What book bloggers need to know (and do) about GDPR

I wasn’t going to write anything about GDPR because I had it in my head that everyone has already said everything that needs to be said. There are loads of blog posts out there. But then I got several book bloggers talking to me on Twitter about how they’re still confused, or they’re having trouble finding information. So I finally got convinced to put together a post specifically for book bloggers.

GDPR is a new set of privacy standards for people in Europe

Now before you see “people in Europe” and think, “Oh I’m in the US, this doesn’t concern me,” keep reading. 😉

GDPR is a bunch of laws about collecting, storing, accessing, and deleting personal information. “Personal information” includes, among other things, a person’s full name, email address, and IP address.

However, just because you’re not in Europe doesn’t mean you’re exempt. The rules protect people in Europe, which means if you’re in the US but a single visitor from Europe comes and leaves a comment on your blog, then this applies to you, because you’re responsible for protecting that European visitor’s data (the name and email address that were probably stored on your site along with the comment).

So, yeah, this means the law is kind of a bitch and we should probably treat it as if it applies to everyone in the world, because if you have to take certain precautions for European citizens then really it’s easier to just take those same precautions for everyone.

The four key things that you need to think about and implement

Before I get into this, I of course need to say that I’m not a lawyer and the following does not constitute legal advice. The below is just my thoughts and interpretation of GDPR. If you have any serious concerns you may want to contact a lawyer.

Furthermore, the goal of this post is to be clear and concise. I’m not going to get into every single fine point about GDPR. If you’re interested in that, you can read the guide to GDPR or similar. I’m just providing a hopefully helpful overview.


1) You need to obtain consent before storing someone’s personal information.

Let’s highlight a few areas you might be collecting personal information:

  • Contact forms. Many contact forms save a copy of the submission on your server (in addition to emailing you). Gravity Forms does this, for example. If a copy is being saved on your site, then the user’s name, email, IP address, and whatever other form fields you have are being stored.
  • Newsletter signup forms. These include an email and possibly a name/IP.
  • Giveaways. If you use Rafflecopter or some other kind of giveaway form and ask people to enter their name, email, and/or mailing address then you’re storing that information.
  • Review request forms. If you use a form for review requests and ask people to submit their name/email/etc. then you’re also storing that information.
  • Comment forms. They ask for a name/email and also store an IP address.
  • Do you have co-bloggers? You’re storing their username, name, email, and IP on your server.

Pretty much any time you ask for someone’s name/email/etc. and they’re pressing “submit” on some kind of form, you’re probably storing personal data.

The main thing here is that you need to be clear and up front with people about their data being stored. The easiest way to do this is to have some kind of required checkbox that says, “I consent to this information being stored” or “I have read and agree to your privacy policy” (which should then explain how/why/where the data is being stored). This checkbox needs to be unchecked by default so that users need to clearly see it and check it before proceeding.

If you’re using a form plugin then it’s probably quite easy to just add an extra checkbox form field to your form(s) and make it a required field.

Both my UBB Review Requests and UBB Review Submissions add-ons have been updated to include privacy policy checkboxes (they need to be enabled in the settings).

2) Have a clear privacy policy that talks about the data you store.

The privacy policy probably intimidates a lot of people because it feels like you need to write this huge wall of legal text.

The point of a privacy policy isn’t actually all that complicated. It’s a page where you just explain:

  • What personal information you collect and why you collect it.
  • Who you share this information with, if anyone.
  • How you protect this information.
  • How people can request the information or ask for it to be erased. (We’ll get to this later.)

Also, one of the points of GDPR is that privacy policies should be clear, concise, and easy to read. So fuck that legal jargon!

The latest WordPress update has included a new privacy policy section in Settings > Privacy. It helps you create a privacy policy page and inserts a template for you. HOWEVER you cannot just insert this template and call it a day. The template is an excellent starting point, but that’s all it is—a starting point. It covers a totally empty WordPress install with no plugins. Now, if you’re on WordPress, I’m betting you have a few plugins. 😉 This means you probably need to do a bit more work on your privacy policy.

Not every plugin stores personal information, but many do, and if they do you need to add that to your privacy policy.

  • Using a contact form plugin like Gravity Forms? You need to mention that anytime someone submits one of those forms, all the data they submitted is stored on your site.
  • Using UBB Review Requests? You need to note that the request form data is stored on your site.
  • Do you have a newsletter opt-in form? You need to note that data submitted through that form is stored, and probably shared with a third party (the actual email provider, like MailChimp).

You need to check your plugins to see what data they are storing and add that information to your privacy policy. You can’t just insert a generic template for your policy and call it a day, because it won’t be uniquely tailored to all the plugins, widgets, and forms you’ve installed. Your privacy policy needs to cover all those things.

As a comparison, you can’t just copy and paste a generic review policy on your site. It doesn’t make sense for all book bloggers to use the same one because we all have different reading preferences, different genres/formats we prefer, etc. You need to tailor the policy to fit your requirements and preferences. Privacy policies are exactly the same. You need to look at what your own site is doing because of the plugins you use and make sure you cover all that unique information.

The general format you can use is:

{section header}

When you {take a certain action}, {personal information} is stored in order to help me {reason – display comments, read form entries, process payments, etc.}.

For example:

Review Requests

When you submit a review request on this site, your name, email, and the details of your request are saved on the server. They are stored to help me view, manage, and process your review request.

How do I “check my plugins”?

I’m afraid there isn’t a really easy way to “scan” your plugins and see which ones store data and what data that is. You just have to click through all the sections of your admin panel and look at what data is being stored. Keep an eye out for: names, emails, IP addresses, physical addresses, phone numbers, etc.

Sharing data

I’ve seen many people put that they don’t share your data with anyone, and in most cases that’s actually not true. You have to think beyond selling/trading data in sketchy ways and think about all the third party services you use. Sharing data isn’t inherently a bad thing; you just need to disclose when it’s done.

  • Do you use Akismet? Then comment information (email, etc.) is shared with Akismet.
  • Email/name/IP information is shared with your mailing list provider (MailChimp / MailerLite / ConvertKit / etc.).
  • Do you use Rafflecopter and ask people to enter their email or mailing address? Then that personal information is shared with Rafflecopter.

If you’re asking people to insert data that gets sent to a third party service then you’re sharing data with them. That’s okay, you just need to disclose it.

3) Grant people access to all the data you have about them when requested.

Under GDPR people in Europe have the right to ask you for a copy of all the data you’ve stored about them. This means all their comments, form entries, review requests, etc. — anything that’s stored on your server.

WordPress has added a tool to help with this in Tools > Export Personal Data. However, just like with the privacy policy, this only covers a totally blank WordPress installation. It will export the user’s account data, list of comments, and media uploads. But it doesn’t cover (by default) data added by plugins. Plugins do have the option of hooking into this tool and adding their own data, but not all plugins will have done that. If any of your plugins haven’t, then it’s up to you to export those form entries and any other data manually and send it to the user.

UBB Review Requests and UBB Review Submissions have been updated to add their data to the exporter.

4) Erase all the personal information you have about someone when requested.

This is exactly the same as the above point, but with erasing data instead of exporting. Again, WordPress has that tool in Tools > Erase Personal Data, but not all plugins will have necessarily added their own erasure functions to it. If they haven’t, then it’s up to you to delete their form entries and other data they may have submitted and stored on your site.

UBB Review Requests and UBB Review Submissions have been updated to erase or anonymize data when the tool is run.
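As an added illustration of the hooks mentioned in points 3 and 4 (this is example code written for this post, not code from WordPress core or from the UBB plugins): a plugin that keeps review requests in its own database table can register an exporter and an eraser so that Tools > Export Personal Data and Tools > Erase Personal Data include its data. The table name `review_requests` and its columns are assumptions for the example.

```php
<?php
/**
 * Added example: registering plugin data with the WordPress privacy tools.
 *
 * Assumption (hypothetical): the plugin stores review requests in the table
 * {$wpdb->prefix}review_requests with columns id, name, email, ip, details.
 */

// Register an exporter. WordPress calls the callback once per page of results
// for the email address the site owner typed into the export tool.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-review-requests'] = array(
        'exporter_friendly_name' => 'Review Requests',
        'callback'               => 'example_rr_export',
    );
    return $exporters;
} );

function example_rr_export( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100; // small batches; WordPress keeps calling us while done=false
    $offset   = ( $page - 1 ) * $per_page;
    $table    = $wpdb->prefix . 'review_requests';

    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name, email, ip, details FROM {$table} WHERE email = %s LIMIT %d OFFSET %d",
        $email_address, $per_page, $offset
    ) );

    $items = array();
    foreach ( $rows as $row ) {
        // Each stored request becomes one entry in the export file.
        $items[] = array(
            'group_id'    => 'review-requests',
            'group_label' => 'Review Requests',
            'item_id'     => 'review-request-' . $row->id,
            'data'        => array(
                array( 'name' => 'Name',       'value' => $row->name ),
                array( 'name' => 'Email',      'value' => $row->email ),
                array( 'name' => 'IP Address', 'value' => $row->ip ),
                array( 'name' => 'Details',    'value' => $row->details ),
            ),
        );
    }

    return array(
        'data' => $items,
        'done' => count( $rows ) < $per_page, // false tells WordPress to ask for the next page
    );
}

// Register an eraser. Same pattern, but the callback returns a different shape.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-review-requests'] = array(
        'eraser_friendly_name' => 'Review Requests',
        'callback'             => 'example_rr_erase',
    );
    return $erasers;
} );

function example_rr_erase( $email_address, $page = 1 ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'review_requests';
    // Delete every row tied to this address; $deleted is the row count or false.
    $deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );

    return array(
        'items_removed'  => $deleted > 0,
        'items_retained' => false,   // set to true (with a message) if something must be kept
        'messages'       => array(),
        'done'           => true,    // everything for this address was handled in one pass
    );
}
```

If a plugin needs to keep some record (for example a winner’s address until a prize is shipped), it should set `items_retained` to true and explain why in `messages`, which the erase tool shows to the site owner.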

Things you may have seen or heard about (in other words: “do I really need to do x, y, and z?”)

There’s really just one big point here:

Do I need to email all my subscribers and ask them to opt in again? So many people are doing this!

This one is funny.

You only need to ask people to subscribe again if you didn’t ask for their consent to be added to your list in the first place, or if you don’t have a record of that consent. If you’re using a reputable newsletter service and have always used double opt-in (where people need to confirm their subscription via email) then you already have their consent to be emailed. And most reputable newsletter services will have stored a record of that consent. In that case, you do not need to email people and ask them to re-subscribe. From what I’ve seen, this covers most book bloggers. If you’re not sure, ask your newsletter provider.

What’s kind of funny is that if you do decide to email everyone and ask them to re-subscribe because you didn’t get their consent the first time around, then you’re actually violating other EU laws that say you can’t email someone to ask to market to them unless you have their consent to do so (see electronic mail marketing in the Guide to PECR). This is another interesting read on the matter: Most GDPR emails unnecessary and some illegal, say experts.

This is all just so confusing! I’m afraid of screwing up!


The point of GDPR is transparency. That means not doing sketchy things with people’s data without telling them. Yes, there are some huge fines for violating GDPR, but:

  • The GDPR itself states that fines should be proportionate to the breach. For book bloggers, any violations would likely be extremely minor.
  • But also, book bloggers are certainly not the main target for GDPR. This law mostly targets huge businesses like Facebook that collect and share huge amounts of personal information.

In short: GDPR is for dinosaurs and us book bloggers are mere ants. It’s extremely unlikely that book bloggers will be getting reported and fined for violations. I’m not saying you should ignore GDPR, I’m just saying:

  • Think about what your site is doing and report on it as best you can in your privacy policy.
  • Make your privacy policy easy to find and understand.
  • Don’t store any information you don’t need to, and delete any information you no longer need. Are you still storing the addresses for giveaway winners somewhere? Delete it — you probably don’t need it once you’ve mailed off the prize and it’s just a liability.
  • Just be honest and do your best.
  • Breathe.

Be honest, follow the law as best as you can, and don’t do anything malicious or sketchy or ass-holey. You’ll probably be just fine.

Questions —

You’re welcome to post any questions below and I will do my best to answer according to my knowledge, research, and interpretation, but I need to reiterate again that I’m not a lawyer and anything I say isn’t legal advice.

I'm a 30-something California girl living in England (I fell in love with a Brit!). My three great passions are: books, coding, and fitness.

  1. Wonderful post Ashley. It is really helpful considering the way it has been written: crisp and clear. I just have one question: Is it necessary to have SSL for the blogs now? I read someone saying that for GDPR, you need to have https. Is it?

    1. GDPR doesn’t specifically say “You need an SSL certificate” but one of the requirements is that you take steps to protect the information you store/process, and having an SSL certificate helps with that. SSL means that data transmitted through your site is encrypted, so someone can’t snoop and see what data is flowing through your site.

      I definitely would recommend getting one as they are starting to be the standard and many web hosts offer SSL certificates for free.

  2. Thanks again Ashley, I love that you always take the time to write posts about the book blogging community. So very helpful 😛

  3. A huge THANK YOU for your words! It is always wonderful to read your posts but this one is special. The panic around hobby bloggers here in Europe, Germany especially, is huge and most of them have shut down their blogs or set them on private.

    My blog is on private too, but only because I didn’t get everything done in time. But to see that this law is causing so much fear, worries, panic and in some cases unnecessary hysteria is simply sad. I am curious how this will continue. So many things aren’t really clear and even the big companies are not sure if they are correct with everything the GDPR here in the EU requires. Well, the “final examination” has just begun and people are curious if and how it will work.

    If it is ok for you, I would like to set a link to this post in my upcoming GDPR news post.

    Best wishes

    1. Yes you’re welcome to link to the post. 🙂

      And you’re right – everything is really confusing. Part of the problem is that the law is vague in some areas and there’s ZERO precedent at this point. For anything in a grey area we won’t know what the right answer is until someone gets sued over it and we get a court ruling. :/

      1. That is exactly what some lawyers around here keep telling us. Sounds probably weird, but I am glad that people in other countries see it the same way. Guess the upcoming months and years will tell. And hopefully the blog dying is stopping soon when people realize that there is enough help in the blogger community, no matter WP or Blogger, to get done what we can do.

        Best wishes

    1. Yes the latest version of Easy Content Upgrades has a privacy policy / terms checkbox you can enable in the form builder.

      It also includes the download logs in the WordPress exporter tool, and will erase the relevant download logs via the erasure tool. 🙂

      I also recommend re-wording content upgrades to be more transparent about what’s happening. For example:

      A bit misleading: “Download your free ebook now!” (but you’re also added to the mailing list, which isn’t clear)
      More transparent: “Sign up to my newsletter to get your free ebook” (clearly a newsletter opt-in that just so happens to come with a freebie)

      Again, it’s all about transparency and being super clear. 🙂

    1. Sorry but I’m not aware of any. The problem with generators is that they can’t know which plugins you’re using and therefore which information to include. You need to examine your own plugins, analyze what data they are collecting, and write a policy based on that unique combination of plugins.

  4. This is all very interesting. I didn’t know this was happening and I’m glad I clicked in. Some food for thought for me.

  5. Thanks for explaining this in layman’s terms. I had already completed most of the steps but this reassured me that I’ve done the right things to prepare. You reminded me about my book review request form, which I’d completely forgotten about.

  6. So super helpful. I’ll be taking a peek at my policy and editing to make it more concise. I’ve already deleted old forms and databases linked to them. I’ve added links to some of the third party apps like Rafflecopter and their GDPR policy. So I think I’m in good shape. I just needed to double check that I didn’t forget anything. Your help on Twitter a few weeks ago was amazing and I’m ever so thankful for your knowledge.

  7. Just last week I was thinking, “I wish Ashley or someone like her will put together a lengthy but easy to understand post about this GDPR stuff” and here ya go girl. Thanks so much! I will now put together my own Privacy Policy and Disclaimers pages on my new blog–something I haven’t been able to do on my old one.

    1. Hi Ashley I’ve run into a small problem. So I used the WordPress template and I’m kinda confused as to what is the difference between the “Who we share your data with” and “Where we send your data” sections. I just put all the plugins and third-party sites I use on the first section then I just left the second section with what WordPress initially wrote (for now).

      Also, if you have some extra time can you take a peek at my policy page (https://whimsywanders.com/private-policy) and see if it’s good to go. If you don’t then it’s perfectly okay, I’m just really confused with the two sections.

      Thanks so much Ashley!

      1. Honestly I didn’t understand the difference between those either. The only thing I can think of is that perhaps “Who we share your data with” refers to you sending data to a third party who is then also storing that data. Maybe “where we send your data” is when you send data to someone and they don’t store it, but they do read it and process it. That would make sense if Akismet doesn’t actually store the emails you send it; it just processes it to decide if it’s spam or not but doesn’t store the information on their server.

        I’m not 100% sure though – that’s honestly just a guess.

        One thing to clarify in your policy: Comment Reply Notification and Simple Feed Stats are plugins installed on your site, which means you are collecting and storing the information yourself. You’re not actually sharing the information with the creators of those plugins. So I’d personally remove those from the “who we share your data with” section and put that under the “your information is collected” section instead.

          1. Hi Ashley I have another question.

            Does this mean that I can’t give content upgrades in exchange that the person who received the content upgrades also get included in my subscribers list. I hope I make sense. Thanks!

            1. Different people have different answers about this. Given the lack of legal precedent there probably is no 100% right answer. In my personal opinion, it’s still fine to do this as long as you’re being as clear as possible about what’s happening. The spirit of GDPR is transparency and no hidden subscriptions. This means it’ll come down to how you word the opt-in.

              So in my opinion, this is deceptive:

              “Enter your email to get a free ebook!”

              In that example it sounds like you just enter your email and get the ebook, but then later you realize you were “secretly” added to the mailing list as well. This wasn’t clearly conveyed.

              But I think this would be okay:

              “Subscribe to my newsletter and get a free ebook!”

              This is extremely clear about what the form is for: you’re subscribing to a mailing list. As a benefit of that, you will get a free ebook.

  8. Thank you for writing this! I now have a much better understanding of what GDPR is and what I need to do to comply. I have shared this with my fellow bloggers and in my blogger groups!

  9. Wonderful post! I was so confused about it all that I just decided not to post for a bit. I will be honest: I am a little bit nervous still, and I think my old little book blog I made when I was in high school is not equipped enough for me to handle everything. It gives me a lot of anxiety, despite the fact I know what the intentions are. I think I’m just going to post reviews on like, my GR and FB page for now, and work on re-branding and re-working my site!

    1. Sorry but I’m not sure. 🙁 I’m not really familiar with the Blogspot/Google commenting options.

  10. A friend of mine does this sort of thing for a living and he told me it’s the platforms who store the information not the blogger. Blogger, WordPress, Rafflecopter, Google, whatever email provider you have, etc… they are the ones legally responsible for the privacy policies. If you are going to personally give an address to a publisher or author to send a giveaway prize that is about the only thing you have to watch out for, but I think most people ask permission for that anyway. A lot of people are considering quitting blogging because of this supposed legal responsibility, and I think that is sad.

    1. Article 4 (18) ‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

      The privacy policies aren’t even legally binding if they are not registered with the ICO, and you have to be a company (Google, YouTube, WordPress, Yahoo email, etc…) in “economic enterprise” to even register with the ICO in the first place. The entity who owns the server is the responsible party.

    2. This article is mainly geared towards people on self hosted WordPress, and self hosted WordPress does store this personal information on the server you own (not someone else’s server). So people on self hosted are required to have privacy policies when they store information for comments, send that information to third parties like Akismet, store emails from contact forms, etc.

  11. This was by far the most thorough explanation I have read. I am going to keep it bookmarked to use as a reference. Thank you for spending so much time covering this topic.

  12. The EU is so far ahead of the U.S. in these practices that, if my book blog were actually active, I would go ahead and do it. Thanks to analytics, we can see that many of us don’t only have US readers. The other thing you mentioned is that we do have readers from countries in the EU, whereas some other niches might not.

    On a different, yet still related thing at the moment, I am struggling to get my Friends of the Library Group on board with following these new rules before I even tackle it on my own blog. One might think that it’s a local library, so not an issue, yet we are a huge tourist destination for what is called “snowbirds”. Many people from other states and countries either own or rent houses here during the winter and are members of our Friends group. Trying to get the new regulations and even the older cookies one through the board is hard since they are not techy at all.

    The Library proper isn’t doing it and I get that.

    Thanks for your rundown and I totally need to update not only my blog but the plugins I have from you that are so useful!

  13. I am totally confused and worried about this.

    Where do we put this and how do we make it show up on our blog? If you already answered this, I will re-read more carefully.

    What is an SSL certificate?

    THANK YOU VERY MUCH for this post. You are amazing and appreciated.

    1. Your Privacy Policy should just be a new page in your blog. Then you can add that page to your menu.

      An SSL certificate encrypts data moving through your site. It’s when your URL starts with https instead of http.

  14. Great article, Ashley. Very informative and easily understood for any niche bloggers.

    And yes, whether you belong to the EU zone or not, if you are collecting users’ data in any manner, your blog should be GDPR-based.

    And thanks for WP version 4.9.6 – it comes with new functionality for Privacy Policies.

  15. Hi, Ashley! Thanks for sharing this information with us. Very helpful. 🙂

    “If you’re using a reputable newsletter service and have always used double opt-in (where people need to confirm their subscription via email) then you already have their consent to be emailed.”

    Do you happen to know if this applies to blog subscriptions, as well? I ask because I’ll be switching from a WordPress blog to a Wix-based one soon, and there’s no way to transfer my blog or its subscribers from one web host to another without manually entering each post and the subscribers’ email addresses. Otherwise, I was planning on sending a courtesy email notifying my subscribers about the change and letting them sign up via the new web host on their own.

    1. If you’re essentially just moving people who have already opted in from one platform to another, and the thing they’ll be receiving is remaining exactly the same (blog updates), then I suspect it’s fine. I think you only need to send them an email if you’ll suddenly be sending them different content as well, or using their emails in a different way.
