GDPR for Bloggers and Why You Need to Make Changes

The new General Data Protection Regulation, or GDPR, is designed to protect privacy but it looks like a nightmare for webmasters in Europe.

The new General Data Protection Regulation, or GDPR, is designed to protect privacy, but it looks like it could be a nightmare for webmasters whose sites have dealings with citizens of the EU. The new single data protection act will make major changes to all of Europe's privacy laws and will replace the outdated Data Protection Directive from 1995.

GDPR compliance isn't just for European companies. GDPR applies to businesses of all sizes, regardless of whether you have 1 or 10,000 employees, and regardless of where you or your company is based. If you offer products and services to customers located in Europe, then GDPR will apply to you.

GDPR Doesn't apply to me

A simple operation of storing an IP address on your web server logs constitutes processing of the personal data of a user, for which you need to obtain permission. Some additional ways in which even a standard WordPress site might collect user data include (but are not limited to):

• User registrations
• Comments
• Contact form entries
• Analytics and traffic log solutions
• Any other logging tools and plugins
• Security tools and plugins

All of these will need to be reviewed for compliance.

How much will it cost?

The biggest change to the law is the increase in the amount of money regulators can fine companies who do not comply - up to 4% of their global turnover or 20 million Euros, whichever is greater.

This threat is certainly big enough to frighten companies into changing their data dealings.

What types of privacy data does the GDPR protect?

Basic identity information such as name, address, telephone and ID numbers

• Web data such as IP address, cookie data and RFID tags
• Health and genetic data
• Biometric data
• Racial or ethnic data
• Political opinions
• Sexual orientation

What Do I have to Do?

There are still no established guidelines of what a website would need to do to comply with these rules, including from the likes of Google and Facebook. With only a few months left to comply with the new rules, here is what I have been able to determine.

If you are not familiar with GDPR here are a few key points to consider. The full text can be viewed on the Information Commissioners website

Informed, Explicit Concent

Gaining valid consent is one of the crucial changes that GDPR is making to the collection and processing of personal data. A website must ask for a visitor's express consent before storing any information about the user, including IP address. Implied Consent is no longer enough and messages such as "By using this site, you accept cookies" will not comply with the new regulations. Consent must be given via affirmative action, such as clicking an opt-in box or setting preferences. Under GDPR if there's no valid consent option it does not count as consent.

Freely given consent

You are forbidden to withhold products, services or access to a site or page if a user does not give consent, except in such cases where such information is strictly necessary. For example, if a user does not consent to provide name, address and payment information then it is acceptable to prevent them from placing an order. It is however forbidden to require users to accept tracking cookies to view a site or to provide an email address to download a free document.

Under the GDPR, consent requires a clear affirmative action and must be demonstrated by the controller

Specific concent

You cannot just ask a user to accept cookies anymore as there are various types of cookies. You must ask for separate consent for analytics cookies, session cookies, shopping cart cookies and so on.

This also applies to any personal data you ask for, you must be specific about what it is used for and you MUST not use it for any purpose outwith that. For example, an email address on a contact form cannot be subscribed to a mailing list, and when a user subscribes to a mailing list you cannot then subscribe them to further marketing unless you obtain separate consent.

Consent must be made by affirmative action. Pre-ticked boxes or any other method of default consent are not allowed, so at least those pesky "Click here to not receive marketing emails" and "Tick this box to opt-out of data harvesting" checkboxes will be a thing of the past. Hopefully.

Withdrawl of Consent

It must be as easy to withdraw consent as it is to give it. Even after you have gained consent to process an individual's personal data it must be easy for them to change their preference. If you ask for consent via an opt-in box, for example, an opt-out must be equally visible.

In summary:

1. Consent needs to be informed.
2. Consent is an act: it needs to be given by a statement or by a clear act.
3. Consent needs to be freely given.
4. Consent needs to be specific, per purpose.
5. Consent needs to be an unambiguous indication.
6. Consent needs to be distinguishable from other matters.
7. The request for consent needs to be in clear and plain language, intelligible and easily accessible

Cookies

Consent must be sought before storing any cookies, so current implied, or "opt-out" consent will be increasingly hard to prove as lawful consent under the strengthened requirements of GDPR. This means that the majority of sites that currently show banners with messages which do not ask for permission, merely ask the user to leave if they do not accept will fall foul of the new law.

This site uses cookies. By continuing to browse the site, you are agreeing to our use of cookies.

Messages like this will not be compliant, so website owners will have to update their plugin settings and policies to be compliant.

Auditing

The GDPR specifically state that you must be able to prove that you have received Consent from an individual.

"Where the processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data."[GDPR Article 7, Paragraph (1)]

This means that when a user has consented to provide personal data, a record must be kept of this, which can be audited on request within 30 days.

The ICO also states we need to:

Keep records to evidence consent - who consented, when, how, and what they were told.

It doesn't really give any information about what conditions the consent is recorded. Do we have to record consent, along with a copy of the entire privacy policy every time someone accepts a cookie? That could be unworkable and costly for many smaller websites. How do we personally identify an individual to record consent if they do not provide names and addresses, e.g. server logs - IP address may or may not be unique to an individual. It could be a VPN, proxy, gateway or similar connection.

Privacy Policy

Your privacy policy must include details of what personal data is stored, where it came from, who you share it with and crucially why you need to store it. Users must be informed as to the reason for storing personal information so that they can make an informed consent decision.

You should have procedures to list all the rights individuals have, including how to delete personal data or provide data electronically and in a commonly used format. These procedures should be planned and updated to show how requests are handled, within the new time scales, and provide any additional information.

Do Not Track

For many years now browsers have had a facility where they can send a Do Not Track header which should, in theory, prevent tracking cookies and disable any tracking or analytics. To be clear, Do Not Track means do not track me in any way shape or form. Another key point of GDPR is that this is now enforceable. If a user sends a Do Not Track header, and you track them, you are in breach of GDPR.

How do I Comply with GDPR

That is the million-dollar question for which there is no clear-cut answer. As a general rule:

1. Analyse every inch of your website and identify all the areas where personal data can be recorded. This includes server logs, Analytics, Adsense, comment forms, signups, and registration pages.
2. Websites need to be cookie and logging-free from the very beginning. Storage of cookies and logging of data can only occur AFTER you have obtained valid consent.
3. If a user consents to submit an email address to leave a comment, you CANNOT add that email address to a mailing list.

Google Analytics

Before you think that somehow Google will look after the GDPR side of things for you - think again. Google is certainly taking steps to be GDPR compliant but remember that using Google doesn't erase your own GDPR responsibilities.

If you use Google Analytics, you use the analytical cookies to process the personal data of your website visitors. To anonymize the IP address for all hits sent from a single tracker, add the following to your tracking code to set the anonymizeIp field to true on the tracker, this would make sure you are not collecting any identifiable IPs.

ga('set', 'anonymizeIp', true);

I've yet to obtain a clear definitive response to my queries that this is all that is required for analytics to be compliant.

Google Adsense

Google Adsense is a potential minefield. As of writing update on 22 May 2018, Google's information is limited, their "workaround" does not work as intended and I've yet to receive a reply to my queries.

Google state that you can opt out of personalised, or interest tracking, adverts across your account in the settings. This, according to my understanding, should show basic adverts based on the content of the page, like Adsense used to do. In practice this does not work, targetted adverts are still served and adverts still set multiple cookies. Both of these violate GDPR so for the time being, I have blocked adverts, require consent and then shown them. Hopefully, closer to the deadline Google will fix these issues.

Server Logs

I have found no practical solution here except to disable logging entirely. Server logging is unconditional, meaning it cannot be turned off for some and on for others.

From what I can tell you are allowed to collect and store personal data as part of web server logs to detect and prevent fraud and unauthorized access and maintain the security of your systems.

The processing of personal data to the extent strictly necessary and proportionate to ensure network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping 'denial of service attacks and damage to computer and electronic communication systems.

Recital 49 (excerpt)

If you don't have a legitimate need to store these logs you should disable logging on your web server.

Further Reading

1. Guide to the General Data Protection Regulation
2. Preparing for the GDPR
3. General Data Protection Regulation
4. The GDPR cookie consent and customer centric privacy
5. Google Analytic and GDPR - Is it compliant?
6. GDPR compliance tools in WordPress
7. GDPR - Guide to Compliance

Conclusion

GDPR is a complex regulation and your organization must develop the right roadmap towards becoming compliant.

While the focus of this post is Google Analytics, these steps also apply towards other digital analytics and marketing vendors. Each organization is different and there are certainly more than you'll need to do for compliance, so we'd love to hear about your challenges.

Please share your tips, concerns, and questions in our comments section below to continue the conversation about how to progress towards GDPR compliance.