing out huge fines is minimal at best, and in my opinion they’ll be targeting those who’ve made no effort to be compliant rather than those of us who’ve taken all the steps we possibly can x
