A Blogger’s Nightmare

Get out of my way

I am sure that, if you are a blogger yourself,  you have a big red mark on your calendar for May 25th. Because this is the date were the new EU data protection regulation (GDPR- General Data Protection Regulation/DSGVO-Datenschutz-Grundverordnung ) will come into force. Although, while primarily governing the handling of data privacy in the EU, it will practically affect everyone in the blogging world, because you are affected when your blog handles data (like logging of IP-addresses or e-mail addresses) of EU citizens.

When you search for GDPR in blogging forums (like the WordPress support forums), there is a lot of confusion about how to handle that situation. Some fellow bloggers already have deactivated their blog or are planning to do so.

While I always had the nagging feeling I need to revise the data privacy statements of my blog to comply with the new laws, I was not worried too much as the “Streets of Nuremberg” are a purely non-commercial, private blog in which I share my photographic endeavors. But recent posts from fellow bloggers and a face-to-face meeting with fellow local Street Photographer Kai (Kosmophil.de) just yesterday really got me worried and into action mode, as looming penalties (especially for blogs with commercial orientation of any sorts) are really severe.

I’m not a lawyer, and I can’t write the umpteenth article on how to bring your blog in compliance with the new law. And after half a night of research, there are many useful tips and guides to be found in the net, just search for “GDPR” (english) or “DSGVO” (German) and “blogging”.

I’m still in the process to determine what adjustments I need to do on my blog, just to be on the safe side and not run blindfolded into a possible legal trap.  Just by researching the web, all those things like a button “Follow via E-Mail…”, all social media sharing buttons,  allowing comments with avatars could potentially pose a data privacy problem, and bloggers need turn those things off or at least make their readers aware of it, which requires an updated data privacy statement on the blog. So I will dig deeper into the requirements and derive my personal measures I need to put in place.

My blog is hosted by WordPress.com (not to be confused with WordPress.org) and the company running it (Automattic). I would assume, that a service provider taking my money will take care of all the data privacy topics that run in their backend.  And WordPress itself has announced new features in May (oh by the way, this topic can only be found in their English support forum).  But ten days before the new law is put into force, no real help/tools is available so far.

I had a one hour chat session with their support today, asking for the availability of automated tools and a data privacy contract between them and myself as contract partners, confirming they protect the private data of my users that is logged in the background by their servers.  In the end, they referred me to their updated DP statement: Automattic and the General Data Protection Regulation (GDPR). The support said more will become available as we approach the May 25th deadline. I was totally disappointed they let (even their paying) customers walk that thin line. Not that we didn’t have several years to prepare for the new laws.

I see a lot of  panic and fear in the community, but I am quite confident that myself and all others who have behaved legally so far, with some changes and adjustments, can continue to blog without running into problems. But we first need to navigate through this period of uncertainty.

I hope I did not spoil your day with this post, but I would like to raise your awareness to this looming topic, and encourage you to do some research of your own into whether you might be affected and how you can adjust to avoid any legal trouble after May 25th.

I will continue to write about my experiences and activities regarding GDPR compliance, so stay tuned.

Have a nice Tuesday


Links to relevant WordPress.com support sites:





65 thoughts on “A Blogger’s Nightmare

Add yours

  1. I haven’t really looked into this at all. I guess I should figure out if I need to change anything.

  2. Oh wow, this is so scary and personally its over my head as well because I just don’t know much about it. Hoping that WordPress is working on some tools and clearly you would think that they have to be. Have a great day Marcus. Xo

    1. Today I signed my Data Processing Agreement with WP, so another step done. I haven’t checked what tools they made available the last days, need to dig into this. In the end all will be well. And as you surely know, this is not one of the most important topics for us to take care of, more a nuisance.

  3. Marcus, thanks for bringing this up, I really had no idea of the complexity of this. I hope that I will be OK if I put a Data Privacy statement up that will do the trick, but it worries me that there is a lot of data that WP collects about comments received, likes etc etc and that all the site data is stored….aargh

  4. I’d actually pulled way back on a new blog that I worked very hard to establish. I think I will be re-implementing it without WordPress, something much more minimalist, farming out the social interaction to Disqus perhaps. But I more or less stopped contributing to my own blog while I’m trying to figure out the impact.

    1. What we should not do is pull the plug on what we love to do. We need to pragmatically handle it, and with a few adjustments like putting up a DP statement we should be good.

  5. Marcus, have you seen this WordPress article? [Automattic and the General Data Protection Regulation (GDPR)]

    My understanding is that WordPress is taking all of the technical steps to make their platform EU compliant. A personal blog may post a Privacy Statement which basically is a copy and paste of the official WordPress Terms of Use. There may be a widget that you can simply insert in your blog’s sidebar or footer.

    At the above site, WordPress provides a link to a copy and paste Privacy Statement, and will post further updates as needed.

    1. Thanks for your comment, David. Yes, Automattic (WordPress) has really gotten into action these past days. Too bad it took a gazillion of complaints from panicking customers for them to finally get their act together and come up with support they should have had in place weeks ago. But hey, maybe they like their “just in time” approach. I’m still waiting for some tools/widgets that we can access and activate via the dashboard. But putting up a privacy statement on the blog is the must-do measure for us, that should take care of most requirements. Let’s keep the fingers crossed! Marcus

  6. Good lord. I half heartedly read the e-mails I got from WordPress about it. I tought everything is their concern. I guess that is the case for my Snapshot Story blog, I don’t earn money or collect data myself (at least that I’m aware of, hahaha). But I also have a website. On there people can fill in a contact form… I have to check that and maybe see if my host has more info. Thank you for sharing this Markus. I’ll have to get my tiny brain going. I only know half what I’m doing lol.

    1. Thanks for your comment. Interestingly enough, I don’t recall getting emails from WordPress about the GDPR topic. But in the last days they really have jumped into action. On a personal blog it seems you can mitigate most requirements with a data privacy statement, explaining to the (interested) readers what the WordPress backend (what we mostly share anyway) is going with the infos they/their plugins collect from our blogs. This should also cover contact forms, although there are still various opinions out there. In the end all will be well, hopefully 😉

  7. Oh my goodness, I understand nothing of any of this. I have a brain as tiny as my little blog. I shouldn’t be affected surely as I earn no money, Don’t do any giveaways or anything like that, it really is to share pictures mainly. How are people expected to comprehend any of this if they, like me, aren’t quick at understanding technical stuff? I don’t even know how to use WordPress , I just blunder through.

    1. Don’t worry Jill, there is so much confusion out there even among lawyers and legally trained people, no wonder us non-lawyers have trouble understanding what we need to do. Just like you, I just use what WordPress gives me as my (paid) service provider. But I get we need to be more on top of what is happening on the technical end of our blog regarding data collection. We all complain about Facebook, Google etc misusing our personal data, but we should take care of whatever we can do on our end as well. Actually, looking under the hood of what plugin and social media provider collects what information from us is quite interesting.

    1. Worst case you’re fined 20 Mio €. GDPR is definitely an issue for anyone sending out newsletters or who has a shop on their blog. I don’t really see a big issue for hobby bloggers but it wouldn’t hurt if you let people know in your privacy policy what sort of data processing, profiling etc you’re doing. I am not a lawyer either but I do GDPR for the company I work for and although I welcome GDPR (just look at Cambridge Analytica or if you feel like it the website of the ICO and you will be appalled by what people do with your personal data), it is a bleeding nightmare for small businesses, charities (warning! charities will have to stick to an extra set of rules) and self-employed people, i.e. those who are their business. Too much work needs to be done and small business don’t have the staff. It is not just online data but also hard copies like old contracts. There is no opt-in/consent by default anymore, people have the right to access, rectification, deletion, objection, restriction etc regarding their data. the underlying principle is that you are and remain the owner of your data. GDPR applies to any business (small or big) or any person handling personal data of EU citizens professionally (meaning data with which a natural person can be identified) or who operates within the EU (i.e. you can be in France dealing with the personal data of Americans but because you are in the EU, the Americans are protected under the same laws). If you literally just blog on this site, don’t do any profiling, data processing or newsletters, you should be fine. Esp, considering that people have to actively follow your blog. I will put a blurb on my policy to make sure but I a) have a free blog and don’t do profiling, b) don’t have social media on it and c) don’t do a newsletter or have a shop. There is no commercial purpose whatsoever to my block.

      Disclaimer don’t just take my word for it, read up on the topic.

      1. Thanks so much, Debra, for those awesome insights. Putting up a data privacy notice on the blog is what we all need to do. At least us personal bloggers should then be on the safe side. What Automattica (WordPress) has put put will certainly help with that. I don’t know about other countries, but here in Germany there are a few great websites of IT-lawyers that have free data privacy statement generators. You klick yourself through a questionnaire about what you do with your blog, what backend and what plugins you use. And from that it generates you a finished DP notice (in German language). This is what I will put up, plus the DP statement from Automattica.

        Now the disclaimer: I’m no lawyer, but his is what I understand I should do from all my research and all those helpful comments. Make sure you all do your own research and derive your mitigating measures! Marcus

    2. Naaw, nobody is blocking blogs. Worst case you get fined 20 million Euros (just kidding, this max fine is for companies only). Putting up a data privacy statement is seemingly what we need to do.

  8. Thank you Markus, My word! Sometimes I really find myself in the deepest far end of third world country. If I hadn’t scrolled over your blog, I wouldn’t even be aware of anything like this. Grr… Now it seems freely expressing yourself, having a platform for free speech and sharing ideas becomes a platform for being screwed up if you are not having a lawyer degree on your shoulders. We have so many social media platforms and children are literally poisoned on some of them with some of the contents but no one cares. But blogging becomes now a major complicated legal issue. Thank you for all the digging and researching. I guess, I have to put my nose this weekend into some legal papers. 🙂

    1. You are welcome, Carmen. This is the benefit of a community, someone always picks the issues and lets everyone else know. This is how this thing (although already in my subconscious) lit up on my radar. It looks (from my non-legal viewpoint) as if putting up a data privacy notice will meet most of the requirements of GDPR, at least for us non-commercial bloggers. There are some German IT-Lawyers that have free data privacy statement generators. Via individual Q&A they generate you a personal data privacy statement you can put on your blog (albeit in German language). Together with what WordPress will give us via the dashboard tool/widgets plus their own data privacy statement we should have enough to be compliant. I will write a separate post about this with a few interesting links. Just need time, but hope for the weekend. Best wishes! Marcus

  9. This is more confusing than I thought. I only just moved to a private account with wordpress giving me a dot com address last month, so, although aware of it, I was mainly assuming GDPR was for other people to worry about until then.

    I have print ordering links on my site, so they handle purchase details, but don’t have anything, I think, that captures any data myself except the sign up by email widget… will keep an eye out for any wordpress news though.
    Thanks for highlighting it Marcus.

  10. Oh dear, Marcus … what a mess. I had no idea the GDPR regulations could potentially impact a personal blog — let alone blogs based outside the EU. But I extend a huge heartfelt THANKS to you for having researched this so carefully. I’m really glad in hindsight that I’ve never tried to use my blog to drive revenue. And I’m doubly glad to know that you will be able to continue your blog, too! But yikes … what a complicated age we live in.

    1. Oh yes, Heide! The creepy thing is that by researching what is happening under the hood of our blogs in respect of plugins, widgets, social media buttons and even fonts pulling out personal information, I start to understand what companies like Google, Facebook etc. collect every day from us every time we pick up our smartphone, tablet or laptop. Creepy….The thing is, nobody is giving Google a hard time, but us little bloggers need to do real pushups to be compliant…..

      1. Increasingly the world is dominated by big companies, Marcus … it seems that the more money they have, the more “rights” they can buy. Sigh.

        But what’s this about fonts pulling out personal information? This is a new one! I’m almost afraid to find out the answer, because I’m already just one step away from wearing a tinfoil helmet to protect my brain waves. 🙂

  11. Oh and do lock everything down – two factor authentication across the board, on your e-mail accounts and all.

    e-mail address collection should also be double opt-in.

  12. As a Group IT Manager I get it from two directions – my blog and my 9-5.

    It does affect anybody in the EU, moreover if you are dealing with anyone who will not subscribe to GDPR, you should be cutting that link – that’s a much more complex picture.

    Many have jumped on the bandwagon with the usual bunch of myths, though is some truth out there.

    The main key is to know what personal data you handle, and why – there must be a legitimate reason for capturing and storing the data, otherwise get rid of it.

    The next thing is to ensure safe storage of the data. That can be tricky, but if you are using services such as mailchimp, wordpress.com, who actually store your data, they will have information on their GDPR situation.

    Analysing my self hosted site:
    e-mail addresses are collected via Mailchimp popup, and stored by Mailchimp. in GDPR terms they are freely given by their owners, to me, for the express purpose of receiving information from me.
    Mailchimp’s service provides clear opt-in / opt-out options, and clearly secure storage. I do need to know the marketing options, so will be asking subscribers to opt-in or out in the next couple of days.
    Google collects data from my site, which is stored by Google in their secure servers, under their privacy rules, as stated in my site privacy policy.
    There are a few other areas which I am examining but you should start to get the gist. In terms of my own site and it’s database contents there is no personal data held anywhere.

    If you have a commercially oriented site, look carefully at where and why any personal credit information is being held. In our business site and my blog, the payments side is handed off to other agencies, so, again, no PCI (Personal Credit Information) is held onsite.

    There are many official guides out there. Follow them. Or employ a solid consultant with identifiable background, e.g. a known auditing firm.

    The regulators are not out to hammer bloggers, unless they receive complaints or data breaches occur, but the fines are massive if you get it wrong.

    1. Thank you so much for your detailed comment, it further helps to understand this complex topic, that anyone running a blog with commercial interests should analyze what his obligations towards GDPR are and how to adjust the blog accordingly for compliance.

      Strictly private bloggers with no commercial interests of any sorts seem to be not affected, as long as there are no affiliate links, revenue generating advertisements or banners, or cooperations generating any benefits for the blogger.

  13. Hey Marcus. From what I’ve read on the .gov.uk website, my understanding, for the UK at least, is that the gdpr will only affect medium and large business who handle a lot of data and personal information and smaller organisation that handle sensitive information. I understand it won’t apply to individuals with personal sites or even small businesses. I’ll double check that though.

    1. Thanks, Richard, for your clarifications.

      After further research, it seems that truly private blogs (like mine) are indeed not affected. This is also valid for blogs using free hosting offerings (like from WP), were WP displays advertisments on the bloggers pages, where the blogger does not get any revenues out of and does not have control over the contents of those advertisement.

      But as soon as the blog generates any kind of income/benefits from affiliate links, banners, cooperations of any sorts, you have a high chance to fall under the GDPR regulations.

      1. Thankyou for the information Marcus. I sent an email to the college that I study with and they confirmed what you have just said. Which is very good to know.

  14. Hello Marcus,
    you and me and fellow bloggers in Europe and the Federal Republic of Germany worry about the new data protection and privacy rules.
    As yourself, I had a correspondence with the WordPress /Automattic support team.
    Today, WordPress and Automattic delivered new information and recommendations towards data protection and privacy.
    With a lot of work at the personal blog as well as my professional advices; I am still confident, that we can make it.
    Yours, Bernd

    1. Thanks, Bernd, really appreciate your comment. It seems WordPress.com is working on some automated tools that we can activate using the dashboard.

      What to me is still a bit unclear is to what degree strictly private bloggers (no advertisements, banners, affiliate links, cooperation or any other commercial interests) are impacted by the GDPR/DSGVO.


      1. What a good question, which keeps us busy. We are going to find the answers together. WordPress / Automattic sent new advice.
        Yours Bernd

      2. Yes, things are finally moving on the Automattica (WordPress) side. We’ll be fine. It looks like a solid data privacy statement will do the trick. Lets keep fingers crossed! Marcus

  15. Thanks a lot Marcus for this post. I have been searching as well wether this new regulations will effect my (free) blog, non-commercial and just meant to be able to show some of my pictures and, as a very welcome (!) side effect means of communicating with wonderful people all over the world. I would hate to lose that. But it’s hard to find sufficient information on how to act in order to be ‘safe’. I wish WordPress had/ will come with info about that. I’ll try find more info myself and will be spelling your findings carefully.

    1. Thanks Peter for your comment, and you nailed it for me. I wish there was more clear information to what degree strictly private, un-commercial blogs are affected, so I still hunt for those clarifications.


  16. The info available is quite confusing but only in Germany I have observed some panic. Other countries like Sweden do not apply these regulations for private blogs so nobody cares about it in reality.

  17. How ridiculous. Who are the culprits that are shoving their ideas as being best, down people’s throats? if my meager blog were affected, it will go off the web. Much more I can say but….

  18. Oh my! I had no idea. Really, I can’t imagine all bloggers, youtubers, instagrammers, etc doing changes to their blogs/vlogs/pages. Maybe it will pass and nothing will happen??

    1. I still need to nail down if strictly private, non-commercial blogs are affected. Amazing that there are no clear statements from our service providers (WordPress)..

      1. As I read it ANYBODY retaining PERSONAL information acquired from the public is subject to the rules. That includes any website / blog / etc.
        In practice most of use various services services, so that the personal data is NOT stored on our own hosting servers. That applies, even if there is a commercial aspect, if you are NOT storing personal information.
        As website owners (a blog is website!) we should be aware of what personal data is being stored, where, and how safe that is.
        Personal data includes e-mail addresses connected to names (collected in e-mail collections, subscriptions, etc.,), ip addresses (collected by Google Analytics) and PCI (personal credit information, which is the big issue and only relevant if you have an onsite shopping trolley).
        We need to know that because any user of our sites is fully entitled to ask what information we keep, and request that it be totally erased.

        Comments about it not affecting small non-commercial bloggers are not strictly correct, but in practice, we don’t directly collect the personal data or store it. Main thing is to know what is being collected and who controls it.

        I will qualify this by saying that I am not a GDPR lawyer, but have had to research it and work with consultants as part of my job. The above reflects my understanding of it.

      2. Great, thanks for being more specific. My research is absolutely in line with what you described here. We as personal, non-commercial bloggers need to be aware about what our provider does on the tech side of our blogs. Putting up a data privacy statement, explaining to (should anyone be ever interested) readers what our service provider collects of their personal data is what we need to do. Actually, I’m getting the hang out of using a few free tools to discover what providers of plugins, social media platforms, font providers etc. etc. are pulling of information from our sides. This is creepy, especially as this is happening to all of us whenever we pick up our smartphones, tablets, laptops and go online. Our blogs are just a small piece of this total data mining from us from those companies …

      3. Once you start to get involved in the marketing aspect it’s amazing what is there, and quite scary as you become aware of how much data is being collected and how it’s being used.
        Suddenly you start to understand why GDPR is important.
        The really hard part is writing company policies and trying to manage the users! It’s a hard message to get across…

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Up ↑

%d bloggers like this: