Updating Your Website for GDPR (an #AuthorToolBoxBlogHop Post)

This post is part of the monthly Author ToolBox Blog Hop, organised by Raimey Gallant. We now have over 40 blogs participating. To find more Blog Hop posts:

Click here to visit the main Blog Hop page
Click here to find our posts on Twitter
Click here to find our Pinterest board

GDPR and Your Website

My April #AuthorToolBoxBlogHop post introduced GDPR. Here are the main highlights:

  • The GDPR is the General Data Protection Regulation, and comes into force on 25 May 2018.
  • If you process or hold the personal data of EU residents, it applies to you no matter where you are based.

In other words, GDPR applies to me even though I’m not based in the EU. It probably applies to you as well.

Since writing that post, I’ve read thousands of words of blog posts and watched or listened to hours of YouTube videos and podcasts to try and understand what we have to do by 25 May to comply with GDPR.

First, the PSA. I’m not a lawyer, so none of the information in this blog post is legal advice. It’s my best guess as a layperson who has studied the subject. If you want legal advice, you ask a lawyer who is qualified to practice in this area. In this case, that means a lawyer based in the EU with a background in privacy, data protection, or similar. You don’t get legal advice off the internet.

The first thing to remember is that the world is not ending. As British lawyer Suzanne Dibble says:

“The GDPR mandates organizations to put into place comprehensive but proportionate governance measures.”

“Proportionate” is important. It means that you and I, as one-person organisations, aren’t going to be expected to have all the data protection bells and whistles of, say, British Airways. But we still have to be responsible about the way we collect and process personal data, and we’re still accountable for that.

It’s the Golden Rule in practice.

We need to treat the personal information we hold in the same way we’d want other people to treat our own data.

Note that personal information is defined as any information relating to an identified or identifiable natural person. This includes a name and an email address, and it can also include an IP address and website cookies. At the most basic level, GDPR is about respecting the privacy of individuals. I’m sure we can all agree with that.

The other thing to remember is that the ICO (the UK’s Information Commissioner’s Office) isn’t going to be actively monitoring our GDPR compliance. Organisations will be investigated only if a complaint is made against them.

What Do I Need to Do?

There are actually a few things you can or should do if you have a website. Here are eight points I think are the most important:

1. SSL Certificate

If your website doesn’t already have an SSL certificate, it may be worth getting one for the added layer of security and the Google benefits. If you haven’t yet set up your website, I would definitely recommend using SSL from the beginning.

Many web hosts (e.g. BlueHost) provide a free SSL certificate with their hosting packages. Alternatively, NameCheap offers SSL certificates starting at $9/year (see this blog post from Nuts and Bolts for more information).

Neil Patel at Kissmetrics has a detailed post on the subject.

2. Update Your Privacy Policy

If you don’t already have a Privacy Policy, now is a good time to develop one. You already need one under Californian law (CalOPPA), if you use Google Analytics, or if you’re an Amazon affiliate.

There are plenty of free and paid resources online to help you. I’ve checked out several options:

Auto Terms of Service and Privacy Policy WordPress Plugin

Auto Terms of Service and Privacy Policy is a free WordPress plugin. I added this to my author website, and found it had no customisation, no reference to GDPR, and failed the plain English test. I’ll be replacing this ASAP.

Free Privacy Policy

Free Privacy Policy is customisable and produces a solid policy, but has no reference to GDPR. On the plus side, free meant free, and the form was easy to fill out. But it won’t be valid after 25 May.

DGD Deutsche Gesellschaft für Datenschutz

The only free GDPR-compliant policy I found was from a German website (click here). The policy is customisable, and available in your choice of English or German. However, the stilted English suggests the policy has been written in German and translated. I’d rather have a policy that was written in English.

Terms Feed

Terms Feed offers a “free” Privacy Policy, but you have to pay for certain necessary customisation, like the GDPR verbiage. My quote was $61, so I didn’t download it.

Privacy Policies

Privacy Policies charge $29.99 for a commercial policy (with “commercial” including anyone who is using affiliate links, or marketing or selling any product or service). The policy is customised, but I didn’t buy it so I don’t know how good it is or whether it covers GDPR.

iubenda.com

Randy Ingermanson of Advanced Fiction Writing recommends iubenda.com. The free policy covers next to nothing, so most authors will need the paid version, which is $27 per year. The policy is customisable, but I found there were too many options to choose from, and it didn’t include some of the plugins I use. I didn’t get a policy, but you can see Randy’s here: Privacy Policy. Note that it’s stored at the iubenda website, not on Randy’s own site. I prefer something that’s stored on my own site, so I know it isn’t updated without my knowledge.

Zegal.com

Another good option is Zegal.com, which offers free privacy policies tailored for New Zealand or Australia. Mine was clear, easy to read, and easy to understand, but it’s not GDPR-compliant (although there is a paid version which is).

I’ve used the Zegal policy as the basis for my updated Privacy Policy, and added extra sections as advised by WordPress.

Suzanne Dibble

Suzanne Dibble, a British lawyer and expert in the subject, has put together a full GDPR pack. It’s not cheap (GBP 197) but covers everything. To see what’s in the pack, check out this blog post from Shannon Mattern: How to Get Your Website Ready for GDPR.

Suzanne also has a free Facebook group and lots of videos. This is the most important (and the longest):
Don’t copy someone else’s Privacy Policy without permission, or you will be infringing on the copyright of the lawyer who wrote that policy. As writers who want our copyright to be respected, we need to respect the copyright of others.

Even if someone has given permission to copy their policy, read it carefully and revise if necessary. It might not include the information you need, either because they use things you don’t, or because you use things the policy doesn’t refer to. And it might use the wrong language for your brand. For example, this NSFW policy from Writers HQ contains all the necessary legal information, but the language is all wrong for my audience. And probably yours.

3. Terms and Conditions

If you are selling directly from your website, you should consider a terms and conditions policy. I’m currently using the extreme legalese of Auto Terms of Service and Privacy Policy, but I will look at this again.

4. Cookie Policy

Most websites use cookies, and EU law requires website owners to advise visitors of this fact, and obtain their consent to using cookies. WordPress plugins such as the EU Cookie Law Widget help site owners comply.

Click here to learn more about cookies. Cookies can be addressed as part of your Privacy Policy, or in a separate Cookie Policy.

If you use WordPress, check out the GDPR Cookie Compliance plugin.

5. Update Your Email Signup Forms

Once you have created (or updated) your Privacy Policy, you will need to update your email signup forms to include a reference or link to your Privacy Policy.

Your signup form must also make clear that subscribers are signing up for your email newsletter, and that they will receive marketing information. You can also give them a free book or other gift for signing up, as I do. But it has to be in that order:

Sign up for my monthly newsletter and receive a free gift.

is probably acceptable (probably, not definitely). This is not:

Want a free gift? Sign up here.

Why is that second example not acceptable? Because it doesn’t make it clear that the user is being signed up to an email list. What about this?

Want a free gift? Sign up here, and I’ll add you to my email list.

This isn’t acceptable under GDPR because it ties the free gift to signing up to the newsletter. Yes, this looks the same as my first example. Semantics. Even the lawyers I’ve listened to don’t agree on this one.

6. Update Your Contact Form

Most websites have a contact form (e.g. Contact Form 7, Gravity Forms, or Ninja Forms). Contact forms collect information such as the person’s name, email address, and IP address. You’re allowed to collect this information, as it’s a legitimate business interest that will enable you to answer their query. But you still need to disclose you are collecting and storing this information (even though it seems obvious).

Your Privacy Policy will need to include what information you collect on your contact form, and what it is used for. The WP GDPR Compliance plugin for WordPress will add a tickbox to your Contact Form 7 or Gravity Forms contact form. It takes about two minutes to install and activate.

7. Update Your Comments Form

Most blogs have a comments section. This collects your name, website, email address, and IP address, as well as your message. This is private information, and is stored by WordPress, so we need consent to store this information.

The WP GDPR Compliance plugin also handles comments, which means you’ve covered two items with one plugin.

8. Create or Update Your Cookies Policy

Most websites use cookies, and EU law requires website owners to advise visitors of this fact, and obtain their consent to using cookies. WordPress plugins such as the EU Cookie Law Widget help site owners comply.

Click here to learn more about cookies. Cookies can be addressed as part of your Privacy Policy, or in a separate Cookie Policy.

If you use WordPress, check out the GDPR Cookie Compliance plugin. It’s easy to install and customise.
Is your website GDPR-ready?