As a blogger, you may already be aware that the GDPR is an EU data protection regulation that came into effect on May 25, 2018. Perhaps you might already have some measures in place to comply with this far-reaching legislation.
But if you don’t know much about it or you’re still getting your head around it, no worries at all.
In this post we will take an incisive look at what the GDPR means for bloggers, anyone who plans to create a blog for whatever purpose and blogging in general.
I’m a trained lawyer (LLB, LLM, PhD in EU & International Law) + a University lecturer + a blogger/entrepreneur. Yes, you’ve read it right: I have a PhD in exactly what? In EU law! And good news: today you’re gonna borrow my 15+ years’ legal expertise & experience to figure out whether the GDPR does or does not apply to you!
We’ll cover the basics, including what GDPR is, who & what it applies to, and why it applies to bloggers.
Let’s get right to it, shall we?
But before we dive in, let me add a few disclosures and disclaimers, and don’t forget that if you’re in a rush at the moment, you can always pin this post and go through everything at a later time.
DISCLAIMER: Although I’m a lawyer specialized in International and EU Law (LLB, LLM, PhD) by profession, this article is meant for educational and informational purposes only. It doesn’t constitute legal advice and doesn’t create an attorney-client relationship. I will not be held liable for any losses or damages caused by acting or failing to act on the ground of the content of this article. Should your circumstances require, I encourage you to seek legal advice through other avenues. Please read my full disclaimer for further information.
This post may contain affiliate links, which means we may receive a commission, at no cost to you, if you make a purchase through a link. Please see our full disclosure for further information. If not otherwise stated, all prices are intended in US$.
What is the GDPR?
GDPR stands for General Data Protection Regulation, a tough European Union regulation that was specifically designed to enhance the rights to the protection of online privacy and personal data of users based in the EU. In practice, this law puts forward the rules that govern how blogs can collect, store and process personal data of persons based in the bloc.
According to European Union Law specifically, the GDPR is defined as:
“Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.”
Despite entering the blogging scene recently, the GDPR is not so new. The EU lawmakers passed the legislation in April 2016 and it entered into force the next month. But, to give owners of digital assets time to prepare and comply, it was decided that it would become enforceable as of 25th May 2018.
It’s now in full force.
It’s worth noting that the GDPR is largely based on its lenient and less-defined predecessor, the 1995 Data Protection Directive (DPD), which set earlier goals and requirements for data security and privacy. Because its predecessor was a directive and not a regulation, it was up to each EU country to implement these requirements under a general goal of harmonization.
The General Data Protection Regulation, however, is legally binding legislation that unifies digital privacy across the EU. It incorporates several new provisions that look to bolster data protection rights for EU citizens, and comes with more severe penalties for noncompliance and violations.
If you want to go through all the ins and outs of the GDPR, you can read this super comprehensive post on what the GDPR means for bloggers and online entrepreneurs I wrote on my other blog when the GDPR first entered into force.
Does the GDPR Apply to Bloggers?
That’s a resounding YES.
At its core, GDPR applies to anyone who:
- Is based in the EU; or
- Offers or markets products or services to people based in the EU; or
- Tracks and monitors the behaviour of people based in the EU.
As you can see, bloggers are right in the mix. And it doesn’t matter if you are based in or outside of the European Union: if you target users based in the EU or monitor their behaviour, you have to comply with the GDPR if you collect, process, store or otherwise handle the said data.
But we will see that more in detail in a minute. Let’s first clarify what’s impacted by the GDPR.
Material Scope – Whom/What is Impacted by the GDPR?
The GDPR was established as an umbrella law for the entire EU and provides one set of rules which impact entities doing business within EU borders. However, the legislation applies to companies beyond the border of the EU itself.
More specifically, the General Data Protection Regulation is applicable to any agency, company or individual that processes or determines the purpose of personal data belonging to people based in Europe. So, whether you process the data automatically or manually, the legislation applies to you.
As a blogger, you may be a data controller, data processor, or both.
Since your blog plays a role in determining the purpose of processing the personal data of your visitors or readers, you are usually considered a data controller.
The external providers and plug-ins that you use to actually conduct the processing of the data are called data processors.
You are required to comply with the GDPR, and make sure that plug-ins, add-ons, social integration tools, ad providers, and other external partners to your blog are equally compliant.
What Data is Covered by the GDPR?
The GDPR covers both sensitive personal data and personal data. The latter is a broad and complex category of data which entails all kinds of personally-identifying information, even if it is anonymous.
Personal data, according to the GDPR, can be your blog visitor’s name, IP address, physical address, identification number (driver’s license, passport number, etc.), email address, location data, Twitter handle, online usernames, and a plethora of other information that can be used to identify the user on the internet.
On the other hand, sensitive personal data is what it sounds like – stuff that you may not feel comfortable sharing with everyone. This can be your religious inclination, sexual orientation, medical data, political views, genetic information, and lots more in between.
Most bloggers think that the GDPR is only applicable to blogs that ask visitors for their names, email addresses and other personal information. Yes, if you have a contact form, chat feature, email list, sign-up pages, etc., it’s pretty obvious that you handle personal data, and you have to comply.
However, there are many cases in which you control or process personal data indirectly. Here are a few examples to drive the point home:
- You run Google Analytics or use any other analytics tools to monitor the behaviour of the visitors, where they are coming from, what they do and how they use your blog.
- Comment feature – Most blogs ask users to enter some type of unique information before they can leave a comment.
- You use cookies which track user browsing behaviour.
- You offer membership zones, VIP or loyalty programmes.
- You run targeted or retargeted advertising.
- You use plugins and tools which might check user location and other backend information.
Treat your blog like a business and protect it legally! Comply with the GDPR if you don't want to risk fines up to €20M, lawsuits, and formal complaints!
Territorial Scope – Where Does the GDPR Apply?
It’s a no-brainer that the GDPR applies to entrepreneurs and bloggers based in the EU. Non-EU countries that belong to the EEA (European Economic Area) like Norway, Liechtenstein and Iceland are also covered.
So, what if you aren’t in the EU?
The GDPR still applies to bloggers who collect, store, handle or process personal data belonging to users based in the EU, irrespective of where they are IF they target or monitor the behaviour of users based in the EU.
In fact, as we’ve mentioned earlier, the GDPR clearly states that it applies to the processing of personal data of individuals who are in the European Union by an individual, company or agency not established in the EU, where the processing activities are related to:
- the offering of goods or services to individuals in the EU, irrespective of whether a payment is required; or
- the monitoring of their behaviour as far as their behaviour takes place within the EU.
From the above provisions, we can infer three key points:
- If you offer goods or services to users who are based in the EU on your blog, the GDPR applies to you. Wherever in the world you’re based, it doesn’t matter. If you offer goods and services to individuals based in the EU and process their personal data, you are bound by the GDPR.
- The GDPR applies to you even if you are not generating an income from your blog.
- If you’re not based in the EU, the GDPR only applies to you if you either target users based in the EU or monitor their behaviour.
The third point is crucial. So, let’s see what it means and how it translates for bloggers based in the US, Canada, South Africa, India, or Australia like myself.
Does the GDPR Apply to U.S. Bloggers?
Some of the most common questions among bloggers based in the US (or Canada, or Australia, for that matter) are:
- If users based in the EU visit your site, are you bound to comply with the GDPR even if you’re based in the US?
- If someone based in the EU subscribes to your newsletter, then does the GDPR automatically apply to you?
- Or any variation of the above.
So, let’s answer these questions once and for all, shall we?
The answer is, if you’re based in the US or elsewhere outside the EU, then you’re only bound by the GDPR if you offer goods or services to users based in the EU – with the active intent to do so, meaning you’re expressly targeting them – or you monitor their behaviour as long as their behaviour takes place in the EU.
Targeting or Monitoring EU users
Having established that, let’s now clarify what “targeting users based in the EU” or “monitoring their behaviour” means.
Luckily, the GDPR itself gives some pointers about what this actually means.
Recital 23 clarifies that in order for the GDPR to apply, it needs to be apparent that your website envisages offering goods or services to users based in the EU.
- The mere accessibility from the EU of the website, an email address or other contact details; or
- The use of a language generally used in the country where you’re based
are not enough for the GDPR to apply to you if you’re not based in the EU.
By contrast, factors such as
- the use of a language or a currency generally used in one or more States of the EU; with the possibility of ordering goods and services in that other language; or
- the mentioning of customers or users who are in the EU
may make it apparent that you envisage offering goods or services to users based in the EU and therefore the GDPR will apply to you.
As to the monitoring of the behaviour of users based in the EU, Recital 24 clarifies that it needs to be ascertained whether users are tracked with subsequent use of techniques consisting of profiling, particularly in order to take decisions concerning them or for analysing or predicting their preferences, behaviours and attitudes.
So, to translate the above statement into plain English and give you an example of the extent of these provisions, using Google Analytics won’t in itself automatically make you bound to comply with the GDPR, whereas running ads with behavioural targeting techniques might.
If you have an email list and you use progressive profiling or similar techniques to tag or segment your list in order to deliver to your subscribers emails that are more relevant to them and you have subscribers based in the EU, then you may be bound to the GDPR.
Further clarity on the territorial scope of the GDPR has been offered by the guidelines released by the European Data Protection Board on 16th November 2018.
Bottom Line on Whether the GDPR Applies to Bloggers
Whether or not you make money blogging, and whether or not you have an email list, you have to make sure your blog is compliant with the GDPR.
If you’re based in the EU, there is no way around it. The GDPR is the law and you must comply, or else you risk fines up to €20M (or 4% of global turnover, whichever is greater), lawsuits, and formal complaints to the EU supervising authorities.
If you’re not based in the EU, you’re not necessarily off the hook. If your blog targets subscribers, members, clients or visitors from the EU and EEA or monitors their behaviours, the GDPR is something you should stay on top of, whether you are in the US, in Australia, in Canada or in Chile.
If you’re a new blogger, the GDPR might not apply to you depending on the circumstances of your blog. But if you’re an established blogger who uses intermediate to advanced blogging and marketing techniques, then chances are the GDPR applies to you regardless of whether you’re based in the EU or somewhere else.
Protect your blog and yourself by having legal pages in place.
My legal templates are all GDPR compliant + FTC compliant and are good for bloggers based everywhere including the US. If the GDPR doesn’t apply to you, it will be indicated in the templates what paragraphs to remove.
You can check out my legal templates here or you can get my best-selling Legal Bundle Value Pack and snag a sweet discount of over $40 on purchase price! $40+ OFF. Who doesn’t like a great deal, ah?
And if you need help with your GDPR compliance, do not stress!
Remember, I got you covered. Take my course GDPR Compliant Blog! I have done all the groundwork so you won’t have to do it! Borrow my expertise as a Doctor in EU Law and my 15+ years’ experience as a lawyer, and make your blog fully GDPR compliant in 48 hours or less!