GDPR : Ultimate Guide to GDPR Compliance for Blogs (Wordpress + Blogspot)

GDPR, GDPR and GDPR! Nowadays! Everyone is talking about GDPR and almost all bloggers and webmasters are getting worried about it as we must have to comply our blogs/websites with GDPR (General Data Protection Regulation), failing which we might be hit with a huge penalty. Moreover, you're receiving dozens of emails from big companies and also notifications from apps installed on your smartphone that they have updated their privacy policy. It's all because of GDPR, the EU has put hefty penalties over those companies not complying with GDPR rules. Disclaimer: Nothing on this website should be considered legal advice. We're just helping and sorting out some points to comply with GDPR rules. We're not lawyers. What is GDPR? Simply, It is a regulation in European law that protects all European individuals under Data Protection and Privacy. The motto of GDPR is to give more control of privacy to the citizens of European Countries over their personal data. This regulation clearly stated that after May 25th, 2018, businesses that are not in compliance with GDPR’s requirement can face large fines up to €20 million OR 4% of a company’s annual global revenue (whichever is greater). That's the major reason that this act created a havoc amongst the businessmen all over the globe. Some Important FAQ's regarding GDPR: Q. Which individuals are involved to get affected by GDPR?  Ans: All businesses which collect any data from EU individuals, any kind of business located under European territory or it could be located outside European territory but having clients or consumers from European territory and collecting their data in any means or in any form. Q. What things are included in 'Personal Data'? Ans: Personal data includes any identifiable information of individual like Name, Address, Contact Number, Email address, IP address, Photograph, Credit Card Number or any Bank detail, any Social Networking profile, health information, income etc. Q. What if my business does not comply with GDPR? Ans: As I stated above, big companies like Google and Facebook have been already penalized by EU. You may face large fines up to  €20 million OR 4% of a company’s annual global revenue (whichever is greater). Q. Does GDPR apply to my Blogspot or Wordpress blog? Ans: Yes, obviously! It just applied to every small and large business. But don't panic! As you will not be penalized directly in one go.  It will start with a warning followed by a reprimand, then a suspension of data processing of your business, and if you still continue to violate the law, then the hefty fines will hit you.  EU government is not an evil, rather it is protecting their individuals from the organizations handling their data and saving them for their use without the appropriate permission of the owner.  Once you understand the basics and aims of GDPR correctly, you will get the know how important it is and you can easily comply your blog/website with GDPR. What is required under GDPR? The aim of GDPR is to protect user's personal information and not to let any company or organization store, collect or share any user's personal data without appropriate permission of the respective owner. GDPR regulation has around 200+ pages but I mentioned and described them in the easily understandable language under few points. A business needs to comply with GDPR must declare the below-given points. Clearly, mention what personal information is going to collect in any form along with the stated reason why they need this information. If the collected data is going to be shared with any other third party, like storing emails in case of Feedburner or Mailchimp, IP and Geographical Location etc. in case of Analytics. The website owner must mention the names of third parties along with the reason to share the data. Introduction of Business, its registered address and the names of owner(s). Clearly mention how the user's data is being stored, processed and being protected and not going to be misused in any way. Describe the third parties that provide user's data. Like in case of interest based advertising networks, they will be shown up ads on your blog accordingly to user's interest. You must declare if you are storing user's cookies and the duration until when they are stored. You also need to inform how you're going to enhance the user's experience based on his/her cookies. Your website/blog must be secured. It must not contain any malicious script, plugin or any unauthorized third-party malware. Your blog must be secured with an SSL, if not mention the reason why. Steps to Follow to Comply your Blog with GDPR: (Wordpress + BlogSpot)  You might be using many third-party plugins, widgets, contact forms, payment gateways, Google Adsense and Analytics, etc. on your blog. Here I'm going to mention step by step guide which let your Wordpress as well as Blogger (BlogSpot) blog to comply with GDPR. For Wordpress: Create a GDPR compliant Privacy Policy Page: Yes! This is the most important requirement for your blog, especially in this GDPR era.  Wordpress now comes with a built-in privacy policy page generator. It guides you what you want to add according to what type of your website/blog is. This enables you to be more transparent with the users about what data you're storing and its purpose. 1. Update your Wordpress (if you're using lower version) as WordPress 4.9.6 and above comes with a built-in privacy generator. 2. Just Log into your Wordpress Admin Panel and head on to Privacy Option under Settings. 3. You can select any existing privacy policy page or If you want to create a new privacy policy page, then simply click on Create New Page. This will automatically generate a privacy policy template on your new page. The new page includes suggestions for your privacy policy. However, it is your sole responsibility to provide the correct and accurate information that your privacy policy requires. The privacy policy page comprises several sections including: ♦️ Who we are: In this section, your website URL is specified automatically. You’ll have to add any additional information you want to display on your own. ♦️ What personal data we collect and why we collect it: In this section, you can find several subsections such as comments, media, contact forms, cookies, embedded content from other websites and analytics. ♦️ Where we send your data ♦️ And a lot more..  Data Handling In the updated version of Wordpress, admins can now export a zip file containing user's personal data, including the data collected by WordPress and plugins you've installed. Along with this! you can also erase personal data of an individual user. WordPress Comments By default, In the update of Wordpress, personal details like name and email address will no longer be saved in browser cookies. Users are given a choice whether they want to save the data in a browser cookie for convenient commenting. The tick-box is unticked by default and must be as such according to GDPR rules until and unless the commentator ticks it manually.  Google Analytics: Almost all webmasters use Analytics to track their visitors, their behaviour, location, landing page, landing time and so on. For behaviour profiling, Google Analytics extensively collects personal data including IP addresses, user IDs and cookies. So, you need to review and accept the Data Processing Amendment on Google Analytics. Below are the steps to perform this task. 1. To review the Data Processing Amendment, Just Login to your Google Analytics and Click on Admin on the Left Menu. 2. Choose your Account and click Account Settings. If you have multiple accounts then you have to do it one by one. 3. The setting will load in the right. Scroll down a bit. You will find the Data Processing Amendment area. 4. Click on Review Amendment Button. 5. After that, a popup will load with the Data Processing Terms. Read it and click Accept. 6. Click Save and you're all set. (Don't forget to do it for all your accounts by selecting accounts in Step 2) However, if you’re using MonsterInsights, the most popular Google Analytics plugin for WordPress, then you’re in luck. They have released an EU compliance addon that helps automate the above process. Google Adsense: Most of the publishers use Google Adsense to monetize their content. If you're getting traffic from EU territory and you're showing ads to them, then you need to comply with EU User Content Policy on Google Adsense. You can choose whether Google Adsense will show personalized or non-personalized ads to EU individuals. In case you are storing Personal Information such as cookies etc to load personalized ads for them, you need to declare the same in your Privacy Policy. 1. First of all, Login to Google AdSense and Click on Allow and Block Ads on the Left Menu. Select, All my Sites. 2. A list of columns or tabs will load on top. EU User Content Tab will be on the extreme right. Click on it. 3. Choose from personalized and non-personalized ads, you need to select the type of ads you want to show your EU visitors. Remember to declare the same in your Privacy Policy for both the cases. 4. You can choose between personalized and non-personalized ads, personalized ads are pre-applied so you will see unclickable Save button for it. You can choose non-personalized ads but it will slightly lower your revenue but protect your user's data. 5. Click Save Changes when you are done. Retargeting Ads If your website is running retargeting pixels or retargeting ads, then you will need to get user’s consent. You can do this by using a plugin like Cookie Notice. Contact Forms: If you're using any contact forms, you must declare it in your privacy policy and add more transparency to the users that how you're going to use that data for their benefit and state reasons why you need this data even if for marketing purposes. Below are the things you might want to consider for making your WordPress forms GDPR compliant: Get explicit consent from users to store their information. Get explicit consent from users if you are planning to use their data for marketing purposes (i.e adding them to your email list). Disable cookies, user-agent, and IP tracking for forms. Comply with data-deletion requests. Disable storing all form entries. Try to create your contact form direct with just necessary boxes to fill up. Many wordpress plugins like WPForms, Ninja Forms, Gravity Forms do not share your form entries on their site. So, you don't need a Data Processing Aggrement to share visitor's information with third party.  Email Newsletters: Just like contact forms, if you are using any email marketing forms like popups, floating bars, inline-forms, and others, then you need to make sure that you’re collecting explicit consent from users before adding them to your list. This can be done with either: 1. Adding a checkbox that user has to click before opt-in 2. Simply requiring double-optin to your email list Fortunately, OptinMonster has added GDPR consent checkboxes and other necessary features to help you make your email opt-in forms compliant. Read more : GDPR compliance with OptinMonster I have shared the recommended WordPress plugins for facilitating GDPR compliance: MonsterInsights – if you’re using Google Analytics, then you should use their EU compliance addon. Moreover, you can directly opt for Data Processing Amendment (discussed above) WPForms – it is the most user-friendly WordPress contact form plugin offering GDPR fields and other features. Cookies Notice – popular free plugin to add an EU cookie notice. Integrates well with top plugins like MonsterInsights and others. Delete Me – a free plugin that allows users to automatically delete their profile on your site. OptinMonster – advanced lead generation software that offers clever targeting features to boost conversions while being GDPR compliant. Shared Counts – instead of loading the default share buttons which add tracking cookies, this plugin load static share buttons while displaying share counts. For Blogger (Blogspot): Complying a BlogSpot blog with GDPR is quite a difficult task as unlike Wordpress there are no direct plugins which can be installed in a click. You've to do most of the work manually but don't worry we will assist you in step by step so that you can easily create your blogger blog according to GDPR.  Privacy Policy: There is no official Blogger widget which helps you in creating a suitable privacy policy page. However, I am mentioning few services that let you create that. 1. Iubenda Privacy Policy Generator 2. RocketLawer Privacy Policy Generator 3. SEQ Legal Privacy Policy Template 4. Shopify Privacy Policy Generator Moreover, some of the features of these tools are paid and if you're not familiar with it then I recommend you to create a privacy policy page manually. 🔸 Just head on to your Blogger Dashboard > Pages > New Page.  🔸 You can take help from our Privacy Policy page and after some customizations like (site's name, owner's name and so on.) you could be able to wrap up your blog's privacy policies. 🔸 Make sure to link this privacy policy page to your homepage to make it easily accessible. Google Adsense and Analytics: You need to review and accept the Data Processing Amendment on Google Analytics. Also, you need to comply with EU User Content Policy on Google Adsense and choose between personalized and non-personalized ads for EU audience. Take a look at Google Analytics and Adsense sections discussed above. The steps are same for both Wordpress and BlogSpot blogs. Comment Form: To comply with GDPR policies, Blogger by default disabled all third parties like OpenID, Tumblr, Anonymous etc. Now you can only comment on blogs having Blogger comment system enabled only if you have a Google Account. Moreover, if you're using any third party commenting system like Disqus, Facebook etc. you've to mention it in your privacy policy page along with how you and the third party is using this data. You can also create a separate comment policy for your blog and link it just above the comment box. See our comment's policy here. Email Newsletters: If you're using any email collecting widget like Feedburner or Mailchimp, make sure to mention it in you privacy policy page. Tell how you're going to use their emails for making the services better and for what marketing purposes. Just go all transparent, don't hide anything because this could lead to a hefty penalty on you.  Make sure to add some lines on your subscription widget, like: 1. 'We will never share your Email with any third party.' 2. 'You can unsubscribe to us at any time.' 3. No Spam! You can read our privacy policy. (You could mention a link to your privacy policy page near your email subscription widget.) ↠ That's all for today! I hope this guide will surely help you to comply your blog with GDPR policies. We've mentioned all major steps for both WordPress and BlogSpot blogs. We will soon publish more guides on GDPR and many GDPR compatible widgets. If you have any query you can shoot me a comment and I will get back with a best possible solution.  Keep Sharing this post with your friends so that they can also take benefits. :) Legal Disclaimer: Due to the dynamic nature of WordPress and Blogger blogs, no single plugin or platform can offer 100% legal compliance. We are not lawyers. Nothing on this website should be considered legal advice.

Tweet

1

GDPR, GDPR and GDPR! Nowadays! Everyone is talking about GDPR and almost all bloggers and webmasters are getting worried about it as we must have to comply our blogs/websites with GDPR (General Data Protection Regulation), failing which we might be hit with a huge penalty. Moreover, you're receiving dozens of emails from big companies and also notifications from apps installed on your smartphone that they have updated their privacy policy. It's all because of GDPR, the EU has put hefty penalties over those companies not complying with GDPR rules.
Disclaimer: Nothing on this website should be considered legal advice. We're just helping and sorting out some points to comply with GDPR rules. We're not lawyers.

What is GDPR?

Simply, It is a regulation in European law that protects all European individuals under Data Protection and Privacy. The motto of GDPR is to give more control of privacy to the citizens of European Countries over their personal data.
This regulation clearly stated that after May 25th, 2018, businesses that are not in compliance with GDPR’s requirement can face large fines up to €20 million OR 4% of a company’s annual global revenue (whichever is greater). That's the major reason that this act created a havoc amongst the businessmen all over the globe.

Some Important FAQ's regarding GDPR:

Q. Which individuals are involved to get affected by GDPR? 

Ans: All businesses which collect any data from EU individuals, any kind of business located under European territory or it could be located outside European territory but having clients or consumers from European territory and collecting their data in any means or in any form.

Q. What things are included in 'Personal Data'?

Ans: Personal data includes any identifiable information of individual like Name, Address, Contact Number, Email address, IP address, Photograph, Credit Card Number or any Bank detail, any Social Networking profile, health information, income etc.

Q. What if my business does not comply with GDPR?

Ans: As I stated above, big companies like Google and Facebook have been already penalized by EU. You may face large fines up to  €20 million OR 4% of a company’s annual global revenue (whichever is greater).

Q. Does GDPR apply to my Blogspot or Wordpress blog?

Ans: Yes, obviously! It just applied to every small and large business. But don't panic! As you will not be penalized directly in one go. 

It will start with a warning followed by a reprimand, then a suspension of data processing of your business, and if you still continue to violate the law, then the hefty fines will hit you. 

EU government is not an evil, rather it is protecting their individuals from the organizations handling their data and saving them for their use without the appropriate permission of the owner. 

Once you understand the basics and aims of GDPR correctly, you will get the know how important it is and you can easily comply your blog/website with GDPR.

What is required under GDPR?

The aim of GDPR is to protect user's personal information and not to let any company or organization store, collect or share any user's personal data without appropriate permission of the respective owner.

GDPR regulation has around 200+ pages but I mentioned and described them in the easily understandable language under few points.

A business needs to comply with GDPR must declare the below-given points.

• Clearly, mention what personal information is going to collect in any form along with the stated reason why they need this information.
• If the collected data is going to be shared with any other third party, like storing emails in case of Feedburner or Mailchimp, IP and Geographical Location etc. in case of Analytics. The website owner must mention the names of third parties along with the reason to share the data.
• Introduction of Business, its registered address and the names of owner(s).
• Clearly mention how the user's data is being stored, processed and being protected and not going to be misused in any way.
• Describe the third parties that provide user's data. Like in case of interest based advertising networks, they will be shown up ads on your blog accordingly to user's interest.
• You must declare if you are storing user's cookies and the duration until when they are stored. You also need to inform how you're going to enhance the user's experience based on his/her cookies.
• Your website/blog must be secured. It must not contain any malicious script, plugin or any unauthorized third-party malware. Your blog must be secured with an SSL, if not mention the reason why.

Steps to Follow to Comply your Blog with GDPR: (Wordpress + BlogSpot) 

You might be using many third-party plugins, widgets, contact forms, payment gateways, Google Adsense and Analytics, etc. on your blog.

Here I'm going to mention step by step guide which let your Wordpress as well as Blogger (BlogSpot) blog to comply with GDPR.

For Wordpress:

• Create a GDPR compliant Privacy Policy Page:

Yes! This is the most important requirement for your blog, especially in this GDPR era. 

Wordpress now comes with a built-in privacy policy page generator. It guides you what you want to add according to what type of your website/blog is. This enables you to be more transparent with the users about what data you're storing and its purpose.

1. Update your Wordpress (if you're using lower version) as WordPress 4.9.6 and above comes with a built-in privacy generator.

2. Just Log into your Wordpress Admin Panel and head on to Privacy Option under Settings.

3. You can select any existing privacy policy page or If you want to create a new privacy policy page, then simply click on Create New Page. This will automatically generate a privacy policy template on your new page.

The new page includes suggestions for your privacy policy. However, it is your sole responsibility to provide the correct and accurate information that your privacy policy requires.

The privacy policy page comprises several sections including:

♦️ Who we are: In this section, your website URL is specified automatically. You’ll have to add any additional information you want to display on your own.
♦️ What personal data we collect and why we collect it: In this section, you can find several subsections such as comments, media, contact forms, cookies, embedded content from other websites and analytics.
♦️ Where we send your data
♦️ And a lot more.. 

• Data Handling

In the updated version of Wordpress, admins can now export a zip file containing user's personal data, including the data collected by WordPress and plugins you've installed. Along with this! you can also erase personal data of an individual user.

• WordPress Comments

By default, In the update of Wordpress, personal details like name and email address will no longer be saved in browser cookies. Users are given a choice whether they want to save the data in a browser cookie for convenient commenting. The tick-box is unticked by default and must be as such according to GDPR rules until and unless the commentator ticks it manually. 

• Google Analytics:

Almost all webmasters use Analytics to track their visitors, their behaviour, location, landing page, landing time and so on. For behaviour profiling, Google Analytics extensively collects personal data including IP addresses, user IDs and cookies.

So, you need to review and accept the Data Processing Amendment on Google Analytics. Below are the steps to perform this task.

1. To review the Data Processing Amendment, Just Login to your Google Analytics and Click on Admin on the Left Menu.

2. Choose your Account and click Account Settings. If you have multiple accounts then you have to do it one by one.

3. The setting will load in the right. Scroll down a bit. You will find the Data Processing Amendment area.

4. Click on Review Amendment Button.

5. After that, a popup will load with the Data Processing Terms. Read it and click Accept.

6. Click Save and you're all set. (Don't forget to do it for all your accounts by selecting accounts in Step 2)

However, if you’re using MonsterInsights, the most popular Google Analytics plugin for WordPress, then you’re in luck. They have released an EU compliance addon that helps automate the above process.

• Google Adsense:

Most of the publishers use Google Adsense to monetize their content. If you're getting traffic from EU territory and you're showing ads to them, then you need to comply with EU User Content Policy on Google Adsense. You can choose whether Google Adsense will show personalized or non-personalized ads to EU individuals.
In case you are storing Personal Information such as cookies etc to load personalized ads for them, you need to declare the same in your Privacy Policy.

1. First of all, Login to Google AdSense and Click on Allow and Block Ads on the Left Menu. Select, All my Sites.

2. A list of columns or tabs will load on top. EU User Content Tab will be on the extreme right. Click on it.

3. Choose from personalized and non-personalized ads, you need to select the type of ads you want to show your EU visitors. Remember to declare the same in your Privacy Policy for both the cases.

4. You can choose between personalized and non-personalized ads, personalized ads are pre-applied so you will see unclickable Save button for it. You can choose non-personalized ads but it will slightly lower your revenue but protect your user's data.

5. Click Save Changes when you are done.

Retargeting Ads

If your website is running retargeting pixels or retargeting ads, then you will need to get user’s consent. You can do this by using a plugin like Cookie Notice.

• Contact Forms:

If you're using any contact forms, you must declare it in your privacy policy and add more transparency to the users that how you're going to use that data for their benefit and state reasons why you need this data even if for marketing purposes.

Below are the things you might want to consider for making your WordPress forms GDPR compliant:

1. Get explicit consent from users to store their information.
2. Get explicit consent from users if you are planning to use their data for marketing purposes (i.e adding them to your email list).
3. Disable cookies, user-agent, and IP tracking for forms.
4. Comply with data-deletion requests.
5. Disable storing all form entries. Try to create your contact form direct with just necessary boxes to fill up.

Many wordpress plugins like WPForms, Ninja Forms, Gravity Forms do not share your form entries on their site. So, you don't need a Data Processing Aggrement to share visitor's information with third party. 

• Email Newsletters:

Just like contact forms, if you are using any email marketing forms like popups, floating bars, inline-forms, and others, then you need to make sure that you’re collecting explicit consent from users before adding them to your list.

This can be done with either:

1. Adding a checkbox that user has to click before opt-in

2. Simply requiring double-optin to your email list

Fortunately, OptinMonster has added GDPR consent checkboxes and other necessary features to help you make your email opt-in forms compliant. Read more : GDPR compliance with OptinMonster

I have shared the recommended WordPress plugins for facilitating GDPR compliance:

• MonsterInsights – if you’re using Google Analytics, then you should use their EU compliance addon. Moreover, you can directly opt for Data Processing Amendment (discussed above)
• WPForms – it is the most user-friendly WordPress contact form plugin offering GDPR fields and other features.
• Cookies Notice – popular free plugin to add an EU cookie notice. Integrates well with top plugins like MonsterInsights and others.
• Delete Me – a free plugin that allows users to automatically delete their profile on your site.
• OptinMonster – advanced lead generation software that offers clever targeting features to boost conversions while being GDPR compliant.
• Shared Counts – instead of loading the default share buttons which add tracking cookies, this plugin load static share buttons while displaying share counts.

For Blogger (Blogspot):

Complying a BlogSpot blog with GDPR is quite a difficult task as unlike Wordpress there are no direct plugins which can be installed in a click. You've to do most of the work manually but don't worry we will assist you in step by step so that you can easily create your blogger blog according to GDPR. 

• Privacy Policy:

There is no official Blogger widget which helps you in creating a suitable privacy policy page. However, I am mentioning few services that let you create that.

1. Iubenda Privacy Policy Generator

2. RocketLawer Privacy Policy Generator

3. SEQ Legal Privacy Policy Template

4. Shopify Privacy Policy Generator

Moreover, some of the features of these tools are paid and if you're not familiar with it then I recommend you to create a privacy policy page manually.

🔸 Just head on to your Blogger Dashboard > Pages > New Page. 

🔸 You can take help from our Privacy Policy page and after some customizations like (site's name, owner's name and so on.) you could be able to wrap up your blog's privacy policies.

🔸 Make sure to link this privacy policy page to your homepage to make it easily accessible.

• Google Adsense and Analytics:

You need to review and accept the Data Processing Amendment on Google Analytics. Also, you need to comply with EU User Content Policy on Google Adsense and choose between personalized and non-personalized ads for EU audience.

Take a look at Google Analytics and Adsense sections discussed above. The steps are same for both Wordpress and BlogSpot blogs.

• Comment Form:

To comply with GDPR policies, Blogger by default disabled all third parties like OpenID, Tumblr, Anonymous etc. Now you can only comment on blogs having Blogger comment system enabled only if you have a Google Account.

Moreover, if you're using any third party commenting system like Disqus, Facebook etc. you've to mention it in your privacy policy page along with how you and the third party is using this data.

You can also create a separate comment policy for your blog and link it just above the comment box. See our comment's policy here.

• Email Newsletters:

If you're using any email collecting widget like Feedburner or Mailchimp, make sure to mention it in you privacy policy page. Tell how you're going to use their emails for making the services better and for what marketing purposes. Just go all transparent, don't hide anything because this could lead to a hefty penalty on you. 

Make sure to add some lines on your subscription widget, like:

1. 'We will never share your Email with any third party.'

2. 'You can unsubscribe to us at any time.'

3. No Spam! You can read our privacy policy. (You could mention a link to your privacy policy page near your email subscription widget.)

↠ That's all for today! I hope this guide will surely help you to comply your blog with GDPR policies. We've mentioned all major steps for both WordPress and BlogSpot blogs. We will soon publish more guides on GDPR and many GDPR compatible widgets. If you have any query you can shoot me a comment and I will get back with a best possible solution. 

Keep Sharing this post with your friends so that they can also take benefits. :)

Legal Disclaimer:

Due to the dynamic nature of WordPress and Blogger blogs, no single plugin or platform can offer 100% legal compliance. We are not lawyers. Nothing on this website should be considered legal advice.