GDPR - Some Questions, Confusion, and Clarity
Update: Since I wrote this initial post, WordPress has brought out a new update to meet a lot of the GDPR compliance steps; the plugin developers are also getting on board, as are social media and everyone else, so things are beginning to become clearer. Here is another post with some updates https://my.wealthyaffiliate.com/mozmary/blog/gdpr-privacy-po...
https://my.wealthyaffiliate.com/mozmary/blog/summary-of-gdpr...
Hi guys, it seems a lot of the European shops and websites have decided to email everyone on their list and ask them to optin again or they will be unsubscribed. My inbox is filling up! I'm on about a billion newsletters and do all my shopping online too - though the Americans don't seem to be doing this ...yet! Which feels weird to me on two levels:
1. Most of my newsletters are actually from America and a quick google shows the US & Canada are 'supposed' to comply too.
2. Seems like a panic attack on behalf of European businesses yet again, being forced to send out emails and potentially lose half their list who can't be bothered to open them, or who can't be bothered being forced to click 'yes' yet again, because we are already getting repetitive strain injury from clicking cookie opt-in plugins every time we visit a site here.
As you can imagine this sweep of a blogger's or business's entire list is worrying to some of them and they offer enticements and discounts and little gifts to get us to continue subscribing. However not everyone is doing it, and I notice in the search bar here some GDPR articles here at WA on it.
How Do We Comply - What is Personal Data?
There's an interesting article on this here at WA by OnlineBzDog https://my.wealthyaffiliate.com/onlinebzdog/blog/what-is-gen...
who has given the link to the actual official GDPR definition of Personal Data, and I love how he exposes that for the most part it is a marketing scam; someone is creaming big time off of this 'do you want to keep using the internet, duh click here' lark. However, when I read the personal data definitions I see one thing differently from him in the definition of personal data:
- A Name and surname is considered personal data by itself, even without an address, see the screenshot feature image above. Home address is a separate piece of qualifying personal data.
Bloggers & Online Event Registration:
- So immediately think of your autoresponder - is it collecting email only or name and surname?
- Are you using a contact form, eg many people are using contact form 7?
- Does your website have visitors from Europe or the UK?
- Many online events eg seminars, webinars, online health talks and summits ask us to register by giving both name and surname and email.
I'm on about a billion of these newsletters and have not been contacted by anyone.
- Resubscribe: If you have someone's name and surname, apparently you may technically have to do something about that, like make sure they opted in. If you can show they did, then fine, but if not, getting them to resubscribe is one of the options proposed. The autoresponders are now taking care of that themselves; you may need to check yours.
- Double Opt-ins: Notice Emerald's blog here at WA, which points out that a double opt-in meets compliance. https://my.wealthyaffiliate.com/emerald860/blog/gdpr-changes... I'm thinking a single opt-in should meet it, but many people had lists where no original opt-in was in place.
- Plugins: This is the scam part of it all imo, with a lot of people trying to sell you a plugin to make you compliant when it is not necessary and likely will not make you fully compliant at all. I'm looking at a WordPress plugin in here at the moment that has 20,000 installs already and claims to cover Contact Form 7 for GDPR, yet declares it is not a guarantee to cover the GDPR compliance regulations! wtf, a good example of the fact no one really knows and it's all a bit of a GDPR panic attack!
Paying a legal company: lol <--- well, let's hope that doesn't come back to bite me on the ass, but isn't that part of the scam, erm, game that's in play here at the moment.
UPDATE: privacy by design in the regulations means all plugins such as contact forms, autoresponders and comments will have to become GDPR compliant, so they will look after it and you just watch out for those who have done so. Also, it should never be necessary to buy a premium plugin for any of this.
Webshops:
- Clearly these require your address for shipping. Update: WooCommerce will be taking care of GDPR.
And my inbox is currently filling up with worried business owners, including very small webshops asking me to optin to them all again.
I say worried because unless their entire list chooses to 'opt in' and resubscribe, they've potentially lost quite a bit of their income, hence many are offering gifts and enticements just to get us to open their opt-in email! But if they can demonstrate they had an opt-in in place first time round, then why would that be necessary? Well, many can't.
Google Analytics: Training Walk Through & Two Updates Rolled Out
Google has sent out a number of emails on this for different updates being rolled out at the same time. Data Retention Controls is set to a default of 26 months and we don't have to do anything; we can change it up or down if we decide to, but it requires no action right now.
Data Processing Terms is a second GA update, and this one simply requires us to accept the amendment to those data processing terms of theirs.
The Google Analytics Accept Amendment Walk Through & a GDPR Checklist
- Here is a training I did walking you through the new Google Analytics update to Accept the Amendment to the Data Processing Terms to comply with GDPR https://my.wealthyaffiliate.com/training/google-analytics-gd...
- Here is a blog I wrote explaining the difference between the two google emails sent out, one was Data Retention Controls review [which most people can ignore] and the other is Accept the Data Processing Terms [which we cannot ignore] and I include GDPR checklist https://my.wealthyaffiliate.com/mozmary/blog/google-analytic...
Notice the IP address issue on their list of 'personal data'; watch for that wherever it comes up, and it can come up a lot. Some of my health summit affiliate platforms capture IP addresses which are passed on to me, which means many other affiliate platforms may be doing the same. As regards the IP issue, I've two points to make to cut through the hype out there at the moment:
- Privacy by Design in the legislation means Google has to take care of this on the back end rather than force us to take advanced classes to be able to go in and anonymize IP addresses.
- Not everyone agrees those IP addresses need to be anonymized in the first place; explicit consent is mostly for sensitive information, and places that don't need explicit consent are places where you need the data to perform.
* Be careful of being sold a plugin for this.
Cookie ID
Well, this one has a little star on it for a footnote in their definition. However, I've blogged on cookie law before; it's separate from GDPR as part of the ePrivacy directive. This was one of the first mass stampedes in Europe, and to this day we are still talking repetitive strain injury from clicking cookie pop-ups every time we visit a site, multiple times on the one page sometimes. So basically anything goes there; it was never well defined or understood before, and I'm not in favor of bloggers being dumped on by laws the lawmakers don't even seem to understand. Whatever about privacy, they have not thought out how to apply cookie law when it comes to bloggers' role in compliance, maybe because, surprisingly, they don't really understand blogging or content marketing; in my experience it's the other types of marketing they seem to think are the norm. Cookies in the new WP update 4.9.6 will now be explained and be part of the 'needed to function' category imo.
So you think the US is out of reach?
The Americans seem to have got away with cookie law up to this and have been lulled into a false sense of security by not having to do anything with the first Google email about Data Retention, but this GDPR affects anyone with European traffic. And as one of the biggest freebie marketing opportunities they've had in ages, it's hard to tell what's necessary and what is not, especially when the legislators sort of throw stuff out hoping for the best, but their legislations are now building on top of each other and gaining momentum.
No one is out of reach anywhere in the world, all currencies welcome policy. But it shouldn't have to cost you anything if you have someone to ask for free, like in here.
& Clarity
The real clarity comes here: I also think there are times when website owners as a group need to be able to talk back to the legislators, who sometimes get it very wrong and can make or break a website or business or traffic flow because of policies not well thought out.
*Apologies to anyone who has written a brilliant article on gdpr not quoted here, but you know what the search bar is like, there's only so many times I'm going to re-enter a search term as it keeps vanishing and I've already got repetitive strain injury from the cookie pop-up plugins in europe! You can leave the link to your blog or question here if you like.
Mary
Update: Kyle has written an article after this and opened a discussion on all things GDPR. https://my.wealthyaffiliate.com/kyle/blog/gdpr-compliance-ou...
and see my response to that in the comment there
https://my.wealthyaffiliate.com/kyle/blog/gdpr-compliance-ou...
notice the definition of personal data in my featured image for this post
ps the real scams going on right now are people selling plugins and doing audits and selling courses to you that you don't need.
No need to panic.
No need to ask your customers to re-subscribe to mailing lists.
The new policy is an extension of already existing data protection regulations.
It affects your website if you process any personal data of your visitors in or coming from the European Union.
Bear in mind that this also includes data used in affiliate links, comment sections, and information gathering plug-ins. For example, social media buttons (even if they only record IP addresses which are also considered personal data).
It makes no difference whether you use the data for private or commercial purposes.
What to do?
Stay calm and drink tea.
Over a stimulating cup of tea update your privacy policy.
- Name, address, email of the person responsible for data protection.
- Which type of data is collected:
personal (name, address etc.),
contact (email, phone number),
content (photos, videos etc.),
user (Google Analytics),
meta (device info, IP address)
- Purpose of data processing
Use of online content (shops)
Communication (contact form for instance)
Marketing
Security reasons
- Name the relevant laws the policy is based on (if available).
- Data processing with Third Parties
Explains that some data will be shared with third-parties to fulfill the purpose of the website (web hosting, payment portals etc.). This happens with the consent of the user.
- Data processing in countries outside the EU
Users agree that some data might be processed in entities outside the EU but with the same or similar level of data protection (e.g., "Privacy Shield" framework in the US).
- User Rights
Every user has the right to know what happened to his/her data, what it was used for and how.
Users can demand the deletion and/or disclosure of all gathered data (any demand thereof has to be replied to within one month).
The above list is not complete but sufficient enough to avoid any legal warnings from overzealous law companies.
The policy page needs to be reachable from every subpage of your website.
In time there will be a proper policy example here on WA - at least I hope so.
Martin
They likely will have the WA Privacy Policy template in SiteContent updated to cover up to date stuff
- however an updated privacy policy cannot be backdated to those from whom you already collected 'personal data', I think that is why some businesses are doing a re-optin
- and then, seeing as most people don't read or even see a privacy policy on a website, there are concerns to make the 'acceptance' more visible by using plugins, which it seems aren't really comprehensive
it's a bit of a mess and given the hype and lack of clarity and marketing frenzy out there with companies charging people a ton of money for definitive answers they likely don't even have, yeah, don't panic for sure. How can they argue with a sincere effort on the behalf of websites in the current 'swampland' as Taetske put it so well.
I use MailChimp and MC has a lot of helpful? largely unintelligible help on their website. https://kb.mailchimp.com/accounts/management/collect-consent-with-gdpr-forms
I'm totally confused and believe only a lawyer specializing in GDPR can help.. Good luck finding one.
To be in compliance I have to scrub my lists of anyone living in the EU and refuse any one from the EU who wants to join one of my lists. How will I even know if all I am collecting is an email address.
According to MC I have to set up a separate list segmented by every way I use my email list and setup a separate page describing how I will use an email for each way I market to my list.
The whole thing is a confusing mess that will take months of work and thousands of dollars to set up. I have a choice. I can refuse to accept emails from anyone in the EU. I feel for businesses working out of the EU who must comply. There is a good chance small operators will be driven out of business.
I hope we can get some guidance from our EU WA members on how they are handling GDPR compliance.
Wow, MC seem to be messing you around there, and it seems to be on them for how they collect the data in the first place. On the bright side, a lot of WA members are saying MailChimp are not good for affiliate marketers; many people here have had MC ban them on a whim for breaching their rules, which seem to exclude affiliate marketers.
Remember any double optin is supposed to cover you for GDPR, however that said, I don't see how it covers those already signed up if they weren't double optin, and can anyone really tell or are they prepared to look?!
Yet in the past I've seen autoresponders have contacted entire lists and asked them to reoptin, that should be possible.
You'd expect they could change their form to NOT include a surname, see the official definitions of Personal Data in that link supplied by OnlineBzDog, it shows name PLUS surname means falling under gdpr, however name or no name just email address doesn't, as far as an autoresponder goes. To eliminate all of europe seems silly and not a good ux for europeans, though shows the legislators have no real comprehension of the situation - they are just legislators and never tried running a website - we need a voice for website owners.
Can you move autoresponders without losing your list? I used to have a free one that allowed double optins.
I was trying to get compliant here with the GDPR, but I am not too good working around Analytics, and was wondering if you have worked all this out for us?
I hate this nonsense, and it's not like we did anything wrong, but now we must suffer these little inconveniences, that turn into huge time-wasting problems, because Analytics has not done a vid or a clear - NOT SPECIALIZED SPEAK - way of imparting what the heck they want us to do step by step.
Look forward to someone breaking this down so even newbies can do it with ease and be done with all this and get on with building their own authority sites.
I also live and work in the UK. I am lucky in so much as all my contacts are a double opt-in so I should be in the clear.
Derek
I live and work in the E.U. Well, the U.K., so temporarily at this point. I am so bored of re-opting in to email lists. The only one I have taken seriously is the Google one, and have given them permission to do what they like whenever.
This is a total con and I am sure some businesses are losing most of their email lists through boredom and time wasting. Some are losing money by employing lawyers because it's too damn complicated to understand.
Personally I’m doing nothing... if it bites me in the bum... so be it ... but I don’t think so somehow !
well said, I'm seeing so many companies/vultures scaring website owners into paying for 'proper' advice huh, such a con. And the shops are particularly scared because they all employed someone to set up their websites in the first place and don't have the hands on knowledge like us.
yep, too many people to bite at one time :D
This is so weird Mary, I was going to Private Message you today and, out of the blue, I get an email about the very thing I was going to ask you about.
Weird, haha, great article and thank you for the clarity because all this nonsense just melts my head.
Notice how all this has happened since Cambridge Analytica was caught stealing FB's user data by buying up an app that was doing this anyways.
Nasty world, and watch all these data thieves get away with it as well.
If you ain't rich - then the law applies to you - even laws invented 2000 years ago.
Sick world. Anyways, I digress, good job on this Mary and thank you as well. I do have one question which I will PM you because I am sure how to phrase it - I think there might be a good follow up blog for you in it.
Thanks Mary and you are only one of few blogs I actually follow.
- Philip.
Good afternoon Mary,
Thank you for your good post.
We are working on installing this plugin and hope that like that we are on the safe side.
Loes wrote a post on this recently which "woke" me up: GDPR Requirements in layman's language
Greetings from the south of Spain, Taetske
that seems to raise issues for data collection officers and suggests the plugin solves compliance, I've shown the plugins don't claim to guarantee compliance, and many people are not relying on them but have other strategies in place. Also, yet another plugin on top of the cookie plug which was having negative ux on some sites, hm, not the way I'd go...
though it has explained parental consent and why hotmail locked me out of my 20 year old account, well almost, nothing can really explain their compliance regulations :D
To me, it is like a swampland I try to navigate with care. I personally do not collect names/emails and such on my 2 sites but then others do on my sites. I hope for the best.
Taetske
Hello Mary, you are correct we in Canada and the United States have gotten away from complying with the GDPR, but I am sure it will eventually if not sooner catch us.
Thanks for clarifying Mary, Best Alan