GDPR: Does Your Blog Need To Be Compliant?


GDPR compliance has caused stress in the blogging community – bloggers are scrambling to get compliant. How many of you have stopped to ask whether or not your blog is actually required to BE compliant? I initially assumed I needed to comply, too, but the criteria for who needs to be compliant aren’t so black and white.

Read on to understand who the GDPR applies to and take the GDPR Compliance Test at the end of the post to determine where your blog stands.

A FEW WORDS BEFORE WE BEGIN

Before we begin, seeing as this post does cover topics of a legal nature, I want to be sure to preface everything to come with the following disclaimer:

I AM NOT A LAWYER AND THIS POST IS NOT TO BE CONSIDERED LEGAL ADVICE.

Instead, this post should be considered informative or instructive in nature so that you can better address your own individual questions with regards to GDPR compliance. I highly recommend you discuss any of your own legal questions or any courses of action you may take with regard to GDPR compliance of which you are not 100% certain with a qualified and licensed legal professional.

Now with that out of the way … prepare yourself. There’s legalese ahead and a lot of information to cover. I promise, I’ll do my best to make it easy to understand.

TERRITORIAL SCOPE

Before I started to actually investigate this specific question, I’d already spent weeks researching, outlining, and writing an ebook about GDPR compliance for bloggers. As an early part of that research, I had read GDPR Article 3 on Territorial Scope.

  • (1) This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
  • (2) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
  • a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  • b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
  • (3) This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

After reading it, I quickly concluded that most blogs would fit this description: since any blog could be visited by someone in the EU, the GDPR definitely applied. I then continued with other avenues of my research, and it wasn’t until after I’d written over 6000 words on the topic that I came across Recital 23, which says:

In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.

The statement “Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention” immediately caught my attention. Does this mean that data controllers and processors outside of the EU were not necessarily subject to GDPR? I went looking for more information to determine whether this was so.

In my search for clarification, I came across this post from Washington DC based law firm Wiley Rein LLP, in which it says this:

Under the first prong, the GDPR explains that having a commerce-oriented website that is accessible to EU residents does not by itself constitute offering goods or services in the EU. Rather, a business must show intent to draw EU customers, for example, by using a local language or currency. Article 3(2) appears to adopt a sliding scale approach as opposed to a bright-line rule, and there is little guidance so far on how to interpret this provision.

However, the CJEU has considered when an activity is “directed at” EU Member States in other contexts. A similar requirement can be found in Article 15 of Regulation 44/2001, known as the Brussels Regulation, which deals with contract disputes involving more than one country. In that context, a joint declaration by the EU Council and the Commission states that “the mere fact that an Internet site is accessible is not sufficient for Article 15 to be applicable, although a factor will be that this Internet site solicits the conclusion of distance contracts and that a contract has actually been concluded at a distance.”[2] In Pammer v. Schulter (C-585/08), the CJEU found that it was necessary to show that the trader has “manifested its intention to establish commercial relations with consumers from one or more other Member States.” To facilitate the application of this test, the CJEU offered a number of criteria to be considered, such as a clear statement by the trader on the website that its goods or services are offered in one or more Member States mentioned by name; the paid inclusion in search engines accessed from particular Member States; or “the international nature of the activity at issue; … telephone numbers with the international dialing code; use of a top-level domain name other than that of the Member State … mention of an international clientele composed of customers domiciled in various Member States.”

Under the second prong of Article 3(2), businesses monitoring the behavior of individuals in the EU also are subject to the GDPR’s requirements. The Recitals specifically contemplate tracking individuals online for purposes of creating profiles, “particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.”

The GDPR also applies wherever EU Member State law applies by virtue of public international law. The Recitals provide a single example: a diplomatic mission or consular position. While that case is limited, the rule in public international law established by the Permanent Court of International Justice in Lotus is that a country has any extra-territorial jurisdiction it claims so long as there is not a public international law rule prohibiting the assumption of jurisdiction. Thus, the EU potentially could expand the GDPR scope in the future using this provision.

Wanting multiple sources, I went searching and found this document from international law firm Bird & Bird, which backs up the position in the post from Wiley Rein LLP. I’m not quoting it here for the sake of brevity, but you can follow the link and read it for yourself, should you choose to.

WHAT DOES “MONITORING BEHAVIOR” MEAN?

If you’re sharp, you caught the mention of the GDPR applying to entities that control or process data outside of the EU if they engage in monitoring the behavior of individuals. But what does monitoring behavior mean? To answer this, I found this post from the law firm Field Fisher pointing me to Recital 24, which says:

The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

CAN YOU SAY ALL OF THAT IN ENGLISH PLEASE?

That is a bit difficult to read, isn’t it? Here’s an easier to understand summary of what we’ve found so far.

  • Simply having a website accessible to people within the EU does not automatically make you subject to GDPR.
  • To be subject to GDPR you must show intent to target people within the EU.
  • GDPR applies to any business that monitors the online behavior of people within the EU.
  • Monitoring behavior means processing the personal data of individuals in order to make decisions about them or to predict their personal preferences, attitudes, or behaviors.

To determine whether or not a business intends to target people within the EU, these factors, among others, may be considered:

  • Use of a language of an EU member state if it’s different from the language of your home country.
  • Use of the currency of an EU member state if it’s different from the currency of your home country.
  • Use of a top-level-domain of an EU member state.
  • Public mention of customers based in the EU, be it in a list of clients perhaps or a testimonial.
  • Targeting advertisements to consumers within the EU.

Most of this is fairly straightforward; however, we should absolutely discuss the point about the GDPR applying to businesses that monitor people’s behavior, because this could apply to you.

SOFTWARE AND SERVICES THAT MAY MONITOR BEHAVIOR

To determine whether your blog is subject to the GDPR, you need to understand if you’re using any software or services that monitor the behavior of individual people.

There are far too many actual services for me to list them all, so instead I’ve broken this into a list of categories with a couple of examples under each. This list may not be 100% comprehensive, but it should cover the majority of the types of services you’ll need to examine. It should also give you a solid idea of what to look for in any other software or services you use that might be monitoring behavior.

Additionally, for some of these examples, I’ll give you some general advice on making changes so that they would not be considered to be monitoring the behavior of individuals.

ANALYTICS

Examples: Google Analytics, Matomo (formerly Piwik)

Analytics software & services such as Google Analytics and Matomo generally offer the ability to anonymize the IP addresses of blog visitors so that it no longer identifies unique people. Making use of these anonymization features removes them from being considered as monitoring behavior of individuals.

SECURITY / FIREWALL

Examples: Sucuri, NinjaFirewall

Some security / firewall software & services, but not all, offer the ability to anonymize the IP addresses of blog visitors in the same way that analytics packages do. Doing so also removes them from being considered as monitoring the behavior of individuals. You’ll need to check into your solution to see if this option is provided and if not, change to one that does.
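As an added example (not code from this post or from any of the analytics or firewall products named above), here is what the “anonymize IP addresses” option in such tools amounts to in practice: truncating the address before it is stored, for both the analytics case and the firewall case. The truncation widths assumed here (drop the last IPv4 octet, keep only the first 48 bits of IPv6) are the ones Google Analytics documents for its anonymizeIp option; other tools may truncate differently. The sample log lines are constructed.

```javascript
// Added example, not from the original post: truncate a visitor IP the way
// "anonymize IP" options in analytics and firewall tools typically do, so the
// stored value no longer identifies a single device. Widths assumed here:
// IPv4 keeps the first three octets, IPv6 keeps the first 48 bits.

// Expand an IPv6 address into eight 16-bit groups, resolving a single "::".
// Mixed IPv4-in-IPv6 notation (e.g. ::ffff:1.2.3.4) is deliberately rejected.
function expandIpv6(addr) {
  const parts = addr.split('::');
  if (parts.length > 2) return null;
  const head = parts[0] ? parts[0].split(':') : [];
  const tail = parts.length === 2 && parts[1] ? parts[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (parts.length === 2 ? missing < 1 : missing !== 0) return null;
  const fill = parts.length === 2 ? Array(missing).fill('0') : [];
  const groups = [...head, ...fill, ...tail];
  if (!groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

// Render eight groups in RFC 5952 style: lowercase, no leading zeros, and the
// longest run of zero groups (length >= 2) collapsed to "::".
function formatIpv6(groups) {
  let best = { start: -1, len: 0 };
  for (let i = 0; i < 8; ) {
    if (groups[i] !== 0) { i += 1; continue; }
    let j = i;
    while (j < 8 && groups[j] === 0) j += 1;
    if (j - i > best.len) best = { start: i, len: j - i };
    i = j;
  }
  const hex = groups.map((g) => g.toString(16));
  if (best.len < 2) return hex.join(':');
  return hex.slice(0, best.start).join(':') + '::' +
    hex.slice(best.start + best.len).join(':');
}

// Returns the truncated address, or null when the input is not a valid IP.
function anonymizeIp(ip) {
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (v4) {
    const octets = v4.slice(1).map(Number);
    if (octets.some((o) => o > 255)) return null;
    octets[3] = 0; // drop the host part of the /24
    return octets.join('.');
  }
  const groups = expandIpv6(ip);
  if (!groups) return null;
  for (let i = 3; i < 8; i += 1) groups[i] = 0; // keep only the first 48 bits
  return formatIpv6(groups);
}

// Constructed sample lines, common-log style: the first field is the client IP.
const SAMPLE_LOG = [
  '203.0.113.77 - - [01/Jun/2018:10:15:00 +0000] "GET /post HTTP/1.1" 200 512',
  '2001:db8:85a3::8a2e:370:7334 - - [01/Jun/2018:10:16:00 +0000] "GET / HTTP/1.1" 200 1024',
];

// Scrub the client field before the line is written to long-term storage.
// An unparseable client field is masked entirely rather than kept as-is.
function scrubLogLine(line) {
  const sp = line.indexOf(' ');
  const ip = sp === -1 ? line : line.slice(0, sp);
  const anon = anonymizeIp(ip);
  return (anon === null ? '-' : anon) + (sp === -1 ? '' : line.slice(sp));
}
```

Truncation only helps if it happens before the raw address is written anywhere (including your web server’s own access log), so check where each tool in your stack records the IP, not just the one you configured.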

CONTENT DELIVERY NETWORKS (CDN)

Examples: Cloudflare, Amazon CloudFront

CDN services may include additional services besides distributed delivery of your static content, such as security / firewall features. If your CDN offers these kinds of additional services, you’ll need to investigate whether they monitor behavior of individuals as part of that service. If your CDN does monitor behavior, you’ll need to check if they give you the ability to anonymize data or disable the monitoring if your goal is to not require GDPR compliance.

Cloudflare, for example, includes security services as a part of their CDN service. These security features make use of a cookie called __cfduid. Cloudflare does not store personally identifying information through this cookie. It is used to identify a device that has accessed your site previously so that it can avoid being challenged by the security features when accessing your site in the future. As Cloudflare is not monitoring behavior with this cookie, there are no concerns that using their service will force you to have to comply with the GDPR.

AD NETWORKS

Examples: Mediavine, AdThrive

Ad networks, such as Mediavine and AdThrive, don’t generally monitor behavior or collect data themselves, but the 3rd parties who have contracted with them to have ads displayed certainly do – there are exceptions, of course, like Google AdSense, which collects data directly.

The important thing to note here is that, to avoid the need for GDPR compliance, you need to configure things so that you are not displaying targeted ads to people within the EU. This way, no personal information is being processed on individuals within the EU, keeping you from becoming subject to the regulation. I am personally familiar with Mediavine and know that they offer this capability. If you’re using a different ad network, you’ll need to check with them whether they offer this ability or not. If your ad network does not give you this option, you’re left with three options.

  • Become compliant with GDPR.
  • Change ad networks to one that does give you this ability.
  • Block all traffic to your site from the EU.

Make the decision based on which alternative is likely to be the least expensive in the long run – weighing the costs of compliance against the potential income loss of the other options.

SOCIAL SHARING PLUGINS

Examples: Social Warfare, Sassy Social Share

When it comes to social sharing plugins like Social Warfare or Sassy Social Share, you’ll need to do some investigation into whether they process identifiable information about people. Some simply implement the interfaces provided by the various social networks for sharing content to them and do no processing of personal information of their own. Any information gathering that takes place is done by the site being shared to, into which the user will already have logged in order to share the content. The responsibility for data processing here belongs to the social network.

You will still want to investigate the software / service that you make use of to be certain that it does not collect any data. For example, I’m fairly certain that AddThis makes use of its own cookies and tracking, so you’ll want to be certain that whatever system you use does not.

I know that – at least according to statements from their developers – neither Social Warfare nor Sassy Social Share does any tracking or storage of data on their part.

ANTI SPAM SOFTWARE

Examples: Akismet

The 800lb gorilla in the area of anti spam software for WordPress is Akismet. Akismet, however, is a cloud based service that collects a host of data and presents a problem if you wish to remain free from being subject to the GDPR. There are a few strategies you might employ to deal with anti spam concerns without causing GDPR problems: either turn off comments entirely or block people in the EU from leaving comments.

EMAIL LIST MANAGEMENT

Examples: Convert Kit, Mailerlite

Email list management services, such as Convert Kit or Mailerlite, are where we run into the biggest obstacle in avoiding the need for GDPR compliance. Services such as these make use of email tracking features that monitor what emails your subscribers open, how many times they’ve read the email, if they’ve clicked any links within the email, if the email has been deleted, etc…

These capabilities most definitely are monitoring behavior of individuals as the information presented is tied directly to an email address. There’s no way to anonymize this data and the services don’t generally offer the ability to not collect this kind of information.

In order to avoid GDPR requirements and still make use of a service like this, you’d have to implement a check at the time of the online form submission where you determine the user’s country based upon IP address. If they’re within a GDPR protected country, you refuse their submission with a polite message stating something about not accepting subscriptions from GDPR countries. This solution requires the ability to write some JavaScript code.
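An added example (not the post’s own code and not the script from the ebook mentioned later) of the submission-time country check just described. `lookupCountry` is an assumed placeholder for whatever IP-geolocation service you call; it is expected to resolve to an ISO 3166-1 alpha-2 code, or null when it cannot tell. The decision logic is kept separate from the form glue so it can be tested without a browser.

```javascript
// Added example, not the post's own code: gate a newsletter signup form on the
// visitor's country. `lookupCountry` is an assumed placeholder for your
// IP-geolocation service; it must resolve to an ISO 3166-1 alpha-2 code, or
// null when the lookup cannot tell.

// EU member states as of 2018 (GB was still a member) plus the EEA states
// (IS, LI, NO) that also apply the GDPR.
const GDPR_COUNTRIES = new Set([
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR',
  'HU', 'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK',
  'SI', 'ES', 'SE', 'GB', 'IS', 'LI', 'NO',
]);

// Pure decision: returns { accept, reason }. Unknown or failed lookups are
// treated as in scope, because a visitor you cannot place is one you cannot
// prove is outside the regulation's reach.
function decideSubscription(countryCode) {
  if (typeof countryCode !== 'string' || countryCode.length !== 2) {
    return {
      accept: false,
      reason: 'Sorry, we could not verify your location and cannot accept this subscription.',
    };
  }
  if (GDPR_COUNTRIES.has(countryCode.toUpperCase())) {
    return {
      accept: false,
      reason: 'Sorry, we are not accepting subscriptions from EU/EEA countries at this time.',
    };
  }
  return { accept: true, reason: null };
}

// Browser glue: run the lookup on submit and only let the native submission
// proceed when the decision is to accept. `showMessage` renders the refusal.
function guardSignupForm(form, lookupCountry, showMessage) {
  form.addEventListener('submit', async (event) => {
    event.preventDefault();
    let decision;
    try {
      decision = decideSubscription(await lookupCountry());
    } catch (err) {
      decision = decideSubscription(null); // lookup failure: fail closed
    }
    if (decision.accept) {
      form.submit(); // form.submit() does not re-fire this listener
    } else {
      showMessage(decision.reason);
    }
  });
}
```

Because this runs in the visitor’s browser it can be bypassed with scripting disabled, so treat it as a convenience filter and repeat the check server-side if your list service or form handler allows it. IP geolocation is also approximate (VPNs, mobile carriers), which is a further reason not to rely on it alone.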

GDPR COMPLIANCE TEST

That’s certainly a ton of information that we’ve covered to determine whether or not you are subject to the GDPR as a blogger. I’ve put together a test to help you navigate through it all and determine your blog’s GDPR status and give you advice to modify your blog, where needed, if your goal is to not require compliance.


1: Are you based inside of the EU?

  • Yes – Stop here. You are required to comply with the GDPR.
  • No – You may not be required to comply with the GDPR. Go to 2.

2: Does your blog in any way target people within the EU? (Refer to list of considerations above)

  • Yes – Stop here. You are required to comply with the GDPR.
  • No – You may not be required to comply with the GDPR. Go to 3.

3: Does your blog use any form of analytics software or services?

  • Yes – You may be required to comply with the GDPR. Go to 3A.
  • No – You may not be required to comply with the GDPR. Go to 4.

3A: Have you anonymized your analytics data?

  • Yes – You may not be required to comply with the GDPR. Go to 4.
  • No – Anonymize your analytics data. Go to 4.

4: Do you use a web firewall or security software that processes IP addresses?

  • Yes – You may be required to comply with the GDPR. Go to 4A.
  • No – You may not be required to comply with the GDPR. Go to 4B.

4A: Have you anonymized the data in your firewall / security software?

  • Yes – You may not be required to comply with the GDPR. Go to 5.
  • No – Anonymize your firewall / security software data. Go to 5.

4B: Consider installing a firewall or security software on your blog to help protect your site against possible attacks. Go to 5.


5: Do you use a Content Delivery Network that processes personally identifying information?

  • Yes – Change CDN providers to one that doesn’t process personal information. Go to 6.
  • No – You may not be required to comply with the GDPR. Go to 6.

6: Do you use an Email List Management service that includes email tracking features?

  • Yes – You may be required to comply with the GDPR. Go to 6A.
  • No – You may not be required to comply with the GDPR. Go to 7.

6A: Can you move your Email List Management to a service that doesn’t include email tracking features?

  • Yes – You may not be required to comply with the GDPR. Go to 7.
  • No – Stop here. You are required to comply with the GDPR.

7: Do you use an Email List Management service that includes email tracking features?

  • Yes – You may be required to comply with the GDPR. Go to 7A.
  • No – You may not be required to comply with the GDPR. Go to 8.

7A: Can you move your Email List Management to a service that doesn’t include email tracking features?

  • Yes – You may not be required to comply with the GDPR. Go to 8.
  • No – Stop here. You are required to comply with the GDPR.

8: Do you allow comments on your blog?

  • Yes – You may be required to comply with the GDPR. Go to 8A.
  • No – You may not be required to comply with the GDPR. Go to 9.

8A: Do you use Anti Spam filtering?

  • Yes – You may be required to comply with the GDPR. Go to 8B.
  • No – You may not be required to comply with the GDPR. Go to 8C.

8B: Block comments from the EU. Go to 9.

8C: Install spam filtering and block comments from the EU. Go to 9.


9: Do you monetize your blog through an ad network?

  • Yes – You may be required to comply with the GDPR. Go to 9A.
  • No – You may not be required to comply with the GDPR. Go to 10.

9A: Does your ad network allow you to turn off targeted ads to people in the EU?

  • Yes – You may not be required to comply with the GDPR. Go to 10.
  • No – You may be required to comply with the GDPR. Go to 9B.

9B: Change to an ad network that allows you to turn off targeted ads to people in the EU. Go to 10.


10: Do you use any other products or services on your blog that could be construed as monitoring the behavior of individuals?

  • Yes – You may be required to comply with the GDPR. Go to 10A.
  • No – You may not be required to comply with the GDPR. Go to 11.

10A: Can you modify, remove, or replace all such products or services with ones that do not monitor individuals’ online behavior?

  • Yes – You may not be required to comply with the GDPR. Go to 11.
  • No – Stop here. You are required to comply with the GDPR.

11: If you’ve made it to step 11 without being told to stop, the odds are high that your blog does not fall under the jurisdiction of the GDPR. Congrats!


CLOSING

Ultimately, the answer to the question of whether or not the GDPR applies to bloggers is “it depends”. If you made it through the test above to step 11 – with or without having to make adjustments to your blog to get there – without hitting a “stop”, then the chances are good that you aren’t subject to GDPR requirements.

If you found this post helpful, I’m also now offering an ebook – The Blogger’s Guide To Avoid Being Subject To GDPR – that expands on this subject matter and includes detailed strategies you can implement to keep your blog from being subject to the GDPR, including custom JavaScript code that you can implement with ANY email list service to filter out subscribers from EU countries. This means NO interruption to your ability to offer email based freebies in exchange for receiving email subscriptions. This script alone is more than worth the $10 asking price. I offer a 30% affiliate commission on referral sales of the ebook for anyone interested in becoming an affiliate.

As I said earlier in this post – if you have questions regarding whether or not the GDPR applies to you, I highly advise you speak with an attorney. Hopefully, if nothing else, this discussion has given you information you can use to ask the right questions.

Also, be sure to pin it to Pinterest and subscribe to my email newsletter to stay updated on future blogging tech tips like this one, and let me know what you think in the comments below. Thanks for reading!

Robert Partridge

After spending 20+ years working in the tech industry and teaching tech courses to college students, Robert now provides professional IT & WordPress support services to bloggers and blogs about the technical side of blogging. Contact him on Twitter, Google+, or via this blog's contact form.

1 Response

  1. Kristen says:

    Fantastic post— super informative. Thank you so much!
