GDPR for Bloggers - Smart Creative Social

GDPR for Bloggers

Disclaimer: The contents of this web page do not constitute legal advice. This page is for informational purposes only, and I strongly encourage you to seek independent legal counsel to understand how your organization needs to comply with the GDPR.

You’ve probably heard a lot lately about the EU’s General Data Protection Regulation, or GDPR. As a blogger and online business owner, I am going through the process of making my sites compliant with GDPR. I am going to share the resources and tools I am using to make my own sites GDPR compliant and hopefully, this gives you a starting point for the process for yourself. A lot of the guidance out there is for giant ecommerce sites … but what about GDPR for bloggers? Here’s what bloggers and small businesses need to know about GDPR compliance.

Please note that I am not a lawyer and this is not legal advice. I am sharing what I have found in my research about GDPR and the tools and resources I am using to make my sites GDPR compliant.


What is GDPR?

Last December, Mashable explained GDPR in detail. It’s a law passed in the EU to help protect the personal data of its residents online. This infographic from Marketing Profs explains how GDPR works. You might be wondering why everyone is worried about GDPR if it is an EU law. Social Media Examiner recently explained how GDPR impacts US companies.

You can find out more about GDPR and read the law for yourself on the EU GDPR website.


Why should bloggers care about GDPR?

As a business owner or blogger, you should be concerned about GDPR compliance if:

  • You have traffic or interaction with residents of the EU (not just citizens but anyone who lives in the EU)
  • Similar laws may be coming to the US with the recent Cambridge Analytica breach at Facebook and other privacy concerns.
  • You collect or possess two different types of data – personal and sensitive
    • Personal data is name, email address, facial recognition, location data, IP address … according to Danielle Liss from HashtagLegal, personal data is anything that can be used to identify you personally.
    • Sensitive data is race, genetic data, etc.

If you care about transparency with your readers, then following GDPR will make a lot of sense to you. Consider how you would want the hundreds (maybe thousands) of companies who have cookied you, gathered your email address, and are following you around the internet … to treat your data.

There’s complying with GDPR because it’s a law. And then there’s complying with GDPR because we care about our readers and their data.

Grab a free GDPR for bloggers checklist in the Smart Creative Social Community Facebook Group. You’ll have to join the Group first by requesting access here … then grab the checklist here.

GDPR applies to your online activity if:

  • You monitor behavior of residents in the EU
  • You offer products or services (free or paid) that can be obtained by residents in the EU


Which countries are included in the EU?

The EU countries are (as of May 16, 2018):

Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK

What’s required by GDPR?

Explicit Consent

  • Voluntary consent
  • Consent has to be an affirmative action and explicit, meaning users have to opt-in … not opt out.

Specific and informed

  • Tell them what you are collecting
  • Why you’re collecting it
  • And how you will use that data


  • Clear language people can understand
  • Cannot redirect to a TOS full of legalese and jargon

Default setting for strict privacy

  • Obtain consent before they use your tool, such as Facebook Pixel or email list

Rights to data

  • Users can ask for the data you have and ask to be forgotten

Privacy Policy

  • Privacy Policy that explains how data is used, what is collected, and how they can be forgotten

There are more requirements that don’t typically apply to bloggers but you should be aware of them. Social Media Examiner explains them in detail here.


Step One: Audit your website for personal and sensitive data collection

The first step is to audit your website to identify everywhere you might be collecting personal and sensitive data. Microsoft has prepared a free quiz to help you identify your company’s compliance with GDPR.

A list of GDPR protected data you might be collecting:

Places your website might be collecting personal and sensitive data protected by GDPR:

  • Freebies you offer
  • Products you sell on your site
  • Contact form
  • Comment form
  • Forum or subscription through your site
  • Newsletter sign up or email list sign up
  • RSS sign up (less common)
  • Plugins
    • From sponsors or networks
    • Track activity on your site
  • Remarketing ads, including the Facebook Pixel
  • Sponsored content that includes tracking pixels or cookies
  • Affiliate links – cookies
  • Display ads – your ad network should take care of this but you need an overlay or consent before ad content displays
  • Embedded social media posts, such as Pinterest boards or embedded Twitter or Facebook videos
  • Embedded content from other sites, like HomeTalk or coupon widgets
  • Tools that collect data, like giveaway tools like Gleam and Rafflecopter
  • Google Analytics
  • Website backups


Step Two: Set up disclosures and opt-ins for GDPR compliance

After the audit of your site, you’ll need to set up disclosures and opt-ins for users to be aware and opt in to sharing their personal information with your site. Before doing this, take special notice of these areas of concern …

Areas of concern with GDPR

  • Give consent for each use of the data
    • Lead magnets – consent needed for: (checkbox for each)
      • Get the freebie
      • Add them to email list
  • Cannot pre-check boxes
  • Consent cannot be a precondition to service – really affects optins
  • Explain how they can withdraw consent

What about Lead Magnets, Content Upgrades, or Opt-ins?

Whether you call it a lead magnet, content upgrade, or opt-in, it’s all offering an incentive to sign up for your email list. This incentive is problematic because typically we offered the incentive without explicitly disclosing that by entering their email address and other personal data, someone would also be subscribed to our email newsletter. Yes, we as marketers, bloggers, and business owners know and understand this is why people even offer freebies, but the general public might not understand this. And that’s where GDPR comes in.

There are essentially two options when it comes to getting consent to add people to your email list with a freebie:

  • Check box method
  • Flip method

Okay, I made up these names but it makes sense to me! *wink wink*

The way people sign up to get the freebies is almost always via a form on our websites. These methods cover those forms.

Checkbox Method

With this method, you would add a series of checkboxes to your forms for the opt-ins. You’ll need at least two checkboxes:

  • one checkbox for the consent to send them the freebie via email
  • another checkbox for them to consent to be added to your email list

This applies if your offer is worded in a way that receiving the opt-in is the primary purpose of the form and adding them to the email list is a condition of receiving the freebie. This raises the question: can they receive the freebie WITHOUT opting in?

The flip method helps us avoid this question entirely. I don’t know about you but I don’t want to be giving away my freebies willy nilly for nothing. I mean I do give them away, sometimes, but the reason we all make these lead magnets, opt-ins, and content upgrades is to build our lists. Creating and offering this bonus content makes a better experience for our readers but it takes a huge amount of time and effort … we as marketers do want to get some return on this investment of time, knowledge, and skill.

Flip Method

The flip method is what I will be using on all of my sites.

Essentially, the wording on your sign up forms needs to make signing up on the email list the priority and the lead magnet is a bonus they get as a consequence of signing up.

It’s definitely nuanced but the idea is that the form’s focus is only on signing up to the email list. GDPR compliance requires that you tell people how you will be using this data. You can explain on this form with a line like: “by signing up on this email list, you will be sent email newsletters and bonuses, including the free checklist I shared about here”.

Bam. Done.

Here’s a page I have already done this on: flip method example

Someone asked about GDPR for opt-ins, lead magnets etc in a Facebook Group so I am sharing the Q&A here:

Q: It sounds like content upgrades are no longer allowed. Is that true?

A: From what I understand, they are allowed but you just have to get consent:

A. to add them to your list
B. to send them the content upgrade via email

It seems redundant but the spirit of it is that if people ask for a freebie, they need to understand they are also being added to a list. You can explain this verbally without checkboxes but the checkbox is more for you to be able to prove that “hey, they read this and checked a box agreeing”.

I mean, how many times do people say they never signed up for your list but you can show that they totally signed up on a form on your site on a specific date? People don’t pay attention so the checkbox for you is to show that yes, they gave consent.

Verbal explanation can be something like “sign up to get on my email list! You’ll get a free bonus when you sign up”. From all I hear, that is compliant wording, no checkbox needed.

Q: Do you have to offer the option of receiving the content upgrade without actually joining the list?

A: The other wording says the signup box is to join the list … and they get a bonus for joining the list. It’s a nuance but from what I understand, UK bloggers are already doing this and they are covered. But I am not a lawyer. I am interpreting it more strictly on my sites with 2 checkboxes.

Q: Is the bonus separate from the content upgrade?

A: The content upgrade is the bonus. So like for my chore chart post it would be “fill out this form to join my list and get a printable chore chart as a bonus!”. You don’t HAVE to give people a free bonus for doing nothing. Like if you buy a washing machine and they give a bonus of free detergent, you don’t get to go in the store and just demand free bonus detergent.

They sign up on the list. You send them the freebie optin as a bonus. The signup is NOT to get the freebie … does that make sense?

Thrive Themes has a great write up on the smart way to make your forms GDPR compliant here.

The next step for GDPR compliance:

  • New consent on emails – previous consent is not grandfathered in
    • Need to get consent again
    • Segment your list
  • Overlay for Google Analytics consent on your site or anonymize your data collected – Jeffalytics explains how to do this here
  • Updated easy to read privacy policy that details:
    • What data is collected
    • How it is used
    • How people can find out what data you have on them
    • How people can request to have their data forgotten
  • Update any optin forms to be compliant. Here are two ways:
    • Checkbox method:
      • Add a checkbox to forms so they consent to have the goodie sent to them
      • Add another checkbox to the form so they also consent to join your email list
    • Flip the offer: the form is to sign up for the email list and the goodie is a “bonus” they receive upon sign up
  • Get rid of plugins you are not using, that collect data you don’t need
  • Privacy Policy
  • Notices when you are collecting personal and sensitive data


Resources for GDPR compliance

Check out these resources that I used to make my own site GDPR compliant:

GDPR Tools:

GDPR Plugins:

Free GDPR Checklists:

GDPR Podcasts and GDPR Videos:

Email template to get consent from EU subscribers already on your list

Want the emails I sent to let my subscribers know about GDPR? You can get it in the Smart Creative Social Facebook Group. Join here then grab the email copy here.

How I am making my sites GDPR compliant:

Like I said previously, I am not a lawyer. But I do want to share the exact steps I am taking to make my sites GDPR compliant as I understand the law and guidance available. I hope that this helps you with a starting off point but please, seek legal advice from a lawyer for compliance for your specific business.

Kajabi Site:

I run my courses on the Kajabi site. On that site I collect payment information and personal information. The personal and payment information are covered in the terms of service I have had prepared by a lawyer but I needed to set up additional consent for the email addresses collected to make the process GDPR compliant.

Smart Fun DIY blog and Smart Creative Social blog (this site):

My blogs are all run on WordPress. These are the types of data I collect or track and areas of my sites which are affected:

  • Cookies and pixels from affiliates, social networks, embedded social posts, and sponsors
  • Email address
  • Name
  • IP address
  • Email address as a condition of receiving a freebie
  • Payment information
  • Demographics information
  • Google Analytics info

In order to make my sites compliant with GDPR, I implemented the following:

  • Privacy Policy: I purchased an updated GDPR compliant privacy policy from this website for about $20. They also offer a free version that must include their branding if you choose to use it. I am still updating it but you can check it out here.
  • Email List Sign Up via Active Campaign: see their GDPR compliance updates here
    • Turned off my site tracking code until I can figure out how to get consent
    • Contacted my current subscribers who self-identified their location as an EU country to re-opt-in
      • Sorted contacts by geography for those located in EU (reference EU countries list above)
      • Added a tag to all the contacts “EU”
      • Created an email for each list (one for Smart Fun DIY and one for Smart Creative Social), segmenting to only send to the contacts tagged with EU on each list
      • In the email I ask them to opt-in and tell them that I will remove anyone who did not opt-in as of May 25, 2018
      • Remove anyone who does not optin by May 25, 2018
    • Using the Flip Method for my email opt-ins.
  • Cookie Consent via EU Cookie Consent Plugin: I used this for affiliate and sponsor disclosure
    • Facebook Pixel: I left this as-is, waiting for Facebook to release a fix for this tracking pixel
    • Sponsor pixels: I am contacting each sponsor to see what data they are collecting, disabling pixels more than one year old, and including verbiage about this in my cookie consent plugin and privacy policy
    • I am thinking about changing to either of these plugins that might act as more of an all-in-one solution: Cookie Notice by dfactory or EU Cookie Law
  • Optins and Landing Pages via Thrive Themes
    • Privacy Policy linked on each form and page
    • They are still in progress on updating their tools so I am just gonna have to wait to fully implement consent boxes and so on for these tools
    • I’m considering new ways to deliver freebies without collecting an email address:
      • deliver via Messenger bot on Facebook
      • delivered only to current newsletter subscribers, so they are not actually in my blog posts
      • delivered in my Facebook Group – they can join the Group to get access to the freebie, which I will link to in the post (I am doing this for this post so scroll down to see what that looks like)
      • giving the freebie with no strings attached
      • creating longer posts like this where I deliver a ton of information for free, lead readers down a path, and if they get to the end (they are a hot lead at this point), then offer the freebie so I only need consent from the MOST interested readers, not everyone who is just passing by (P.S. you’re gonna see more of this strategy from me in the future!)
  • Google Analytics:
    • I chose to anonymize the data Google Analytics collects using this tutorial from Jeffalytics. I use Google Tag Manager on this site and I use Universal Analytics on Smart Fun DIY so I had to do two different actions but it was literally just pasting a piece of code into the analytics code snippet. It looks harder than it is …
    • I set the data retention to “do not automatically expire” using this tutorial from Jeffalytics
  • Right to be Forgotten: I am installing Delete Me to allow users to delete their own data. I am telling them to email me if they want me to remove them from everything.

What are you doing to make your site GDPR compliant?

I’d love to hear more in the comments. Please share!

And be sure to check out this Facebook Live video where we discuss GDPR in the Smart Creative Social Community. Can’t see it? Join our group first here.


About the Author Jennifer Priest

A craft industry professional for over 14 years, Jennifer Priest has been featured in major publications and online by the likes of Apartment Therapy and MSNBC. Jennifer's digital marketing consulting firm, Smart Creative Social, has a prestigious client list in the craft and hobby industry, connecting influencers with brands, developing digital marketing strategy, and guiding clients in creating a solid social media strategy for their brand.


Leave a Comment:

Ricki Jill Treleaven says May 18, 2018

Jennifer, this is a fantastic post. Thank you so much! I’ve included a link to this post on my post about GDPR. I’m just a nerdy book blogger without tons of followers, and it’s frustrating to me because this is going to take so much time, plus this isn’t my day job. Thanks again for all you do for the blogging community.

I have a question: If I made my blog private, would I be protected, do you think? I know you’re not a lawyer, but maybe that would be a very bad idea because readers would have to enter their email addresses every single time they read my blog! I wish that would qualify for consent, and then edit my privacy policy for a private blog….IDK….just trying to figure this out….

    Jennifer Priest says May 18, 2018

    I think we are going to see more of these changes coming from other countries besides the EU. Take steps to making your site compliant – I think if you are making an effort and can show that, it’s a start. I don’t think they will fine people right away … I think they will have a warning system like the FTC did with .com disclosures. So just take it one step at a time. I think we will see more and more tools over time that make this easier. And thank you for linking to this post!

Lydia Nordhoff says May 21, 2018

Thank you so much for taking the time to compile these resources and share them, this was so unbelievably helpful!

Sammie says May 28, 2018

Thanks so much for this! I feel like this helped me get my head on straight. It was very helpful! I appreciate you!

    Jennifer Priest says May 28, 2018

    Thank you Sammie!!
