Privacy Policy Requirements for a Blog
If you own or operate a blog, it is critical that you post a Privacy Policy on your site that meets the regulations of every jurisdiction where your blog readers reside. This protects your readers from any potential privacy breaches and protects you from legal liability. While a blog might not seem like a place where personal information is being collected, the fact is that almost every online site does collect personal information either directly or indirectly. Not only does the browser your blog readers use collect information from your audience, but so does your blog.
This article will explain why you need a Privacy Policy for your blog, and help you create and display your own.
- 1. When and Why Blogs Collect Personal Information
- 1.1. List Sign-up
- 1.2. Communications and Contact
- 1.3. Content Upgrades
- 1.4. Chat Tools
- 1.5. Social Sharing
- 1.6. Commenting
- 1.7. Ecommerce
- 1.8. Cookies
- 1.9. Third Party Services
- 2. What is a Blog Privacy Policy?
- 3. How to Create Your Privacy Policy
- 4. Privacy Laws Affecting Your Blog
- 4.1. CalOPPA Privacy Policy Regulations
- 4.2. General Data Protection Regulation of the EU
- 4.3. Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
- 5. Third Party Privacy Policy Requirements for Blogs
- 5.1. Google Analytics
- 5.2. Your Blog Platform
- 6. How Social Platforms Affect Your Blog's Privacy Policy
When and Why Blogs Collect Personal Information
At minimum, your blog likely collects the following types of personal information to function and be optimized:
- First and last name
- Email address
- Social media profiles and information
- Reader comments
- Reader actions (browse time, links followed, ads viewed, etc.)
All personal information collected online is subject to global privacy regulations.
Blogs, like other websites, deploy multiple technologies to attract, engage, convert and serve their audiences. Some blogs are monetized with ecommerce features, and many blogs present readers with display ads.
The list of potential ways a blog directly and indirectly collects personal information is long. Let's take a look at some of the most common ways your blog might be collecting personal information from your readers.
List Sign-up
List sign-ups are commonly found on blogs, but because they collect at least an email address, they trigger the requirement of a Privacy Policy.
Small business SEO consultant Main Street ROI uses multiple tools to grow its email list, encourage referrals and convert blog readers to paying customers. This simple email list sign-up tool pictured above appears at the end of every blog post. It includes one personally identifiable data point -- the reader's email address.
This single information-capturing tool is enough to require a Privacy Policy on the site. However, as on most blogs, it is only one of many tools deployed on the site to grow the audience.
Communications and Contact
If you have a contact form where users can contact you, or you encourage them to communicate with you somehow, you will surely be collecting legally protected personal information.
The right sidebar on every page of the Main Street ROI site, including blog pages, encourages readers to schedule a call. The call is free, but several data points are required to get it:
- First Name
- Last Name
- Phone
- Website
Not only is all of this information legally protected personal information, but by providing the website address, the reader is essentially inviting Main Street ROI to collect even more information than contact data.
Content Upgrades
An increasingly common engagement tool found in a blog's sidebar is the content upgrade. Content upgrades offer information considered more valuable than the blog itself or other enticements offered on the site. These upgrades require you to share personal information such as an email address to access the upgrade.
If a site visitor isn't enticed to join the email list or schedule a call, an exciting content upgrade might be the best next option to convert the reader to a blog follower.
In order to get the content upgrade - in this case, The Internet Marketing Survival Guide - the reader needs to enter a valid email address.
Chat Tools
Another tool blog sites use to provide value to readers in exchange for personal information is a chat tool.
Here's how Main Street ROI does this:
In order to use the tool, the reader must enter personal information. In this case, the required information is an email address. However, the reader also may enter information into a text box, which likely could include personal information, such as other contact information, their website URL or even payment information.
Social Sharing
Another popular blog engagement tool is a social sharing tool. When a reader clicks to share a blog post, the blog receives additional personal information about the reader through integration with the chosen social platform.
Here is the sharing tool Main Street ROI uses:
Commenting
Many blogs also invite reader comments, which serve two purposes: increasing blog SEO and increasing engagement. In the process, the blog gets another opportunity to directly collect personal information, which means that you'll need a Privacy Policy.
Island Jane requires anyone who wishes to leave a comment to provide a name and email address, both of which are personally trackable. Additionally, the reader has the option to provide her website and leave a comment, which also may include personally identifiable information.
Ecommerce
In order to process an order, shoppers must provide a name, shipping address, email address and phone number, all of which are protected by privacy laws and require a Privacy Policy.
The Island Jane blog includes an integrated ecommerce store in which direct and indirect personal information is collected.
The store also utilizes third party vendors to process payments. In this way, Island Jane is collecting information to share with those third parties.
Cookies
Certain types of cookies collect personal information and this must be disclosed in your Privacy Policy.
In reading Main Street ROI's Privacy Policy, we learn they are indirectly collecting personal data from their readers through Google cookies.
Third Party Services
If you share information with any third party services such as payment processors or analytics tracking software, this must be disclosed within a Privacy Policy. Oftentimes, the third party itself may require its clients (you) to maintain and publish a Privacy Policy.
In addition to indirectly collecting information through cookies, the site discloses they also may share information with third parties who they choose to help operate the site, conduct business and manage services:
If your blog utilizes even one of the described reader engagement tools, as it very likely does, then you are collecting personally identifiable information and you must create a unique Privacy Policy for your site.
What is a Blog Privacy Policy?
A blog Privacy Policy is where you comprehensively identify all ways your blog is collecting personally identifiable information from your readers. This includes information you collect directly, such as through sign-up or through an ecommerce store, or indirectly through third parties such as payments processors, online advertisers, social platforms and analytics tools.
A unique Privacy Policy written specifically for your blog is necessary to comply with state, federal and global laws protecting consumer privacy rights in every jurisdiction where your readers reside. As the web helps your blog reach more and more people from all corners of the earth, your legal liability increases. Ensuring your Privacy Policy meets all possible legal regulations is critical to your success.
Additionally, your Privacy Policy should be written in a way that your typical blog reader can clearly understand.
It also should acknowledge your respect for, and adherence to, all applicable laws.
If your blog attracts minors, you assume additional privacy obligations that must be addressed in your procedures and in your Privacy Policy.
And, when you update your Privacy Policy in a material way, you should send out or provide some sort of an Update Notice.
How to Create Your Privacy Policy
Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:
- Click on "Start creating your Privacy Policy" on our website.
- Select the platforms where your Privacy Policy will be used and go to the next step.
- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
- Enter your email address where you'd like your Privacy Policy sent and click "Generate".
And you're done! Now you can copy or link to your hosted Privacy Policy.
Privacy Laws Affecting Your Blog
Privacy laws are written to protect the residents in the jurisdiction where the law applies. If there is any chance that your blog might attract a reader from jurisdictions where privacy laws exist, then you are required to comply with those laws.
Let's take a look at some privacy laws that are likely to affect your blog.
CalOPPA Privacy Policy Regulations
The California Online Privacy Protection Act, also known as CalOPPA, requires websites, including blogs, to post a Privacy Policy.
CalOPPA also includes specific rules for website and blog privacy procedures, and rules mandating how to present those procedures in the Privacy Policy.
General Data Protection Regulation of the EU
The General Data Protection Regulation (GDPR) creates strict regulations mandating how websites and blogs must protect personal data collected from EU residents.
As is the case with CalOPPA and virtually every other legal privacy requirement, GDPR applies to blogs attracting visitors who live in the jurisdiction, whether or not the blog itself is located in the EU.
An interesting component of the GDPR is a requirement for blogs to obtain informed consent from readers before collecting personal information from them. In other words, previous privacy protection standards which put the burden of knowing privacy rights onto the reader are now clearly placed on the blog owner.
Article 5(3) of GDPR requires website owners, which includes blogs, to properly inform readers of the actual and potential information that may be collected through the site, both directly and indirectly, and give the reader options for preventing or limiting the information they provide:
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
Canada's Personal Information Protection and Electronic Documents Act, also called PIPEDA, was created to address privacy concerns relating to the commercial collection and management of personally identifiable information of Canadian citizens.
The act defines commercial activity as:
"Any transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists."
If your blog attracts readers from Canada, then your Privacy Policy must also include provisions that meet the PIPEDA requirements.
Third Party Privacy Policy Requirements for Blogs
In addition to government laws and regulations, third party blog services often have Privacy Policy requirements for those using their services. This is because the third party has its own legal obligations when it comes to protecting consumer information.
Google Analytics
It is very likely your blog is interacting with one or more Google platforms such as Google Analytics. If so, your Privacy Policy must meet Google's data handling requirements as well as local, state, federal and global requirements.
This is because, as spelled out clearly at the top of its Policy Requirement, Google uses technology tools such as cookies to collect information about your blog's readers and their browsing patterns:
Google's policy then clearly states that in doing this, your site must post a Privacy Policy fully disclosing all such instances of data collection and sharing between your blog site and the Google platform:
Since it's highly likely your blog does or might attract readers from the EU, your Privacy Policy also must include special provisions to meet GDPR requirements:
Your Blog Platform
Blog platforms such as WordPress, Reddit and others include built-in features to help you grow your blog traffic. To do this, they automatically collect information about your readers such as browsing patterns and IP addresses, which locate your readers' devices. User comments, which are an effective and popular way to increase blog SEO, also collect protected data such as reader name, email address, social platforms and, in many cases, a photograph.
In the example below, the comment submitted by a WordPress blog reader includes his IP address:
The public view of most blogs displays the reader's photograph with comments. See this example from a reader comment at Island Jane, where we see publicly the reader's first and last name, as well as his photograph:
The WordPress Privacy Policy spells out the personally identifiable information it collects from blogs using the platform:
Reddit's Privacy Policy distinguishes between information the platform collects automatically such as usage data and location information, and information the platform collects from other sources, such as device IDs.
It does this in two separate clauses.
All of that information is protected by various privacy laws and must be disclosed in your Privacy Policy.
How Social Platforms Affect Your Blog's Privacy Policy
An increasingly popular method for gaining blog followers is the use of social sign-up buttons. These allow your readers to quickly sign up for your blog through a platform in which they are already logged in. In doing this, however, you also accept the privacy laws governing that exchange of data, as well as each platform's requirements to ensure you comply with not only applicable laws, but also their unique Privacy Policies.
Facebook and Twitter are examples.
By providing quick social sign-up, you get the benefit of not only a new reader, but also access to data from the reader's social site used for sign-up.
Online public forums such as Disqus offer opportunities for your blog to gain a global following. They also increase your privacy protection obligations. If you choose to integrate with the Disqus platform, you must comply with their terms, which include a requirement to comply with all privacy laws:
With ever-increasing enthusiasm to connect a worldwide audience with great content and exciting new technologies to make that happen, privacy risks and legal obligations also increase. Creating a unique, bulletproof Privacy Policy for your blog is an absolute must to protect your readers and your blog.