Does GDPR Apply to Personal Websites?
A few weeks back, I released v10.0.1 of my website. I use a static site generator to generate all the pages and publish them to the internet for all the world to read. In that release, I added Application Insights to provide me with some performance data, but also to get a bit of usage data (from those willing to share it).
What I found odd was that all the links and articles I came across seemed to talk about things at a high level (i.e. defining GDPR) or assumed I was working at a large scale (i.e. enterprise software), but nothing covered small projects like my personal website.
Still, I managed to draw some of my own conclusions on how to handle GDPR for my personal website and wanted to document them somewhere.
DISCLAIMER: This is not legal advice
I am not a lawyer, so this is just an opinion from a developer. As a rule of thumb, I avoid taking legal advice from random folks on the internet. If you take advice from this article, take that bit and keep it.
I hope others (like you) use this post to draw your own conclusions on how you want to proceed with your own plan for handling GDPR.
But if you want real advice, get a lawyer and talk to them.
Short Answer: Yes
Yes, it does apply to your personal website if you are tracking information about your users and you are developing your own website or application.
Developing Your Own Website or Application
By developing I mean coding it, publishing that code, and hosting it somewhere like Microsoft Azure or GitHub Pages. If you are publishing your own code, GDPR may apply to you.
If you are using a third-party tool or platform, like Facebook or LinkedIn, to host your blog posts, you appear to be in the clear. When you use a third-party platform, the platform, not you, is responsible for GDPR compliance.
Even if you think you are clear of GDPR responsibility, make sure that you trust your chosen platform to comply with GDPR and the other regulations out there, as your site depends on it.
The GDPR is all about protecting personal information and giving control back to people navigating the internet. GDPR is not the only set of laws in play, as California, Brazil, and Canada have their own versions of similar legislation, but many of these laws seem to have been inspired by GDPR, which is why I tend to focus on it.
At the personal website level, you need to consider whether or not you are collecting personal information from your users. This includes things like IP addresses or cookie identifiers.
If you are NOT collecting information like that, you are good to go! Just remember that services like Google Analytics or Disqus Comments use personally identifiable information to operate, so if you have decided to include one of those services on your site then you need to think about GDPR compliance.
My Solution Highlights
I concluded that the GDPR-like laws apply to my personal website if I want to do any kind of usage tracking and understand how users are using my site. This means tracking needs to be an opt-in policy: the user is given the option to opt in, and nothing is tracked unless they take it.
The dialogue above is the only real visual evidence on the site now. As simple as that looks, a lot of thought went into it prior to implementation. Rather than doing a complete code review, I figured I would share the highlights.
Understanding My Tools
My default would just be to include something like Google Analytics, and be done with it, but with GA being made illegal in the EU and more countries creating their own GDPR-like legislation, I thought I would stay away from it and try something different.
Regardless of what you choose for your analytics or tracking tool, the important part is that you understand how the tools are GDPR compliant and how the tracking technology works.
Opt-In for Cookies
You've seen millions of them already, but those cookie banners have a purpose. The GDPR website outlines the requirements around using cookies, and many tools use them. The important thing is that you know how your website works, along with all the dependencies you choose to include.
In my case, the cookie banner enables cookies in Application Insights, which in turn enables usage data collection, only if the user clicks "Accept".
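As an added example (not the site's own code, and not part of the original post), here is a framework-free consent gate in JavaScript that captures the rule described above: the analytics SDK is loaded, and its cookies enabled, only after the user clicks Accept, and the decision is remembered so that a later page load does not show the banner again. The storage key name, the `loadAnalytics` callback, the banner element ids and the in-memory storage are assumptions made for the example; on a real page `storage` would be `window.localStorage` and `loadAnalytics` is where you would construct the Application Insights SDK with cookie usage allowed, while the no-consent path never constructs it at all.

```javascript
// Added example: a consent gate that loads analytics only after the user
// opts in. Constructed for illustration; not the site's own code.
// Assumptions: a Storage-like object (getItem/setItem/removeItem) and a
// loadAnalytics() callback that creates the analytics SDK with cookies on.

const CONSENT_KEY = "analytics-consent"; // assumed key name
const GRANTED = "granted";
const DENIED = "denied";

// Returns "granted", "denied", or null when the user has not chosen yet.
// Anything other than the two known values is treated as "never asked",
// so a stale or tampered value can never silently enable tracking.
function readConsent(storage) {
  const value = storage.getItem(CONSENT_KEY);
  return value === GRANTED || value === DENIED ? value : null;
}

function createConsentManager({ storage, loadAnalytics }) {
  let loaded = false;

  // Load the SDK at most once, and only when a grant is actually recorded.
  function enable() {
    if (loaded) return false;
    if (readConsent(storage) !== GRANTED) return false;
    loadAnalytics();
    loaded = true;
    return true;
  }

  // Run on every page load. Returns the stored decision so the caller
  // knows whether to show the banner (null) or leave it hidden.
  function init() {
    enable();
    return readConsent(storage);
  }

  function accept() {
    storage.setItem(CONSENT_KEY, GRANTED);
    enable();
  }

  function decline() {
    storage.setItem(CONSENT_KEY, DENIED);
  }

  // Withdrawal: forget the decision so the banner is shown again next load.
  // An SDK already loaded in this page stays loaded until the page reloads.
  function withdraw() {
    storage.removeItem(CONSENT_KEY);
  }

  return {
    init,
    accept,
    decline,
    withdraw,
    isLoaded: () => loaded,
    consent: () => readConsent(storage),
  };
}

// Minimal in-memory Storage, so the example runs outside a browser.
function makeMemoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

// Browser wiring (assumed element ids): the banner's buttons record the
// decision, and the banner is only shown when no decision exists yet.
function wireBanner(manager, doc) {
  const banner = doc.getElementById("cookie-banner");
  if (!banner) return;
  banner.hidden = manager.init() !== null;
  doc.getElementById("cookie-accept").addEventListener("click", () => {
    manager.accept();
    banner.hidden = true;
  });
  doc.getElementById("cookie-decline").addEventListener("click", () => {
    manager.decline();
    banner.hidden = true;
  });
}
```

In a browser you would call `wireBanner(createConsentManager({ storage: window.localStorage, loadAnalytics }), document)` once the DOM is ready. The design point worth noting is that `enable()` re-checks the stored decision rather than trusting its caller, and `readConsent()` rejects any value it does not recognise, so the only way the SDK is ever loaded is a recorded "granted" value.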
This last point is less technical, and more about design. I am designing with transparency in the front of my mind. I added a privacy statement to my about page to explain the "why" around using Application Insights, and will share more specifics and document them accordingly.
Conclusion / TL;DR
GDPR and the various GDPR-like laws definitely apply to you and your personal website or app project if you are building the code yourself, assuming you want to track information about your users.
The short story on this is that you need to draw your own conclusions and take responsibility for what you include in your website. If you are developing something to share outward into the world, you need to take the time to understand how the various tools you include (such as Google Analytics or Application Insights) work, as well as the requirements for compliance.
Two resources I found useful in explaining GDPR requirements are provided on the site GDPR.eu. If you are looking for more information, I definitely suggest checking out these links:
Thanks for playing.