GDPR Compliance. Our Official Take.

Last Update: May 23, 2018

As many of you are well aware, the GDPR is being instituted by the EU (European Union) on May 25th, 2018. After this, its new privacy and personal data regulations become enforceable under EU law.

Today I want to open a discussion on the entire GDPR, what it is, what it means to you and your business, and discuss some of the major benefits and flaws that I interpret from these new regulations. I also want to offer you some solutions that you can implement on your website.

What is GDPR?

First off, let’s discuss exactly what the GDPR changes mean to you or anyone who runs a website. The General Data Protection Regulation (GDPR) is a law created within the EU, for people within the EU, to help folks protect their data and privacy.

Here is a quote from Wikipedia, outlining the GDPR regulations.

"It addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU."

Then it goes on to state:

"Personal data may not be processed unless it is done under a lawful basis specified by the regulation, or the data controller or processor has received explicit, opt-in consent from the data's owner—which may be withdrawn at any time."

And then it is summed up:

"A processor of personal data must disclose what data is being collected and how, why it is being processed, how long it is being retained, and if it is being shared with any other parties. Users have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances."

So companies will now be obligated to provide you with a mechanism to delete personal data from within their platforms.

This is something that has conventionally been VERY difficult to do within larger social media platforms like Facebook, which has almost to a certain degree held us hostage with our personal data and has led to major issues like the Cambridge Analytica abuses.

You can learn more about the new regulations from the official GDPR website.

https://gdpr-info.eu/

It blankets all the topics relevant to it, but there is a lot of remaining ambiguity and confusion which has led to widespread discussions online between webmasters, people sharing their private information, large corporations, and legal entities across the world.

I want to cover a few of these, again though, I don't want to undermine the importance of any regulation or update. They are all very important for you to understand, and if required, implement within your website/operations.

How Does the GDPR Impact You?

This is not global legislation, but it impacts companies around the world. The US and other sovereign countries are starting to rely on the EU in many respects to lead Internet regulations to protect consumers as well as personal and private information.

Although you may be located somewhere else, there is the potential that someone on your website will be visiting it from the EU, so it automatically becomes relevant. So you could either block all EU users from your website, handle visitors from the EU differently, or you could adopt the new GDPR regulations.

I personally think that adopting these regulations for the entirety of your website is the most efficient and natural approach, and we fully support it. As a website owner, it is important that you care about personal information and how it is managed, the same way you care about how other companies use your personal data.

That is the approach all major corporations and social media platforms are following.

The Key Issues With GDPR?

There are many positives that come with the GDPR, but I have also outlined 5 core issues that I can see resulting from the new regulations implemented by the EU.

  • Billions of resources spent. According to Wikipedia (and a few other sources online), it is estimated that the average company will end up spending $100,000 getting their Privacy Policy, along with their operations, in line with the GDPR. That is not to mention people hours, which are oftentimes not tallied; there have probably been millions of hours spent on conversations by WA members alone. Although privacy is very important and it is always good to move the conversation in the right direction, that is not time well invested in my opinion.

  • Smaller companies don't have the resources to properly implement. Although it would be a nice idea for every company and independent blogger to have a legal team that can help bring their entire operations in line with GDPR, most people simply don't have access to the money or time required to implement such a stringent process. Because of this, there is going to be such a diverse set of GDPR approaches in the online world that I believe it is going to create actual confusion for the EU authorities that are hoping to implement and enact it.

  • Could Hurt Customers. Much of the personal data collected and used is for the good. Companies are using this data to make your experience much better, succinct and enjoyable within their platforms. When "fear of use" comes into play, which it does with stark warnings on websites, people refrain from sharing this information that is important to companies. As a result, user experience suffers.

  • An alternate country's regulation could create conflict. An example of this would be the FTC (United States Fair Trade Commission) creating conflicting regulation that could either mitigate, override, or even challenge some EU laws. As a company owner, blogger, affiliate... whose regulations do you follow? New Zealand has a new privacy bill that is currently working its way through government, so it will be interesting to see what sort of impact this has.

  • Ambiguity. There isn't a concise response from the EU on many issues, some of them surrounding the IP issues and whether that constitutes personal data and under what circumstances. But with a bill this size and companies operating across a breadth of different industries and using many layers of technology, data, and 3rd party application interfaces, the wording of the GDPR is getting conflated very quickly (and understandably).

With change, comes frustration. This is certainly going to be the case with GDPR and this will continue into the foreseeable future as companies try to figure out the specifics of this, and in many cases, the specifics of the data within their companies, and how to laymanize the internal processes that are sometimes complex.

What About Google Analytics (and other plugins)?

There is much dilemma about plugins such as the ones provided to you by Google Analytics, Autoresponder companies, and any other company that ends up storing what could be deemed as personal data. Let's look at a few and open the idea of WHO is actually collecting the personal data, and whether it is actually personal data.

Google Analytics. Are you storing data if you have Google Analytics in place, tracking your traffic and activity? This is where it can get a bit confusing. Since you are in essence providing Google access to your customer information, you probably want to acknowledge that in your privacy policy, but is this really personal data?

IP address surely is not a personal identifier. Nor is a referring source of traffic. An IP identifies some information about you, but there is no way to determine personal data about someone without the data from an Internet Service Provider (ISP). In other words, the ISP would need to have a data breach in order for them to be able to somehow cross-reference an IP to a person. Something that is not your responsibility.

However, it’s important to know that IP addresses are accessed by many people.

Consider a family of 4 all accessing the Internet while at home, or 1000’s of people accessing the internet at Starbucks every day through one IP address. It’s next to impossible to identify who is behind a device to personally identify them. It’s still important to disclose that an IP address is collected whether it’s personally identifying or not.

You may be logged into your own Google Account, and this information is then personal data that Google can connect to a particular user. They can match details from Google Analytics, to those of a Gmail account, or YouTube activity or absolutely any entity or search behaviors on Google's incredibly far-reaching network. This information could then be bundled for a much more granular and demographically targeted advertising experience.

But YOU, the website owner, are not storing data, certainly not personal data. And this one example is why this GDPR rollout is presenting lots of confusion.

And this leads me to...

It Won't Hurt to Mention Stuff, But Could it to Exclude?

You have a few choices, and ultimately 99.9% of the blogger world is going to be safe from this. At the end of the day, you are ALLOWED to store personal data, the EU just wants you to disclose it. And what you do with that data is also important.

I want to emphasize that companies storing people's information online is not bad, it is normal and it is required for the Internet to work, and any established company, blog, social network, to be able to operate and offer you a decent experience. It is nothing to be embarrassed about if you do store data and it surely is better to lean towards the "disclose everything even close" approach.

If you are storing someone’s email or name on your website (and in your database), disclose that you are, and where this takes place, and what you are doing with that data.

If you are using a service like Aweber to collect and store emails, disclose that to your visitors as well within your Privacy Policy, even though it is not you storing this data. Either way, in this case you would be fine, but you are better off leaning towards the "mention it if you think it might be" approach.

You likely do not have a legal counsel and if you do, they are likely going to be just as baffled as you by this.

Where Your Site May Collect Data (or have it in proximity).

There are some common ways in which you may be collecting data or performing activities on your website that result in the collection of personal data. These can/should be considerations when you go to construct your privacy policy and disclosures on your website.

Some of the common locations where personal data may be collected are:

  • Lead/Squeeze Pages

  • Comments

  • Surveys

  • Widgets/Plugins

  • Analytical Tools

  • Local Marketing Campaigns

There are others of course. As you build out your website you should make an ongoing effort to keep your website privacy policies up to date with your activities. In many cases, this won't happen very often, if at all. For other more technical and complex websites where storing personal data is required and used, you may have more frequent changes.

Removal and Export of Personal Data from your Website

WordPress has new privacy settings which allow the website owner to erase (delete) personal data related to any user. If a visitor to your website who has left a comment, or created an account with your site, wants to have their information deleted, then you have a facility to do that. Likewise, under the GDPR, website visitors can request to have their data exported and given to them, and there is also a facility to do that. We will be creating some training on this, but you can find these settings in the latest version of WordPress by clicking on:

Tools >> Erase Personal Data

Tools >> Export Personal Data

There is an email verification process that is required so that the user verifies they are in fact who they say they are. Once verified, there will be an option to EXPORT or DELETE the personal data. With the latest version of WordPress you have the data export and removal tools required to make sure you can remain GDPR compliant in a situation where a user who’s provided you with personal data wants to retrieve and/or delete their data.

Explicit Consent

A privacy policy is a great first step towards transparency for anyone visiting your site interested in how you handle data. However, those who are providing potentially identifiable data by entering an email address, name, comment, etc. need to provide you with explicit consent.

What this means is that they need to check a box before leaving you a comment, for example. This box cannot be already checked by default; they have to perform an action to check a box which will explicitly opt them into accepting your privacy policy. If they do not wish to do this, then they do not need to participate in your site.

There are many plugins out there that will add these little check boxes to your comment areas and/or contact forms, but one we found quite functional is called “WP GDPR Compliance” and it can be installed from your WP Admin area by clicking on “Appearance >> Plugins >> Add Plugins”. Do a search for “WP GDPR Compliance”, install and activate it.

WP GDPR Compliance

There are a few simple settings in this plugin that you can tweak.

The settings are found under “Tools >> WP GDPR Compliance” from your main menu in the admin area of your site. You can change the wording of your message and update the page that it points to, pretty simple stuff here to get your website requiring consent to your data storage and privacy policy before a user can provide you with any potentially identifying information or data.

Now let's talk Privacy Policy.

Your Updated Privacy Policy

I have some good news for you. First, this GDPR stuff isn't bad. It may be a little confusing, but that is simply because, as with all bloated legislation like this, there are many moving parts, and there is a lot of ambiguity in certain areas of it.

Second, I have created an updated Privacy Policy that you can use as a framework for your privacy policy on your website. We obviously cannot create a “catch all” privacy policy for millions of websites, but this is a good start. It is based on the criteria that the EU is after in terms of explaining how personal data is collected, how it is used on your website, and why it is used on your website.

Additionally, this is written in a way that a layperson can understand. No longer is the Privacy Policy supposed to be a technical document, it is a document written for the average person.

So please head over to the SiteContent => Templates section. You will see a template called Privacy Policy, which is the updated GDPR version.

Then you will want to modify this, make it your own based on the personal data you are collecting (if any) and how you are using this personal data, and publish it to your website to replace your existing privacy policy.

And as always, if you have any questions about the new GDPR updates, how it will impact you, opinions, suggestions, or insights, please leave them below.

Welcome to the new world of Internet Privacy.

Join the Discussion
Kyle Premium Featured Comment
Just as an update, the latest version of WordPress includes GDPR ready features which will mitigate any need for a plugin. You can find more details here, including how to set this up.

https://wordpress.org/news/2018/05/wordpress-4-9-6-privacy-and-maintenance-release/

This will be much preferred than using a 3rd party plugin as it is native to WordPress and built directly into the platform.
Reply
PhilipC1 Premium
Brilliant, thank you Kyle. Since all this, I got three cookie plugins and thinking which one I don't need. I guess now WordPress has a standardized way so that if we use WP, as bloggers, we are naturally GDPR OK.
Reply
bpais1 Premium
This is great, Kyle. I've got too many plugins already!

Jim
Reply
Debs66 Premium
Kyle this has worked for me and I have to admit the one I did add in was wrong and lucky for me site support as they were helping me told me that the plugin I had added in wasn't needed. I now use this one. Thank you for the update.
~Deborah :)
Reply
TitaWorks Premium
Thanks, Kyle....
Reply
ChristinaAsh Premium
ok so just so we are clear ...I now do not need a pop up cookie plug in privacy thing on my site?!? please say yes because I really really have been resisting adding this.
Reply
JerryHuang Premium
That's awesome. Thanks for the update Kyle!
Reply
SquidooSlfMstr Premium
Any tutorial on what "GDPR" settings to enable / how to enable them?

Thanks for this post, Kyle!
Reply
NWTDennis Premium
So good to hear this. Kind a makes sense that WP would help simplify the process.
Reply
SquidooSlfMstr Premium
HI Deborah:
What settings did you enable in WordPress 4.9.6? Or, did you find any tutorial on what to do after updating to this "GDPR" WordPress?

Thanks,
Charlie
Reply
Kyle Premium
WordPress just released this on the day that the GDPR was initiated. So it is here now, you can just use the natively built in function into WordPress now instead of using a 3rd party plugin.
Reply
SquidooSlfMstr Premium
So, after updating to this WP we don't have to do anything else?
Reply
Debs66 Premium
Hi, Charlie, so sorry for the late reply.
@Loes and @mozmary have also added in some extra posts on all this Gdpr. I would pass by them and check out what else they have added also. Great Ladies to follow and full of info that they share with all of us too.

~Debs :)
Reply
SquidooSlfMstr Premium
No worries!
Thanks for informing me of the "Great Ladies."
-C
Reply
VeronicasLuv Premium
I'll admit it... I just read your post.

When I first started to read it, it just seemed to be "too much" for me. But to my surprise, I was able to understand the majority of what you wrote, Kyle.

I'll take a look at the link and make the necessary changes.

I appreciate you, Carson, and the team for always keeping us informed and making every effort to make any changes that are needed easier for us to implement.
Reply
mechidor Premium
Hi Kyle,

You mean we don't need any GDPR plugin with the latest version of WP 4.9.6? I am a bit confused about this.
Reply
MozMary Premium
yep, that's what I meant by 'privacy by design' yet people like omot are still telling people to go get this plugin

btw I just got cookied into a member's WA homepage when I visited his site without accepting any cookies - spooked me as I thought I was already cookied into WA, and I didn't give consent - see how consent paranoia is taking over with the over reaction of europe

ps it's how europe defines IP address for this law, not Canada/US and they do consider it personal data - again privacy by design google chrome has an extension for that
Reply
RubyCantu Premium
Awesome. Gonna read that and implement
Reply
kevdelahaye Premium
Yep I just activated a new website and the GDPR is included in the setup automatically
Reply
NWTDennis Premium
Thank you for confirming.
Reply
marycmiller Premium
Kyle, last year this time I took a training course for my employer on digital marketing. And the gentleman running the course told us about a new regulation in Canada, that sounds similar to the GDPR, it is called CASL (I believe), and it is an anti-spamming law. It also states that to email someone you need their consent. This consent I believe if I remember right could be verbal, implied, and/or written. The consent is only good for 2 years and you have to re-do consent after that time. Again, we were taught that in order to collect email addresses we had to have a check box stating they agreed to communication from our business. I am assuming that if I put the new privacy policy on my site and include a permission check box that needs to be checked before email and personal info can be stored on the site, will protect me from both regulations.

I may not have the finer details of CASL correct, I just remember the conversation surrounding it because it was going to be a new regulation as of July 2017.
Reply
MozMary Premium
it's similar to gdpr but not exactly the same, eg the 2 years thing is not necessary to re-do consent, but certainly people don't have the right to email someone with marketing unless they consented to it - there's a number of ways to do that however, doesn't have to be a plugin. Privacy policy, yes update that. But personal data for website routine tasks and email marketing are two different things.
Reply
WriggleNose Premium
Thanks for the template. I updated my websites.

In the section regarding third parties for newsletter, I hyperlinked to the privacy policy page for my service (in my case, aWeber); since we are telling them to refer to that policy as well, I suggest others provide a hyperlink as well, so you know your readers are getting to the right place. :-)

Another tip for others with multiple websites, once I customized the new template more to my business, I saved it as a template of my own, which made it that much quicker to update my other websites' policies.
Reply
carolC2 Premium
Kyle,
I just came back online and did not know about this update to the privacy policy. Is it too late for me to do this since it was due on the 24th? I was quite predisposed with the loss of our 6 year old pup and his brother is sick now. Sorry I was not here to do this. What can I do about it now?
Carol
Reply
ChristinaAsh Premium
Just do it now, it's fine. Lots of people have not done everything now. I would suggest also checking this post out and following the links. It's been hectic and chaos here so it's kind of good that you arrived after most of the details were ironed down.
Reply
LeeMcQuay Premium
Carol, I am leaving you 3 links to training for the new GDPR.
Loes provided training on the plugin.
Marion did training on the privacy policy.
Mary provided training for Google Analytics GDPR.
I hope this helps.

I am SO sorry to hear about your pup. When they are like our family members the pain is the same when losing them as it is when losing a 2 legged family member. I hope the brother gets better.
Reply
carolC2 Premium
LeeMcQuay,
Thanks, I will follow them to see where they lead. I went to the site for doing this but was at a loss when I got there. "Not the most internet friendly person", if I get stuck I will holler!!! someone will answer from this great community. Again, thanks.
Have a great weekend
Carol
Reply
SalRobins Premium
I’m not going to delete it...yet, but I know people who have deleted their accounts and been furious at finding out their photos etc are still owned by Facebook and they couldn’t get them back.
These are interesting times.
As I’m in Aus I don’t suppose it will apply to me yet. But hopefully it will follow to the rest of the world!

I just completed my website’s About Sal post and my Privacy Policy page. My brain is fried haha!
It’s all good though. All very easy to follow and understand, so thanks!
Reply
ToLiNoLi Premium
It applies to anyone on planet earth if you collect data and an EU citizen visits your website, there is no escape. If this citizen complains about your website at the EU then you risk being put on their list and get fined... the chance is small, but would you take the risk to receive a high fine?
Reply
ChristinaAsh Premium
I heard about that which is why I have very very very few photos there .
Reply
SalRobins Premium
I was referring to being able to get all of my data back from Facebook if I delete my account as I'm outside of the EU..I understand the rest of it.
Thanks.
Reply
Vixmag Premium
Thanks for clarifying. I have installed the plugin and have the tick box above my comments box. Just wondering do we need to keep the old privacy policy as well as it says at the end -

We may make changes to our Privacy Policy in the future, however, the most current version of the policy will govern our processing of your personal data and will always be available at the following URL.

I assume we put the URL of our original privacy policy and call this one the updated version to meet new EU regulations or something? Not sure
Reply
ChristinaAsh Premium
This new privacy policy replaces the old one, leave it alone, publish it, then after it's published you can grab the URL and edit it directly from your website dashboard.
Reply
ChristinaAsh Premium
Also you should delete your old one OR copy / paste this one right over the old one .
Reply
Vixmag Premium
Brilliant thank you Christina :)
Reply
AlexEvans Premium
Hi Kyle, thanks for the definitive insights, all the online communities seem to be abuzz with everything GDPR, so much information, the good, bad and fake news.
The interesting thing is that the majority of internet users have no idea what it is all about. The legislation seems to be a bureaucrat's paradise, no one can make head nor tail of it due to its cumbersome nature, law firms are going to be in for a bumper harvest as it is bedded in and tested.
For folks that are conducting legitimate business, business as usual. If collecting data, perhaps segmenting folks who claim European citizenship could become order of the day.
Reply
Kyle Premium
This would fix the issues with media, this is geared more towards privacy. Freedom of speech and opinion is an entirely different conversation and it is far more tricky as different countries have different legislations.
Reply
Jeannah Premium
Thanks a lot Kyle for this info. It has helped me get a better handle on this GDPR stuff which I have been seeing all over the web lately. and was having a bit of difficulty understanding. This was really helpful and written in language I could understand.. I took my time and got the plugin installed successfully and my Privacy Policy updated successfully too. Glad that's done.. thanks again.
Reply
Kyle Premium
Glad I could offer you this insight Jean. :)
Reply
THuggans Premium
Thanks so much for this Kyle! I honestly have been ignoring it because I did not understand but you made it easier!

Also shout out to @loes for this plugin training program
Reply
DynamicDavid Premium
Is there a way that we can add our affiliate ID to the WA Privacy Statement at:
https://www.wealthyaffiliate.com/privacy/

Can we follow this with a_aid and our WA affiliate id?

That way, if someone visits that page from a link on our Privacy Statement then we get credit should they become a WA member in the future.

WA provide web hosting for us, and as such some data is shared, and the WP guidelines suggest that we should link to the WA privacy statement. I know it is not strictly personal data as we know it, but some of it is considered as personal data so I am erring on the side of mentioning it and be done with it approach and as you say 'but you are better off leaning towards the "mention it if you think it might be" approach.'

Thanks.
Reply
mbouteiller Premium
Well this is an interesting take. I think I like this. I'd be interested in seeing the responses.
Reply
dksomers Premium
Would it be advisable to include an Explicit Consent paragraph to the Privacy Policy as follows

Website Comments
When someone visits [YOURSITE.com], there may be an ability to submit comments on particular articles or pages. When comments are submitted, you are entitled to use aliases or information that completely hides your identity. When a comment is submitted, the relevant details (name, email, website) that you provide are stored. These details are stored so that we can display your comment back to you, and to anyone viewing the comment sections on the site. We do not verify information entered nor do we require verification. We do, however, require explicit consent.

Explicit Consent
When someone visits [YOURSITE.com], our privacy policy highlights transparency in data handling. In entering an email address, name or comment, etc., you need to provide us with explicit consent. This means that you will need to check a box, before leaving any information, thus signifying that you understand and accept our privacy policy.

Kyle, your comment would be helpful.

Keith
Reply
PhilipC1 Premium
I have a tick box on my comments but I think that is only for if people want their name and email and site address recorded but no pop up asking for consent I don't believe. If you find out, would you mind letting me know in Private Message please??

- Philip.
Reply
PhilipC1 Premium
I just went onto Live Chat to ask the same question as you.

It seems WordPress or WP GDPR Compliance plugin - whichever it was - has a tick box already by the comments section. That is enough.

Far as I CAN see we don't need to do anything further with this. Hope this helps.
Reply
borisxy Premium
Thanks, this is very useful. What about subscribe forms such as feeds or follow by email? This information is collected by 3rd party services, not by the website directly.
Reply
PhilipC1 Premium
That info should be covered in Kyle's Privacy Policy template in Site Content. It details what these plugs etc. do with such info. It states the users can check out their privacy policy page to know more. It's not our responsibility what these other agencies do with this info - best to my knowledge.
Reply
dksomers Premium
Kyle,

After all the hand-wringing and lack of info from here and there---I knew you would come through for us. You and your WA Team are our authority figures.

If anything else pops out of the woodwork, I know you will check it out and then pass it on to all of us! Sometimes life gets tedious, but usually the best thing to do is to keep heading toward the goal.

I will return to your post in the morning and do my part when I am fresh. Thank you for your hard work to bring this help forward for us to understand and use!

I guess that there will be 10's of thousands of keyboards clattering before midnight Friday, May 25, 2018.

Goodnight, Kyle
Keith
Reply
Kyle Premium
There are 100's of millions of keyboards clattering, many of which are going to be implementing things that could stifle consumer activity, without truly offering that additional layer of privacy to consumers.

All of the websites that are operating are operating in the same sort of way, there are just going to be consent hurdles all over the internet now that are going to become a nuisance if anything.

I am all for privacy concerns though and there is a lot of good that has come out of this, in particular the discussion about privacy.
Reply
ToLiNoLi Premium
Thanks Kyle,

This is one of the reasons Wealthy Affiliate is the number one University out there, as you really care about our businesses and are taking the time to help everyone out. Bravo!

I like to add to this blog that it also counts for anyone who collected data from EU citizens before this new GDPR regulation takes effect.

What is your take on those businesses saying they simply block EU citizens from accessing their websites? If an EU member would use a VPN, these businesses would still be affected, right?

Stefan, ToLiNoLi
Reply
SalRobins Premium
Thanks Kyle. As a newbie to all of this, considering a Privacy Policy and EU regulations hadn’t even entered my head!
This was very easy to read and understand, so I’ll have no problem with adding what you’ve suggested to my brand new website.
I’ve never had my own website before, so I’m finding all of this privacy and legislation speak a bit daunting!
Having said that, I agree with the EUs new regulations and it’s good that the rest of the world are following.
Does this mean that I’ll be able to demand that all of my information be returned if I delete my Facebook account?
Reply
sheikave Premium
Not at all think of it, a general update of we uses our visitors' data. There are some simple rules that you can find online.
Reply
Kyle Premium
This definitely does mean that you can demand all of your account information from Facebook if you are located in the EU. I believe Facebook may be allowing all users this access and the right to be forgotten as well.

The GDPR applies to people within the EU, which has created even more confusion here as most companies have found it easier just to comply with these regulations and adopt them for everyone.
Reply
GiuliaB Premium
Kyle, as ever, thank you so much for providing us functional tools to make the upgrade to GDPR compliance less scary. If I may just mention one thing, I wish you'd posted all this a few days ago, rather than less than 24hrs (UK time) to kick off time. But hey, tomorrow I shall roll up my sleeves and get to work.

Giulia
Reply
Kyle Premium
There have been plenty of discussions taking place and I wanted to wait to fully form my position and overview. You have lots of time though; although this is implemented tomorrow, you will have time to implement this.
Reply
tommo1968 Premium
Thanks guys for the help in sorting out this ambiguous problem.

I was on Aweber today looking at what they are saying and it seems unless you can prove that a subscriber used a double opt in and consented to being on your list you may be forced to remove them.

This is normal practice for web forms etc. as that's how it works, but if importing lists collected on other platforms you need to be sure your subscriber opted in properly.

I don't know how they would police all this data. I suppose it will take a subscriber complaining to put focus on you, so is it worth it?

It is also not responsible for us to assume Aweber and other platforms will do the GDPR policy for us, as it's a joint venture: we are the data controllers using them as data processors, so in essence we need to be vigilant.

Under the terms of GDPR we need to be able to contact our subscribers if a breach of data happens. So make sure you backup your lists and secure them properly under GDPR guidelines.

The work of an online marketer never ends......:(
Reply
carpediem1 Premium
Thanks for the update Kyle. Even though I am glad you are updating the privacy policy, I think you are wrong in assuming that IP addresses in general are not considered personal data in the EU.
The European Court of Justice has declared in 2016 that not only static but even dynamic IP addresses are personal data.

Hosting providers in Germany need to offer order data processing contracts for website owners as they are backing up the websites.
I would be really glad if you would look into this once again because we Europeans need to be able to show a contract with our hosting company if our data inspectorate is asking us. If we can't show one, we will get fines.
For us here in the EU there is lots of work to do to make our website "secure". We need to have a contract with Google and our auto-responder (aWeber is not up-to-date yet. So far only Mailchimp and Getresponse offer a contract).
Concerning Analytics: IP addresses need to be shortened (anonymized) before being transferred to Google. You can't even use the common Social Share Buttons any more because they transfer data to Social Share Companies before the website visitor can opt-out. And yes - we need to give the visitor an opt-out opportunity.
In short, as I have been working on this stuff for over 2 months now, I really would be glad if we could have a contract with WA as our hosting company just to make sure we can show this to our authorities.
Thanks so much in advance

Sibylle
Reply
Kyle Premium
We will investigate this.
Reply
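Added example, not part of any comment in this thread and not code from Google or from any plugin named here: a sketch of what "shortening" an IP address before it is stored or passed on can look like. It assumes the common truncation scheme (zero the last octet of IPv4, the last 80 bits of IPv6); all function names and the sample log lines are constructed for illustration.

```javascript
// Assumption: truncation = zero the last IPv4 octet / the last 80 IPv6 bits.
// Function names are hypothetical; sample data is constructed.

// Returns four octets, or null if the text is not a dotted-quad IPv4 address.
function parseIPv4(text) {
  const parts = text.split(".");
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^(0|[1-9]\d{0,2})$/.test(p) ? Number(p) : NaN));
  return octets.every((o) => o <= 255) ? octets : null;
}

// Returns eight 16-bit groups, or null if the text is not a valid IPv6 address.
function parseIPv6(text) {
  const halves = text.split("%")[0].split("::"); // drop any zone id (%eth0)
  if (halves.length > 2) return null;
  const compressed = halves.length === 2;
  const head = halves[0] === "" ? [] : halves[0].split(":");
  const tail = compressed && halves[1] !== "" ? halves[1].split(":") : [];
  // An embedded IPv4 tail (::ffff:192.0.2.1) occupies the last two groups.
  const lastPart = compressed ? tail : head;
  const last = lastPart[lastPart.length - 1];
  if (last !== undefined && last.includes(".")) {
    const v4 = parseIPv4(last);
    if (!v4) return null;
    lastPart.splice(-1, 1, ((v4[0] << 8) | v4[1]).toString(16),
                           ((v4[2] << 8) | v4[3]).toString(16));
  }
  const given = head.length + tail.length;
  if (compressed ? given > 7 : given !== 8) return null;
  const groups = [...head, ...Array(8 - given).fill("0"), ...tail];
  if (!groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

// Returns the truncated address, or null when the input is not an IP address.
// Callers must not fall back to the raw value when null comes back.
function anonymizeIp(text) {
  const v4 = parseIPv4(text);
  if (v4) return `${v4[0]}.${v4[1]}.${v4[2]}.0`;
  const v6 = parseIPv6(text);
  if (!v6) return null;
  // IPv4-mapped IPv6 (::ffff:a.b.c.d) is an IPv4 client: truncate it as one.
  if (v6.slice(0, 5).every((g) => g === 0) && v6[5] === 0xffff) {
    return `${v6[6] >> 8}.${v6[6] & 0xff}.${v6[7] >> 8}.0`;
  }
  const kept = v6.slice(0, 3); // first 48 bits; the remaining 80 are zeroed
  while (kept.length && kept[kept.length - 1] === 0) kept.pop();
  return kept.map((g) => g.toString(16)).join(":") + "::";
}

// Rewrites the client-address field (first token) of an access-log line.
// An address that does not parse is replaced by "-" instead of being kept.
function anonymizeLogLine(line) {
  const space = line.indexOf(" ");
  const field = space === -1 ? line : line.slice(0, space);
  const rest = space === -1 ? "" : line.slice(space);
  return (anonymizeIp(field) || "-") + rest;
}

// Constructed sample lines using documentation address ranges.
const SAMPLE_LOG = [
  '192.0.2.147 - - [25/May/2018:09:14:02 +0000] "GET /privacy-policy/ HTTP/1.1" 200 5120',
  '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [25/May/2018:09:14:07 +0000] "GET / HTTP/1.1" 200 9811',
  '::ffff:198.51.100.23 - - [25/May/2018:09:15:40 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0',
  'not-an-ip - - [25/May/2018:09:16:01 +0000] "GET /feed/ HTTP/1.1" 200 2048',
];

function anonymizeSample() {
  return SAMPLE_LOG.map(anonymizeLogLine);
}
```

The truncated value still places a visitor in a network range, so it reduces what is held rather than making the record anonymous in every sense.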
Chrissies Premium
Thank you so much for removing some of the mystery about GDPR Kyle.

I installed the plugin which you recommend, but it does not seem to add boxes to my Aweber contact form or to my Sumo banner at the top of the page, do you know if it will do that please?

Also in the plugin there is a section that I really do not know what to do with.
I am enclosing a screen shot of it if you have the time to look at it.

Many thanks again

Chrissie :)
Reply
TanjaRita Premium
I didn't activate that page (checked off in the screen shot). I'm curious to see what Kyle or anyone else has to say about that.
Reply
Chrissies Premium
Me too Tanya :)
Reply
Chrissies Premium
Hi Tanya
I've just found a new training by Loes which shows exactly what to do with that page:
Reply
TanjaRita Premium
Thanks, I will take a look at that.
Reply
jenni1309 Premium
I have a lot of things I don't understand about this whole thing and then there's GDPR Compliance topic. However, I don't worry a bit knowing that Kyle and the entire WA team, not to mention other expert members here are always there to provide the right guidance. Thank you for this Kyle!
Reply
nightwatch Premium
I wonder how these consent measures will affect the number of comments we'll now receive on our sites and the number of people who'll sign up on our squeeze pages.

While the WP GDPR Compliance plugin addresses the consent issue on leaving Comments, a different approach will have to be taken if we're using 3rd-party tools or services to build our squeeze and landing pages.

Theoretically those product and service creators should be implementing GDPR into their offerings but there's no guarantee they will.

What if a squeeze page service provider decides to limit signups to non-EU citizens because there's a generally low percentage of subscribers from the EU and it saves their company money by not implementing GDPR compliance?

But as a list builder, a lot of my subscribers might come from the EU. Would I then be forced to switch to using a tool that is GDPR compliant and have to rebuild all my squeeze pages in that tool as well so that those pages are GDPR compliant?
Reply
Kyle Premium
It will impact comments, I bet more so when people first add these measures. The thing is, many people are running sites with MOSTLY US visitors/customers. This is going to impact everyone, in an adverse way, including the visitors of a website.
Reply
smokeywins Premium
Thanks for the clarification Kyle! I must admit trying to figure out how to be compliant with GDPR has been somewhat of a headache. Now I think I'm finally in compliance so I can get back to work :-)
Reply
dcart87 Premium
How do we remain compliant in regards to 'cookie consent' plugins?

Pretty much all of the implied consent ones are no good now, since users have to opt in to say that they agree to Google Analytics tracking and other non-essential cookies before they fire.

I've found one called CookieBot that's supposed to be compliant. But setting it up is beyond my technical knowledge. It needs scripting changes and other things I can't learn by myself.

Is there a simple solution?

(I'm guessing not because 3rd party cookies need to be blocked first by default).
Reply
Kyle Premium
There isn't a simple solution and if "consent" was required for any piece of data a user shares on a website, no website would actually be able to operate. You are collecting that data before ANY consent (IP, geographic location, etc). It would break the Internet and I think there has to be a level of "let's be somewhat reasonable" that comes into play.

The GDPR official website wouldn't be able to load without consent, proving case in point that this level of broad spectrum language will not work.
Reply
TonyMonzon Premium
Hi dcart87,
I would probably disable those plugins until you can find a solution. Or you can hire a coder that can add those functions.
Hope this helps.
Reply
dcart87 Premium
I used the developer tools in Chrome and it looks like Google Analytics is the only third-party cookie operating on my site.

So I've deleted the tracking code.

As far as I know, you don't need to state that your site uses essential first-party cookies - or seek an opt-in.

I've updated my Privacy Policy to reflect this.

So, problem solved?
Reply
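Added example, not part of any comment above and not code from CookieBot or any other plugin named in this thread: a sketch of the opt-in behaviour dcart87 describes, where non-essential scripts are blocked by default and only start once the visitor has agreed to their category. The class name, storage key and category labels are hypothetical, and the demo uses an in-memory stand-in for the browser's localStorage.

```javascript
// Hypothetical names throughout; this is an illustration, not a plugin's API.
const CONSENT_KEY = "site_consent_v1"; // hypothetical storage key
const ESSENTIAL = "essential";

class ConsentGate {
  // storage: anything with getItem/setItem/removeItem, e.g. window.localStorage
  constructor(storage) {
    this.storage = storage;
    this.queue = [];          // loaders held back until a decision is made
    this.started = new Map(); // id -> category, so nothing fires twice
  }

  // Categories the visitor opted in to. A missing or corrupt record counts
  // as "no consent": the default is always blocked.
  grantedCategories() {
    try {
      const record = JSON.parse(this.storage.getItem(CONSENT_KEY) || "null");
      return new Set(record && Array.isArray(record.categories) ? record.categories : []);
    } catch (err) {
      return new Set();
    }
  }

  isAllowed(category) {
    return category === ESSENTIAL || this.grantedCategories().has(category);
  }

  // Register a script. It runs now only if its category is already allowed;
  // otherwise it is queued and nothing is requested from the third party.
  register(id, category, load) {
    const entry = { id, category, load };
    if (this.isAllowed(category)) this.run(entry);
    else this.queue.push(entry);
  }

  run(entry) {
    if (this.started.has(entry.id)) return;
    this.started.set(entry.id, entry.category);
    entry.load();
  }

  // Called from the banner's "accept" handler with the boxes the visitor ticked.
  grant(categories, when = new Date()) {
    const merged = [...new Set([...this.grantedCategories(), ...categories])];
    const record = { categories: merged, at: when.toISOString() };
    this.storage.setItem(CONSENT_KEY, JSON.stringify(record));
    const ready = this.queue.filter((e) => merged.includes(e.category));
    this.queue = this.queue.filter((e) => !merged.includes(e.category));
    ready.forEach((e) => this.run(e));
  }

  // Withdrawing stops future loads. Scripts that already ran cannot be
  // unloaded, so their ids are returned for cookie clean-up and a reload.
  withdraw() {
    this.storage.removeItem(CONSENT_KEY);
    return [...this.started]
      .filter(([, category]) => category !== ESSENTIAL)
      .map(([id]) => id);
  }
}

// Browser-side loader: the <script> tag is injected only when it is called.
// Usage (placeholder URL): gate.register("analytics", "statistics",
//   scriptLoader("https://analytics.example.invalid/tag.js"));
function scriptLoader(src) {
  return () => {
    const tag = document.createElement("script");
    tag.src = src;
    tag.async = true;
    document.head.appendChild(tag);
  };
}

// Constructed demo with an in-memory stand-in for localStorage.
function memoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
  };
}

function demo() {
  const fired = [];
  const store = memoryStorage();
  const gate = new ConsentGate(store);
  gate.register("session", ESSENTIAL, () => fired.push("session"));
  gate.register("analytics", "statistics", () => fired.push("analytics"));
  gate.register("share-buttons", "marketing", () => fired.push("share-buttons"));
  const beforeConsent = [...fired];
  gate.grant(["statistics"]); // visitor ticks only the statistics box
  const afterConsent = [...fired];
  // Next page view: a fresh gate reading the same stored decision.
  const nextFired = [];
  const next = new ConsentGate(store);
  next.register("analytics", "statistics", () => nextFired.push("analytics"));
  next.register("share-buttons", "marketing", () => nextFired.push("share-buttons"));
  const toCleanUp = next.withdraw();
  return { beforeConsent, afterConsent, nextFired, toCleanUp,
           stillAllowed: next.isAllowed("statistics") };
}
```

In a real page every non-essential tag has to be registered through the gate; a tracking snippet left in the theme's header still fires before any choice is made.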
MozMary Premium
DEFINITION OF PERSONAL DATA
There is an official definition of personal data which is a list and IP address is stated as personal data there, same as name and surname - it's how they define 'personal data' and IP address within GDPR that counts, so how you interpret it may not be correct under some interpretations I've seen where it is a vital piece of the jigsaw in identification and within their official definitions, however the good news is this:

PRIVACY BY DESIGN!!!

HOWEVER something people are not spotting in the legislation is 'privacy by design', so while we are being told we need to anonymize IP address within GA by many people out there the truth is that would be forcing us all to take advanced Google Analytics classes when really Google needs to do that on the back end - half of the moves being played right now are to protect Google and not comply with GDPR

People are selling a lot of pro plugins on the back of that issue alone, unnecessary, and also people are saying the only other route is to use a popup so people consent to analytics before the site collects their data via Google Analytics - again that is Google's problem, not ours, but if we aren't aware then sure Google will pass that one on to us!

Again they are missing out on another vital piece of info within the legislation that states we can use what we need, consent does not always have to be explicit and there's a difference in the type of personal data we collect, e.g. sensitive and non-sensitive data

Same with the plugin you recommend, it should not be necessary imo and of course that is just my take on this, but back to privacy by design, all plugins will become GDPR compliant by design, that includes the autoresponders, the Contact Form 7, etc., and WordPress should have put a tick box on there if it was necessary on the comments too.

S-P-A-D to be GDPR compliant

SECURITY: people need to demonstrate they are on top of that - it is in the training here - Change Admin to a name in your WP, you've got SiteProtect, SSL certs, you need to keep updating your plugins and themes and WP as those become available.

PRIVACY: as well as privacy policy - which is clear on what data is collected and what it is used for, i.e. cookies, we are aware in WA not to use other people's photos in screenshots; also go up a gear with that now to protect all personal identity when it comes to names, etc.

ACCOUNTABILITY: you have to be able to demonstrate this if someone makes a complaint against you - it is easy - you have a security plan in place and that covers data breach though honestly you are not hanging onto sensitive data anyway.

- You are also taking part in a WA platform process to become GDPR compliant, record any steps you have taken on this, including this discussion on Kyle's post and what's recommended unless you've got alternatives you are happy with.

DATA: This is where consent goes to a whole new level, this is why new tick boxes are appearing, people can consent to something on your website yet not consent to being on your mailing list, and need to be able to opt out easily.

- And the rights of people to ask you to delete, amend, and hand over any personal data are now possible. They are in the Export data tools added to the new WP.

- And a big area of concern for bloggers here is the interpretation of 'data portability', let's keep it personal, some people want that to be all data ever submitted but no, that may be necessary for big organizations with sensitive data but we need to focus on personal data there. Why would we export someone's shopping list or comments over the last 10 years, that's not personal data, unless WP is geared up for that good luck with that, I'm taking a stand.

- affiliate programs, some of mine will pass on an email address when someone buys a package - that person did NOT opt in or consent to being on my email list but I have their address; in the past it would have been a no-brainer to stick it on, but not anymore! - NO - that person bought a package; they would need to tick another box or give consent in some other way to be on my mailing list now

*they never did solve the whole cookie pop up issue in Europe, I've had years of seeing websites respond in varied and crazy ways, some people are trying to deal with that now this time round in this new sweep because they know we have cookie pop up fatigue, that said, Google Analytics are trying to bring out yet another one!

We do have to know the basics of this law or else we will get pushed this way and that and we do need to draw a line in the sand here and there as bloggers when this is being ironed out mostly for big corporations with the big money. And I got an email yesterday from a WordPress blogging community who kept flashing 4% and 20 million dollar fines - that is absolutely ridiculous and hype, so I welcome a more relaxed view towards IP and GDPR but a couple of things still to look at imo.
Reply
Kyle Premium
Well articulated here Mary.

Though much of the GDPR is presented as a structure, some of these structures they have created for arguments have been set out not to tackle small companies or independent bloggers online.

Rather, these new legislations have given authorities a vehicle to go after the larger corporations that have been wildly using our data (and have only been giving us very abstract knowledge about this).

The IP issue and that alone being personal identifying data will be challenged fiercely and won by every company that challenges it. It is no different than saying "blue coat" or "apple computer" is an identifier. They are not, without supporting and relevant personal identifying data like name, like email, or address.

Fines will come, to some. For most, they won't. The reality is most people are not misusing personal data, and most operating within the online world aren't directly storing or processing it. These operations are being done through 3rd party agencies.

The internet consists mostly of anonymous data and from a consumer perspective, the best and probably only way to combat privacy data will become our inability to operate anonymously online.

It always concerns me when large agencies have conflicting reports, whitepapers, and press releases about "regulation" and how to comply with that, with conflicting ideas. This to me tells me that the entire GDPR legislation has yet to be properly hashed out.
Reply
MozMary Premium
yes, it's not at all ironed out for us as bloggers and affiliate marketers, and we've got to protect our corner or potentially get squashed by legislators not thinking it through for us

yes they are saying there's going to be a settling period with it all and I'm already seeing quite a bit of 'interpretation' and 'argument' when it comes to applying it

as for IP address you could equally argue that name and surname is not an identifier, how many people have the exact same names! So I can't distinguish IP from name and surname or from email address or postal address - each one of these stands equal on their list of 'personal data' - but like you said, breaking the internet by getting too prissy about 'the law' is an issue too. And we've got to also look at forms of consent and Google's responsibility in privacy by design

the biggest potential problem is the visitors getting the wrong end of the stick and demanding rights they think they have or need, when really nothing has changed on our end, like you say - it's mostly other types of marketers and biz they are trying to make behave with this one, unfortunately many of those are our affiliate programs who are very aggressive in their marketing and who have got round all this very easily already with their barely visible check boxes!
Reply
Kyle Premium
Exactly, you could argue that an address is not an identifier. There are usually multiple people at an address. I guess their current stance is that any data that you offer up, whether automatically from your IP, geographic area, or physically enter, is grounds for personal data.

Together, they can be yes. But independently, things like IP are not. Think of a coffee shop, or a football stadium. Quite likely they are all on the same IP, but surely that ONE IP couldn't alone be a piece of data that is an identifier or something that a blogger has to declare that they are collecting.

I think that is where you are going to see some resistance built, as it doesn't make sense. If this is a consent issue as well, this will actually break the Internet.
Reply
MozMary Premium
The privacy policy example that I gave in my blog from Thought simply declares where they are collecting data and why, a bit of a cookie audit as to where info is being collected is all we need, so they state they are using GA but no need to anonymize IP [unless you are trying to flog a pro premium plugin lol] and now Udemy is coming out with the same advice, just state you are collecting that info in your pp, so the majority of bloggers will be sticking together on this point unless there is an ulterior agenda at play like the plugin selling feeding frenzy out there

Some will argue out there in Google land but truth is it is up to Google to anonymize IP addresses for Europeans on the back end, they are the ones who need to be GDPR compliant there for the privacy by design aspect now built into the regulation, IF it is necessary at all, as we do not need explicit consent for everything.

However if you argue on raw definitions we can't really unpick what's in the list on their official website, just that it has to be handled properly.
Reply
ChristinaAsh Premium
I really want to know if I need the pop up cookie notifier on my site. I am really trying to stay away from pop ups so if I can just put it somewhere easily found then I would be thrilled. I have the comment thing in place and my privacy policy. I am beginning to wonder if I should just widget in a new post at the top of my page and put literally everything that collects data in there, make a note on my home page to see said post and call it a day ... I don't want pop ups.
Reply
TedP Premium
Hey Kyle,

Once again, you and Carson have come up with solutions to issues that so many of us need help with. I am a total newbie when it comes to anything involving websites, but I am learning each day. I am not a fan of the EU at all. I think their policies and open border enforcement have virtually destroyed every country in Europe that became members. I do not believe that any country let alone group of countries have the right to try to force their laws on another country.

In this case with the internet expanse far beyond the borders of countries, and when it comes to personal privacy, I totally understand the needs of the individuals to be able to control as much of that information as possible. But, the EU as usual creates a law with the intent to help, that has the potential to destroy entire companies because of the cost to comply. As usual with a progressive, liberal or socialistic mindset, they never look at the consequences of their actions, because in their view they know better than everyone, and "the ends always justifies the means", no matter what the cost.

Those of us here at WA are fortunate that we have the leadership and membership to lean on in order to help us comply with what otherwise would be cost prohibitive.

All I can say...is thank you!!!!!!
Reply
Kyle Premium
I would agree that their policies can be frustrating because of the broad scope in which they operate, but they are putting these in place to protect consumers which is good.

But in doing so, many of these GDPR like updates can actually hurt the internet, and the way in which we operate as consumers. There may reach a time when we have alarms going off with every click, because of the idea of consent. This is going to be frustrating to an end user.
Reply
TedP Premium
I understand the goal of protecting consumers, the only issue is the same liberal reaction to any issue, they never ever think things all the way through. They never consider the consequences of the actions they take. Which makes me feel sorry for all those that cannot afford to go through the increase in cost, because a group of mindless want to be "do gooders" have zero vision...
Reply
TedP Premium
Sorry if I sound a little disgruntled, but facts are facts...I am just so glad to be a part of the WA Community, where we have members and leadership to help us navigate through such issues as this.
Reply
TNewkirk Premium
Thank You, Kyle, As I am a "newbie" I have been very confused regarding this issue. My one question is: As a "newbie" I do not as yet offer a newsletter nor do I have an autoresponder provider on my website. In the updated privacy policy how do I address this?
Reply
Stella2 Premium
Hi there; the common advice has been to leave that section out until when/if it is relevant for your site.
Reply
PetraT Premium
I just left out the bits that don't apply and just have to remember to add them later if I need to.
Reply
PetraT Premium
You beat me to it ☺
Reply
TNewkirk Premium
Thank You. I thought maybe that was the way to do it but I wanted to be sure :)
Reply
TNewkirk Premium
Thank you. It's nice to get the same answer to a question from several people. That way I know I must be headed in the right direction :) I will do that!
Reply
Stella2 Premium
haha. It never hurts to hear more than one voice on a topic. :-)
Reply
Stella2 Premium
You're welcome! :-)
Reply
PetraT Premium
True ☺
Reply
PetraT Premium
You're welcome ☺
Reply
4veeq Premium
This GDPR is just whack. Every site will adjust their privacy to it and all. Every person who is visiting any page must agree on them to even view the insides. So what is that law for? Can't they make a general law that informs you that, if you go on a page, the admin can do this and that with your data, what the admin is responsible for, and ways to delete your data from the website?
Reply
Kyle Premium
That is the concern. There needs to be a centralized internet watchdog that creates this sort of regulation, not independent countries or unions.

At this point, one could avoid these by blocking the EU from visiting their websites, which could devastate the exact consumers in the EU that they are looking to help/protect.
Reply
judebanks Premium
Thank you, Kyle. One question about the Comment plugin you mention. The WP update includes GDPR tools, one of which is a new tick box at the bottom of the comment form and a statement:

"Save my name, email, and website in this browser for the next time I comment". I suppose when that is ticked, it is taken as consent to retain their information?

(This may not show up with some comment reply plugins until those plugins are updated too. )

If that statement appears, is the comment plugin you recommend also necessary? ~Jude
Reply
Alan Hocking Premium
Good question Jude

Mine shows the comment form statement so I haven't installed that plugin as I see it as already covered in the latest WP update.

In fact if you install and activate that plugin you get 2 tick boxes under the comments which seems a bit overkill and totally unnecessary.

It'll be interesting to hear what Kyle's view is
Reply
judebanks Premium
It is not showing on my site - I think because I am using a comment reply plugin that has not been updated. I've left a message for the reply plugin developer to ask if she will be including the GDPR tick box.

But, yes, I asked this question because it seems WordPress has provided this as one of the GDPR tools. ~Jude
Reply
Alan Hocking Premium
That's probably why it's not showing if your plugin hasn't been updated

I don't use any plugins just the WP default comments module and mine shows up perfectly

There's a screen shot on my post here:
Reply
PatsyC Premium
Hi Jude, I don't have that one on my website and maybe it is because I have a plugin that notifies of my reply to them.

I have been thinking of deleting that plugin and now wonder if I did, that check box will appear and I won't need the new one I installed that Kyle left us.
Reply
Alan Hocking Premium
Just try deactivating the plugin and you will be able to see Patsy

Note: the check box only shows up when you are logged out of your site
Reply
PatsyC Premium
Hi Alan, I was just going to reply to yours.

I was logged out when I checked but will deactivate the plugin as you suggested to see thanks.

I went to your post and prefer that over the one I have now thanks!
Reply
Alan Hocking Premium
Yes I think it's cleaner and will cause less problems with people not wanting to click the check box
Reply
PatsyC Premium
I deactivated both, the one I had and Kyle's.

There is nothing there now. I don't have the one you show in your new screenshot.

Should I not have that seeing it's updated to be there with the WP update?
Reply
PatsyC Premium
I just had an idea.

We can change the wording on the plugin Kyle left us which I did already, but will go back and use what is in your screenshot instead. Then will periodically check just in case that box does appear then I can delete Kyle's suggested plugin.
Reply
Alan Hocking Premium
Make sure you check when you are logged out of your site because the WP default one doesn't show if you are logged in

When I had Kyle's plugin activated I had 2 boxes so I just deleted the plugin and everything is fine
Reply
PatsyC Premium
Hi Alan, I did check. I was logged out and Google searched my website to see.

I made sure there weren't 2 boxes, but will keep an eye on it in case the WP default one comes up.

Thanks for your help!
Reply
Alan Hocking Premium
You're welcome :)
Reply
jvranjes Premium
Are you sure that the two checkboxes have the same meaning? The text they show is different.

On the other hand, the plugin gives a few other things that seem to be compulsory, like adding some items in Contact Form and in some other places. Also it allows you to add a widget which people can use to request their data.

So are you sure it is not necessary? I would rather not have it, but ...
Reply
Alan Hocking Premium
Good points

You can set the text to anything you want in the plugin; the default is just a suggestion. I think the default WP version is easier to understand for the average person visiting my site

I'm sure any contact form plugins will have that feature soon and in the new privacy policy template in Site Content you tell people to contact you if people want their data removed which is very easy to do with the new privacy settings in the latest WP update.

I'm still waiting for Kyle to give his opinion but I'm not using the plugin for now
Reply
jvranjes Premium
OK, thanks. I think I shall also wait with it.
Reply
Alan Hocking Premium
You're welcome :)
Reply
jvranjes Premium
I just checked, the Contact Form is updated, it has Name as a new compulsory box, no checkbox.
Reply
Alan Hocking Premium
Ahh okay I hadn't noticed thanks for pointing it out Jovo

Wasn't it always a compulsory field?
Reply
jvranjes Premium
Actually I am not sure, perhaps you are right. They updated it these days, so I thought the Name was new just like in the Comments where it is now compulsory, and it was not there as I remember.

There is no option to remove it (in Comments) so it is annoying for visitors; we are forced to collect data which we do not need. Simply absurd. The best protection of data is not to collect them, and that's it.

So perhaps they might still make another update for that checkbox in Contact Form. I want to avoid the plugin.
Reply
PatsyC Premium
Hi Jovo..interesting.

They do have a different meaning. I went and changed the plugin one to the wording WP uses since it seems 'easier' for the visitor to understand. I'll change it back just in case.

I don't understand why I didn't get the default one from the WP update.

I'll keep an eye out for it.
Reply
PatsyC Premium
I was just thinking, both are from WP. The default one and the plugin so they may be the same? Why have 2 different meanings?
Reply
jvranjes Premium
You have the default one, must go incognito to see it. I told this yesterday to Loes in her training so after she checked she realized she had two checkboxes.

But this is overkill. I did not install the plugin and this will remain so for now.
Reply
jvranjes Premium
No, the plugin is not from WP but it is a WP plugin, almost all plugins have independent authors.
Reply
PatsyC Premium
Hi Jovo, I do?

Thanks for checking!

I did check in incognito so why don't I see it?

The plugin has the widget we add to our sidebar that Loes showed us in her training.
Reply
PatsyC Premium
Thanks for clarifying that it's not from WP Jovo :)
Reply
jvranjes Premium
I assume you have updated WP, if so then there is a checkbox under the Comment box. So this is from WP, not from the plugin. You can see it in the screenshot I showed to Loes in her training.

Yes, the plugin allows you to add a widget, but the question is if you really need this as Alan rightly says.
Reply
PatsyC Premium
Hi Jovo, I did update it, otherwise I wouldn't have the GDPR features like their PP template, the 2 additions to Tools>export, etc.

I read that other members didn't get the default comment added either but not sure if they checked incognito.
Reply
jvranjes Premium
Well, I cannot know what you have. But I have checked in all my sites with all WP updated and found out that 2 of them do not have the checkbox while they have the other new features, so I have no idea why this is not working properly. But I did check incognito so this is it, very strange.

Would you mind letting me know if you find out how to fix it?

I guess the plugin suggested by Kyle is a fix. Perhaps I shall use it in those two sites only.
Reply
PatsyC Premium
I left you a PM.

OK, so you have the 2 sites without.
Reply
jvranjes Premium
Yes, it is so. I was not aware of it. Those are abandoned sites which I rarely check but will have to correct this issue.
Reply
laurenjean Premium
Hooray!! Thank you so much, Kyle!! I knew you would create a new Privacy Policy for us. I only got started on GDPR Compliance this week and I had no clue how to re-write my Privacy Policy - even with the Template given to us in the latest WordPress update. You ROCK.
Reply
ThankfulOne Premium
Thank you, Kyle. I am one who cares not what the GDPR regs wish to implement. I am not going to acquiesce to their request just as the pirate code implies...because this is a pirate perspective. Good grief. Really? I do not have to do business with those who claim GDPR, nor do they with me.
Reply
bpais1 Premium
Thanks, for the clarification, Kyle.

I have been doing a trial run using Clicky, which required me to update my privacy policy to include:

"We use Clicky to log and analyze the traffic to our web site. You may review Clicky’s privacy policy at http://clicky.com/terms/privacy. A “Unique ID” tracking cookie is used for the “legitimate purpose” of identifying unique visitors, but otherwise no “personal data” is logged."

A question about the WP GDPR Compliance plugin:

I understand that it will add a check box for organic comments but, how about comments in the SiteComments platform? Will WA folks have to check a box to comment on my webpages?

Looks like my 90% for plugins in my Site Details will be dropping a notch...soon...unless somehow, it can be eventually internalized through my theme or WordPress!

:-(

Jim
Reply
Kyle Premium
SiteComments is independent. These comments we created from within our platform, which would put it under the ruling of our privacy policy in terms of sharing details with 3rd party entities, which would then fall under your privacy policy, which should cover website comments.

Confusing, but that is how these regulations have been implemented.
Reply
hugh9905 Premium
Thank you for keeping us updated, Kyle.

There is a post by WPBeginner site which mentioned breach notification and data protection officer are also the requirements of GDPR. A data protection officer might not be required for most of the folks here, though. :)

Out of curiosity, I was wondering how EU governments will enforce the GDPR. Do they hire people to audit sites or use bots like Google bots to crawl and audit sites?

BTW, there is an annual ISO audit coming in the next 2 weeks at work so I'm all prepped for the red tape. :)

Hugh
Reply
Kyle Premium
You are the data protection officer, but an actual entity within your company is not required. This is included in the privacy policy update, but it is as simple as adding your first name/email, there.

As for enforcement, it is going to be next to impossible and they surely are not going to waste their time on the little guy that is not actually collecting or reusing meaningful data.

From my experience regulatory entities create new laws like this when they want to secure a means of going after those that are clearly breaking the rules (and are unscrupulous companies).
Reply
hugh9905 Premium
Thanks for the clarification, Kyle.

Hugh
Reply
phakacha8 Premium
Kyle,
You've made GDPR very simple. This has brought some relief on the weeks-long buzz that flicked a pint of Fear & Anxiety to all of us here at WA.
But whatever had transpired in the matter is FANTASTIC because one never loses in learning more.

As website owners, we should keep learning more and be in control of the things happening around us and WA is SUPRA active in this regard with the latest trends.

I congratulate all members who had shared on this.

I made a blog today trumpeting to every member to be on board.

Kudos to the New WA Privacy Policy.
Keep rocking.
Reply
Kyle Premium
I agree, there have been some amazing conversations here within the community about GDPR and I have really enjoyed keeping up with them and in many of them, being very much involved.

We can tackle new changes like this much better as a community than trying to take them on independently.
Reply
phakacha8 Premium
Yes, that's awesome. We can always stand together for a good cause like this.

Thanks for your prompt reply.
Have a wonderful day.
Reply
PatsyC Premium
Hi Kyle, I have been waiting for this!

Since the Google email with Google Analytics settings to adjust, I started to apply what I could and shared that. Then it got confusing along the way with so much information.

Thank you for having it all in one post and making it SO much easier to understand. I'm not the 'last minute' type and at least started with what I could. Your explanation for IP addresses and personal data, and how I'm not storing it made sense.

Thanks for the updated Privacy Policy template, I waited to finish mine and now can.

I appreciate it, thank you,

Patsy
Reply
Kyle Premium
Yeah, the IP address is a very confusing aspect of this, because alone it is not a unique identifier. It identifies at the very best, a string of users, and even knowing what exact computer someone is using, on the same IP, doesn't identify them personally (think of a library).

There are far too many holes in ANY interpretation that an IP, by itself, is a personal identifier. It does become one when you are actually storing personally identifying information beside it, in which case it is complementary data that a company could use for various reasons.
Reply
PatsyC Premium
Thanks Kyle.

Stating it's like a library actually helps!
Reply
mbouteiller Premium
Hi Kyle,

I started implementing your GDPR Privacy Policy and this is really easy. Thank you.

I am going to upload the WP GDPR plugin.

I just have 2 questions:

1) I am not using an autoresponder yet. I still want to put something here because I know I will be doing this soon. What autoresponder do you suggest?

2) Do we need to list our Third Parties? When I read the template, I interpreted it as having a list here.

Regards,
Monica
Reply
Kyle Premium
1) If you are not using an autoresponder, then you can remove this section for now.

2) Yes, if there are any third parties that you are actually handing off PERSONAL data to. Likely you are not, but in some cases websites will be doing so.
Reply
mbouteiller Premium
Thank you Kyle.
Reply
PhilipC1 Premium
Now, this post will stop huge waves of people losing their minds lol! Thank you so much Kyle and that settles this issue once and for all.

Great to have the official word on this and instructions for the Plugin as well - never thought to wonder about having a check box for comments before, thank you for this and I will be on it in no time.

- Philip.
Reply
MarkBa Premium
Thanks Kyle. In the end I think all of this will be a good thing for all of us. It would be fantastic if more countries could agree on the same requirements. Maybe with time although nothing in history suggests that this is definitely even possible.

~Mark :)
Reply
Kyle Premium
Well implicitly they are. After speaking with several lawyers in the US, they are tending to look up to the EU to implement internet based regulations because of the incredible partisan issues in the US (and their inability to get anything done).
Reply
TedBliss Premium
If all you're doing is collecting e-mails, along with the person's name (which can be only their first name) through an Opt-In, Comments, and your Contact form, do you have to say anything about "Cookies"? Does Google Analytics put Cookies on your visitor's computers? If so, all we have to do is to mention Google, which isn't us. So, we can still say that we don't use Cookies. Right?

Does referring people to an Affiliate count for anything? It's still confusing, so I'll keep working on my Notifications until I get them right. In the meantime, my website is suffering.

Any clarification will help a lot. Thanks. Ted
Reply
OnlineBzDog Premium
Reply
TedBliss Premium
Thanks for the help. It looks like the small businesses we run are not impacted. Even Kyle's article didn't change much. Great! We were all panicking for nothing. Now I can go back to business. I'll be "following" you for more sage advice. Ted
Reply
tomanec Premium
Before I publish the new version of the Privacy Policy in compliance with GDPR, given on a template in the Site Content/SiteRubix com. I should enter/fill in the needed data for my website.
In the Mailing Lists heading of the Privacy Policy I should enter the name of my Autoresponder Service. My problem is that I have not yet chosen an autoresponder or I'm not aware in case it is automatically there. Can someone help me?
Reply
onmyownterms Premium
If you are not using an autoresponder service, just delete that entire mailing lists section.
Reply
Kyle Premium
Then you can delete the entire block, as Mel has stated here.
Reply
DSweat1 Premium
Thanks for the update Kyle!

Some of the other members here have recommended installing additional plugins (such as Cookie Notification bars, etc.).

Will those be necessary on top of your recommendations?

Or, will we be in line with the regulations once we personalize our Privacy Policy page (using the template) and install the GDPR Compliance plugin?
Reply
Kyle Premium
You can. Again, this comes down to many things, your jurisdiction and whether or not you are using cookies. If you are an affiliate, you are not using cookies...they are set on the merchant page, not your site.
Reply
DSweat1 Premium
Okay, that makes sense, but if we have things like Adsense it's probably wise to err on the safe side and let EU visitors know, as you mentioned in your post, right?

Maybe a lot of us are overthinking this but personally, I'd rather play it safe - as long as a Cookie notification bar won't steer a large number of visitors away from staying on my site.
Reply
StunningBell Premium
I strongly believe that this new policy will lead to a drastic drop in the number of email subscribers, as they would be required to check a lot of boxes before providing their email addresses. For potential subscribers who do not want to read and understand, they would prefer not to leave their personal information. Besides they lose nothing. We are the ones to lose if they don't leave their email addresses.
Reply
suzieq Premium
This is awesome Kyle, thanks so much for making it easy to understand! This was all so confusing but I chose to wait to hear from you. Right now I am only using SEO techniques for organic traffic. Should I add the plug-in now or wait until I have an auto responder?
Cheers eh,
Suzanne
Reply
FDemont Premium
Great question Suzanne. I wonder the same and will wait with you for Kyle to respond. It is still a bit confusing, and Kyle did a great job here explaining.
Reply
Carson Premium
Hey Suzanne,

Adding the WP GDPR Compliance plugin is something that you should do regardless of whether or not you have an autoresponder. If you accept comments on your website or have a contact form, you should have this installed :)

Carson
Reply
skmorrow Premium
I used the EU Cookie Law plugin that Loes demonstrated in her blog post here at WA. Do we need this WP GDPR Compliance plugin in addition?
Reply
Pernilla Premium
Great question, Steve!
I wonder about this too!
:-)
Reply
suzieq Premium
Thanks so much for responding Carson! I’ll get on that right away.
Cheers
Suzanne
Reply
gartnerf Premium
Thank you for providing some clarification around this GDPR compliance issue. The waters do get very muddy when trying to factor in the policies of the various affiliate program providers, subscription services and analytical tool providers and how they inter-relate to your website operations.

It will probably take a while before all this is sorted out and I believe if we are making a good faith effort to disclose what we know, what we store and who we are doing business with it will go a long way in protecting our business. Government and legal entities will be trying to figure this out for a while so with an updated privacy policy we should be good to go for now.

Appreciate your work and template on this legal action!
Reply
herinnelson Premium
Thanks, once again, Kyle, for coming to the rescue and clarifying all these stipulations, provisions and regulations in regard to Internet Privacy. There was a lot of speculation surrounding this issue and I'm relieved to have all the questions answered in your insightful post! Many thanks for always keeping us in tune with the times!

Erin :)!
Reply
Bryan8 Premium
Thanks Kyle, Carson, and team, but this looks like yet another example of a law that will be unenforceable for some time. Even if they COULD enforce it would it be worth going against an individual with minimum resources?

I suggest that they might make a few test cases against larger companies, but I don't believe that a small concern or an individual would be a target.

There will most likely be numerous court cases against this policy as well. Can you imagine if EVERY country or continent had their own policies? What a nightmare that would be. I think that in the long run some international organization will be formed to form a universal policy. The EU does not exist in a vacuum.
Reply
777getgoing Premium
Thank you Kyle, I also agree about the IP address, it really doesn't have anyone's name on it. I personally love that EU is making changes, it may be confusing, but we will get through it and I feel it is a step forward in the right direction. Thanks for the info, much appreciate it.
Reply
Kyle Premium
It doesn't have any application, without other actual personal data. However, even an ISP could not look up who is operating on an IP, they could determine who is paying the bill, but that is about the extent of it.

So IP in my opinion could never be considered "personal data" by itself, it could be complementary data that could work alongside actual personal identifying data.
Reply