At the end of May 2018, the EU’s General Data Protection Regulation (GDPR) came into effect — and it’s something every blogger needs to take seriously. These are the new rules for anyone collecting personal data within the EU, such as email addresses, IP addresses, and more. If you’re one of the many bloggers still trying to figure out what GDPR means for you, this guide is for you.
So does this new regulation apply to bloggers too? Yes, without exception.
“Apparently I have to email all my readers again to re-subscribe to my mailing list? And I’m supposedly not allowed to collect cookies anymore?!”
The internet is full of apocalyptic scenarios like these, but GDPR really isn’t that scary. You just need to work through it step by step. We’ve put together a guide on what to change on your blog to comply with the new regulation. We’ll also advise you on what to do with your existing email subscribers.
DISCLAIMER. We are not lawyers or data protection experts. Everything you read here is simply our interpretation of the GDPR regulation, from a blogger’s perspective. When gathering information, we relied on the regulation itself and how others have handled it. We reviewed several large and small bloggers and online businesses and their approaches to GDPR compliance. Don’t take this article as gospel — treat it as a guide to help you navigate GDPR in your specific situation. Right, let’s get into it!
The purpose of GDPR is to give the customer (or in a blogger’s case, the reader) greater control over their data. So the more transparent you are about how you process data, and the more control you give your readers, the more likely you are to meet all the requirements.
What Data Do Bloggers Collect from Readers
When the EU talks about data processing, they mean any data you collect about users and the ways you handle it. Personal data refers to information that can directly or indirectly identify a reader — names, addresses, phone numbers, emails, but also IP addresses and other identifiers. So if you do or have any of the following on your blog, GDPR applies to you:
- You collect email addresses — e.g. you send newsletters
- You have comments enabled on posts (especially on WordPress)
- You track user behaviour, e.g. with Google Analytics
- You have a contact form on your blog
- You use plugins that collect user data
- You run competitions and giveaways
#1 Use Checkboxes (or Another Form of Consent) Whenever a Reader Provides Data
Whenever you collect personal data from a reader, you must do so with their explicit consent. It must also be clear at the point of data collection what you’ll be using the information for. So if a reader gives you their email to receive updates, they must explicitly agree that they want to receive those updates from you.
The simplest option is to add a checkbox that gives you clear consent from the reader. It’s a bit tedious, but it covers you on all fronts. Here’s what it looks like on our site, Loudavým Krokem:

A second option is to build the consent directly into the button. For example, when signing up for a course, you confirm consent by clicking the sign-up button itself.

SAMPLE TEXT
To make things even easier, we’ve prepared a sample consent text for you. Replace the dots with a list of what you’ll be sending readers by email, and link the last sentence to your privacy policy. (You can download a privacy policy template in just a moment.)
SAMPLE CONSENT TEXT: By clicking “I agree…”, you consent to receiving ……………. If you no longer wish to receive emails, you can unsubscribe and withdraw this consent at any time via the unsubscribe link in every email. Read more about our privacy policy here.
If you collect data using standard WordPress forms, the WP GDPR Compliance plugin will do the job. If you collect emails through Mailchimp, ConvertKit, or other services, you’ll find solutions built into their platforms.
The game plan is simple: for every reader, you need a record of how and when they gave you consent to receive emails.
#2 If You Want to Be Fully Covered, Use Double Opt-In to Confirm Consent
Although GDPR doesn’t explicitly require it, having a double opt-in is highly recommended. After someone signs up for your newsletter or a course, you send them a confirmation email with a button they need to click to confirm they actually want to hear from you. If they don’t confirm, they don’t get added to the list. Why is this useful?
- You get double confirmation of consent to receive messages
- You can be sure the reader is genuinely interested in your content
- If they made a typo in their email address, you won’t end up with a useless entry in your database
Here’s what a double opt-in email looks like:

Only after clicking the confirmation button is the email added to the database and the email sequence triggered. Personal data of users who don’t give consent must be deleted from your database without undue delay.
#3 Prepare a GDPR-Compliant Privacy Policy and Publish It on Your Website
Creating a privacy policy is what people dread the most. But you don’t need to worry — we’ve prepared a template that you just need to fill in with your own details. Here’s what ours looks like. You need to create a privacy policy for every blog you run and place it in your menu (a dropdown works fine). What goes into a privacy policy:
- Who you’ve designated as the data controller
- What data you process and for what purpose
- Who else you share the data with
- How you protect the data
- Readers’ rights
In our template document, we’ve highlighted where you need to fill in your own details, and the comments explain exactly what to write. 🙂

#4 Let Your Existing Subscribers Know You’re GDPR Compliant, or Request Their Consent
Now we’re getting to the crux of the matter. You probably have dozens, hundreds, or maybe even thousands of emails in your database. So what do you do with them? Should you send everyone a new registration form to re-confirm consent? Or can you leave it as is? It depends on how well you’ve been collecting emails up until now.
- You collected emails for a specific purpose and you’ve kept your word
If you’ve been collecting emails in a way that already aligns with GDPR requirements, you don’t need to ask for consent again. GDPR-compliant collection means you can demonstrate when, how, and for what purpose a reader gave their consent and provided their email. In that case, we believe it’s sufficient to simply let your existing subscribers know:
- How you obtained their data (where they signed up)
- What you use the data for (what you send them)
- That you now process data in accordance with GDPR
- How they can unsubscribe
Here’s how we handled it:

- You collected emails through generic forms (or other means), or you send content that readers didn’t sign up for, or you didn’t meet other requirements during collection
If you’ve got a guilty conscience because you either didn’t obtain emails with explicit consent, or you’ve been blasting all sorts of emails to your entire database, you’ll need to get explicit consent from every single reader — if you want to keep emailing them.
This was actually our situation. On Loudavým Krokem, we primarily collected emails through competitions and travel giveaways, and we never explicitly told readers that by entering a competition they were also subscribing to our newsletter. So we asked them to consent to everything we planned to send them:

After clicking through, they land on a page where they need to tick a box explicitly confirming their consent.

#5 If You Tag Readers and Collect Emails from Multiple Forms, Plan Your Structure
Integrating GDPR into our form structure wasn’t easy, because we use quite a few forms. We have several interest categories that readers can sign up for, and we gradually tag all our subscribers (we assign labels, and then send targeted content based on them).
Some readers are interested in cryptocurrency, others in online marketing or online business. If someone signs up for a cryptocurrency course, under GDPR you can’t just send them an article about promoting your blog on Instagram. That’s why it’s important to track who gave you consent for what. We recommend drawing yourself a map that’s easy to follow. Here’s ours:

As you can see, we added GDPR double opt-ins to all entry forms through which a reader can sign up to our email database.
#6 “Legitimate Interest” and How to Work With It
Within GDPR, there’s a concept called “legitimate interest,” a separate lawful basis for processing that, in some cases, lets you send emails without asking for consent first.
For example, if someone purchases a travel mug from your shop, you can reasonably assume they’ll be interested in news from your store, and add them to your newsletter. This falls under legitimate interest for the purpose of direct marketing.
However, be careful with legitimate interest — its definition is vague, and in our opinion, it’s better to use it as sparingly as possible. Instead, explicitly request consent for sending communications.
#7 Using Cookies and Tools Like Google Analytics
If you use analytics tools to track user behaviour on your blog, such as Google Analytics, GDPR applies to you here as well.
When a reader visits your website for the first time, Google Analytics sets cookies in their browser that help Google track the user’s activity across visits. Those cookies hold identifiers (such as a client ID) that count as personal data, because they can potentially be used to identify the reader indirectly.
For this reason, you must inform visitors that you collect cookies. And not just that — they also need to know what data you collect, what you use it for, and how they can get rid of the cookies.
The easiest approach is to use a plugin (if you’re running WordPress):
You must also include information about cookies in your privacy policy.
#8 Readers Can Request All the Information You Process About Them
Under GDPR, users now have a “right of access” to the information you hold about them.
Make sure you can actually access this information. Not only will you need to be able to export logs showing when and how a user subscribed and what emails you sent them, but also information about their activity on your site — for example, from Google Analytics.
Fortunately, Google has prepared tools you can use for this, including the ability to delete collected data about any individual user.
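Steps #1, #2, #5 and #8 together describe one record-keeping problem: store proof of when and how each reader consented, activate the address only after the double opt-in click, drop requests that are never confirmed, scope consent to the purpose the reader actually agreed to, and be able to hand a reader everything you hold about them. The following is an added example, not code from Loudavým Krokem, WordPress or any mailing-list plugin. It assumes an in-memory ledger (a real blog would persist this in its database), a 48-hour confirmation window, and the record fields shown; all sample addresses and form names are constructed.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone

# Assumed, not from the article: a confirmation link stays valid for 48 hours.
CONFIRM_WINDOW = timedelta(hours=48)


class ConsentLedger:
    def __init__(self, secret):
        self._secret = secret   # server-side key used to hash confirmation tokens
        self._pending = {}      # hmac(token) -> request awaiting confirmation (in-memory here)
        self._consents = {}     # email -> {purpose: confirmed record}
        self._events = []       # append-only audit trail: who agreed to what, and when

    def _key(self, token):
        # Only a keyed hash of the token is stored, so a copied database
        # does not contain usable confirmation links.
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def _log(self, email, action, when, purpose):
        self._events.append({"email": email, "action": action,
                             "purpose": purpose, "at": when.isoformat()})

    def request(self, email, purpose, source_form, consent_text, when=None):
        """Step 1: the reader ticks the box. Record what they agreed to; return the link token."""
        when = when or datetime.now(timezone.utc)
        token = secrets.token_urlsafe(32)
        self._pending[self._key(token)] = {
            "email": email, "purpose": purpose, "source_form": source_form,
            "consent_text": consent_text, "requested_at": when,
        }
        self._log(email, "consent_requested", when, purpose)
        return token

    def confirm(self, token, when=None):
        """Step 2: the click on the confirmation button. Only now does the email join the list."""
        when = when or datetime.now(timezone.utc)
        req = self._pending.pop(self._key(token), None)   # single use: removed either way
        if req is None:
            return False                                  # unknown, reused or purged token
        if when - req["requested_at"] > CONFIRM_WINDOW:
            self._log(req["email"], "confirmation_expired", when, req["purpose"])
            return False                                  # stale link: nothing is activated
        req["confirmed_at"] = when
        self._consents.setdefault(req["email"], {})[req["purpose"]] = req
        self._log(req["email"], "consent_confirmed", when, req["purpose"])
        return True

    def purge_unconfirmed(self, when=None):
        """Drop requests whose window has passed: no confirmation means no data is kept."""
        when = when or datetime.now(timezone.utc)
        stale = [k for k, r in self._pending.items()
                 if when - r["requested_at"] > CONFIRM_WINDOW]
        for k in stale:
            r = self._pending.pop(k)
            self._log(r["email"], "unconfirmed_purged", when, r["purpose"])
        return len(stale)

    def may_send(self, email, purpose):
        """Check before every send: consent is scoped to the purpose the reader agreed to."""
        return purpose in self._consents.get(email, {})

    def withdraw(self, email, purpose, when=None):
        """Unsubscribe link: remove consent for one purpose; the audit trail keeps the history."""
        when = when or datetime.now(timezone.utc)
        if self._consents.get(email, {}).pop(purpose, None) is None:
            return False
        self._log(email, "consent_withdrawn", when, purpose)
        return True

    def export_for(self, email):
        """Right of access: everything held about one reader, as JSON you can send them."""
        active = {p: {k: v.isoformat() if isinstance(v, datetime) else v for k, v in r.items()}
                  for p, r in self._consents.get(email, {}).items()}
        history = [e for e in self._events if e["email"] == email]
        return json.dumps({"active_consents": active, "history": history},
                          indent=2, ensure_ascii=False)


def demo_scenario():
    """Constructed walk-through; returns the checks a practitioner would want to verify."""
    t0 = datetime(2018, 5, 25, 10, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger(b"replace-with-a-real-server-secret")
    text = "By clicking I agree, you consent to receiving the cryptocurrency course emails."
    tok = ledger.request("reader@example.com", "crypto_course", "crypto-landing", text, when=t0)
    r = {"before_confirm": ledger.may_send("reader@example.com", "crypto_course")}
    r["bad_token"] = ledger.confirm("not-a-real-token", when=t0)
    r["confirmed"] = ledger.confirm(tok, when=t0 + timedelta(hours=1))
    r["reused_token"] = ledger.confirm(tok, when=t0 + timedelta(hours=1))
    r["crypto_ok"] = ledger.may_send("reader@example.com", "crypto_course")
    r["instagram_ok"] = ledger.may_send("reader@example.com", "instagram_tips")
    late = ledger.request("late@example.com", "newsletter", "giveaway-form", text, when=t0)
    r["late_click"] = ledger.confirm(late, when=t0 + timedelta(hours=49))
    ledger.request("silent@example.com", "newsletter", "giveaway-form", text, when=t0)
    r["purged"] = ledger.purge_unconfirmed(when=t0 + timedelta(days=3))
    r["withdrawn"] = ledger.withdraw("reader@example.com", "crypto_course", when=t0 + timedelta(days=1))
    r["after_withdraw"] = ledger.may_send("reader@example.com", "crypto_course")
    r["history"] = [e["action"] for e in json.loads(ledger.export_for("reader@example.com"))["history"]]
    return r
```

The design choices worth noticing: the pending table never holds the raw token, so leaking the database does not let anyone confirm subscriptions; a token is popped on first use, so a stale or replayed link activates nothing; `may_send` is checked per purpose, which is what keeps a cryptocurrency-course subscriber from receiving Instagram tips; and the audit trail is append-only, so the export for a reader still shows when consent was given and withdrawn even after the active record is gone.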
Summary
GDPR isn’t as terrifying as it seems. It actually helped us organise our email databases, improve their security, and clean out inactive subscribers. So what steps should bloggers take to ensure GDPR compliance?
- Write a privacy policy
- Have explicit consent for data processing for a specific purpose from every contact
- Be able to demonstrate when and how each reader gave consent
- Include information about third-party data processors in your privacy policy
Our Template to Help You Create Your GDPR Document
We don’t want to keep the information we spent hours putting together just for ourselves. So we’ve prepared a detailed document with a privacy policy template (GDPR) that you simply fill in and you’re done. It’s packed with notes and explanations, so even a complete beginner won’t get lost. 👇