Today, I was contacted by a friend who was worried about gathering data on her blog and the effects that the future European data protection act (DPA) would have on this. As I was writing my response I thought it would be good to share on my blog, so here it is.
I take it you are referring to the European Union’s (EU) General Data Protection Regulation (GDPR) that will come into force in 2018, overriding the UK’s own Data Protection Act. If the UK has not quit the EU before the GDPR is implemented then the UK will have to abide by it, and even if the UK has left the EU, the UK may choose to adopt it or something similar anyway.
The GDPR does have an effect on the majority of websites, as most websites use Google Analytics (or similar), which means using cookies and storing things like the user’s IP address to see what country/region traffic is coming from. An IP address will be classed as personal information, so it needs to comply with privacy laws. I think the deadline for compliance is in 2018 but I don’t have the exact date to hand.
The big issue is that the GDPR requires users to explicitly “opt in” to cookies, rather than what 99% of websites did when the question first came up with the last act in 2012 (I think), which was to implicitly opt everyone in unless they asked to opt out.
I knew that wasn’t in the spirit of the legislation and I opted for the explicit opt-in (which no-one did, and my analytics suffered), so seeing as every other website went along the implicit route with a banner allowing people to opt out, I eventually went for the same.
Your site uses WordPress, and as this change will affect a lot of websites, I’m confident that someone will come up with a solution. There is nothing automatically built into WordPress at the moment to cope with it, but there are plenty of plug-ins, and if there is not one already like that then I’m sure it won’t be too long before there is one that copes with explicit opt-ins. I use a WP add-in at the moment for the implicit scenario, but I could easily dig out my old explicit opt-in code and implement that in WP if no plug-in can be found. Whatever everyone else does, we will all just follow, but I wouldn’t expect to see any explicit cookie add-ins until nearer the deadline.
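To make the explicit/implicit distinction concrete, here is an added example (my own sketch, not the WordPress plug-in or the old opt-in code mentioned above) of a consent gate that decides whether the analytics script may load. `ANALYTICS_SRC` is a placeholder, and the in-memory storage in `simulate` stands in for `window.localStorage`.

```javascript
// Added example: gate the analytics script on visitor consent.
// 'explicit' = opt-in (load nothing until the visitor says yes);
// 'implicit' = the 2012-era banner (load immediately, visitor may opt out).
const CONSENT_KEY = 'analytics-consent'; // the only value written before consent

function createConsentGate({ mode, storage, loadAnalytics, unloadAnalytics }) {
  // storage: anything with getItem/setItem (window.localStorage in a browser)
  function choice() { return storage.getItem(CONSENT_KEY); } // 'granted' | 'denied' | null
  function allowed() {
    const c = choice();
    if (c === 'granted') return true;
    if (c === 'denied') return false;
    return mode === 'implicit'; // no recorded choice: explicit mode stays off
  }
  function apply() {
    const ok = allowed();
    if (ok) loadAnalytics(); else unloadAnalytics(); // provider cookies still need clearing separately
    return ok;
  }
  return {
    allowed,
    init: apply, // call on every page load; the stored choice persists across visits
    grant() { storage.setItem(CONSENT_KEY, 'granted'); return apply(); },
    deny()  { storage.setItem(CONSENT_KEY, 'denied');  return apply(); },
  };
}

// Browser loader: the <script> tag is appended only when called, so no request
// to the provider (and no tracking cookie) happens before consent is recorded.
const ANALYTICS_SRC = 'https://analytics.example/tracker.js'; // placeholder URL
function injectAnalyticsScript(doc) {
  if (doc.getElementById('analytics-tag')) return; // already loaded on this page
  const s = doc.createElement('script');
  s.id = 'analytics-tag'; s.async = true; s.src = ANALYTICS_SRC;
  doc.head.appendChild(s);
}

// Simulation with constructed in-memory storage so the gate can be checked outside a browser.
// Returns, for each action, whether analytics is loaded afterwards.
function simulate(mode, actions) {
  const mem = {};
  const gate = createConsentGate({
    mode,
    storage: { getItem: k => (k in mem ? mem[k] : null), setItem: (k, v) => { mem[k] = v; } },
    loadAnalytics: () => {},
    unloadAnalytics: () => {},
  });
  return actions.map(a => gate[a]());
}
```

In the browser you would pass `window.localStorage` and `() => injectAnalyticsScript(document)` to `createConsentGate` and call `init()` on page load, wiring `grant`/`deny` to the banner buttons.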
The next important thing about the GDPR is that if someone requests what information you are holding on them (including that stored with your analytics provider) then you have to share that, and also make it available in a suitable electronic format if they want to switch providers. Imagine how hard it will be if Joe Blogs calls up to ask what data you hold on him: Google (or other providers) do not associate any IP address with a person, but his IP address is personal information, so you’d have to ascertain his IP address and search Google’s analytics archive (and if they have archived it off, then the archive too). The other issue here is that most ISPs don’t give users a static IP address, so the user’s IP address changes (or renews) every week or so. This would be a nightmare. The solution would be to implement your own analytics without an analytics provider and never store IP addresses or use cookies on your site.
Your other question related to storing people’s names and emails. This can be accommodated by a WP plug-in, although you might have to pay for it. There might be some free ones though. Under the current UK DPA you must provide any data you hold on a person if they request it, and also must remove such data at their request. You’ll just have to consider that on the page where you are collecting the information, and maybe the plug-in will allow the user to self-administer it. I think that sort of thing is probably why they charge for the plug-ins.
I hope that is of some help. I will write again when I know more about what others intend to do about the upcoming European General Data Protection Regulation.