Disclaimer: The information I provide below is meant to point bloggers, site owners, and writers towards sites that provide clarity on GDPR. It is a list of sites that I visited, and is in no way an indication that I have vetted the information on the sites or that I claim these sites provide legal advice. I am not a lawyer and I take no responsibility for the advice provided. It is entirely your responsibility to make yourself knowledgeable and fully compliant with regulations.
If you are a blogger or have built your online platform with a website, you may have seen recent coverage on something called GDPR, or GDPR Compliance. GDPR stands for General Data Protection Regulation. This regulation, created by the EU, places serious and complicated requirements on anyone requesting, using or storing electronic data from people. Here's where you start thinking, "oh, phew, that's not for me, that's for corporations like Facebook," or "phew, that's for the EU, not here where I live." *making an annoying buzzer sound* WRONG!
Second, if you blew out a long hard breath because you said to yourself, "I don't live in the European Union, I don't have to worry about this," then hold your breath again. Every site that I provide links to below explains that this regulation is beginning with the EU as of May 25, 2018, but within a very short period of time we should be expecting the same regulations to be applied here. When you consider the insane number of data breaches in very recent history, it's no wonder. It is actually more surprising that this change hasn't come into effect prior to this year. As a matter of fact, take a look at the website building organizations I mentioned above. Most of them have taken the necessary steps to become GDPR compliant, and have sent out notifications to their users to help them adapt to the requirements. Another thought that came to mind when I wondered if this EU regulation was applicable to my site: my site is not restricted to the States. Anyone in the EU can access my site, be subjected to the cookies, and subscribe to my emails. While I am not sure if I could be held liable for not having a GDPR-ready site if and when an EU citizen visits it, I am not taking any chances. Why wait to find out?
The actual GDPR legal text is too complicated for me to attempt to elaborate on further. What I have done for you here is link every site that I visited that clarified the GDPR for me and helped me prepare my website. I felt compelled to share this info in order to stress how very serious this regulation is, and how very soon everyone that runs some form of website will be required to comply.
Sites that offered me clarity:
The Bloggers Guide to GDPR (Retweeted by my editor. If not for her retweet, I wouldn't have been able to get the jump on preparing my site)
Preparing Your Wix Site for the GDPR (Despite this being geared towards Wix.com users, it has detailed info about the GDPR)
Five Final Checks to Ensure GDPR Compliance
Q&A I received via email from Iubenda:
So, how does the GDPR govern cookies?
Well, the short answer is that it doesn't — cookie usage and its related requirements are not governed by the GDPR; they are instead governed by the ePrivacy Directive (or Cookie Law).
Do I need to list the name of each cookie (including third-party cookies) used on our website or app?
No, the cookie law does not require that you list and name individual cookies. However, you are required to clearly state their categories and purpose. This decision by the legislative authority is likely deliberate, as to require this would mean that individual website/app owners would have to constantly monitor every single third-party cookie, looking for changes that are outside of their control. This would be both unreasonable and likely unhelpful to the average user.
Must I provide the mechanism for users to manage their cookie preferences (including withdrawal of consent) directly on my website or app?
No, the cookie law does not require that you provide users with the means to toggle cookie preferences directly on your site/app, only that you visibly provide the option for obtaining informed, active consent, provide a means for the withdrawal of consent and guarantee via prior blocking that no tracking is performed before consent is obtained. This means the opt-out mechanism does not have to be hosted directly by you. In most cases under member state law, browser settings are considered to be an acceptable means of managing and withdrawing consent.
Our solution goes a bit further than this by pointing to the browser options, third-party tools and by linking to the third party providers, who are ultimately responsible for managing the opt-out for their own tracking tools.
Do I need to keep records of consent to cookies for each user?
The Cookie Law does not require that records of consent be kept, but instead indicates that you should be able to prove that consent occurred — even if that consent has been withdrawn. The simple way to do this would be to use a cookie solution that employs a prior blocking mechanism, as under such circumstances cookie-installing scripts will only be run after consent is attained. In this way, the very fact that scripts were run may be used as sufficient proof of consent.
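To make the "prior blocking" idea from the two answers above concrete (consent obtained before any tracking script runs, consent withdrawable afterwards, and the run itself serving as evidence), here is a small consent gate written as an added example. It is not code from this post and not Iubenda's product; the class, method names and the example.invalid script URLs are all constructed for illustration. The script loader is injected so the logic can be exercised outside a browser; in a real page it would append a script element, as the browserLoader helper shows.

```javascript
'use strict';

// Added example (not from the original post, not Iubenda's code): a minimal
// "prior blocking" consent gate for third-party tags. Tags are registered as
// inert entries (category + URL) and are only loaded once the visitor grants
// consent for that category. The run log records what was loaded and when,
// which is the "scripts were run" evidence the Q&A describes.
class ConsentGate {
  // loadScript: (src) => void, injected so the gate can run without a DOM.
  // now: clock function, injectable so a test can use a fixed timestamp.
  constructor(loadScript, now = () => Date.now()) {
    this.loadScript = loadScript;
    this.now = now;
    this.pending = [];   // blocked tags: { category, src }
    this.consent = {};   // category -> boolean (absent means no consent)
    this.runLog = [];    // { category, src, loadedAt } for every tag that ran
  }

  // Register a tag without running it. Nothing is fetched or executed here.
  register(category, src) {
    this.pending.push({ category, src });
  }

  hasConsent(category) {
    return this.consent[category] === true;
  }

  // Record consent for the given categories and release matching tags.
  grant(categories) {
    for (const c of categories) this.consent[c] = true;
    return this.flush();
  }

  // Withdraw consent: tags in that category are blocked again from now on.
  // Scripts that already ran cannot be "un-run"; the run log still shows
  // they were loaded only after consent was granted.
  withdraw(category) {
    this.consent[category] = false;
  }

  // Load every pending tag whose category has consent; keep the rest blocked.
  // Returns the number of tags loaded by this call.
  flush() {
    const stillPending = [];
    let loaded = 0;
    for (const tag of this.pending) {
      if (this.hasConsent(tag.category)) {
        this.loadScript(tag.src);
        this.runLog.push({ ...tag, loadedAt: this.now() });
        loaded += 1;
      } else {
        stillPending.push(tag);
      }
    }
    this.pending = stillPending;
    return loaded;
  }
}

// Loader for a real page (assumed usage; not exercised in the demo below).
function browserLoader(src) {
  const s = document.createElement('script');
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

// Demonstration with a constructed loader that only records URLs.
function demo() {
  const loaded = [];
  const gate = new ConsentGate(src => loaded.push(src), () => 1527206400000);

  // Constructed placeholder URLs; nothing is fetched.
  gate.register('analytics', 'https://example.invalid/analytics.js');
  gate.register('marketing', 'https://example.invalid/ads.js');
  gate.register('analytics', 'https://example.invalid/heatmap.js');

  const beforeConsent = loaded.length;       // 0: blocked until consent
  gate.grant(['analytics']);                 // releases the two analytics tags
  const afterAnalytics = loaded.slice();
  gate.withdraw('analytics');
  gate.register('analytics', 'https://example.invalid/late-analytics.js');
  gate.flush();                              // blocked again after withdrawal

  return {
    beforeConsent,
    afterAnalytics,
    pendingCount: gate.pending.length,       // marketing + late-analytics
    runLog: gate.runLog,
    loaded,
  };
}
```

The important property is that register() never executes anything: a tag only reaches loadScript() after grant() has been called for its category, so a visitor who declines sees no third-party request at all, and runLog entries exist only for tags that ran after consent. The same idea is often implemented in markup by giving tags a non-executable type (for example type="text/plain") and rewriting it on consent; the in-memory registry here is simply easier to reason about and to test.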
Changes I've made to my site thus far: