For the last few weeks, I’ve been trying to wrap my head around the new GDPR (General Data Protection Regulation), which goes into effect on May 25, 2018. I’m starting to get clear on how it affects me and other authors. This is my first blog post about GDPR, but I expect it won’t be my last.
First, the standard disclaimer: I am not a lawyer and this blog post is not legal advice. This blog post is an attempt to explain in simple language what I’ve been learning. This post may not be completely accurate, but it’s my best shot.
What is GDPR and Why Should You Care?
The GDPR is a regulation created by the European Union to protect the personal data of European citizens. It applies to anyone who is offering goods and services (free or paid) to people in the European Union. That means if you have a website or blog that could ever be visited by someone from the EU, the GDPR applies to you.
You may be thinking that you don’t collect any personal data, so how could the GDPR apply to you? If you really don’t collect any private data at all, then you still need a privacy statement that says so. And that privacy statement needs to be clearly posted on your website or blog.
But don’t be so sure you’re not collecting any private data at all. Websites are complicated beasts with a lot of moving parts under the hood. Here are some ways you may be collecting private data on your website or blog that you may not have thought of:
- Do you have a contact form that lets people email you?
- Do you have an email newsletter list?
- Do you allow people to post comments on your blog or your website?
- Are you an affiliate of Amazon or Apple iBooks or any other online store?
- Do you have Facebook Like buttons? Or Twitter Tweet buttons? Or any other social media buttons?
- Do you track visitors to your site with Google Analytics or some other tracking tool?
- Do you have any sort of cookies on your site?
- Do you have a Facebook “pixel” on your site?
- Do you use Feedburner for your blog?
- Do you use a spam protection service, such as Akismet?
And there are hundreds of other ways your blog or website might conceivably be collecting personal information.
Now, it’s not wrong to collect and use personal information. That’s what allows you to serve people. But when you collect people’s personal information, such as names or email addresses, the GDPR says that you need to provide people with basic information: Who you are, what data you’re collecting and why, how long you hold on to that data, who you share that data with, how people can find out what data you’ve collected about them, how people can tell you to delete their data, and who they can contact in case they have questions.
You may be thinking this is getting complicated. Yes, it is a bit, but remember, this is for a good cause. This will benefit you. You will now be able to find out who has your personal data and what data they have. You will now be able to make them delete your personal data if you ask. Here’s why you will get this benefit: The GDPR gives European citizens the right to control their personal data. Therefore, virtually all websites and blogs will provide that right to Europeans—and at the same time, they’ll provide the same right to everyone else in the world, including you. (There may be a few sites that will find the GDPR too onerous and will refuse to serve European citizens. But the vast majority of sites are going to follow the GDPR.)
If you have a blog or a website, there are several things you need to do to get ready for GDPR. And the deadline is May 25, so now is a good time to begin.
So what do you need to do in order to make sure your website or blog is GDPR-compliant? What actions do you need to take?
That depends on what your site does. Most authors have simple “brochure websites” that will probably not take too much tweaking to get compliant.
In this blog post, I’ll talk only about the first step in the process. I don’t think you can do anything else until you take this first step.
First Things First—A Privacy Policy
From what I can see, the very first step is to get a good solid Privacy Policy.
In the old days, people put a one-line statement on their e-mail signup form that said something along the lines of “I respect your privacy and would never spam you.”
That’s not good enough anymore. You need a Privacy Policy that meets the requirements of the GDPR, using the correct language. I strongly, strongly, strongly recommend getting one written by lawyers who actually know all the regulations and can keep things up to date as the laws change. Because it’s a good bet that the laws are going to continue to change over the next few years.
Here’s a link to my Privacy Policy: https://www.iubenda.com/privacy-policy/901398
As you can see, it’s got some legalese built into it. I didn’t write that policy. I got it from a company named Iubenda that specializes in writing Privacy Policies for websites. They have a free Basic version. The Pro version costs $27 per year. I don’t remember the difference between the Basic and Pro versions, but I paid for the Pro version. Iubenda generates the policy for you and keeps it constantly up to date. If you need to make changes at any time, you can just click a few buttons and update your policy at no extra charge.
Here’s my affiliate link to their site: http://iubenda.refr.cc/2N349LZ
Full disclosure: The link just above is an affiliate link. That means if you click on it and buy a Privacy Policy from Iubenda, I’ll get paid an affiliate fee for referring you. And you will get a 10% discount for the first year of service.
If you don’t want the discount for yourself or the affiliate fee to go to me, I’m OK with that. You can just use this non-affiliate link instead: http://iubenda.com (you’ll pay full price and I’ll get nothing). I would recommend Iubenda even if they had no affiliate program, because I think they do a good job at a fair price. I’ve been using their service for quite some time and I am happy with it.
Here’s what I like about Iubenda. When you create a Privacy Policy for your site, they show you a large list of many possible things that a website typically does. (Running an email newsletter, having a contact page, taking blog comments, allowing social media buttons, and many, many more.) You select the ones your site actually does. Then Iubenda creates a custom Privacy Policy that tells what your site does. It’s written in GDPR-compliant language. Yay!
At the end of the process, Iubenda gives you a link to your policy. They host the policy on their site, so if they ever change the language to meet new regulations, it’s always up to date. You can put that link on your own site, and you’re good.
Posting Your Privacy Policy
You need to put a link to your Privacy Policy on every page of your website. The standard place where Privacy Policy links go on a website is at the very bottom, in the footer of the page. You can see an example on this page you’re reading right now, if you scroll down to the very bottom. You’ll see a button labeled Privacy Policy that brings up a screen on this page.
How do you put your Privacy Policy button on your own site? Iubenda gives you a piece of code to do that, along with instructions. Depending on how techie you are, you may find their explanation easy or hard to understand, but any webmaster will be able to follow their directions.
If you’re using WordPress, there is a plugin named Head, Footer, and Post Injections that lets you put a link in the header or footer of every page of your site. If you don’t know how to do this yourself, then you probably have a webmaster who does. Do it promptly and then check to make sure it’s right.
If you’re not using WordPress, then whatever technology you’re using should have some way for you to put a link to your Privacy Policy on the footer of every page.
You Need a Cookie Policy Too
Along with the Privacy Policy, Iubenda will generate for you a Cookie Policy, which you also need. You should post this in a link in your footer in the same way you did the Privacy Policy. The Cookie Policy doesn’t cost anything extra and it gets created at the same time as the Privacy Policy, so the only extra work is to add the Cookie Policy link.
You can see my Cookie Policy button at the very bottom of any page of my site here.
And Finally You Need a Cookie Solution
Finally, you probably need to inform visitors to your site that you’re using cookies and get their consent before they do anything else on your site. Iubenda will provide you with code to do that, which you can put in the header of every page of your site. Iubenda calls their code the “Cookie Solution.” It’s a piece of JavaScript that does all the magic.
When somebody visits your site, the Cookie Solution will create a banner across the top of the page saying that your site uses cookies. The banner will ask for the visitor’s consent, and give the visitor information on how to refuse consent.
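The consent flow described above, as an added example that is not Iubenda’s code or the author’s: a minimal consent gate that leaves non-essential scripts inert until the visitor accepts, remembers a refusal, and stores the decision in a first-party cookie. The cookie name, the category names and the /cookie-policy path are assumptions for this example.

```javascript
// Added example (not Iubenda's code): a minimal cookie-consent gate for a static site. Non-essential
// scripts are marked <script type="text/plain" data-consent="analytics">, which the browser never runs;
// they are activated only after the visitor accepts that category.
const CONSENT_COOKIE = "site_consent"; // assumed cookie name
const CATEGORIES = ["analytics", "marketing"]; // assumed categories
// Parse a document.cookie-style string ("a=1; b=2") into { a: "1", b: "2" }.
function parseCookies(cookieHeader) {
  const pairs = (cookieHeader || "").split(";").map((p) => p.split(/=(.*)/, 2));
  return Object.fromEntries(pairs.filter((kv) => kv[0].trim()).map(([k, v = ""]) => [k.trim(), v.trim()]));
}
// Stored decision as { accepted: [...] }, or null if undecided. Unknown categories are dropped,
// so a tampered cookie cannot switch on anything the page does not define.
function readConsent(cookieHeader) {
  const raw = parseCookies(cookieHeader)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const stored = JSON.parse(decodeURIComponent(raw));
    return Array.isArray(stored.accepted) ? { accepted: stored.accepted.filter((c) => CATEGORIES.includes(c)) } : null;
  } catch (e) { return null; } // malformed cookie: ask again rather than guess
}
// Record a decision (a refusal is accepted = []) as a first-party, HTTPS-only, same-site cookie.
function consentCookieString(accepted, maxAgeSeconds = 180 * 24 * 3600) {
  const value = encodeURIComponent(JSON.stringify({ accepted, ts: Date.now() }));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}
// Of the gated scripts [{ category, ... }], keep only those the visitor consented to.
function allowedScripts(scripts, consent) {
  return consent ? scripts.filter((s) => consent.accepted.includes(s.category)) : [];
}
// Browser wiring (skipped outside a browser): activate allowed scripts, or show the banner.
if (typeof document !== "undefined") {
  const gated = [...document.querySelectorAll('script[type="text/plain"][data-consent]')]
    .map((el) => ({ category: el.dataset.consent, el }));
  const activate = (c) => allowedScripts(gated, c).forEach(({ el }) => {
    const live = document.createElement("script");
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
  });
  const decision = readConsent(document.cookie);
  if (decision) activate(decision); else {
    const banner = document.createElement("div");
    banner.innerHTML = '<p>This site uses cookies. <a href="/cookie-policy">Cookie Policy</a></p>'
      + '<button id="consent-accept">Accept</button> <button id="consent-refuse">Refuse</button>';
    const decide = (accepted) => { document.cookie = consentCookieString(accepted); activate({ accepted }); banner.remove(); };
    banner.querySelector("#consent-accept").onclick = () => decide(CATEGORIES);
    banner.querySelector("#consent-refuse").onclick = () => decide([]); // refusal is remembered; nothing runs
    document.body.prepend(banner);
  }
}
```

Until the visitor accepts, no analytics or marketing script executes and no tracking cookie is set; a refusal is stored the same way so the banner does not nag on every page.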
There’s more to GDPR
So far as I can tell, there are at least two more steps that most authors will need to take to get GDPR-compliant. (The two steps are to tweak your Contact page and your email newsletter signup form.) Both steps require that you have a Privacy Policy already written and that you have a link to that Privacy Policy. So get that Privacy Policy done first. Do it today. Do it now.
I haven’t yet done these next two steps, but I think I know what to do. I’ll be working on those shortly, and as soon as I’ve got them done, I’ll try to blog about it here (if I have the energy). That way, you can benefit from what I learn. And I hope that if I make any mistakes along the way, one of my Loyal Blog Readers will tell me where I’m wrong, and again we’ll all benefit.
If you’re thinking this is all a massive pain in the butt, well, I can’t disagree. I wish it were all super easy. But the reality is that this is going to take most people a few hours to get it done. And the clock is ticking.
Stan Williams says
Randy, This is very interesting, but this also seems like a lot of work to satisfy a law that does not apply to me here in the U.S. Why bother? I’m really not a fan of government telling me what to do, least of all a government outside my own. I can’t imagine the U.S. Government bowing to Europe and saying, “oh, yes we will do as you command.” Okay, I can see Obama doing that, but not Trump. : )
Randy Ingermanson says
Hi Stan: I’m not a lawyer, but it looks to me like this does apply to you in the US, if you have a website providing services to EU citizens.
susan hubbard says
But who would prosecute you? The European Union is seriously going to fine me because 100 of my email subscribers are in the EU? How would they come after me? Obviously, big multinational corporations have to comply. But how can the EU prosecute a US citizen?
Shannon Doyle says
This comment seems like a lot of trouble just to make a dumb political point.
Seems like maybe you could just put up a message that says you don’t really care about the data of users whether they are in the EU or not. I’m sure they will be able to find another site that does care about them. Good luck
Carenza Hayhoe says
Thank you for the way you anticipate the needs of your followers, and for your wise advice. I was both worried and clueless. You are the first person I have come across who has taken the trouble to try and put all the jargon into understandable language (I was going to say ‘layman’s language’ but that is no longer PC – life gets more and more complicated every day!). For family reasons I haven’t been able to escape domesticity for the last few years; my web, blog and three novels which were work in progress have suffered accordingly. I have just started all over again in time to catch up with the new legislation. Your advice has recharged my batteries!
Cara Putman says
I’ve started, and it looks like I’m on the right track. Thanks, Randy! I feel much better knowing I’m headed in the right direction.
Jenny Cary says
Hey Randy,
Thanks for this post. All new info to me.
Question: What about old abandoned blogs? I had one several years ago. I cannot remember how to even get into it, but I still occasionally get spam in connection with it. Is there a way to just remove it from the blogosphere or do I have to figure out how to get back into it and update it to make it GDPR compliant?
Nicolas Nelson says
Just shut down Comments on your old blog. Make it read-only. Then you’re good, I think… or at least you have made an attempt to comply with GDPR, which is the first step to responding to a complaint, if one is ever made.
Julie Carobini says
Thanks, Randy. I’ve been working on this since last week and my blog is almost there. Just realized that my author website could use some updating, though. Thanks for taking the time to post.
Richard Brockelsby says
It is telling that you said at least twice in your post that I would find the links to the privacy/Cookie policies at the bottom of the page. They don’t show up on the pages I’m reading.
Richard Brockelsby says
OK – NOW they show up.
Randy Ingermanson says
Hi Richard: I suspect that you were seeing a caching issue.
Debbie Lynne Costello says
Wow! Thanks Randy….I think! LOL. I had considered ignoring all this but after reading your blog I believe I need to comply. Technology makes life complicated. I do appreciate you taking your time to let all of us know about this.
Jeanne Takenaka says
Randy, thanks for sharing this, and for sharing the link to Iubenda. I had no idea how to get started on this task of becoming compliant. I appreciate your help!
Charles Huff says
It would seem to me that all privacy concerns for me should be covered by the policy statements of wordpress, facebook and twitter. I don’t have ads on my blogsite. I haven’t to my knowledge collected addresses or any personal data. All I see in any form of analytics is the number of visits and reads. Akismet does protect my blogsite against spam, but I fail to see how that should put me at risk. I refuse to open the teaser programs on facebook that open my contact list to their viewing so as to limit third party trollers. Reading Privacy Policies causes my eyes to roll back in my head. How am I protecting myself by putting something on my site that I have little idea whether or not I am doing it?
Isabela Powers says
Hey Randy! I was doing research on this topic and a few articles in, my head was spinning. Then I came across this gem of a blog and finally understand what’s happening. Thank you for the time you’ve spent creating these blog posts and helpful advice.