GDPR

You write, you blog, you publish. And someone reads your blog and comments, or reads your newsletter.

Or you sell something online – a pen, a book, a woolly hat, an iPhone case – and you get paid.

What do you have? You have the name, address, email address, and maybe some other information such as the customer’s liking for woolly hats. Surely none of it is the kind of stuff that the framers of GDPR (the General Data Protection Regulation) are really worried about.

They are worried about people who hold other people’s ‘sensitive personal information’ (what the Regulation itself calls special categories of personal data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation).

What happens in reality is that we all get swept up in the dust storm and have to comply. In the pre-digital age, whenever governments brought out these kinds of regulations, businesses went to see their lawyers and the printers rubbed their hands with glee at the thought of all those reprints they would be asked to do – of brochures and leaflets and notices – all the stuff that would be necessary.

But in the digital age where we do it all ourselves, I just see a pain in the behind for thousands and thousands and thousands of bloggers and small businesses when it is surely blindingly obvious that 99.9% of what is intended to be protected by GDPR has nothing at all to do with those bloggers or those small businesses.

Double Opt-In In the Age Of GDPR

If you send out a newsletter, and your original opt-in was a double opt-in (the recipient signed up with an email address on your site and then confirmed by clicking the link that arrived in their inbox), then you don’t need to get consent again, provided you kept a record of it (who signed up, when they confirmed, and what they were told they were signing up for), because GDPR requires you to be able to demonstrate that consent was given.

Double opt-in has been around for a while, and the reason for it, and the reason I say you ‘have’ to be double opt-in, is that without it anyone could sign up with someone else’s email address and you would be sending newsletters to someone who never requested them. The confirmation link only does that job if the token in it cannot be guessed or forged, is tied to the address that was entered, and expires after a reasonable time.

Emailing someone who didn’t ask you to has been outlawed under the Privacy and Electronic Communications Regulations (PECR) for a long while. GDPR highlights it, raises the bar for what counts as valid consent (PECR borrows GDPR’s definition), and carries much heavier penalties of its own.

GDPR Steps

You need a page that sets out your privacy policy, a page that sets out your cookie policy (or a section about cookies in your privacy policy page), and a means for your visitors to signify cookie consent or an indication of where to go to find out more.

If your site is built on WordPress, you are in luck because the very latest version (4.9.6) practically does it all for you, or at least gives you the framework for writing out your privacy policy statement. If you haven’t already got a page setting out your privacy policy, go to your admin dashboard and, under Settings, you will see a section named ‘Privacy’. Click on that and choose ‘Or: create new page’; WordPress will create the page for you and set out the sections you need to fill in. You still have to read up on the GDPR requirements (who collects the information, what kind of information, why, how long it is kept, and so on), but the bones of it are there.

Next, you need a page in which you set out your cookie policy. Or you can put the cookie policy in a section of the Privacy Policy page. The contents are pretty standard, so find a good site (the BBC, Marks and Spencer, WordPress, Google, etc.) and crib the bits you need, but make sure what you end up with describes the cookies your site actually sets: a policy that lists cookies you don’t set, or leaves out ones you do, is worse than no policy at all.

Finally, you need a cookie consent banner. You can no longer tell people you deem them to have consented simply by continuing to use your site; consent has to be an affirmative act, so it is better to be safe than sorry. You need a little banner that people can click to say they are alright with cookies. They don’t have to click it, but your non-essential cookies (analytics, advertising and the like) should not be set until they do; cookies that are strictly necessary for the site to work, such as a login session or a shopping basket, don’t need consent at all. I have tried various plugins and used EU Cookie Law (by Alex Moss and others).

Update June 2022 – the EU Cookie Law plugin is no longer being maintained.

Update After GDPR – Popups That Require Consent As The Price Of Access

Is this the intended consequence of GDPR? Go to a page on a website and be confronted with a popover that hides the content. Don’t click ‘I accept’ for cookies. Instead click on ‘more info’ or ‘preferences’ or whatever is there.

Say ‘No’ to cookies and refresh the page you want to see.

Be confronted again with the same popover that hides the content. You know what to do this time because you have been here before. Click ‘Accept’ because there is no other way to read the article.

So what we have here is a kind of paywall that says ‘If you want to play, do it my way.’ Or to put it another way, it is forcing consent to cookies as the price of reading the content. Surely that is against the spirit of the GDPR? (European regulators have since said as much: consent given only because access is otherwise refused is not ‘freely given’, so a ‘cookie wall’ of this kind does not produce valid consent.)

One thing – Google penalises sites whose popups cover the content on mobile, although it exempts interstitials shown to meet a legal obligation, cookie notices included. Still, maybe that will nudge webmasters to stop using popups that require consent as the price of access.

GDPR Response

It is completely understandable that if a website gathers sensitive information regarding, for example, health, sexual preferences, minors or criminal records, then the website owner should be held to a high standard of accountability. But look at how the majority of headline websites have responded to GDPR. They use popovers to force visitors to accept cookies, or, if not to accept, then to jump through hoops to discover exactly which cookies to allow. Popovers are a kind of paywall, forcing consent to cookies as the price of being allowed to read the content.

Moreover, the good intention behind GDPR pales when you think of how Facebook chases you around the Web.

I can think of a date in the future when Facebook and Google know so much about you that they know more about you than you know yourself. We could be there already and we wouldn’t know it. We don’t have access to the data and we wouldn’t be sure we understood it even if we did have access. That is not even taking into account the ego railing against someone or something else knowing us at all.

A lot has changed in the past few years. Web designers have offloaded a lot of the job onto the browsers. Rather than everything being delivered by the server where the website resides, the browser plays an active part in that process. That development may have played into the hands of privacy campaigners. Specifically, Safari and Firefox have tracking protection built in to block cross-site tracking (the third-party cookies and scripts that follow you from one site to the next). Perhaps there will come a day when Google and Facebook have information about you up to 2020 but then a black hole.

Come the next pandemic, say in 2026, when Google would be the best place to get pertinent advice on the actions individuals should take to defeat the virus, dependent on their genetic makeup, food intake, location, etc., and when asked, Google will say: Sorry, due to privacy actions you have taken in the past, we are unable to give you tailored advice on actions to take in this pandemic.

Web Accessibility Woes

I was looking at a website that has a web accessibility page. It describes how the site is accessible to people with various impairments.

I googled for whether such a page is a legal requirement. I don’t think it is, but what is a legal requirement in the UK under the Equality Act 2010 is not to discriminate by preventing impaired people from accessing services. I see there are similar provisions in the US, and no doubt in other countries.

It’s easy enough to understand what discrimination is when it’s a set of steps leading into a shop, and people in wheelchairs can’t get in – but maybe it’s not so easy for people to understand how websites can discriminate, and how web accessibility is important for the impaired.

So how can web accessibility go wrong?

Websites can discriminate by using fonts that are hard to read against the background colour.

They can discriminate by not having a text explanation for images that are used on the website.

They can discriminate by using high-level language that stops some people understanding what the site is saying or stops them understanding how to do what they want to do on the site.

They can discriminate by having complicated menus that some people find difficulty in negotiating.

And the list goes on.

Obviously, a website about quantum physics, addressed to fellow professionals, is not going to be accessible to many people. The point is that it should still not pose an extra barrier to people with impairments, over and above the barrier that its content poses to the population in general.

So with that understanding, I pasted a chunk of the text into Google. I pasted a chunk of text from the statement I had seen on the accessibility page of the site I was looking at.

I pasted in:

recognises the importance of providing a website that is accessible to all user groups, including the disabled, the visually impaired and those with motor deficiencies and cognitive disabilities.

And I got ream after ream of websites with the same standard text about how they care about accessibility, and what they’ve done to make their websites good examples of accessibility.

It’s depressing. Not that I am claiming anything wonderful about me or websites I am involved with – it’s just the way that someone’s idea of making the Web a better place for the impaired has been turned into endless pages of standard text.

Well maybe not. Maybe the websites are built to good standards, and it is just the accessibility pages that are a bit ‘off the shelf’.

So I ran a couple of prominent sites through a web accessibility tool.

The UK Government website page on the 2010 Act threw up 29 errors and 91 alerts.

Marks and Spencer had 12 errors and 227 alerts.

WordPress.com returned a creditable 2 errors and 30 alerts.

WordPress.org returned zero errors and 6 alerts.

No More Pencils (this site) returned 4 errors and 6 alerts. Good for me, but I think it’s just because this site is built in WordPress which is good on that score, and I chose a theme made by a developer who writes beautiful code.

Simultaneously In A Communal Space

For example, I am now writing in my space. It’s hosted on WordPress’ space, but it’s my space there.

If I write a comment on your site, we are in your space. If we interact on Facebook, we are in Facebook’s space, etc.

I like to think that by 2035 we will be able to communicate and be in our spaces and yet meet in something that is not anybody else’s space.

I know that sounds impossible – the space has to belong to ‘somebody’ – but I think it will happen.

There will be a space we meet where you are in your space and I am in my space and yet simultaneously we will be in a communal space that is no one else’s space, not under someone else’s control.

Maybe quantum mechanics will make it possible.

Pulling Your Money Where Your Mouth Is

Forbes reports that one of the latest advertising firms to pull money out of Google YouTube advertising is the UK arm of France’s Havas, one of the world’s largest ad agencies, whose clients include Domino’s, Emirates and the BBC.

It has done so because Google will not pull the videos that are obviously hate speech.

Meanwhile, the Sami have convinced one of the largest Pension funds in Norway to pull its investments out of the company that is pushing the Dakota oil pipeline.

It’s an interesting and good thing when people with money choose to be ethical in where they put their money.