I normally have a new blog post every Monday. Last week I missed it because I was trying to do some troubleshooting within my blog theme. The problem I have with the theme involves this stupid European Union thing known as GDPR, or General Data Protection Regulation.
By now, most bloggers and everyone else knows at least a modicum about it. For those that don’t, and don’t want to follow the above link, here’s the down and dirty about it.
In essence, this is a privacy regulation that the European Union has come up with that’s supposed to protect the privacy of the general public. It sets in place standards that websites, blogs and any entity that’s online need to set up to alert users that any information they give you might lead to your being tracked or being sold for monetary purposes (or not) or give information to anyone who might want to track you down.
What we’re supposed to do is write specific privacy pages indicating what we’re doing based on what we’re supposed to be doing. We’re supposed to have web cookie alerts to let visitors know that we could (probably are) be dropping these into one’s browser if we ask for information so you don’t have to sign in anew every time you visit or that we won’t be doing anything to you. We’re supposed to give you a way to erase anything you might have ever done on our sites and immediately remove it, no matter how far back it does. Then we’re supposed to destroy any records that might have your information on it, but keep records that can prove we did it if the EU decides to audit us.
It goes a lot deeper than that, but that’s pretty much it in general terms. If you’ve been wondering why you’ve been receiving a rash of emails from sites you might have accounts on or visited every once in a while and possible signed up for something or bought something, or subscribed to an email… it’s related to this.
For bloggers, we’re supposed to do all that and a little bit more. Most blogs require a person who wants to comment to at least leave us an email address; that’s considered tracking information. WordPress software also records IP addresses; that’s considered tracking information. If it’s tied to an avatar that the person sets up elsewhere, that’s considered tracking information. Anything you do that’s related to an email list… you get the picture.
One of my issues is that I use the same theme for all of my blogs. It’s an older theme I like because I can customize it so it looks like whatever I want it to look like. Every one of them has a different color, sometimes different print. Yet, with some of the newer plugins that are coming out, I can’t get some of them to work properly. There are some GDPR plugins that would help a lot, which includes adding a check box that visitors who want to comment could check, indicating they’re allowing you to accept their email address and such, but it won’t work with my theme; sigh…
By the way, the penalty is 20 million euros or 4 percent of a company’s annual global revenue from the year before, whichever is higher. The euros come to $23,072,700; that’s higher than copyright violations by a whole lot!
I’m left with a dilemma… or am I? Let’s talk about it.
The first thing to look at is how much “business” you do with countries covered by the EU declaration. If you specifically market to them and generate any real business, you’re definitely subject to the regulation. If you do very little with them, indirectly or not, you’re still obligated but are probably safe, especially if you’re not making any money or barely any money.
In my case, the average percentage of visitors to my blogs from European Union visitors is less than 2%. I’ve never sold a single thing to anyone over there; there’s no finances for me to track. As we like to say, I’m small potatoes; they could care less about me.
The second thing to look at is that it’s meaningless to anyone outside of the EU. In other words, if anyone in a country that’s not within the EU complains, no one has to do a thing about it. The same privacy laws aren’t in place anywhere else. This means that jumping through proverbial hoops might be cost prohibitive and troublesome if you don’t have a financial incentive to change.
The third thing to think about is privacy notices in general. All websites or blogs that can capture information from someone are supposed to have privacy notices already. This was set up initially in 2009 by the Big G. I have privacy notices on all my blogs, and they all say the same thing. However, Google took Adsense away from this blog in 2010, so I could probably remove their statement and come up with my own.
For everyone else, it’s a good thing to have, but the reality is that almost no one is ever going to read it. That’s true for all these emails we’ve been getting, but it turns out that might be a mistake. It turns out there’s some intriguing information that alerts us to what’s going on within some of the social media platforms or websites we participate with; the article I’ve linked to helped me find out how some advertisers and such have not only been tracking me but the types of things they were linking back to me (more than half of them incorrect).
Lucky for you, I’ve already told you how to handle your LinkedIn privacy settings and my friend Holly told you how to do the same for Facebook before she left the platform for good. This leads to my fourth point.
My fourth point… be vigilant about your information. Regardless of the EU and its pending failure of a regulation (no way this can work against the overwhelming majority of people; Google and Facebook, a much different matter), truth be told, there needs to be some personal accountability from each of us. If you feel compelled to leave a comment on any site, you have to know you’re giving people information. If you visit a site like eBay regularly and don’t want to sign in every time you go, you have to know they’ve dropped cookies on your browser so it works; if you didn’t, consider yourself educated.
If you want that free report and give your name and email address, you know you’re asking to be on a mailing list because they usually tell you that’s what you’re doing. If you don’t want to be on a mailing list, then don’t sign up for the free item.
If you’re added to a mailing list you didn’t sign up for… that’s a different story. That’s happened to me over all the years I’ve been online; still happens now. Yet, the GDPR isn’t going to protect me from that, since I live in New York; this means I have to take care of me, like you have to take care of you.
I’m not saying don’t do anything regarding the GDPR just because you’re not in Europe. I’m not a lawyer; this is just my opinion. What I’m saying is that if you’re not in the European Union, if you’re not marketing your services specifically to members of the European Union, and (at least for now) you’re not in control of the minimal information being requested from someone to participate in your space and they want to participate anyway… don’t overly worry about it.
They haven’t set up enforcement with any outside governments. The FBI isn’t going to stop by to collect the fee imposed on you (which I shared above), and they’re probably not going to slap a freeze on your bank accounts. They could put through a request to freeze your domain name if you’re flaunting the breaking of rules if you’re big enough; that falls under the category of “don’t be stupid.”
At least that’s my take on it; what’s your thought about all of this? By the way, as a caveat, once the United Kingdom officially leaves the EU, the percentage of EU visitors to my site drops to just above 0%. That’s a shame, but for now I can live with it.
Since WordPress and a few of my plug-ins have made it easy enough to “comply”, I did add a privacy page to my main blog.
I agree that this has about as much teeth as as a gummy bear–and about as scary. I also suspect that it will wither to insignificance as the world wide web users continue to freely abdicate their privacy and safety responsibilities for the sake of conveniences.
Cheers,
Mitch
Did you hear that within hours of the thing being enacted there was around an $8 billion lawsuit filed against both Google & Facebook? In my opinion that’s all it took to invalidate the entire thing, no matter what they say or do about this instance. There’s always going to be someone to try to take advantage of a situation.
No, I did not read about that! My goodness! What basis do they have, if any?
Cheers,
Mitch
It’s some Austrian guy who’s a privacy advocate. He’s suing saying both companies ask for too much privacy information. It seems he hates the “all or nothing” policies companies have for consumers to decide whether they want to play or not, saying it’s a violation of the GDPR. No one wants accountability anymore.
That, alone, won’t “invalidate” a thing, Mitch. In PRINCIPLE, I’m all for the GDPR – and it might be nice if we had anything like it. But in reality, it’s going to be hard to figure out if you’re “compliant” until you’re not, and you get sued.
What would be interesting is if Facebook, Twitter, Google, and other large multinational organizations said, “Huh. Nope, too much of a pain in the behind,” and just BLOCKED all EU IP ranges.
THAT might serve to “invalidate” the whole thing, as EU citizens go, “Whoa…um…that’s not what we meant for this to do…”
To me, it’s the potential penalties that are ridiculous when it comes to little bloggers like us. 20 MILLION EUROS?? (That 4% isn’t comforting – it’s “whichever is larger” and you can bet it’s the 20 MILLION EUROS.) It would make more sense to block EU IP ranges. Sorry, EU folks.
I blocked China after the infamous spambot attack. I do not have the time, energy, or IT resources to do it any other way. (I may have to do it again – the block seems to have been lifted, unintentionally, during the move to a new web host. They’re trying to brute force their way into a different one of my domains, now. My current hosting company isn’t too worried they’ll succeed, but it’s still a major annoyance given there’s NO legitimate traffic coming from over there.) Anyway, the EU may be next for me. I don’t WANT to shut out any readers, ever, but if that’s what I have to do, I don’t have that many readers from there, anyway. 🙁
Wait; how do you block countries or regions from seeing your blog? You need to write an article on this bad boy! I was thinking the same as you; $20 million euros is overkill and ridiculous, and the lawsuit this Austrian moron filed on day one is proof of that.
I reckon Holly has a good idea, for Google, FB, Twitter and the like to block Europe! What a hoot that would be. Could you imagine the uproar?
Wish I could remember my other comment Mitch lol.
If it became a problem I’d do it in a heartbeat. It’s a horribly written law and it’s already being abused.
Well, as someone who just wrote an article about it, the EU is pretty clear about it. If you are using an EU citizen’s information in any way, you have to make sure it is secure and not used for any other purpose. If you do or if there is a data breach, as a company, be ready to face the wrath of EU and massive fines. It is a great law in terms of protecting data privacy. More countries outside the EU needs to adopt GDPR and make it universal.
Actually it’s a horrible law. It’s way too encompassing, the level of the fines is ridiculous and, like Google, I don’t trust them. There’s no way something like that happens in the United States. Even if our politicians don’t have a lick of sense, they understand personal responsibility. Big companies do things that the rest of us don’t; if it was only written for them and the penalties were lower I might be more supportive of it.