A Quick Note About Whatever, Your Data and GDPR

I’ve had a couple of people ask me how the European Union’s new General Data Protection Regulation law (which goes into effect on Friday) affects this site and how I run it, so, let me talk about that very briefly.

One, on a personal level, aside from asking for an email address in order to leave comments here, I personally am not (and never have been) collecting any information about anyone, other than in the very general sense of reading and comprehending whatever bits of personal information people leave in their comments. That said, I don’t do anything commercial with any of that — I don’t mine my comment threads for personal data, and certainly don’t comb through them for sales, advertising or other commercial purposes. It’s not that kind of site, and I’m really not that interested. Doing any of that requires work and effort that I have no desire to do. All I want to do here is write and post pictures. Aside from occasionally letting you know when I have a new book out, I have no interest in monetizing the site, nor anyone who visits it, nor any of the data they leave behind. Hell, I don’t even have sales affiliate links on Big Idea posts.

Two, while I personally don’t retain any personal information about you, WordPress, who hosts this blog via its VIP service, does (for example, if you do comment here, I’m pretty sure WordPress leaves a cookie in your browser so you don’t have to enter your personal information each time you decide to comment). WordPress tells me via its VIP service blog that it is currently reworking its infrastructure so that its services comply with the GDPR; inasmuch as WordPress’ VIP service constitutes the technological infrastructure of this site, I expect that how it handles your data, cookies, etc. will now conform to EU law. Which is nice! Less work for me. Nevertheless I’ll be double-checking to see if there’s anything else I need to be doing personally. I’m pretty sure there’s not, but it doesn’t hurt to be sure.

(For those of you asking why I’m even concerned about this at all, since I and the site are in the US, the short answer is that, as I understand it, the law covers EU citizens, and on any given day roughly 20% of the traffic here is from the EU. Likewise I’m pretty sure WordPress has users and offices in the EU.)

The short(er) version of this is that I don’t expect anything obvious will change here in terms of how either you or I use the site, and what things will change will be handled mostly in the background by WordPress itself, and generally speaking Whatever (and I) will continue not using any information you do provide here for any commercial purpose.

Basically, we’ll just keep on doing what we’re already doing here. If any of that changes in any significant way, I will let you know.

14 Comments on “A Quick Note About Whatever, Your Data and GDPR”

  1. I’m currently working on a project impacted by both HIPAA and GDPR. There has been a whole lot of moaning and groaning about it from mostly American business and technology sectors about it being vague and unclear, but the basis of the law is crystal clear. It basically says that my data belongs to me, that if you (the general you) want to use it for something you need to get my explicit permission to do so, and you can’t hide that permission in a 20 page EULA you know no one will read. It also says I can tell you that you can no longer do anything with it and you have about 72 hours to comply.

    I say that this is not just a good idea, it’s the law. :D

  2. GDPR is Europe once again leading the way in something sensible. Similar to the Basel accords on Financial Institutions.

  3. “Hell, I don’t even have sales affiliate links on Big Idea posts.”

    Want to use mine instead?! Seriously, though, why not have your new intern get this up and running? It’s basically free money that costs you and your readers nothing. Given how much traffic you get, I’m guessing you’re missing out on hundreds of dollars a month, easily.

  4. That’s an interesting idea, Piers. I don’t know if John would be interested in this *at all*, but if he doesn’t want the money (and it’s fine if he does), maybe the money from affiliate links could go to the author of the Big Idea book or something.

  5. IMHO (and IANAL), I think that you may need at the very least a GDPR ‘notice’ (accept checkbox). This is because your site stores personal information, as defined by GDPR. You have comments that store name/email/IP address. And there are cookies that store some personal information for commenters (since a sign-in is required to post comments).

    If you have Google Analytics (or some other similar) you need to disclose that. Your post states that 20% of visitors come from EU companies, so I assume that you are getting that geolocation info from somewhere, and that is covered by GDPR.

    In addition, WP stores personal information; witness the new “Privacy” settings in Admin, Settings. And there is the IP address info stored by your hosting place logs.

    Even if you don’t store any personal information (and you do), I still think you still need a Privacy page to state that.

    So, at the very least, I think that you need a GDPR notice on your site. There are lots of plugins that will do that for you. Since I run many WP sites, I needed a simple one, but the ones that I found were a bit too complicated for my simple sites. So, I wrote my own (“Simple GDPR”). There are lots of others to choose from.

    And, I think that you will need to have a “Privacy” page for your site. I used the suggested content from here: https://www.bbb.org/reno/for-businesses/sample-privacy-policy/ . And I use this (free/open source) code for my GDPR message https://cookieconsent.insites.com/documentation/about-cookie-consent/ on my sites.

    Just my personal opinion. YMMV. All aspirin’s alike.

  6. GDPR covers companies /doing business/ in the EU, wherever you may be based.

    As a free website, I doubt you fall under its auspices. From some meetings I’ve been to, target #1 come Saturday is nuisance calls (have you been in an accident, want a new boiler, etc.) which I assume you have in the US.

    In the UK, companies here factor in the fines from our Information Commissioners as just the cost of doing business. As the fine the ICO can now levy is suuuubstantially greater, those will be the targets. The comparatively small number of calls we get telling us we’ve won a free holiday to Florida? Those companies will be way down the list. And, frankly, I’m not sure what sanctions the EU could take against a shell company in Delaware.

  7. Re: Affiliate links:

    You know, I’m doing all right financially without putting in the effort of affiliate links. And when authors offer their own affiliate links when they send in the Big Idea material, I usually put them in.

    Rickhellewell:

    With all due respect I’ll follow WordPress’ lead on this.

  8. So…. no one here knows about that humongous mole on my right butt cheek?

    Cool!

  9. @Jerome O’Neil Yes, agreement! I’m doing similar consulting for a large multinational company on their policies and procedures with a strong eye towards GDPR compliance. It’s been a bit chaotic, but I’m pleased that the place I’m working has its ducks in pretty good shape. :) I’m comfortable with them being able to do well from everything I’ve seen.

    One of the cool things about the GDPR regs is that they have teeth: if a GDPR office finds that your company has been flagrantly bad about data security (think Equifax as a supreme example), the company can be fined up to 4% of its global annual revenue. In Equifax’s case (this is hopeful thinking), their fine would be $124M. For Microsoft, that’d be about a billion dollars (I have no reason to believe MS’s fly is down; this is just by way of comparison). This is a pile o’ bucks.

    4% of a company’s global annual revenue is a full report to the shareholders. It is an annual shareholders’ meeting with shouting and crowd control. It is the start of a complete turnover in C-level execs and Boards of Directors. It is a public scandal. It is possible jail sentences for malfeasance by the CTO and CEO. All of these things could be a lot of fun to watch at a great distance and, in the case of a company like Equifax, even up close.

    I understand that Canada and the UK are looking at similar legislation. This’d be good.

  10. This is because your site stores personal information, as defined by GDPR. You have comments that store name/email/IP address

    I can personally attest that this blog really does not require genuine email addresses or cookie storage.

    For instance, this has been posted under the email wooooookie@woookie.com and using a quick run of https://www.ccleaner.com/ or related software removes any hard traces.

    Our Identity / IP addy is frequently different and Host has rather more scary peoples in his background anyhow (*waves to Tor peoples*) who know what they’re doing.

    p.s.

    Twitter is currently on fire with Avenger / Thor memes: it’s a glorious revolutionary anti-Peterson party/orgy going down, don’t miss it.

    So, please look @ that previous Alfie Comic and know that **all** women are saving the world, if you know what I mean. (The tail metaphor is not a subtle one, but hey-ho).

  11. Thanks. It’s great to know that you’re expending some time to at least look into what impact this has on your fans who post here. That’s pretty awesome, speaking as a fan who posts here!

  12. Thanks for the update, John. I’m hoping that the nature of global business will prompt more US companies to do what WP is doing.

  13. Hi John, I like your blog and your posts. Here’s an indirect insight into why the new EU laws you discuss here are such wonderful things – and why it would be even better if they were about 1000% stricter. Your blog is one of the very few that I am interested in following – but I can’t. Why? Because contrary to what WordPress claims in its ‘How to follow a blog’ explanations, they conveniently fail to let you know that if you happen to be running anti-tracking, ad-blocking or anti-script software on your computer – like I do as a matter of principle to protect my privacy – many of the features on WordPress don’t work. Chief amongst them apparently is the ‘Follow’ button. It’s supposed to be at the bottom right of every blog, but it doesn’t appear if you have similar software to mine. In other words, WordPress wants to hoover up your data just like Facebook and Google and just about everybody else, and doesn’t like it if you don’t want that to happen. Yes, I could temporarily ‘trust’ WordPress in my anti-tracking software etc. to get it all working properly – but that means I have to hand over my data in the process, even though they haven’t had the manners to ask me for it and I don’t want them to anyway. These sorts of antics from WordPress and similar others are precisely the sorts of reasons the EU has brought in these laws. What a pity they don’t go much further. Let’s hope that in the future, as more detail emerges about just how invasive this data capitalism really is, the relevant laws will get a whole lot tougher all around the world. And maybe then I’ll even be able to follow your blog (and a few others) in the way that I want to – apart from bookmarking it on my browser like I currently have to do. Come the revolution, these guys are going to be the first ones to go under…!! :)

  14. In the privacy world, we always talk about writing clear and concise privacy notices that are understandable by the lay person.

    This post is probably 90% there, missing only the legalese required.

    Ergo, I think you should freelance writing privacy notices. Not really, but this post goes to show what a privacy notice written by a lay person, for a lay person, is like which looks vastly different than a privacy notice written by a lawyer for a corporation. I think within the spirit of the GDPR this one is closer to the intention of the law than most privacy notices flooding the internet today.
