GDPR FOR BLOGGERS
I am sure that by now you have heard about the GDPR and have even begun to make changes to your blog to try to comply with this new regulation. I have searched for information about this, especially regarding what we, the administrators of our blog sites, have to do, and I have not found any concise information on how to do it. I have only found general information: to meet X you have to do Y, but without saying exactly how to do it. That is why I decided to write this article, where I will explain exactly what I did and why.
The GDPR (General Data Protection Regulation) is an EU data protection regulation adopted in 2016 that became enforceable on May 25, 2018. It applies to any site, wherever it is hosted, that processes the personal data of people who are in the EU (for example by offering them goods or services or by monitoring their behaviour), so being located outside Europe does not put a site out of its scope, and you generally cannot tell from a visit alone whether the visitor is in the EU.
I do not want to go into much detail about what the GDPR is; for more information you can read the Wikipedia article on the topic, General Data Protection Regulation.
What are the major topics of the GDPR that affect us?
- The correct way to implement opt-in forms to collect emails.
- Information we collect when a user makes a comment on our pages.
- The right of users to know what information we have stored from them, the right to change it or download it and the right to erase it.
- Information that the Cookies of our sites collect from users and their right to block them.
There are multiple types of online pages, such as e-commerce stores, news sites, blogs, question and answer forums, etc., and each of them manages and processes information in different ways. In this article I am only going to focus on my experience, which is with blog sites.
Here I must make a statement: I am not a lawyer and my advice should be taken as what it is. It is based only on my experience and is not legal advice. Each of us is responsible for implementing what is necessary to comply with this regulation. The information presented here is general information only, so I am not responsible for what each person implements on their website. If you think you need help, contact an expert in the field.
Well, now I can begin to explain how I resolved each point.
I use the following documents on my website:
Privacy Policy
The most important of all. Here you must explain what data you collect from users, how you handle it, the rights of users in relation to their data, how you protect their data, and information about cookies, as well as your contact information.
Terms of Service
Necessary to explain everything related to the use of our blog, for example that my website may contain links that point outside my domain and that The Salty Feet has no control over their content, the correct use of comments (very important: here it is made clear that comments can be edited, changed or deleted), prohibited uses of our content, and which law governs us legally (that of the country where we are based).
Cookie Policy
Here I explain what cookies are and give links to sites that explain step by step how to disable them (if the user wishes) in the most common operating systems and browsers.
Disclaimer
Necessary to make clear to users that the information on our site is not and does not constitute legal advice on any subject, and that it is general-purpose information to be used under their own good judgment. I also explain what affiliate marketing is and how their purchases through our site could generate a commission in our favor.
I imagine you must be thinking: how do I write so many legal texts if I am not a lawyer?
For the other policies I used different generators; just search for "xxxx policy generator" and you will find many options.
If you want to take my policies, copy them and use them on your site, go ahead, but read them carefully, make sure they match your site, and be sure to delete or change any personal data the policy contains. I have seen cases in which the policy was copied as it is and the administrators did not even remove the name of the site they copied it from and replace it with their own.
The correct way to implement opt-in forms to collect emails.
Under this regulation, to collect personal information such as names and emails you need the express consent of the user, and you must explain exactly how you are going to use this information and stick to it.
The user must give their express consent, for example by ticking an acceptance box (which must not be pre-ticked), and you must explain why their information is needed: that they will be receiving the newsletter and that you could send them advertisements.
In addition, if you use gifts as a hook to collect emails, such as a free ebook download, you must give the option to download the ebook without subscribing to your mailing list: consent is not freely given when it is made a condition of getting something unrelated to the marketing. Users need the option of obtaining free promotional material without being required to receive advertising emails. To achieve this, instead of a single checkbox that covers both receiving the material and receiving advertising, you need two checkboxes: one authorizing the use of their email to send them the free material and another authorizing the use of their email for marketing purposes.
I use MailChimp to collect emails, and at the time of writing this article the checkbox in MailChimp's forms cannot be set as required, so it was a bit difficult for me to add this option to my pop-up form. The way I solved it was by adding a drop-down menu. I left the first option of the drop-down menu blank, without data, set the second option to Yes, and made the drop-down menu required in order to subscribe. It works like this: since the first option has no data, the form detects that no selection has been made, so it is not until the user selects Yes that it is possible to click Subscribe.
Another important point is that, as you can see, I only ask for the email and not the name. The less information we collect, the better, and from my point of view only the email is needed to carry out marketing.
There is also a widget with a link to this form on my blog pages, so a user who wants to sign up just needs to click on Subscribe to the newsletter to reach this form.
It is important to note that all emails MailChimp sends to subscribers include an unsubscribe option, which is also a requirement of this regulation.
Information we collect when a user makes a comment on our pages.
WordPress made two important changes in an effort to comply with the GDPR in its 4.9.6 update (May 2018). One of them is the addition of a checkbox in the comments section:
Save my name, email and website in this browser for the next time I comment
This asks permission to leave identification cookies on the user's computer (the comment_author_*, comment_author_email_* and comment_author_url_* cookies) so that the same user is recognised and their data is filled in automatically when they comment again on the same site. If the box is left unticked, WordPress no longer sets these cookies.
The following checkbox is generated by the plugin The GDPR Framework:
This checkbox is required before any comment can be posted on our site. You must have previously written these policies and linked them from the plugin's control panel. If the user does not tick this box, they will not be able to comment.
There is something else I want to share that is also very important and that I have not found anywhere else: the use of Gravatar.
Gravatar is run by Automattic, the company behind WordPress.com, and a Gravatar account stores the user's data, including a profile photograph. When someone comments on a WordPress site, WordPress does not ask Gravatar for that user by name: it hashes the commenter's email address and requests https://secure.gravatar.com/avatar/<hash> from gravatar.com, which returns the photograph registered for that address. So even commenters who never created a Gravatar account have a hash of their email sent to a third party on every page that displays their comment, and anyone can use that same hash to look up a public Gravatar profile.
If the GDPR is about the use and protection of the data we collect from our users, why would we publish something as personal as a picture and send the commenter's email hash to a third party? When I realised this, I configured WordPress so that the pictures do not appear (WordPress calls them avatars). This is done from the WordPress dashboard: SETTINGS -> DISCUSSION -> AVATARS -> AVATAR DISPLAY -> SHOW AVATARS
When you untick this box, the commenters' photos disappear and WordPress stops requesting them from gravatar.com. Although they look very nice, I prefer to avoid complications with the new regulation.
The right of users to know what information we have stored from them, the right to change or download it and the right to erase it.
As I mentioned above, WordPress made two important changes to comply with the GDPR, and the other was the addition of two new tools:
Export Personal Data
Erase Personal Data
These are found in the Tools menu of the WordPress dashboard.
If a user asks, through the contact form or by any other means, to see what data is stored about them on our website, you enter their email in Export Personal Data and WordPress sends the user an email asking them to confirm the request. Once they confirm, you can generate the export (an archive of the data WordPress found for that email) and send them the download link. The same steps, in Erase Personal Data, generate the deletion of the user's data.
From what I have seen, most of the information saved about users is in the comments they have made on our sites.
The GDPR Framework plugin creates a page called Privacy Tools with which users can do this themselves, and the plugin emails the administrator to record the user's request.
First, the user must identify themselves with their email; once this is done, the plugin sends an email with a link that expires 15 minutes after the email is sent. With this link, users can download their information or delete it.
I want to point out that after performing some tests, if the user's email is from Hotmail, Hotmail automatically rejects it and it is not received, or at least that is what happened to me. It is not the first time something similar has happened to me with Hotmail emails; that is why I barely use it.
Information that the Cookies of our sites collect from users and their right to block them.
This is probably the most complicated point, at least for me, to solve.
In theory, to comply with the GDPR you must give the user the option to refuse all cookies that are not essential for the correct operation of our site. There should be a banner listing the types of cookies that may be used, and consent should be obtained before these cookies are set, not afterwards. If the user does not consent, those cookies must not be set, and the user should still be able to use the site normally.
Think Google Analytics, Facebook Pixel, YouTube cookies, etc …
There is a lot of information our plugins could be gathering from users without us noticing. Google Analytics cookies are useful to us to know how our sites perform, and if you advertise on Facebook the Facebook Pixel is useful too, but neither is essential for the visitor to use the site, so they are exactly the kind of cookie that needs prior consent.
This can be counterproductive with our users, since when anyone is asked "do you authorize me to monitor you?" the answer will surely be no; they will be put off because they are not used to having to authorize everything and are not well informed about how marketing works.
A common alternative is to show only a notice banner with instructions for blocking cookies in the browser, under the assumption that a user who does not want cookies from one site will not want them from other sites either, and that this can be achieved by configuring the browser. Note that this does not meet the requirement described above: the cookies are already set by the time the visitor reads the notice.
I also took this path; the plugin I am using is Cookie Bar, which generates a banner that you will have seen if it was your first visit to my site.
As you can see, I give the user the option to learn how to block all cookies in the most used browsers.
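One way to do what the regulation actually asks for, as an added example (this is not the article's code nor the Cookie Bar plugin; the cookie name tsf_consent, the category names, the loader list and the placeholder tracking ID are assumptions for illustration): a small first-party consent record, and third-party loaders that run only after the visitor has opted in to their category. Absence of the cookie is treated as no consent, so nothing non-essential is loaded on a first visit until the banner's accept button stores a decision. The Google Analytics loader also shows where the anonymizeIp setting (covered in the next section) has to sit relative to the create and send calls.

```javascript
// Added example: consent-gated loading of non-essential third-party scripts.
// Not the article's or Cookie Bar's code; the cookie name, the category names
// and the loader list are assumptions for illustration.

const CONSENT_COOKIE = "tsf_consent";            // assumed first-party cookie name
const CATEGORIES = ["analytics", "marketing"];    // non-essential cookie categories

// Parse a Cookie header or document.cookie string into a name -> value object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Returns {analytics: bool, marketing: bool}, or null if the visitor has not decided.
// No cookie means no consent: nothing is pre-ticked and nothing is assumed.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (raw === undefined) return null;
  const choices = {};
  for (const cat of CATEGORIES) choices[cat] = false;
  for (const item of raw.split(",")) {
    const [cat, val] = item.split(":");
    if (CATEGORIES.includes(cat)) choices[cat] = val === "1";
  }
  return choices;
}

// Cookie string that records the decision; Secure and SameSite=Lax so the
// consent record itself is not sent over plain HTTP or in cross-site requests.
function serializeConsent(choices, maxAgeSeconds = 180 * 24 * 3600) {
  const value = CATEGORIES.map((c) => `${c}:${choices[c] ? 1 : 0}`).join(",");
  return `${CONSENT_COOKIE}=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Only loaders whose category was explicitly accepted may run.
function loadersToRun(choices, loaders) {
  if (!choices) return [];
  return loaders.filter((l) => choices[l.category] === true);
}

// Inject analytics.js only after consent. The 'set anonymizeIp' command must sit
// after 'create' and before the first 'send', or the pageview hit carries the full IP.
function loadGoogleAnalytics(win, doc, trackingId) {
  win.ga = win.ga || function () { (win.ga.q = win.ga.q || []).push(arguments); };
  win.ga("create", trackingId, "auto");
  win.ga("set", "anonymizeIp", true);
  win.ga("send", "pageview");
  const s = doc.createElement("script");
  s.async = true;
  s.src = "https://www.google-analytics.com/analytics.js";
  doc.head.appendChild(s);
  return (win.ga.q || []).map((args) => Array.from(args)); // queued commands, in order
}

const LOADERS = [
  // "UA-XXXXXXXX-1" is a placeholder; use your own property ID.
  { name: "google-analytics", category: "analytics", run: (w, d) => loadGoogleAnalytics(w, d, "UA-XXXXXXXX-1") },
  { name: "facebook-pixel", category: "marketing", run: () => { /* fbq('init', ...) would go here */ } },
];

// Entry point: call on page load and again from the banner's accept button,
// after it has stored the decision with document.cookie = serializeConsent(...).
function applyConsent(cookieString, win, doc) {
  const ran = [];
  for (const l of loadersToRun(readConsent(cookieString), LOADERS)) {
    l.run(win, doc);
    ran.push(l.name);
  }
  return ran; // names of the loaders that actually ran
}

if (typeof document !== "undefined") {
  applyConsent(document.cookie, window, document);
}
```

The banner itself only has to do two things: write the visitor's choice with serializeConsent and then call applyConsent; the essential WordPress cookies (login, the comment cookies the visitor already consented to) are untouched, because they are never routed through this code.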
Another thing I did was to anonymize the information that Google Analytics collects from users.
Google Analytics collects, among other things, the user's IP address, from which it can tell from which part of the world they visit us. An IPv4 address consists of four numbers separated by dots, for example 74.125.224.72 (one of Google's IPs). The way to anonymize this information is to remove the last number, replacing it with zero, so that it becomes 74.125.224.0 (for IPv6 addresses Google removes the last 80 bits). In this way Google Analytics can still tell roughly where the visit comes from, but with less accuracy: typically it can no longer tell the city, but it can still detect the country and region. Note that the truncation happens on Google's collection servers before the address is stored, not in the visitor's browser, so the full IP still travels to Google.
The way I did this was as follows:
You need the plugin Head and Footer Scripts Inserter, with which you can easily insert scripts in your website.
In the Head section, after the line that creates the tracker (ga('create', ...)) and before the line that sends the pageview (ga('send', 'pageview')), insert the following code; placed anywhere else it has no effect on the pageview hit. If your tracking code uses gtag.js instead of analytics.js, the equivalent is the anonymize_ip parameter of the gtag config call.
ga('set', 'anonymizeIp', true);
and voilà, one less problem with the GDPR.
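The truncation described above, reproduced as an added example (this is not the article's code and not Google's; the log lines are constructed, not real traffic). It goes a little beyond the article: it also covers IPv6, where Google keeps only the first 48 bits, and it applies the same rule to a web server access log, which holds the same full IP addresses and is worth anonymizing too.

```javascript
// Added example: the IP truncation that Google's anonymizeIp setting applies,
// reproduced locally so the same rule can be applied to your own server logs.
// Not code from the article; the log lines below are constructed, not real traffic.

// IPv4: zero the last octet (74.125.224.72 -> 74.125.224.0).
function anonymizeIPv4(ip) {
  const parts = ip.split(".");
  const valid = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!valid) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.slice(0, 3).map(Number).join(".") + ".0";
}

// IPv6: Google zeroes the last 80 bits, keeping only the first 48 (three hextets).
function anonymizeIPv6(ip) {
  const halves = ip.split("::");
  if (halves.length > 2 || !/^[0-9a-fA-F:]+$/.test(ip)) throw new Error(`not an IPv6 address: ${ip}`);
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length; // groups collapsed by "::"
  if (missing < 0 || (halves.length === 1 && missing !== 0)) throw new Error(`not an IPv6 address: ${ip}`);
  const groups = [...head, ...Array(missing).fill("0"), ...tail];
  if (!groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) throw new Error(`not an IPv6 address: ${ip}`);
  // First three hextets, normalised (lower case, no leading zeros); the rest collapses to "::".
  return groups.slice(0, 3).map((g) => parseInt(g, 16).toString(16)).join(":") + "::";
}

function anonymizeIp(ip) {
  return ip.includes(":") ? anonymizeIPv6(ip) : anonymizeIPv4(ip);
}

// Apache/nginx "combined" log lines start with the client address; only that field is touched.
function anonymizeLogLine(line) {
  const m = /^(\S+)(\s[\s\S]*)$/.exec(line);
  if (!m) return line;
  try {
    return anonymizeIp(m[1]) + m[2];
  } catch (e) {
    return line; // first field is not an address (e.g. "-"): leave the line unchanged
  }
}

// Constructed sample access-log lines (not real visitors).
const SAMPLE_LOG = [
  '74.125.224.72 - - [25/May/2018:10:12:01 +0000] "GET /gdpr-for-bloggers/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
  '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [25/May/2018:10:12:05 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

function anonymizeLog(lines) {
  return lines.map(anonymizeLogLine);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const line of anonymizeLog(SAMPLE_LOG)) console.log(line);
}
```

Note the difference from the Google Analytics setting: there the truncation happens on Google's servers after the hit has been received, whereas here it happens on your own machine before the address is ever stored, which is the stronger guarantee. Invalid addresses are rejected rather than silently passed through, so a malformed log line cannot leak a full address past the filter unnoticed.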
If you want to make a complete scan of the cookies you use, try the site cookiebot.com
Personally I think WordPress needs to catch up with the GDPR in relation to cookies and provide a tool within WordPress core for the user to select which cookies to block and which to allow, without the procedure being so complicated, and make it as simple as possible so as not to scare users away.
So, with these procedures, are we complying 100% with the GDPR?
Probably not. Some points are ambiguous and others somewhat more complicated, especially for those who conduct electronic commerce and are not located within the EU, since they generally have to appoint a representative within the EU (the representative required by Article 27 of the regulation; this is a different role from the Data Protection Officer, which not every site needs). This service is certainly not free and can be very complicated for those who want to start in e-commerce and do not have much capital.
Until I can find a simpler, free solution for cookies (there are plugins that perform a complete scan of the website and generate a multiple-choice banner for users to choose which cookies to allow and which not, but because of their complexity they require payment), I will continue with the banner as a notice about cookies.
If you want to receive articles like this in your email subscribe to my NewsLetter