The GDPR feels incredibly scary to new bloggers.
It’s to the point where many American bloggers with 0 content and 0 traffic are scared to start a blog. They have an irrational fear that the European Union is going to sue them for millions of dollars.
I’m not a lawyer, and none of this is legal advice. However, I’d like to give a layman’s explanation of the GDPR so that new bloggers can sleep easy at night.
What Do New Bloggers Need to Know About the GDPR?
Cookie consent banners are what most bloggers think about when they think about the GDPR. This is a mistake; that’s not the law’s primary focus.
The General Data Protection Regulation (GDPR) is a law about mishandling user data that went into effect on May 25, 2018. When you look into what people are getting sued over, most lawsuits have to do with companies accidentally (or purposefully) exposing thousands of people’s very private information. Here are a handful of examples.
- Selling thousands of e-mail addresses to the highest bidder.
- Exposing or selling user passwords.
- Exposing or selling user’s biometric data.
- Exposing or selling user’s religious, sexual, political, location, or financial data.
As a new blogger, you can breathe a bit of a sigh of relief at this point. You likely don’t have any users on your site yet. And even if you did, those users show up, read your blog and leave. You’re probably not collecting any personal data about them that you’d need to protect. You’re likely not even re-marketing to your visitors yet.
If this is you, relax about the GDPR for now. Go create content. Come back to this article when any of the following happens.
- You have a lot of traffic.
- You start collecting e-mail addresses or user data.
- You start selling things to your traffic.
- You start re-marketing to your users through Google, Facebook, etc.
- You start running ads on your site.
- You start getting lots of comments on articles.
Long story short, if you’re a small blog that’s not collecting any user data, selling things or re-marketing to your visitors, relax. Don’t let this stop you from starting your blog.
Do I Need a Cookie Consent Banner?
If no cookies are given to users that visit your website, then no. Otherwise, yes, the GDPR states that you must “Receive users’ consent before you use any cookies except strictly necessary cookies.” The GDPR breaks cookies down into the following 4 categories.
- Strictly necessary cookies
- Preference cookies
- Statistics cookies
- Marketing cookies
To check if your website is giving users cookies, visit your site in chrome and click the lock in the address bar. Scroll down, and it’ll tell you how many cookies your site has applied.
While I think it’s absolutely insane that you’re supposed to get consent before using Google Analytics or applying a user’s style preferences, that’s technically what the law states.
However, I have to say that pretty much every website on the planet earth breaks this rule. And I can prove it. Go to any website in incognito mode and check out how many cookies are loading up without consent. Here are a handful of results I just got from major EU websites.
- BBC.com – 28 cookies!
- Volkswagon – 11 cookies!
- The GDPR Website That Says You Can’t Have Cookies! – 5 cookies!!! WTF!?
- Literally Every EU + Non-EU Website in existence!
I’m not at all saying you should blatantly disregard a law. But, there’s a million or two blogs on earth. Close to ZERO of them are in strict compliance with this law.
Do You Need Cookie Consent Before Using Google Analytics?
Technically yes (see above).
However, very few websites are doing this. Why?
Because only 11% of your visitors will consent to cookies. Google Analytics is virtually worthless if only 11% of your traffic opts-in (and you wouldn’t be able to tell what percent was opting in without analytics).
Again I’m not a lawyer, and I’m definitely not encouraging you to ignore a law. This is similar to how every car on the highway is going 5mph over the speed limit. Yes, it’s technically a crime and you shouldn’t do it, but how many people get pulled over for it? Only in this case, you’re on a highway with 455 MILLION other speeding cars.
Instead of getting bent out of shape about analytics, I’d be much more concerned about any data capture you’re doing: E-mail addresses, credit card numbers, re-marketing campaigns, stuff like that.
Can I Just Implement The GDPR For European Traffic?
Technically yes, and this is what I aim for as a US-based blogger where ninety percent of my traffic comes from North America / Asia.
Unfortunately, there’s no perfect way to differentiate an EU visitor from a non-EU visitor. The closest I’ve found is to check the user’s timezone with the JavaScript below. This isn’t a perfect solution, but it covers most cases.
var timeZoneString = "";
try {
timeZoneString = Intl.DateTimeFormat().resolvedOptions().timeZone;
}
catch(err) { }
if(timeZoneString.toLowerCase().indexOf("europe") !== -1){
//Load Cookie Consent Banner
}else{
//Load Cookies
}
Do I Need a Privacy Policy?
Yes, I highly encourage you to create one of these. Not just for your users but for yourself.
The GDPR is mostly about protecting user data and your users needing to opt-in to that collection of data. Your privacy policy should list all data you collect, how you collect it, and how your users can opt-out. This is a good thought experiment for bloggers. It makes you think about just how much data you’re collecting from users and if any of it could get you into trouble down the road.
Don’t get stressed out about creating a privacy policy; you can use mine as a template. As a new blogger, your focus should be on writing new blog posts.
Does The GDPR Prevent You From Having An E-mail List?
You absolutely can still have an e-mail list. Most e-mail marketing companies have software to help you comply with the GDPR. Here’s what you should consider to have a GDPR compliant email list.
- Users need to opt-in. And no tricky stuff like having the opt-in on by default when a user completes a purchase.
- Be careful about collecting more data than you need.
- Don’t share or sell this information to anyone.
- You may need to implement a double-opt-in for EU users.
What About The CCPA or Other Data Protection Laws That Pop Up?
The GDPR was the first data privacy law I heard about, but it’s unlikely to be the last. The CCPA is the California Consumer Privacy Act, a law similar to the GDPR, having to do with data privacy.
The key to all these laws is to think about the data you collect from users. Collect the minimum amount possible. Be sure to gather consent before gathering or distributing the information you do collect.
Again, I am not a lawyer, and none of this is legal advice. But, if you make efforts to do the right thing, you should be fine until you’re a much larger website. Lawsuits will tend to come from things like “You sold 50-thousand customer e-mail and physical addresses to a 3rd party” rather than “You used Google Analytics on a tiny website.”
If you’re a new blogger, focus on creating tons of great content for now. Collecting and mishandling user data is what’s going to get you into trouble, and if you’re not doing that, you can sleep easy at night.