What Does GDPR Mean For Bloggers?

How will GDPR affect Bloggers

 GDPR for bloggers

I had originally had my posts all set and planned out for this week, but after seeing so much mis-information being spread online about  GDPR for bloggers, I really needed to step in. Unfortunately for everyone I know I am not rendered speechless much, but after reading some of the absolute nonsense online I really was. In case anyone wonders why I class myself as such an authority on this I work as a programmatic media buyer for an advertising agency – so I have had to familiarise myself with GDPR pretty well. So here are some of the main ways GDPR for bloggers is going to come into play.

Mailing lists are a wonderful addition to blogs. I love getting an email to say someone has subscribed.

“So and so has recently subscribed to your blog”

So I go in and have a look to find the person and then subscribe back. One thing I noticed a while ago though, was that I didn’t get given their actual email address.

Funny that isn’t it?

That is because WordPress hold their data. When I update my site and add in my subscribe button that is where my responsibility ends. Think about it. Do you ever recall seeing a huge list of email, IP addresses and names of people subscribing to your blog? No. That is because you do not own this data. WordPress or Blogger or whoever you host your blog with own the data. Unless you go around with a pen and pad collecting email addresses and then manually keep them on a spreadsheet and email your blogs to everyone personally every time you write one – you are NOT the data controller. Big companies like WordPress, Google and Blogger will already have appointed their data controllers, be well aware of how GDPR will apply to them and be working hard on updating their privacy policies.

If you are using WordPress.org or another blogging website, it is more than likely they still hold all of the information like email addresses and IP’s in their platform. Therefore, it is their responsibility to keep it safe. Unless you actively put a retargeting pixel on your WordPress page or blog you do not need to warn users about cookies, because you are not collecting any.

Just because you put that box on your blog it does not mean that you own the data. You don’t. Data is valuable and companies are not that stupid. Comments are the same. Although you are given the email and IP of anyone who comments – this is information that is stored and kept secure by WordPress.

Cookies, IP Addresses, Adverts etc

This is where it gets a bit harder to explain. The reason big publishers are making so much noise about GDPR is because it is going to impact their advertising revenue. But this is because advertising on huge websites like the Daily Mail works in a COMPLETELY different way to affiliate or throwing in some Adsense on your blog.

Although programmatic is what I do day to day I still find it hard to explain. I am going to try my hardest so that you all understand the difference between being a data controller and not being one.

So say I’m the Daily Mail right?

First of all, sorry for all of the shit I print.

Second of all, I have all of this lovely advertising space on my website to sell. Let’s take the big banner at the top above Kim Kardashians tits. You see that one is classed as “above the fold” so is worth quite a bit.

But how on earth do I sell this?

Not many internet users are savvy to this, but there are things working in the background called ad exchanges. An ad exchange is basically a way for people and companies to buy and sell advertising space online.

So the Daily Mail use something called an SSP (supply side platform) and put their little banner space out to the open real time bidding exchange for people using DSP’s (demand side platforms) to bid on that space. Whoever wins the auction gets the space and the advert is shown. This all happens in milliseconds before the page has even loaded.

Now have you ever been browsing about on the internet and thought “HOLY SHIT HOW DID THEY KNOW I WAS LOOKING AT HOLIDAYS TO MARBELLA?”.

This is all down to cookies. Say I am a holiday website. You have clicked on my advert on the Daily Mail website, visited me but not booked anything. Good job I have set up a pixel on my website that collects a cookie when you visit. This now means that when I am buying my advertising space on the open exchange I can actually select to retarget you as someone who has visited my site before.

Clever stuff isn’t it? But why am I telling you this?

I am telling you this to show you that if you use Adsense or another third party to monetise you are in NO WAY obligated to register as a data controller. GDPR is meant to regulate huge publishers that sell their advertising inventory on the open exchange, and big brands and ad agencies that bid for the space. Unless, as a blogger, you are selling impressions on the open ad exchange through an SSP (which if you are I salute because you need a LOT of traffic to make that financially viable), then you are not the data controller.

If you use Adsense, it will be Google that collect the data, Google that store it, and ultimately Google who decide what to do with it. It is the same with WordPress and Blogger. WordPress and Blogger collect cookies from people visiting your site and are ultimately responsible for how they process it and what they do with it. Blog hosting sites are not stupid. The data of the people having a nosey around your blog is a lot more useful to them than it is to you – trust me, they wouldn’t let you be in control of it for all the tea in china.

Cookie Consent and you as a processor

Ultimately, the owner of any of the cookie data is going to be companies like WordPress. You as a blogger won’t have access to the back end data management platform that stores all of the PII information. This means that WordPress, or affiliate sites you use like Rakuten are the data controller. As a publisher, the highest authority you will have is of a data processor. This means all you need to do is make your blog compliant is make people aware that cookies are used, how, and give them the opportunity to opt out. It is the data controllers responsibility to action the right to be forgotten. If someone contacts you and asks this, be ready to contact the company collecting the cookies to get this actioned, or forward on their details to the user.

When it comes to GA, again there is no backend that you can log in to that works like a data management platform. Google hold and are responsible for the safety of all of this data. Getting a cookie consent tool set up is a great way to make sure you are covered. All you need to do is tell people what they are being tracked for and why. I’ll be adding a page to my own blog that explains what trackers are on my site and why they are then, along with links for users to log out.

There are a number of different cookie consent plug-ins that have been created for WordPress. WordPress are well aware of the effects of GDPR for bloggers so they have been planning for this for some time.

Competitions, Giveaways, Email List Etc

Again, if you are using a third party plug in to collect any data from competitions, giveaways and email lists this falls down to them. You only need to register as a data controller if you go around manually saying to someone “give me your email address’, then adding it on to a spreadsheet and using it for something in the future. 

If email addresses are collected through Mailchimp or another third party plug in or widget then they need to comply with GDPR. All of these companies have been aware of GDPR for years and have been hard at work preparing for it. It’s the same for your Gmail. If you have a list of contacts or emails in your Gmail this is in a securely hosted platform. Gmail would have thought about how GDPR effects them a LONG time ago and will be putting policies and procedures into place to make sure they comply.

Affiliate Marketing

If you run affiliate marketing on your blog then you are a bit more liable under the GDPR than others who don’t run any affiliate marketing. If you do run affiliate marketing through a network like Rakuten then it is likely they will use cookies to re-target people who click on the links. You could argue that them clicking the link infers that they have a legitimate interest, but this is probably not going to hold up very well under the GDPR. To be on the safe side, you can use a Chrome extension like Ghostery to check what trackers are appearing on your WordPress blog. If you find that your affiliate network is tracking you can add in a cookie consent plug in.

(If you want to learn more about affiliate in general – I have written a digital marketing terms guide here)


Retargeting is where it gets a little bit more interesting. Say that I want to show paid ads for my blog to people who have visited my site before. I would implement a Facebook pixel to drop a cookie on the users browser so that I can retarget them. In this instance – I still do not have access to the back end to see the cookie data, IP’s or any other Personally Identifiable Information. This means that Facebook are still ultimately the controller. However, in this case, as you are ACTIVELY collecting the data yourself as a processor, you will need to build in a consent model into your blog.

The Bottom Line

I honestly can’t believe how much scaremongering has gone on and how worried bloggers are becoming over this. Any data collected through WordPress, Blogger etc like emails isn’t actually collected by you as an individual, it is collected by them as a company. They are the data controller, and you are merely a processor, if anything.

Also when GDPR comes in they are going to have a lot bigger fish to fry with publishers and advertisers that are non-compliant to be worrying about people like bloggers. Unless WordPress, Blogger etc make a massive, MASSIVE error with their own compliance, GDPR will not affect you.

Please PLEASE can you just all calm your tits about this and stop thinking you have to register as a data controller. If anyone is still worried and wants a more detailed explanation of how it all works, feel free to reach out on Twitter

Unless you are collecting cookies using a DMP and have access to them yourself, it is unlikely you will class as a data controller. I’ve seen a lot of people telling bloggers to update their privacy policy and terms of service etc. You will be covered by the WordPress or Blogger privacy policy, so as long as it is easy to find on your layout you will be fine. A lot of the information for publishers is aimed at larger ones who buy data and collect data to retarget – but here is a simple guide I found online.

Handy Privacy Policies




If you are going to take GDPR seriously as a blogger you ay also consider getting a guide to ensure you understand the implications it will have on your online activity. Link: EU GDPR: A Pocket Guide


  1. Maria Hughes
    February 13, 2018 / 9:15 pm

    Thank you, very informative and really helped me understand the issues.
    I did suspect that the big companies WordPress etc would be the owners of the data and therefore need to be compliant. x

    • February 13, 2018 / 9:16 pm

      Absolutely shouldn’t be down to the bloggers at all. Works exactly the same way as Facebook etc. Glad it helped.

  2. February 24, 2018 / 8:49 pm

    Perfect ? thanks for the explanation looks like I have to do sod all! Just what I like ?

  3. February 26, 2018 / 1:40 pm

    Brilliant, I was ignoring everything and waiting for this kind of post. Thank you Kelly.

    • February 26, 2018 / 1:41 pm

      So so random that people think they own the data when they blog on WordPress or Blogger ??‍♀️

  4. March 13, 2018 / 10:03 pm

    Really useful post! GDPR can be a scary and to be honest a boring subject so glad you made it user friendly.

  5. March 14, 2018 / 1:03 am

    Thank you so much for this! I have seen WordPress articles telling me all these things I need to do and it’s terrifying! So from reading this i get the impression I don’t have to do anything from here? Or am I reading it wrong? X

    • kellyjackson2102
      March 14, 2018 / 6:10 am

      You don’t need to do anything Sarah. Unless you have manually built and coded the website for your blog and you collect the email addresses of subscribers on some sort of spreadsheet. All of the companies you use own the data, so I use WordPress and they own all the data.

      • March 15, 2018 / 12:40 am

        I can barely spell my own name that alone do all that! ? thank you for this there has been a lot of accidental scaremongering on this one! X

      • March 18, 2018 / 5:37 pm

        Please clarify whether you mean sites hosted by WordPress or sites that are self-hosted or both.

        • kellyjackson2102
          March 18, 2018 / 5:38 pm

          Even if you self-host your site, you do not collect first party data. Do you collect cookies from a pixel implemented on your blog that you use for retargeting purposes?

  6. CK Alvarez
    March 14, 2018 / 11:42 am

    Thank you for this post. ? so I guess, the waiting game in the blogging world is spot on! By that, i meant patience is a virtue when youre a blogger. Your post is very helpful.

  7. April 3, 2018 / 4:32 pm

    Thank you very much for this informative post. As a blogger and freelancer, I’ve been in a bit of a panic over GDPR, especially seeing as people subscribe to my blog (via Blogger’s Feedburner) and I am set to launch my monthly newsletter soon (via MailChimp). If anything, I think the clients I work with as a freelancer (and as a blogger whenever I write sponsored posts) are the ones are more likely to be affected by GDPR because they have to take my details.


  8. April 28, 2018 / 7:39 am

    Thank goodness I stumbled across this! I’ve just read a thread in a Facebook group that terrified me and that linked to a post that had that felt like a hundred things on a checklist we MUST do. Thanks for the clear, simple to read clarification!

  9. May 17, 2018 / 2:26 pm

    Thanks so much for this post! It was super helpful, I’m like an old woman when it comes to this stuff I have no clue ? x

Leave a Reply

Your email address will not be published. Required fields are marked *