Last week, I blogged a couple of times about the new GDPR rules that will go into force on May 25. I covered what I consider the first two steps—creating your Privacy Policy and updating your Contact forms.
Today, I’ll talk about another step in the process—updating your blog comment form.
Once again, the standard disclaimer: I am not a lawyer, and nothing I say here should be considered legal advice. I’m blogging about my own journey to get my websites GDPR-compliant. If that helps you on your own journey, very good, but you should consult a lawyer versed in GDPR if you want legal advice.
Blog Comments and GDPR
If you have a blog on your website and allow comments, then you typically require people to give some sort of personal information in order to make a comment. For example, you might require them to give a name and an e-mail address and optionally a website.
You ask for their name because that creates some accountability. Anonymous comments can be vicious comments, and that’s not what you want on your blog.
You ask for their e-mail address, even though that doesn’t get displayed, because you might want to contact them privately. And you may also have things set up so commenters can be notified by e-mail if somebody responds to their comment.
You ask for their website (if they have one) so that people can click on their names and go learn more about them.
You might also have a cookie that can fill in their info next time they want to comment.
This is all pretty innocuous stuff, but it is personal information, and therefore GDPR applies.
So you need to get permission to collect and process this personal information.
What I Did To Make this Work
A new version of WordPress (version 4.9.6) was released last Thursday, May 17. It had a number of new features that make GDPR compliance easier. There’s a very nice and detailed review of the new features on MaAnna Stephenson’s blog here. This may be the best summary of GDPR I’ve seen yet.
One of the new features in WordPress is that the form for blog-commenters to fill out now includes a checkbox that says: “Save my name, email, and website in this browser for the next time I comment.”
That clearly tells people that their info will be stored in a cookie. Then the cookie will fill in that info next time.
So to get this working on my site, I updated WordPress to version 4.9.6. (Actually, my web developer updated it.) My understanding is that the new checkbox now automatically appears in the comment form. (You should check me on this to be sure, since I didn’t do this myself. But I don’t see any way to eliminate this checkbox from your form.)
My understanding is that there should also be a checkbox that people have to check to accept the website’s Privacy Policy. That feature is not built into WordPress, but there’s a new plugin that does the trick.
The plugin is called “WP Comment Policy Checkbox.” It inserts into the Comment form a checkbox that says: “I have read and accept the Privacy Policy.” And it adds a link to the website Privacy Policy.
If you look at the Comments page of this blog entry, you’ll see the two new checkboxes. They weren’t there a week ago. This is progress, right?
There’s Still More to GDPR
One of the major GDPR requirements is that you inform people of exactly what they’re getting into when they subscribe to your e-mail newsletter (or your blog, if they’re subscribing to your blog by e-mail).
That takes some work, but I’ll defer that to another post. I’ve spent some time today learning how to do this, and I’ve almost completed it on one of my websites. I’m not a MailChimp guru, and it’s been a while since I spent much time looking at all its many powerful features. So I got kind of side-tracked looking at all the whiz-bang goodies. But I’m now pretty clear on how GDPR compliance works in MailChimp. It’s not that hard.
If you want to get a running start on it, check out MailChimp’s article Collect Consent With GDPR Forms. Even if you don’t use MailChimp, this will give you a reasonably clear idea of what sort of work you need to do to get your e-mail lists up to snuff for GDPR.