The aforementioned GDPR regulations go into effect on May 25th, in 5 days from this post. Because of the headaches and intense amount of website work this is causing me, I do not have time to write a review this week – you can thank the EU. A quick summary of the sources of my current migraine:
- The GDPR requires separate opt-in consent for EACH COOKIE set on a site. My ad-network, because it’s a mish-mash of third-party ad networks, plants something like 23 cookies. That technically means I’m supposed to present 23 unchecked boxes to acquire consent.
- The GDPR applies to any visit from an EU resident. But, because I cannot guarantee that an EU resident isn’t visiting my site via a VPN that obscures his or her location, I cannot assume that EU IP addresses are the only ones that need to be handled under the law.
- The GDPR stipulates that I cannot block access to my content on the basis of not giving consent to tracking. That means I have to allow non-consenting EU residents (or anyone, really, see point above) to effectively steal (or, really, to access my site without me getting paid) my content, since I get paid via an ad network that requires the use of tracking cookies. (Hint: All of them do.)
- Technically, I’m supposed to STORE personal data (which I wasn’t doing before) in order to be able to PROVE under an audit that I properly acquired and stored a visitor’s consent to be tracked. I actually have to do MORE personal data tracking to adhere to the new law.
- If I were to get hacked (I’m not Google, I can’t afford the kind of industrial Internet security it would take to 100% guarantee this won’t happen), I could be liable for fines.
- If I miss something and end up getting reported to the appropriate EU authority, and the US (where I live) decides to honor the EU request to enforce the fine under international law, I could be fined up to 2 million Euros. I don’t have 2 million Euros.
Sorry man that’s really annoying
“My advice to you, is to start drinking heavily.”
– John “Bluto” Blutarsky
Wait…how are you supposed to “store” visitors consent?
In the website backend. In my case, it’s partially in WordPress’s Comment database, and partially in my Ad Network’s consent database. Still probably not as “robust” as called for in the GDPR.