GDPR for Bloggers and Why You Need to Make Changes

The new General Data Protection Regulation, or GDPR, is designed to protect privacy but it looks like a nightmare for webmasters in Europe.

By Tim Trott • Privacy & Security • March 14, 2018

The new General Data Protection Regulation, or GDPR, is designed to protect privacy. Still, it could be a nightmare for web admins whose sites deal with EU citizens. The new single data protection law will substantially change Europe's privacy rules, replacing the outdated Data Protection Directive from 1995.

GDPR compliance isn't just for European companies. GDPR applies to businesses of all sizes, regardless of whether you have 1 or 10,000 employees and where you or your company is based. If you offer products and services to European customers, then GDPR will apply to you.

GDPR Doesn't Apply to Me

Something as simple as storing an IP address in your web server logs constitutes processing of a user's personal data, for which you need to obtain permission. Some additional ways in which even a standard WordPress site might collect user data include (but are not limited to):

  • User registrations
  • Comments
  • Contact form entries
  • Analytics and traffic log solutions
  • Any other logging tools and plugins
  • Security tools and plugins

All of these will need to be reviewed for compliance.

How much will it cost?

The biggest change to the law is the increase in the amount of money regulators can fine companies who do not comply - up to 4% of their global turnover or 20 million Euros, whichever is greater.

This threat is certainly big enough to frighten companies into changing their data dealings.

What types of privacy data does the GDPR protect?

  • Basic identity information such as name, address, telephone and ID numbers
  • Web data such as IP address, cookie data and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation

What Do I Have to Do?

There are still no established guidelines on what a website must do to comply with these rules, not even from Google and Facebook. With only a few months left to comply with the new rules, here is what I have determined.

Disclaimer: I'm not a lawyer, and I'm not providing you with legal advice. Contact your legal counsel for help interpreting and implementing the GDPR. This article is only for entertainment purposes and amounts to my interpretation of the GDPR.

If you are unfamiliar with GDPR, here are a few key points. The full text can be viewed on the Information Commissioner's website.

Informed, Explicit Consent

Gaining valid consent is one of the crucial changes GDPR makes to collecting and processing personal data. A website must ask for a visitor's express consent before storing any information about the user, including the IP address. Implied consent is no longer enough, and messages such as "By using this site, you accept cookies" will not comply with the new regulations. Consent must be given via affirmative action, such as clicking an opt-in box or setting preferences. Under GDPR, anything short of a valid consent option does not count as consent.

Freely given consent

You are forbidden to withhold products, services or access to a site or page if a user does not consent, except in cases where the information is strictly necessary. For example, suppose a user does not consent to provide name, address and payment information. In that case, preventing them from placing an order is acceptable. However, it is forbidden to require users to accept tracking cookies to view a site, or to provide an email address to download a free document.

Under the GDPR, consent requires a clear affirmative action and must be demonstrable by the controller.

Specific consent

You cannot just ask a user to accept cookies anymore, as there are various types of cookies. You must ask for separate consent for analytics cookies, session cookies, shopping cart cookies, etc.

This also applies to any personal data you request; you must be specific about what it is used for, and you MUST not use it for any purpose outside that. For example, an email address on a contact form cannot be subscribed to a mailing list. When a user subscribes to a mailing list, you cannot subscribe to further marketing unless you obtain separate consent.

Consent must be made by affirmative action. Pre-ticked boxes or any other method of default consent are not allowed, so at least those pesky "Click here to not receive marketing emails" and "Tick this box to opt-out of data harvesting" checkboxes will be a thing of the past. Hopefully.

Withdrawal of Consent

It must be as easy to withdraw consent as it is to give it. Even after you have gained consent to process an individual's data, it must be easy for them to change their preference. For example, if you ask for consent via an opt-in box, an opt-out must be equally visible.

In summary:

  1. Consent needs to be informed.
  2. Consent is an act that needs to be given by a statement or a clear act.
  3. Consent needs to be freely given.
  4. Consent needs to be specific, per purpose.
  5. Consent needs to be an unambiguous indication.
  6. Consent needs to be distinguishable from other matters.
  7. The request for consent needs to be in clear and plain language, intelligible and easily accessible.

Cookies

Consent must be sought before storing any cookies, so current implied or "opt-out" consent will be increasingly hard to prove as lawful consent under the strengthened requirements of GDPR. This means that most sites showing banners with messages that do not ask for permission, merely asking the user to leave if they do not accept, will fall foul of the new law.

This site uses cookies. By continuing to browse the site, you agree to our use of cookies.

Messages like this will not be compliant, so website owners will have to update their plugin settings and policies to be compliant.

Auditing

The GDPR specifically states that you must be able to prove that you have received consent from an individual.

"Where the processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data." (GDPR Article 7(1))

This means that when a user has consented to provide personal data, a record must be kept of this, which can be audited on request within 30 days.

The ICO also states that we need to:

Keep records to evidence consent - who consented, when, how, and what they were told.

It doesn't give any information about the conditions of the consent. Do we have to record consent and a copy of the entire privacy policy every time someone accepts a cookie? That could be unworkable and costly for many smaller websites. How do we personally identify individuals to record consent if they do not provide names and addresses? Does the IP address uniquely identify an individual? It could be a VPN, proxy, gateway or similar connection.

Privacy Policy

Your privacy policy must include details of what personal data is stored, where it came from, who you share it with, and why you need to store it. Users must be informed about the reason for storing personal information to make an informed consent decision.

You should have procedures to list all individuals' rights, including how to delete personal data or provide data electronically and in a commonly used format. These procedures should be planned and updated to show how requests are handled within the new time scales and provide any additional information.

Do Not Track

For many years now, browsers have been able to send a Do Not Track header, which should prevent tracking cookies and turn off any tracking or analytics. To be clear, Do Not Track means do not track me in any way, shape or form. Another key point of GDPR is that this is now enforceable. If a user sends a Do Not Track header and you track them, you are in breach of GDPR.

How Do I Comply with GDPR?

That is the million-dollar question for which there is no clear-cut answer. As a general rule:

  1. Analyse every inch of your website and identify all the areas where personal data can be recorded. This includes server logs, Analytics, Adsense, comment forms, signups, and registration pages.
  2. Websites must be cookie and logging-free from the beginning. Cookies and data logging can only be stored AFTER you have obtained valid consent.
  3. If a user consents to submit an email address to leave a comment, you CANNOT add that email address to a mailing list.
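The consent rules above (specific per purpose, as easy to withdraw as to give, and evidenced by who consented, when, how and what they were told) together with the Do Not Track header, as an added Python example that is not part of the original article. `ConsentRecord`, `ConsentLedger`, `tracking_allowed` and the field and purpose names are my own choices, and the gate assumes your framework hands you request headers as a dict.

```python
# Added example (not from the article): an append-only consent ledger keeping
# the evidence the ICO asks for (who, when, how, what they were told) per
# purpose, withdrawal as easy as granting, and a gate honouring Do Not Track.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List


@dataclass
class ConsentRecord:
    subject: str         # who: a pseudonymous id you already hold (not the IP)
    purpose: str         # specific purpose, e.g. "analytics_cookies"
    granted: bool        # True = opt-in, False = withdrawal
    method: str          # how: e.g. "checkbox:/signup" (never pre-ticked)
    policy_version: str  # what they were told: privacy policy version shown
    at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


class ConsentLedger:
    """Records are never edited or deleted; the latest one per purpose decides."""

    def __init__(self) -> None:
        self.records: List[ConsentRecord] = []

    def grant(self, subject: str, purpose: str, method: str, policy_version: str) -> None:
        self.records.append(ConsentRecord(subject, purpose, True, method, policy_version))

    def withdraw(self, subject: str, purpose: str, method: str) -> None:
        # Same call shape as grant: withdrawing must not be harder than opting in.
        self.records.append(ConsentRecord(subject, purpose, False, method, ""))

    def has_consent(self, subject: str, purpose: str) -> bool:
        for r in reversed(self.records):  # most recent decision for this purpose wins
            if r.subject == subject and r.purpose == purpose:
                return r.granted
        return False  # never asked, or asked and declined: no consent

    def evidence(self, subject: str) -> List[ConsentRecord]:
        # Everything held about one subject, for an audit or a subject access request.
        return [r for r in self.records if r.subject == subject]


def tracking_allowed(headers: Dict[str, str], ledger: ConsentLedger,
                     subject: str, purpose: str) -> bool:
    """Only set a cookie or fire analytics for `purpose` when this returns True."""
    if headers.get("DNT", "").strip() == "1":  # Do Not Track overrides any consent
        return False
    return ledger.has_consent(subject, purpose)  # consent is per purpose, never pooled
```

Consent granted for one purpose never unlocks another, and a DNT: 1 request is refused before the ledger is even consulted.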

Google Analytics

Before you think that somehow Google will look after the GDPR side for you - think again. Google is certainly taking steps to be GDPR compliant, but remember that using Google doesn't erase your own GDPR responsibilities.

If you use Google Analytics, you are using analytics cookies to process the personal data of your website visitors. To anonymise the IP address for all hits sent from a single tracker, add the following to your tracking code to set the anonymizeIp field to true on the tracker. This will make sure you are not collecting any identifiable IPs.

```javascript
ga('set', 'anonymizeIp', true);
```

I've yet to obtain a clear, definitive response to my queries as to whether this is all that is required for analytics to be compliant.

Google Adsense

Google Adsense is a potential minefield. As of this update on 22 May 2018, Google's information is limited, their "workaround" does not work as intended, and I've yet to receive a reply to my queries.

Google states that you can opt out of personalised, or interest-tracking, adverts across your account in the settings. This should show basic adverts based on the page's content, as Adsense used to do. This does not work; targeted adverts are still served, and adverts still set multiple cookies. Both of these violate GDPR, so I have blocked adverts, required consent, and then shown them. Closer to the deadline, Google will fix these issues.

Server Logs

I have found no practical solution here except to turn off logging entirely. Server logging is unconditional, meaning it cannot be turned off for some and on for others.

From what I can tell, you are allowed to collect and store personal data as part of web server logs to detect and prevent fraud and unauthorised access and maintain the security of your systems.

The processing of personal data to the extent strictly necessary and proportionate to ensure network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping 'denial of service' attacks and damage to computer and electronic communication systems.

Recital 49 (excerpt)

If you don't have a legitimate need to store these logs, you should turn off logging on your web server.
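The anonymizeIp setting above and the security logs you retain under Recital 49 share one data-minimisation step: keep the log line, drop the part of the address that identifies a person. The following is an added Python example, not code from the article or from Google, that applies the same truncation Google documents for anonymizeIp (last octet of IPv4, last 80 bits of IPv6 set to zero) to Combined Log Format lines; the sample log lines are constructed and the function names are my own.

```python
# Added example (not from the article): anonymise client IPs in existing
# access-log lines the way Google's anonymizeIp does (IPv4 last octet and
# IPv6 last 80 bits zeroed) so security logs keep their Recital 49 value
# without retaining a full identifier. Sample lines below are constructed.
import ipaddress
import re
from typing import List

# Combined Log Format starts with the client address followed by a space.
_CLIENT_IP = re.compile(r"^(\S+) ")


def anonymise_ip(addr: str) -> str:
    """Truncate like GA anonymizeIp: IPv4 -> /24 network, IPv6 -> /48 network."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def anonymise_log_line(line: str) -> str:
    """Replace the leading client address; leave a malformed line untouched."""
    m = _CLIENT_IP.match(line)
    if not m:
        return line
    try:
        return anonymise_ip(m.group(1)) + line[m.end(1):]
    except ValueError:  # not an IP (e.g. '-' when the address was not logged)
        return line


def anonymise_log(lines: List[str]) -> List[str]:
    return [anonymise_log_line(line) for line in lines]


# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.77 - - [22/May/2018:10:15:32 +0000] "GET /gdpr HTTP/1.1" 200 5123',
    '2001:db8:abcd:1234:5678:9abc:def0:1 - - [22/May/2018:10:15:40 +0000] "GET /feed HTTP/1.1" 200 812',
    '- - - [22/May/2018:10:16:01 +0000] "GET /robots.txt HTTP/1.1" 404 209',
]

if __name__ == "__main__":
    for out in anonymise_log(SAMPLE_LOG):
        print(out)
```

Run it over a log already on disk (or pipe the access log through it before it is written) and the request, status and timestamp needed for abuse detection survive while the address no longer points at one person.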

Further Reading

  1. Guide to the General Data Protection Regulation
  2. Preparing for the GDPR
  3. General Data Protection Regulation
  4. The GDPR cookie consent and customer centric privacy
  5. Google Analytic and GDPR - Is it compliant?
  6. GDPR compliance tools in WordPress
  7. GDPR - Guide to Compliance

Conclusion

GDPR is a complex regulation; your organisation must develop the right roadmap to comply.

While this post focuses on Google Analytics, these steps also apply to other digital analytics and marketing vendors. Each organisation is different, and there is certainly more that you'll need to do to comply, so we'd love to hear about your challenges.

Please share your tips, concerns, and questions in our comments section below to continue the conversation about how to progress towards GDPR compliance.
