For the last few weeks, I’ve been trying to wrap my head around the new GDPR (General Data Protection Regulation), which goes into effect on May 25, 2018. I’m starting to get clear on how it affects me and other authors. This is my first blog post about GDPR, but I expect it won’t be my last.
First, the standard disclaimer: I am not a lawyer and this blog post is not legal advice. This blog post is an attempt to explain in simple language what I’ve been learning. This post may not be completely accurate, but it’s my best shot.
What is GDPR and Why Should You Care?
The GDPR is a regulation created by the European Union to protect the personal data of European citizens. It applies to anyone who is offering goods and services (free or paid) to people in the European Union. That means if you have a website or blog that could ever be visited by someone from the EU, the GDPR applies to you.
You may be thinking that you don’t collect any personal data, so how could the GDPR apply to you? If you really don’t collect any private data at all, then you still need a privacy statement that says so. And that privacy statement needs to be clearly posted on your website or blog.
But don’t be so sure you’re not collecting any private data at all. Websites are complicated beasts with a lot of moving parts under the hood. Here are some ways you may be collecting private data on your website or blog that you may not have thought of:
- Do you have a contact form that lets people email you?
- Do you have an email newsletter list?
- Do you allow people to post comments on your blog or your website?
- Are you an affiliate of Amazon or Apple iBooks or any other online store?
- Do you have Facebook Like buttons? Or Twitter Tweet buttons? Or any other social media buttons?
- Do you track visitors to your site with Google Analytics or some other tracking tool?
- Do you have any sort of cookies on your site?
- Do you have a Facebook “pixel” on your site?
- Do you use Feedburner for your blog?
- Do you use a spam protection service, such as Akismet?
And there are hundreds of other ways your blog or website might conceivably be collecting personal information.
Now, it’s not wrong to collect and use personal information. That’s what allows you to serve people. But when you collect people’s personal information, such as names or email addresses, the GDPR says that you need to provide people with basic information: who you are, what data you’re collecting and why, how long you hold on to that data, who you share that data with, how people can find out what data you’ve collected about them, how people can tell you to delete their data, and who they can contact in case they have questions.
You may be thinking this is getting complicated. Yes, it is a bit, but remember, this is for a good cause. This will benefit you. You will now be able to find out who has your personal data and what data they have. You will now be able to make them delete your personal data if you ask. Here’s why you will get this benefit: the GDPR gives European citizens the right to control their personal data. Therefore, virtually all websites and blogs will provide that right to Europeans, and at the same time they’ll provide the same right to everyone else in the world, including you. (There may be a few sites that will find the GDPR too onerous and will refuse to serve European citizens. But the vast majority of sites are going to follow the GDPR.)
If you have a blog or a website, there are several things you need to do to get ready for GDPR. And the deadline is May 25, so now is a good time to begin.
So what do you need to do in order to make sure your website or blog is GDPR-compliant? What actions do you need to take?
That depends on what your site does. Most authors have simple “brochure websites” that will probably not take too much tweaking to get compliant.
In this blog post, I’ll talk only about the first step in the process. I don’t think you can do anything else until you take this first step.
First Things First: A Privacy Policy
From what I can see, the very first step is to get a good solid Privacy Policy.
In the old days, people put a one-line statement on their e-mail signup form that said something along the lines of “I respect your privacy and would never spam you.”
That’s not good enough anymore. You need a Privacy Policy that meets the requirements of the GDPR, using the correct language. I strongly, strongly, strongly recommend getting one written by lawyers who actually know all the regulations and can keep things up to date as the laws change. Because it’s a good bet that the laws are going to continue to change over the next few years.
Here’s a link to my Privacy Policy: https://www.iubenda.com/privacy-policy/901398
As you can see, it’s got some legalese built into it. I didn’t write that policy. I got it from a company named Iubenda that specializes in writing Privacy Policies for websites. They have a free Basic version. The Pro version costs $27 per year. I don’t remember the difference between the Basic and Pro versions, but I paid for the Pro version. Iubenda generates the policy for you and keeps it constantly up to date. If you need to make changes at any time, you can just click a few buttons and update your policy at no extra charge.
Here’s my affiliate link to their site: http://iubenda.refr.cc/2N349LZ
Full disclosure: The link just above is an affiliate link. That means if you click on it and buy a Privacy Policy from Iubenda, I’ll get paid an affiliate fee for referring you. And you will get a 10% discount for the first year of service.
If you don’t want the discount for yourself or the affiliate fee to go to me, I’m OK with that. You can just use this non-affiliate link: http://iubenda.com. You’ll pay full price and I’ll get nothing. I would recommend Iubenda even if they had no affiliate program, because I think they do a good job at a fair price. I’ve been using their service for quite some time and I am happy with it.
Here’s what I like about Iubenda. When you create a Privacy Policy for your site, they show you a large list of things that a website typically does (running an email newsletter, having a contact page, taking blog comments, allowing social media buttons, and many, many more). You select the ones your site actually does. Then Iubenda creates a custom Privacy Policy that tells what your site does. It’s written in GDPR-compliant language. Yay!
At the end of the process, Iubenda gives you a link to your policy. They host the policy on their site, so if they ever change the language to meet new regulations, it’s always up to date. You can put that link on your own site, and you’re good.
Posting Your Privacy Policy
You need to put a link to your Privacy Policy on every page of your website. The standard place for Privacy Policy links on a website is at the very bottom, in the footer of the page. You can see an example on the page you’re reading right now, if you scroll down to the very bottom. You’ll see a button labeled Privacy Policy that brings up a screen on this page.
How do you put your Privacy Policy button on your own site? Iubenda gives you a piece of code to do that, along with instructions. Depending on how techie you are, you may find their explanation easy or hard to understand, but any webmaster will be able to follow their directions.
If you’re using WordPress, there is a plugin named Head, Footer, and Post Injections that lets you put a link in the header or footer of every page of your site. If you don’t know how to do this yourself, then you probably have a webmaster who does. Do it promptly and then check to make sure it’s right.
If you’re not using WordPress, then whatever technology you’re using should have some way for you to put a link to your Privacy Policy in the footer of every page.
You Need a Cookie Policy Too
Along with the Privacy Policy, Iubenda will generate a Cookie Policy for you, which you also need. You should post this as a link in your footer in the same way you did the Privacy Policy. The Cookie Policy doesn’t cost anything extra and it gets created at the same time as the Privacy Policy, so the only extra work is to add the Cookie Policy link.
You can see my Cookie Policy button at the very bottom of any page of my site here.
And Finally You Need a Cookie Solution
Finally, you probably need to inform visitors to your site that you’re using cookies and get their consent before they do anything else on your site. Iubenda will provide you with code to do that, which you can put in the header of every page of your site. Iubenda calls their code the “Cookie Solution.” It’s a piece of JavaScript that does all the magic.
When somebody visits your site, the Cookie Solution will create a banner across the top of the page saying that your site uses cookies. The banner will ask for the visitor’s consent, and give the visitor information on how to refuse consent.
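As an added illustration (not Iubenda's code and not part of the original post), here is a small consent gate of the kind a Cookie Solution implements: third-party scripts such as analytics or social buttons load only after the visitor accepts, a refusal is remembered so the banner is not shown again, and consent given under an older version of the Cookie Policy is asked for afresh. The cookie name, the policy version and the script URLs are assumptions chosen for this example.

```javascript
// Added example, not Iubenda's Cookie Solution: a minimal consent gate where
// non-essential scripts (analytics, social buttons, pixels) load only after consent.
const CONSENT_COOKIE = "cookie_consent"; // assumed cookie name for this example
const POLICY_VERSION = "2018-05";        // bump this when your Cookie Policy changes
// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("="); if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}
// "granted", "denied" or "unknown". A decision recorded under an older policy
// version counts as unknown, so the banner reappears after the policy changes.
function consentState(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return "unknown";
  const [decision, version] = raw.split(":");
  if (version !== POLICY_VERSION) return "unknown";
  return decision === "granted" || decision === "denied" ? decision : "unknown";
}
// Value for document.cookie: first-party, one year, sent over HTTPS only (assumed).
function consentCookieValue(decision) {
  return CONSENT_COOKIE + "=" + encodeURIComponent(decision + ":" + POLICY_VERSION) +
    "; Max-Age=31536000; Path=/; SameSite=Lax; Secure";
}
// Essential scripts always load; everything else waits for "granted" (default deny).
function scriptsToLoad(queue, state) {
  return queue.filter(s => s.essential || state === "granted").map(s => s.src);
}
// Browser glue, skipped where there is no DOM (e.g. under Node). URLs are placeholders.
if (typeof document !== "undefined") {
  const queue = [{ src: "/js/site.js", essential: true },
                 { src: "https://analytics.example/track.js", essential: false }];
  const inject = s => scriptsToLoad(queue, s).forEach(src =>
    document.head.appendChild(Object.assign(document.createElement("script"), { src })));
  const state = consentState(document.cookie);
  if (state !== "unknown") inject(state);
  else {
    const banner = document.body.insertBefore(document.createElement("div"), document.body.firstChild);
    banner.innerHTML = 'This site uses cookies (<a href="/cookie-policy">Cookie Policy</a>). ' +
      '<button data-d="granted">Accept</button> <button data-d="denied">Refuse</button>';
    banner.querySelectorAll("button").forEach(b => b.onclick = () => {
      document.cookie = consentCookieValue(b.dataset.d); banner.remove(); inject(b.dataset.d);
    });
  }
}
```

The point to check on your own site is the default: with no consent cookie at all, only the essential script appears in the page, and nothing from a third party is requested until the visitor clicks Accept.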
There’s More to GDPR
So far as I can tell, there are at least two more steps that most authors will need to take to get GDPR-compliant. (The two steps are to tweak your Contact page and your email newsletter signup form.) Both steps require that you have a Privacy Policy already written and that you have a link to that Privacy Policy. So get that Privacy Policy done first. Do it today. Do it now.
I haven’t yet done these next two steps, but I think I know what to do. I’ll be working on those shortly, and as soon as I’ve got them done, I’ll try to blog about it here (if I have the energy). That way, you can benefit from what I learn. And I hope that if I make any mistakes along the way, one of my Loyal Blog Readers will tell me where I’m wrong, and again we’ll all benefit.
If you’re thinking this is all a massive pain in the butt, well, I can’t disagree. I wish it were all super easy. But the reality is that this is going to take most people a few hours to get it done. And the clock is ticking.
Stan Williams says
Randy, This is very interesting, but this also seems like a lot of work to satisfy a law that does not apply to me here in the U.S. Why bother? I’m really not a fan of government telling me what to do, least of all a government outside my own. I can’t imagine the U.S. Government bowing to Europe and saying, “oh, yes we will do as you command.” Okay, I can see Obama doing that, but not Trump. : )
Randy Ingermanson says
Hi Stan: I’m not a lawyer, but it looks to me like this does apply to you in the US, if you have a website providing services to EU citizens.
susan hubbard says
But who would prosecute you? The European Union is seriously going to fine me because 100 of my email subscribers are in the EU? How would they come after me? Obviously, big multinational corporations have to comply, But how can the EU prosecute a US citizen?
Shannon Doyle says
This comment seems like a lot of trouble just to make a dumb political point.
Seems like maybe you could just put up a message that says you don’t really care about the data of users whether they are in the EU or not. I’m sure they will be able to find another site that does care about them. Good luck
Carenza Hayhoe says
Thank you for the way you anticipate the needs of your followers, and for your wise advice. I was both worried and clueless. You are the first person I have come across who has taken the trouble to try and put all the jargon into understandable language (I was going to say “layman’s language” but that is no longer PC – life gets more and more complicated every day!). For family reasons I haven’t been able to escape domesticity for the last few years, my web, blog and three novels which were work in progress have suffered accordingly. I have just started all over again in time to catch up with the new legislation. Your advice has recharged my batteries!
Cara Putman says
I’ve started, and it looks like I’m on the right track. Thanks, Randy! I feel much better knowing I’m headed in the right direction.
Jenny Cary says
Hey Randy,
Thanks for this post. All new info to me.
Question: What about old abandoned blogs? I had one several years ago. I cannot remember how to even get into it, but I still occasionally get spam in connection with it. Is there a way to just remove it from the blogosphere or do I have to figure out how to get back into it and update it to make it GDPR compliant?
Nicolas Nelson says
Just shut down Comments on your old blog. Make it read-only. Then you’re good, I think… or at least you have made an attempt to comply with GDPR, which is the first step to responding to a complaint, if one is ever made.
Julie Carobini says
Thanks, Randy. I’ve been working on this since last week and my blog is almost there. Just realized that my author website could use some updating, though. Thanks for taking the time to post.
Richard Brockelsby says
It is telling that you said at least twice in your post that I would find the links to the privacy/Cookie policies at the bottom of the page. They don’t show up on the pages I’m reading.
Richard Brockelsby says
OK – NOW they show up.
Randy Ingermanson says
Hi Richard: I suspect that you were seeing a caching issue.
Debbie Lynne Costello says
Wow! Thanks Randy….I think! LOL. I had considered ignoring all this but after reading your blog I believe I need to comply. Technology makes life complicated. I do appreciate you taking your time to let all of us know about this.
Jeanne Takenaka says
Randy, thanks for sharing this, and for sharing the link to Iubenda. I had no idea how to get started on this task of becoming compliant. I appreciate your help!
Charles Huff says
It would seem to me that all privacy concerns for me should be covered by the policy statements of wordpress, facebook and twitter. I don’t have ads on my blogsite. I haven’t to my knowledge collected addresses or any personal data. All I see in any form of analytics is the number of visits and reads. Akismet does protect my blogsite against spam, but I fail to see how that should put me at risk. I refuse to open the teaser programs on facebook that open my contact list to their viewing so as to limit third party trollers. Reading Privacy Policies causes my eyes to roll back in my head. How am I protecting myself by putting something on my site that I have little idea whether or not I am doing it?
Isabela Powers says
Hey Randy! I was doing research on this topic and a few articles in, my head was spinning. Then I came across this gem of a blog and finally understand what’s happening. Thank you for the time you’ve spent creating these blog posts and helpful advice.