GDPR for bloggers
I had originally had my posts all set and planned out for this week, but after seeing so much misinformation being spread online about GDPR for bloggers, I really needed to step in. Unfortunately for everyone I know, I am not rendered speechless much, but after reading some of the absolute nonsense online I really was. In case anyone wonders why I class myself as such an authority on this, I work as a programmatic media buyer for an advertising agency – so I have had to familiarise myself with GDPR pretty well. So here are some of the main ways GDPR for bloggers is going to come into play.
Mailing lists are a wonderful addition to blogs. I love getting an email to say someone has subscribed.
“So and so has recently subscribed to your blog”
So I go in and have a look to find the person and then subscribe back. One thing I noticed a while ago though, was that I didn’t get given their actual email address.
Funny that isn’t it?
That is because WordPress hold their data. When I update my site and add in my subscribe button, that is where my responsibility ends. Think about it. Do you ever recall seeing a huge list of email addresses, IP addresses and names of people subscribing to your blog? No. That is because you do not own this data. WordPress or Blogger or whoever you host your blog with own the data. Unless you go around with a pen and pad collecting email addresses and then manually keep them on a spreadsheet and email your blogs to everyone personally every time you write one – you are NOT the data controller. Big companies like WordPress, Google and Blogger will already have appointed their data controllers, be well aware of how GDPR will apply to them and be working hard on updating their privacy policies.
If you are using WordPress.org or another blogging website, it is more than likely they still hold all of the information like email addresses and IPs in their platform. Therefore, it is their responsibility to keep it safe. Unless you actively put a retargeting pixel on your WordPress page or blog you do not need to warn users about cookies, because you are not collecting any.
Just because you put that box on your blog it does not mean that you own the data. You don’t. Data is valuable and companies are not that stupid. Comments are the same. Although you are given the email and IP of anyone who comments – this is information that is stored and kept secure by WordPress.
Cookies, IP Addresses, Adverts etc
This is where it gets a bit harder to explain. The reason big publishers are making so much noise about GDPR is because it is going to impact their advertising revenue. But this is because advertising on huge websites like the Daily Mail works in a COMPLETELY different way to affiliate or throwing in some Adsense on your blog.
Although programmatic is what I do day to day I still find it hard to explain. I am going to try my hardest so that you all understand the difference between being a data controller and not being one.
So say I’m the Daily Mail right?
First of all, sorry for all of the shit I print.
Second of all, I have all of this lovely advertising space on my website to sell. Let’s take the big banner at the top above Kim Kardashian’s tits. You see, that one is classed as “above the fold” so is worth quite a bit.
But how on earth do I sell this?
Not many internet users are savvy to this, but there are things working in the background called ad exchanges. An ad exchange is basically a way for people and companies to buy and sell advertising space online.
So the Daily Mail use something called an SSP (supply side platform) and put their little banner space out to the open real-time bidding exchange for people using DSPs (demand side platforms) to bid on that space. Whoever wins the auction gets the space and the advert is shown. This all happens in milliseconds before the page has even loaded.
Now have you ever been browsing about on the internet and thought “HOLY SHIT HOW DID THEY KNOW I WAS LOOKING AT HOLIDAYS TO MARBELLA?”.
This is all down to cookies. Say I am a holiday website. You have clicked on my advert on the Daily Mail website, visited me but not booked anything. Good job I have set up a pixel on my website that collects a cookie when you visit. This now means that when I am buying my advertising space on the open exchange I can actually select to retarget you as someone who has visited my site before.
Clever stuff isn’t it? But why am I telling you this?
I am telling you this to show you that if you use Adsense or another third party to monetise you are in NO WAY obligated to register as a data controller. GDPR is meant to regulate huge publishers that sell their advertising inventory on the open exchange, and big brands and ad agencies that bid for the space. Unless, as a blogger, you are selling impressions on the open ad exchange through an SSP (which if you are I salute because you need a LOT of traffic to make that financially viable), then you are not the data controller.
If you use Adsense, it will be Google that collect the data, Google that store it, and ultimately Google who decide what to do with it. It is the same with WordPress and Blogger. WordPress and Blogger collect cookies from people visiting your site and are ultimately responsible for how they process it and what they do with it. Blog hosting sites are not stupid. The data of the people having a nosey around your blog is a lot more useful to them than it is to you – trust me, they wouldn’t let you be in control of it for all the tea in China.
Cookie Consent and you as a processor
Ultimately, the owner of any of the cookie data is going to be companies like WordPress. You as a blogger won’t have access to the back end data management platform that stores all of the PII. This means that WordPress, or affiliate sites you use like Rakuten, are the data controller. As a publisher, the highest authority you will have is that of a data processor. This means all you need to do to make your blog compliant is make people aware that cookies are used, how, and give them the opportunity to opt out. It is the data controller’s responsibility to action the right to be forgotten. If someone contacts you and asks this, be ready to contact the company collecting the cookies to get this actioned, or forward on their details to the user.
When it comes to GA, again there is no backend that you can log in to that works like a data management platform. Google hold and are responsible for the safety of all of this data. Getting a cookie consent tool set up is a great way to make sure you are covered. All you need to do is tell people what they are being tracked for and why. I’ll be adding a page to my own blog that explains what trackers are on my site and why they are there, along with links for users to log out.
There are a number of different cookie consent plug-ins that have been created for WordPress. WordPress are well aware of the effects of GDPR for bloggers so they have been planning for this for some time.
Competitions, Giveaways, Email List Etc
Again, if you are using a third party plug-in to collect any data from competitions, giveaways and email lists this falls down to them. You only need to register as a data controller if you go around manually saying to someone “give me your email address”, then adding it on to a spreadsheet and using it for something in the future.
If email addresses are collected through Mailchimp or another third party plug-in or widget then they need to comply with GDPR. All of these companies have been aware of GDPR for years and have been hard at work preparing for it. It’s the same for your Gmail. If you have a list of contacts or emails in your Gmail this is in a securely hosted platform. Gmail would have thought about how GDPR affects them a LONG time ago and will be putting policies and procedures into place to make sure they comply.
(If you want to learn more about affiliate in general – I have written a digital marketing terms guide here)
Retargeting is where it gets a little bit more interesting. Say that I want to show paid ads for my blog to people who have visited my site before. I would implement a Facebook pixel to drop a cookie on the user’s browser so that I can retarget them. In this instance – I still do not have access to the back end to see the cookie data, IPs or any other Personally Identifiable Information. This means that Facebook are still ultimately the controller. However, in this case, as you are ACTIVELY collecting the data yourself as a processor, you will need to build a consent model into your blog.
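One way to build the consent model described above, as an added example that is not the author's code or any plug-in's: the retargeting script is only injected after the visitor opts in to a "marketing" category. The cookie name `blog_consent`, the category names and the pixel URL are hypothetical placeholders.

```javascript
const CONSENT_COOKIE = "blog_consent";            // hypothetical cookie name
const PIXEL_SRC = "https://pixel.example/tag.js"; // placeholder, not a real vendor URL

// Parse a document.cookie string ("a=1; b=2"), skipping malformed parts.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const i = part.indexOf("=");
    const name = i > 0 ? part.slice(0, i).trim() : "";
    if (!name) continue;
    try { out[name] = decodeURIComponent(part.slice(i + 1).trim()); }
    catch { out[name] = ""; } // undecodable value counts as no consent
  }
  return out;
}

// Default deny: no recorded choice means the category is not allowed.
function hasConsent(cookieString, category) {
  const value = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!value) return false;
  return value.split(",").map((s) => s.trim()).includes(category);
}

// Cookie string that records the visitor's choice (categories they accepted).
function consentCookie(categories, days = 180) {
  const value = encodeURIComponent(categories.join(","));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${days * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Inject the pixel script once, and only if "marketing" was accepted.
function loadPixelIfAllowed(doc) {
  if (!hasConsent(doc.cookie, "marketing")) return false;
  if (doc.getElementById("retarget-pixel")) return true;
  const s = doc.createElement("script");
  s.id = "retarget-pixel";
  s.async = true;
  s.src = PIXEL_SRC;
  doc.head.appendChild(s);
  return true;
}

// Call from the banner's Accept / Reject buttons.
function recordChoice(doc, categories) {
  doc.cookie = consentCookie(categories);
  return loadPixelIfAllowed(doc);
}

// On page load in a browser: returning visitors who opted in get the pixel.
if (typeof document !== "undefined") loadPixelIfAllowed(document);
```

Recording a later opt-out stops the script loading on subsequent page views; a script already injected stays on the current page until it is reloaded.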
The Bottom Line
I honestly can’t believe how much scaremongering has gone on and how worried bloggers are becoming over this. Any data collected through WordPress, Blogger etc like emails isn’t actually collected by you as an individual, it is collected by them as a company. They are the data controller, and you are merely a processor, if anything.
Also when GDPR comes in they are going to have a lot bigger fish to fry with publishers and advertisers that are non-compliant to be worrying about people like bloggers. Unless WordPress, Blogger etc make a massive, MASSIVE error with their own compliance, GDPR will not affect you.
Please PLEASE can you just all calm your tits about this and stop thinking you have to register as a data controller. If anyone is still worried and wants a more detailed explanation of how it all works, feel free to reach out on Twitter.
Handy Privacy Policies
If you are going to take GDPR seriously as a blogger you may also consider getting a guide to ensure you understand the implications it will have on your online activity. Link: EU GDPR: A Pocket Guide