You write a blog and someone reads your blog and they comment, or they sign up to read the newsletter you send out occasionally to readers.
Or you sell something online – a pen, a book, a woolly hat, an iPhone case – and you get paid.
You have the name, address, email address, and maybe some other information such as birthday or the customer’s liking for woolly hats.
Surely, none of it is the kind of stuff that the framers of GDPR (the General Data Protection Regulation) are really worried about.
Surely, what they are worried about is people who have other people’s ‘sensitive personal information’ (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation).
What happens in reality is that we all get swept up in the dust storm and have to comply. In the pre-digital age, whenever governments brought out these kinds of regulations, businesses went to see their lawyers and the printers rubbed their hands with glee at the thought of all those reprints they would be asked to do – of brochures and leaflets and notices – all the stuff that would be necessary.
But in the digital age where we do it all ourselves, I just see a pain in the behind for thousands and thousands and thousands of bloggers and small businesses when it is surely blindingly obvious that 99.9% of what is intended to be protected has nothing at all to do with those bloggers or those small businesses.
Double Opt-In In the Age Of GDPR
If your original opt-in was a double opt-in (the recipient signed up with an email address on your site and also confirmed their desire by clicking on the link that arrived in their email inbox), then you don’t need to get consent again.
Double opt-in has been around for a while. The reason for it, and the reason I say you ‘have’ to be double opt-in, is that if you are not, some malicious person could sign up with someone else’s email and you would be sending newsletters to someone who never requested them.
Emailing someone who didn’t request you to email them has been outlawed under the regulations (Privacy and Electronic Communications Regulations) for a long while. GDPR highlights it and makes the penalties stronger.
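The double opt-in flow described above, as an added example (not code from the original post): a signup stays pending until the link sent to the inbox is clicked, so an address typed in by someone else never reaches the mailing list. The function names, the in-memory `subscribers` store and the 48-hour link lifetime are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumption: per-site signing key, kept server-side
TOKEN_TTL = 48 * 3600                 # assumption: the emailed link is valid for 48 hours
subscribers = {}                      # email -> "pending" | "confirmed" (stand-in for a DB table)


def _sign(email, expires):
    # Bind the token to one address and one expiry time.
    msg = f"{email}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def request_signup(email, now=None):
    """Step 1: the form is submitted. Store as pending, return the token to email out."""
    email = email.strip().lower()
    now = time.time() if now is None else now
    expires = int(now) + TOKEN_TTL
    subscribers.setdefault(email, "pending")  # never downgrade a confirmed address
    return f"{expires}.{_sign(email, expires)}"


def confirm_signup(email, token, now=None):
    """Step 2: the recipient clicks the link that arrived in their inbox."""
    email = email.strip().lower()
    now = time.time() if now is None else now
    try:
        expires_str, sig = token.split(".", 1)
        expires = int(expires_str)
    except ValueError:
        return False  # malformed token
    expected = _sign(email, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False  # forged, altered, or issued for a different address
    if now > expires or email not in subscribers:
        return False  # link expired, or no signup on record
    subscribers[email] = "confirmed"
    return True


def mailing_list():
    """Only confirmed addresses are ever sent the newsletter."""
    return sorted(e for e, s in subscribers.items() if s == "confirmed")
```

Because the token only ever travels to the inbox of the address that was entered, a person who signs up with someone else’s email cannot complete step 2, and that address stays off `mailing_list()`.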
Steps To Take For GDPR
For the benefit of those who need GDPR advice – this is my take on what you need if you have a website.
Is this the intended consequence of GDPR? Go to a page on a website and be confronted with a popover that hides the content. Don’t click ‘I accept’ for cookies. Instead click on ‘more info’ or ‘preferences’ or whatever is there.
Say ‘No’ to cookies and refresh the page you want to see.
Be confronted again with the same popover that hides the content. You know what to do this time because you have been here before. Click ‘Accept’ because there is no other way to read the article.
So what we have here is a kind of paywall that says ‘If you want to play, do it my way.’ Or to put it another way, it is forcing consent to cookies as the price of reading the content. Surely that is against the spirit of the GDPR?
One thing – Google penalises sites that use popups that cover content – maybe that will nudge webmasters to stop using popups that require consent as the price of access.