Hello happy site owners and webmasters!
This week’s tips are all about GDPR.
There are 6 steps you need to take, and I’m going to detail them out for you in this guide.
Listen to the Podcast
Watch the replay with more news on the GDPR plugins
Join us for the next party, every Tuesday night, 8pm ET / 5pm PT on the BlogAid Facebook page
Subscribe to Tips Tuesday
Tips Tuesday is my weekly roundup of site success tips including: WordPress, SEO, speed, security, blogging, and so much more.
It’s offered as a post, podcast, and livestream.
- Subscribe to BlogAid News and my blog posts – to get Tips Tuesday delivered right to you. Be sure to check the extra box for the posts!!!
- Subscribe to the Podcast – on iTunes, Stitcher, and more
- Come to the live party – join me LIVE every Tuesday night on the BlogAid Facebook page for a recap and discussion and Q&A of the week’s tips and breaking news.
Let’s jump into this week’s special edition on GDPR tips.
I’m not a Lawyer
First, let’s get the disclaimer out of the way.
- I’m not a lawyer and I’m not offering legal advice about GDPR.
- The tips in this post are focused on U.S. bloggers who do not target EU citizens directly, and are specifically limited to the majority of my followers who are mainly craft/lifestyle/foodie bloggers, plus webmasters who are mostly designers and developers or site services professionals.
- These tips may not be everything you need to know about GDPR. This post is for informational purposes only and is not to be considered legal advice.
- I encourage you to do your own research and run your policies by a cyber lawyer.
- I will constantly be working on BlogAid to make it GDPR compliant.
I will also be updating this post with new info as it becomes available.
See the Changelog at the bottom.
GDPR Tools in WordPress
WordPress 4.9.6 was released on May 17, 2018.
It includes a new set of GDPR Tools in the core.
It’s a good start, but not enough. And even with these tools, there are things for you to do.
READ: WordPress 4.9.6 New GDPR Tools for more.
In brief, this is what the new GDPR Tools in WordPress includes:
- Add functionality to assist in creating comprehensive privacy policies based on the data your site collects
- Admin tools to document consent given by users
- New Privacy admin page in the Tools menu to confirm user requests for export or anonymization of their personal data, with email confirmation of the request
Many of the plugins already available are attempting to replicate some of these processes. And, some of those plugins have extra functions that are overkill for the needs of most bloggers, and honestly, a little scary in what they allow to be done to your site with regard to security.
Overview of 6 Steps You Need to Take to be GDPR Compliant
- Document all the ways you collect personal data on your site and any 3rd party vendors you share it with.
- Determine your legal basis for the right to process that personal data with regard to the Lawful Grounds rules section of the GDPR.
- Create policy documents based on the data collection and processing rights you use.
- Determine the best places to post your new policies on your site.
- Determine the best ways to gather consent from visitors and supply requested info on how you track them, as well as a way to anonymize that data on request. This will likely involve plugins.
- Develop a system to safeguard all data you collect.
Okay, let’s dive into details for each of these steps.
Audit How You Collect Personal Data
I was shocked to discover all the places I keep data that has to be GDPR compliant!
Collected data falls into 2 categories:
- site follower – usually anonymous, like IP addresses
- client data – email or other more personally identifiable data
U.S. companies do not have to make IP address collection data privacy compliant as of May 2018.
Neither do they have to be fully GDPR compliant about email addresses.
However, most of the entities that help you collect this data are either becoming fully GDPR compliant, or are becoming Privacy Shield Certified, which is a special US/EU privacy certification.
See links in the Policy section for entities that are compliant.
IP Address Collection
Following is a list of all entities that may collect IP addresses of your site visitors.
- Email List service – Mailchimp, Aweber, Convert Kit
- Google Analytics
- Facebook Pixel Tracking
- Ad network tracking
- Affiliate link tracking
- Host provider – via server logs, including those you can see and download like AWStats, Webalizer, and raw access logs
Email Address Collection
Following is a list of all entities that may collect or retain email addresses of your site visitors and/or clients.
- Comment forms – such as those at the bottom of a blog post. These may be held in your WordPress database, or a 3rd party comment vendor
- Gravatar – on comments, if the visitor has an email connected to it, so it can bring in their profile image
- Contact form – some, like Gravity Forms, retain the form info in your WordPress database
- Email List service – like MailChimp, Aweber, Convert Kit
- Facebook Ads – via Pixel Tracking script
- E-contracts signing – like SignNow
- Webinar registration – via vendors like GoToWebinar
- Payment gateways – like PayPal, Stripe
- Membership sites – whether on your own site or a 3rd party vendor
- eStore sites – email, shipping, and other personal info may be held in your WordPress database or 3rd party eStore vendor
If you offer services or products, you may also keep a list of your clients in your own spreadsheets or other docs or apps.
That data could be held in the following:
- Google Drive, CRM (Customer Relationship Management app), financial reporting such as Quickbooks, membership site
- If kept on your computer in a spreadsheet or such, it might also be held at your cloud backup service, like Carbonite
- Your email provider service – like G Suite, GoDaddy, Rackspace, and Gmail – if you keep client info in your Contacts list
All of the above collected data must be GDPR compliant for security.
More on that in Step 6.
Step 1 Task:
- Make a list of all the ways you store data on your site visitors and clients.
Determine your legal basis for the right to process personal data.
This is the GDPR stuff that is making bloggers frantic.
It’s all about consent to obtain someone’s personal data, and exactly what you plan to do with it.
The last part of that is called “personal data processing” in GDPR lingo.
Legal grounds for the lawfulness of personal data processing impact:
- Cookie tracking of any kind, including for analytics.
- Email marketing – even something as simple as an optin to your newsletter
- The policies you need to place on your site and what you disclose in them.
- Ensuring site visitors have a way to see and modify the data you collect on them.
There are 6 legal grounds spelled out by i-SCOOP, which is the entity that provides publications, training, and resources for digital business and process.
You need to read all 6 legal grounds for yourself.
The 2 legal grounds that all site owners will want to become the most familiar with for your marketing type are:
- Consent
- Legitimate Interest
If you run a service/product based business, you will also want to read up on:
- Contractual necessity
To be GDPR compliant, you have to let all site visitors know that you are gathering data on them.
There is a HUGE difference between the new GDPR directives and the older EU ePrivacy Directive, which involved the simple “cookies are in use” notification that has been around for years.
The EU ePrivacy Directive only requires that you let folks know you are using cookies.
The GDPR requires that you actually document each consent, and that no tracking occurs prior to you obtaining that consent.
So, you need methods that help you notify and obtain that consent documentation. More will be discussed on this part of it in the Plugins section.
The more anonymous data you’re collecting might include:
- IP address
- Cookie tracking
Note that this info could be tracked without the visitor’s prior knowledge.
In other words, they would have to take steps to block that type of info from being tracked via their browser or other app prior to visiting your site.
Once they get to your site, you have to let them know such tracking will be in play.
If they want to leave, they can. Or, they can click a consent that you supply if they want to stay.
There are several plugins available for this type of notification, and they will be covered in the Plugins section later in this guide.
The more personal data you might want to collect could include:
- Email address
- Street address, phone number, website URL
Note that visitors have to take explicit action to give you the above info that is more personally identifiable, like filling out a form of some kind.
You don’t have to get prior consent of course, because this type of data collection requires that the visitor take additional action.
This type of data collecting comes into play with comment forms too. That is one of the notifications that the WordPress GDPR Tools are supposed to provide.
Email Marketing Consent and Legitimate Interests
Note: This is a deep topic and you would do well to consult those who cover it more fully, and specifically for the type of email marketing you do.
Your email list is your pot of gold.
And these rules are the GDPR things that could change how you conduct that part of your business.
The new rules state that you have to obtain explicit consent to collect an email address for a specific purpose.
Let’s visit a few quick examples to get an idea of the different ways this could play out.
Scenario 1 – One List Only
You have one email list, and it is only for your newsletter.
This is easy.
This particular scenario falls under Consent and the Legitimate Interests rule.
Scenario 2 – One List and One Segment
You have one main email list, and a segment off that list to send your blog posts via RSS-to-email.
Perhaps you included a checkbox for folks to get on the main list and the segment.
By checking that box, the subscriber gave explicit consent for both. They could also update their info on that list and/or unsubscribe from either or both.
For this scenario, you will need to provide a checkbox for the segment, which is not checked by default. In other words, subscribers must take an extra step to subscribe to the main list and the blog post segment.
You can’t automatically place them on any segments.
This particular scenario falls under the Consent and Legitimate Interests rules.
Scenario 3 – Product or Service Purchase
Let’s say you purchased my DIY SEO course.
It is a member site and has its own email list.
Just by purchasing, you are automatically subscribed to the member site and the list.
You can unsubscribe to either/both at any time.
After the service, I will ask you if you want to be placed on those special email lists so I can keep you updated with the latest changes that affect your site security, speed, or HTTPS status.
This particular scenario falls under the Consent and Legitimate Interests rules too.
Extra freebies, ethical bribes, and lead magnets beyond your main list – these are the biggies for GDPR compliance.
I cover a LOT of site success topics on BlogAid.
Let’s say I want to target visitors with a specific interest, like site speed.
On any of my posts in the Speed category, I could offer a special, free optin to get more info that is exclusive to those who provide me with their email address for that specific thing.
Fine, no problem with GDPR compliance.
The visitor is giving me explicit consent to collect their email address to send them something helpful with their site performance.
Here’s what will get you into GDPR trouble.
Most serious email marketers will take the email address from that freebie optin and then use it for:
- Their main email list
- Offers beyond the freebie
- Targeted audiences on social media, like Facebook ads
To do that, and be GDPR compliant, they have to get explicit consent to use that email for all these other purposes.
And this is where things get fuzzy in how consent is collected.
Do you put it:
- on that specific optin form as a link to a policy page
- on the page/widget where the form resides
- in checkboxes on that optin form (I seriously doubt anyone will do this, just sayin’)
You can still do your email marketing, you just have to be transparent.
That’s the whole point of GDPR.
As long as you explain to folks what they are signing up for, and they give consent, you’re all good.
I’m seriously glad the GDPR will help bring an end to me and you being signed up to 10 lists when we had zero knowledge that would happen, and gave no such consent for the list owner to do so.
If this type of scenario is at the heart of your money making, then I would strongly suggest you seek out a GDPR email marketing specialist for more in-depth help.
This type of scenario falls under both Consent and Legitimate Interest rules, and there is a LOT of grey area there.
Because so much money is at stake with this, I’m 100% positive U.S. bloggers will carry on discussions well past the May 25, 2018 implementation about how best to manage this part of GDPR. So, continue to read all you can about it.
Specific EU Citizen Email Consent
This is another really big GDPR deal.
Up until now, you didn’t have to obtain more than a casual consent to gather an email address from your site visitors.
But now, you’ll likely be required to obtain fresh consent from EU citizens, based on your new policies.
Be prepared to:
- Check with your list service provider (MailChimp, Aweber, etc) to provide a list of email addresses that can be identified as belonging to an EU citizen or citizen of Great Britain.
- Send an email just to those folks, asking for renewed permission.
- If they don’t reply, then you must remove them from your email list.
Now, all that is a little tricky.
I’ve seen folks say you have to create a whole new list to retain documentation that you have fresh consent. But I don’t think that’s the best way to do this. You may be able to find another way to document that they gave you consent anew, and retain them on your original list.
Be sure to do your own homework on this, as there are many methods for it. You’ll need to see which one works best for your needs.
Step 2 Task:
- List your legal basis to process personal data.
- Check the way you gather email addresses now.
- Determine if you need to make a change as to how you use those email addresses.
Create policy documents based on the data collection and processing rights you use.
Now that you know what data you collect, where you process and hold it, and the legal grounds you need to claim for processing that data, you’re ready to create the info you want to publicly post on your site.
Policies and Statements can include:
- A pop up consent button that you are tracking anonymous data, like IP addresses, and other cookies. (More about this in the Plugins section.)
- Affiliate commission notification
Resources for Policy Text
Ensure you follow these guidelines for your policy text:
- DO NOT copy/paste the docs word for word, no matter where you get them.
- Edit to suit your specific needs.
- Include all of your data processing uses/methods. Those will vary by site and by how you do your marketing.
Where to Get Well-Vetted Policy Templates
I HIGHLY recommend the How to be GDPR Compliant (aff link) course from Katie Hornor.
It is specifically created for US based bloggers and solo-preneurs.
Webmasters Jim and Shelley Merchant recommended it to me and the rest of my webmasters. And I am so very grateful for them vetting this course first, and saving me so much time, that I’m including their affiliate link for it. So, please do support the folks who are helping me help you!!
This course will make all the GDPR stuff make more sense to you. And there are tutorials specifically on the email marketing stuff, plus bonus materials from additional experts on that.
I found the policy templates that are included to be worth the price alone.
And because I found these templates to be all I needed, I have not vetted other sources for free ones.
If you intend to use free policies or worse, just copy from other sites, keep this in mind – this is all legal stuff. Somebody could come after you over it.
The legal requirements for one site may be wildly different from another site. So, that’s just one more reason not to simply scrape and paste.
Privacy Shield Compliant Vendors
Each of the vendors listed below is fully certified.
In your policy, you can link to the vendor’s policy, if you call out your vendor by name.
- MailChimp https://mailchimp.com/legal/privacy/
- Aweber https://www.aweber.com/privacy.htm
- Convert Kit https://help.convertkit.com/article/661-compliance-with-gdpr
- Google – all products https://policies.google.com/privacy
- Cloudflare https://www.cloudflare.com/privacyshield/
- Gravatar – owned by Automattic, makers of WordPress https://automattic.com/privacy/
- Facebook https://m.facebook.com/about/privacyshield
- A2 Hosting https://www.a2hosting.com/about/policies#Terms-Of-Service
- SiteGround https://www.siteground.com/term/140.htm
All companies who are certified can be found on the Privacy Shield Framework site’s list.
Please contact me if you have info on this.
UPDATE 5/8/18: MediaVine will be providing a pop up for consent, and so visitors can opt out. No details given yet in their post from 5/7/18 about it. My guess is that it will come via their plugin.
This could cause a bit of a mess for site owners, who will still need to offer their own pop up to get consent for all other tracking.
Thanks to Renee for the heads up (in the comments).
Thanks to Marilyn for the heads up (in the comments)
If you work with an agency, please do keep us updated!!
Determine the best places to post your new policies on your site.
You’d think this would be simple and you could just put links anywhere. Well you can.
But there are some SEO link considerations.
- Link placement matters.
Keep in mind that Google indexes your site navigation.
If you have more than one menu location, the one at the very top is considered the most prominent, and given more SEO weight. The one in the footer area is considered the least prominent. This could be in a footer widget, or at the end of page, where your copyright notice is.
Using sub-links under your About page or such will also drop the importance of those links.
Links in any widget area also carry less SEO weight than links in the content or top menu areas.
- Some plugins create a page for you that has all of the info you hold on your site. Some plugins allow you to link to a page you created. Just ensure that all of these links go to the same place, with the same info. See more in the Plugins section.
Link Close to Need
If it’s for an optin in a widget area, many plugins don’t allow any place for adding a link like that.
And that’s one of the main reasons why I customized a plain form from my list service. You can have a designer style it to look just like whatever a plugin template gives you too. Doesn’t cost much for either.
Step 4 Tasks:
- Include your 3rd party vendors and other uses of personal data that are unique to your site and marketing.
Determine best ways to gather consent and supply requested info.
If you run ads on your site, you will recall the hoohaa a few years ago about having to place a “cookies in use” notification on your site.
GDPR is that same thing, on steroids.
Now you have to immediately notify visitors that you use tracking methods on your site, even if it is just Google Analytics. Most of the notification plugins that have been around for the last couple of years can do that.
But, that’s not enough anymore.
There are 3 major changes with GDPR compliance with regard to cookie tracking.
- Tracking scripts and cookies must be turned off until you get explicit consent from visitors.
- The visitor consent must be recorded in a way that you can retrieve it and prove consent.
- All data gathered from the visitor must be retrievable on demand, with the option to modify or delete it.
WordPress 4.9.6 will have tools in the core to help with these changes. But, they may only work with a limited number of ways you track visitor data.
Some standalone plugins already have these features built in. But, those, and new plugins, may change once WP 4.9.6 is released.
But, it’s still likely that an additional, standalone plugin will be the best way to do all this.
Just be super careful which plugin you use!!!
- Some plugins use trickery to get the consent, like the visitor just scrolling down the page without clicking anything. That is NOT explicit and clear consent!!
- Or, some plugins have an option to only show the notification on the home page. That won’t cut it either.
You’ll find more about GDPR related plugins in the Plugins section later in this guide.
Step 5 Tasks:
- Determine how you want to notify site visitors – what works best for you: a header banner, pop up, footer banner?
- Research notification plugins:
- Give you flexibility with notification options (like where it will appear) and the message you want to display.
- Ensure that there is no trickery.
- Ensure that the consent is recorded.
- Ensure that all collection scripts are turned off until consent is given.
Develop a system to safeguard data you collect.
The GDPR regulations require that all data collected, by you and your 3rd party vendors, be kept safe.
Here’s what that means.
You, as the site owner, are now ultimately responsible for guaranteeing the safety of the data you collect on your site visitors – all of it.
That is HUGE!!!
And it starts with securing your site fully. Forget about any plugin doing this adequately.
It’s time to get super serious about your site security.
You harbor the following visitor info in your database:
- Commenters – all of the info collected in the comment form including name, email, and website URL
- Comment reply notification – same info as above
- IP address – spam filters for comments and contact forms
- Contact Forms – some, like Gravity Forms, retain all info entered into all fields of the form
- Security plugins – IP addresses
You are solely responsible for keeping all that data safe!
Keep in mind that most hacks are invisible. A hacker could already be stealing this data and you would never know they are there.
Find all of the security holes on your site, including at the host level, well below your site files. No plugin is going to do that!
Also keep in mind that your site backups also contain this data. Those files need to be transferred and held securely too.
That’s one of the reasons I like the combo of UpdraftPlus and Amazon S3. You can encrypt the transfer of data from your host to secure file storage.
If you are sending backups to your own computer, that’s a whole other security concern.
Client Data Security
If you sell products or offer services, you may retain client data off your site as well.
That data needs to be secured too.
Client data may be held in:
- Google Drive
- CRM (Customer Relationship Management) service
- Your computer disk
- Your computer backup service – like Carbonite
- Your email service provider – like Gmail, G Suite, GoDaddy, Rackspace
I would STRONGLY suggest that you consider holding as much of this info as possible on something like G Suite, as it is likely far more secure than your computer.
I would also STRONGLY recommend that you get super serious about your own computer and device security. That includes your phone, if you have your email connected to it. Connecting over free wi-fi is dangerous! If you travel, consider getting a VPN service so you can connect more securely.
Vendor Data Security
You are also responsible for what 3rd party vendors you allow to have access to any data you collect on your site.
Those vendors can include:
- Google Analytics
- Ad agencies
- Plugins with cloud storage, like spam filters that trigger on IP addresses
See the links in Step 3 for many popular vendors’ Privacy Policies.
Step 6 Tasks:
- Secure your site
- Secure your client data, no matter where it is held
- Secure your computer and devices that are connected to email
- Make a list of the vendors you share data with and get links to their Privacy Policies
Plugins for GDPR
WordPress 4.9.6 will have GDPR Tools to help with some of the tasks that other standalone plugins may or may not carry. For instance, a privacy statement in the native comment system. You’ll want WordPress to handle that.
And, standalone plugins may adopt the new GDPR code that will become part of the WordPress core.
There are several plugins that may help you implement all phases of GDPR compliance.
There are also several plugins that are a bit scary to me, as far as site security.
And, there are plugins that hold user data on your site in ways and places you may not be aware.
NOTE: I have not vetted all of the plugins listed below, and will update this post as I do.
Please wait for the new GDPR Tools coming in WordPress 4.9.6 before installing or making changes to ANY of these plugins!
Plugins that Hold User Data
There are several plugin types that may hold user data in your database.
- Contact forms (not all, but some)
- Comment reply email notification
- E-comm related
- Membership related
You’ll need to be mindful of these when creating your policies and statements.
2 Types of GDPR Plugin Functionality
There are 2 main functions you need on your site.
- A way to notify visitors that tracking is in play and a way for them to give consent and that consent to be recorded.
- A way to retrieve the consent list and modify it. Some plugins only allow you as the admin to do this. Some plugins allow the visitor to do this, and those are the scary ones, as they allow visitors to make changes to your database.
Even if you only use Google Analytics, or any other sort of analytics or cookie tracking, you need to notify visitors and get their consent.
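Here is how the 3 changes from Step 5 (scripts off until consent, consent recorded, consent retrievable) and the 2 plugin functions just listed fit together in code. This is an added example written for this post, not code from WordPress or any plugin mentioned here; createConsentManager, loadTracker, the storage key and the script URL are placeholder names I chose.

```javascript
// Consent gate for a blog: tracking scripts stay off until an explicit click,
// the decision is stored with a timestamp and policy version so it can be
// retrieved, re-checked or withdrawn later, and "consent by scrolling" is
// rejected. Added example, not code from any plugin named in the post.
// Assumption: `loadTracker(name)` is your own function that injects the
// tracking script (e.g. the Google Analytics tag) once consent exists.

const STORAGE_KEY = "site_consent_v1"; // hypothetical localStorage key
const VALID_METHODS = new Set(["click", "form"]); // explicit actions only

function createConsentManager({ storage, loadTracker, policyVersion, now }) {
  const clock = now || (() => new Date().toISOString());
  const loaded = new Set(); // categories whose scripts are already running

  // Return the stored consent record, or null if there is none or it was
  // given under an older policy version (fresh consent is then required).
  function getConsent() {
    const raw = storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    let record;
    try {
      record = JSON.parse(raw);
    } catch (e) {
      return null; // a corrupted record counts as no consent
    }
    if (record.policyVersion !== policyVersion) return null;
    return record;
  }

  // Load trackers only for the categories the visitor actually accepted.
  function applyConsent(record) {
    for (const [category, allowed] of Object.entries(record.categories)) {
      if (allowed && !loaded.has(category)) {
        loadTracker(category);
        loaded.add(category);
      }
    }
  }

  // Record a decision. `categories` maps category -> boolean; `method` must
  // be an explicit action. Scrolling or closing the banner is not consent.
  function recordConsent(categories, method) {
    if (!VALID_METHODS.has(method)) {
      throw new Error(`consent via "${method}" is not explicit; ignored`);
    }
    const record = {
      policyVersion,
      timestamp: clock(),
      method,
      categories: { ...categories },
    };
    storage.setItem(STORAGE_KEY, JSON.stringify(record));
    applyConsent(record);
    return record;
  }

  // Call on page load: re-apply an existing valid consent or do nothing.
  // Returns the categories whose scripts were loaded (empty before consent).
  function init() {
    const record = getConsent();
    if (record) applyConsent(record);
    return [...loaded];
  }

  // Withdrawal is stored like consent so there is a trail of the change.
  // Scripts already on the page cannot be unloaded, so reload afterwards.
  function withdrawConsent() {
    const record = { policyVersion, timestamp: clock(), method: "click", categories: {} };
    storage.setItem(STORAGE_KEY, JSON.stringify(record));
    return record;
  }

  return { getConsent, recordConsent, withdrawConsent, init };
}

// Browser wiring (skipped when run outside a browser): hook the banner button.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const manager = createConsentManager({
    storage: window.localStorage,
    policyVersion: "2018-05-25", // bump this whenever your policy text changes
    loadTracker: (category) => {
      if (category === "analytics") {
        const s = document.createElement("script");
        s.src = "https://example.invalid/analytics.js"; // placeholder URL
        document.head.appendChild(s);
      }
    },
  });
  manager.init();
  const accept = document.getElementById("consent-accept"); // assumed button id
  if (accept) {
    accept.addEventListener("click", () => manager.recordConsent({ analytics: true }, "click"));
  }
}
```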
Following is a list of the plugins that my followers, my webmasters and I have compiled.
I have not personally vetted each of these plugins yet.
NOTE: Most of these plugins block tracking scripts from running until consent is given by the viewer. That means they can still see your site, but no tracking will take place, and some content may not be shown to them. Some plugins offer an option to refuse cookie tracking and allow visitors to keep poking around your site.
This plugin has been around for years and most all of my clients who run ads from agencies on their sites use it.
It provides a pop up button for notification and consent that cookies are in use and the look of it is fully customizable.
It also blocks tracking scripts from running until consent is given.
However, as of 5/6/18, the plugin page says that their GDPR compliance is under review. I believe that has to do with the way they track the consent. And that may be affected by the new GDPR Tools coming in WordPress 4.9.6.
It has many customizable options, maybe too many, as some don’t ensure all visitors see the notice, like showing on the home page only. It inherits your theme styles and can be customized from there.
The latest version also has GEO IP support, which auto detects the visitor’s country. So, it may only show the notification to visitors from EU countries.
It does not specifically state that it blocks scripts until consent is given. But, it does have an option to accept the consent if the visitor scrolls the page. I’m not sure if that is truly GDPR compliant.
There are a couple of concerns I see with this plugin.
First, you’re going to have to end up on the paid program at some point, as the free version only covers 100 pages.
Where is the documentation held – in your database or in their cloud storage? I don’t know if you will have access to the consent documentation if you are on the free version. In other words, if you decide to leave and try another method, will you be able to take your documentation with you?
It has a configurable banner that displays to first-time visitors, meaning it is already tracking their IP even before consent is given. However, it blocks all other cookies until consent is given.
User Data Request Plugins
These are plugins that allow users to request the data you hold on them.
In my opinion, these types of plugins:
- may be overkill for most U.S. bloggers
- will likely only show the info you hold directly on your site, not at your vendors
- may be a security issue and allow visitors to make changes to your database
If a user requests their info be anonymized, you have 30 days to comply and reply to them.
FYI, seriously consider using a link to your contact form rather than putting your email address on the Privacy Page. That will help cut down on spam. If you do use a plain link, trying to trick bots with the word “at” or “dot” hasn’t worked for years. Bots learned to read that a long time ago. Use a real, working link and install the Email Address Encoder plugin instead. It obfuscates your email address to bots, but humans can read and use it just fine.
Use the following plugins at your own risk, and do your own homework on them!
You need to be super, duper careful about placing such plugins as these on your site!!!!!
This is especially true if you run a membership site or e-comm site.
Some plugins like this allow visitors to change info in your database, including anonymizing personal info related to a purchase. You’ll never know who bought what if they request to do that!
Check to ensure how these plugins allow:
- users to request their info
- users to delete their info
- whether records can be deleted from your database
Here’s what I have found available so far.
- Create and configure cookie notice
- Allow users to enable/disable services that track them
- Allow users to remove all personal data from your site
- Allow users to remove email from Mailchimp service
- Allow admin to delete particular user’s data
- Allows users to request all of the data you are holding on them
- Allows users to erase their data from your site, except your database
- User data held in the database will be anonymized
- Native integration for Gravity Forms, and Contact Form 7
Need More Help?
I will constantly be updating this post as new info and tools become available.
Please check the section you need help with first, to see if it has been updated. You may find your answer quickly.
Due to the legalities of all this, I do not offer a GDPR compliance service. And, I will not respond to “pick my brain, quick question” emails on this topic or reply to them on social media except in the exclusive groups for my site audit and webmaster clients. Everything I know about GDPR is in this post.
But, I sure can help you with site security via an audit! And we can speed things up for you while we’re at it.
Plus, I can help with your secure backup strategy too.
See all of my site services here.
Changelog of Updates
- WordPress 4.9.6 release delayed to May 17, 2018. (at top of post in WP 4.9.6 section)
- MediaVine will provide a pop up for consent. (near bottom of Step 3 section)