The General Data Protection Regulation (GDPR) was written in 2016. It went into effect in 2018. Here we are in 2019, and most genealogy bloggers are not following it. Really. None of us. Not Debbie Kennett, not Judy Russell, not Blaine Bettinger, not Leah Larkin, not Roberta Estes, and not I.
I thought I was. Then I took a look at the actual law, the reasons for the law, and what I had implemented.
Nope. What I had was not good enough.
I am working on the fix, but I am still not sure I have it right. What is needed is not difficult, but the task list is long. I still have work to do. Hopefully, if others follow along on my progress from this point, they will catch things I have missed.
What is GDPR though, and why does it exist?
The internet is full of data. There are shopping areas, blogs, organization websites, social media pages, and search engines to find it all. All of these places on the internet collect information about those who visit their pages. Company sites collect information on transactions, and blogs collect user preference information. As the internet has grown, this information has begun to be stored with small bits of code, called cookies. Alongside the growth, sites have built mailing lists of users. The users then receive sale promotions and site updates. Some sites kept confidential information such as name, mailing address, credit card number, and birth date.
It has reached the point where the average person would have a hard time knowing just who had what information about them.
There was sordid data sharing too. Lists of names and email addresses were bought and sold on the grey market. Insecure sites were hacked and private information was leaked. Even worse, companies did not disclose these privacy violations to their users for months, if ever.
That last has some bite. Have you ever been emailing a friend about needing a new coffee maker and just hours later had ads for coffee makers start to appear on your Facebook feed? You are not crazy to see a connection.
Website owners with connected Facebook pages have the option to set a type of tracker on their web pages. This helps them learn who clicks through from Facebook posts and what they read. Of course, if Facebook gives the site owner access to the information, then Facebook also has it. It does not stop there though. The site owner can also set their tracking preferences on Facebook to allow Facebook to share the information with other Facebook businesses and all of Facebook’s marketing partners. That can be just about everyone everywhere.
That is the nature of marketing trackers. If I use such a tracker, then my readers' data is being bought and sold. Never mind that I, the blogger, am not being paid. It is my site, and I am the one who places marketing trackers and cookies. If I put it on my site, I am the accountable person.
Users of the internet have a right to know who has their data.
My mother had a thing about accountability. The European Union does too.
How does GDPR help?
GDPR outlines common sense rules of human decency that web site owners should be following. That is the core of GDPR.
- Companies should make every reasonable effort to make their site secure.
- If a company has a data leak, they have to disclose it in a timely way.
- If a company sets trackers, they have to disclose it. It must be opt-in not opt-out. The user must be able to change their settings on the site.
- Companies must disclose to users what information they have collected on them and be willing to remove it when asked.
What does that mean for me, the blogger? Here are the checks I have figured out so far.
- Is the site secure (HTTPS)?
  - Check by reading headers on GTMetrix.
- Are site headers secure?
  - Check on the Mozilla Observatory site.
- Are European Union users shown a cookie banner?
  - Check by viewing the video of the site loaded in London, UK on GTMetrix.
- Do only essential cookies load before EU users agree to them?
  - Inspect site using a web proxy in France.
- Can EU users opt-in or out of cookies by type?
  - Inspect the cookie banner using a web proxy in France.
- Check by viewing the website.
- Check by viewing the website.
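The HTTPS, header and cookie checks above can also be run as a script over the response headers saved from a first visit through the EU proxy. This is an added example, not part of the original post: the sample response is constructed, and the `EXPECTED_HEADERS` list and the `ESSENTIAL` cookie allowlist are assumptions to adapt per site (the result is not the Mozilla Observatory grade).

```python
# Added example: audit one first-visit response against the checklist above.
# SAMPLE is constructed; EXPECTED_HEADERS and ESSENTIAL are assumptions.
from urllib.parse import urlsplit

EXPECTED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
)
ESSENTIAL = {"PHPSESSID", "cookie_consent"}  # hypothetical allowlist for this site

SAMPLE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
Set-Cookie: PHPSESSID=abc123; Path=/; Secure; HttpOnly
Set-Cookie: _ga=GA1.2.111.222; Path=/; Max-Age=63072000
Set-Cookie: _fbp=fb.1.1550000000.333; Path=/
"""

def parse_headers(raw):
    """Return (name, value) pairs; keeps repeated headers such as Set-Cookie."""
    pairs = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit(url, raw):
    """Report HTTPS use, missing security headers and cookies set before consent."""
    pairs = parse_headers(raw)
    present = {name for name, _ in pairs}
    cookies = {}  # cookie name -> lower-cased attribute list
    for name, value in pairs:
        if name == "set-cookie":
            first, *attrs = value.split(";")
            cookies[first.split("=", 1)[0].strip()] = [a.strip().lower() for a in attrs]
    return {
        "https": urlsplit(url).scheme == "https",
        "missing_headers": [h for h in EXPECTED_HEADERS if h not in present],
        "cookies_before_consent": [c for c in cookies if c not in ESSENTIAL],
        "cookies_without_secure": [c for c, a in cookies.items() if "secure" not in a],
    }

if __name__ == "__main__":
    for check, result in audit("https://blog.example/", SAMPLE).items():
        print(f"{check}: {result}")
```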
Does GDPR matter outside the EU?
Here is where we, in genetic genealogy, are so far.
| All My Foreparents | Israel Pickholtz | http://allmyforeparents.blogspot.com/ | No | F | No | No | No | No | No |
| Annette Kapple’s genealogy research blog | Annette Kapple | http://annettekapple.blogspot.com/ | No | F | No | No | No | No | No |
| Counting Chromosomes | Edison Williams | https://casestone.com/threlkeld/blog | Yes | F | No | No | No | No | No |
| Cruwys News | Debbie Kennett | https://cruwys.blogspot.com/ | Yes | F | No | No | No | No | No |
| Data mining DNA | | http://dataminingdna.com/ | No | F | No | No | No | No | No |
| Deb’s Delvings in Genealogy | Debbie Parker Wayne | http://debsdelvings.blogspot.com/ | No | F | No | No | No | No | No |
| Dienekes’ Anthropology Blog | Dienekes | http://dienekes.blogspot.com/ | No | F | No | No | No | No | No |
| DNA and Family Tree Research | Maurice Gleeson | http://dnaandfamilytreeresearch.blogspot.com/ | No | F | No | No | No | No | No |
| DNA Explained | Roberta Estes | https://dna-explained.com/ | Yes | D | No | No | No | No | No |
| DNA Genealogy | Jason Lee | https://dnagenealogy.tumblr.com/ | Yes | F | Yes | Yes | No | Yes | No |
| DNA Sleuth | Ann Raymont | https://dnasleuth.wordpress.com/ | Yes | F | No | No | No | No | No |
| DNA Testing Advisor | Dick Hill | https://www.dna-testing-adviser.com/dna-testing-blog.html | Yes | F | Yes | No | No | Yes | No |
| Dr D Digs Up His Ancestors | Dave Dowell | http://blog.ddowell.com/ | No | F | No | No | No | No | No |
| Evo and Proud | Peter Frost | http://evoandproud.blogspot.com/ | No | F | No | No | No | No | No |
| Find lost Russian and Ukrainian Family | Vera Miller | https://lostrussianfamily.wordpress.com/ | Yes | F | Yes | No | No | No | Yes |
| Gene Gest An English-language blog | Eryk Jan Grzeszkowiak | http://www.genegest.com/ | No | F | No | No | No | No | No |
| Genealem’s Genetic Genealogy | Emily Aulicino | http://genealem-geneticgenealogy.blogspot.com/ | No | F | No | No | No | No | No |
| Genealogia genetyczna (in Polish) | Eryk Jan Grzeszkowiak | http://www.genealogiagenetyczna.com/ | No | F | No | No | No | No | No |
| Genomics Law Report | | https://theprivacyreport.com/ | Yes | C | Yes | No | No | Yes | No |
| Hartley DNA and Genealogy | Joel Hartley | http://www.jmhartley.com/HBlog/ | No | F | No | No | No | No | No |
| Kitty Cooper’s blog | Kitty Cooper | http://blog.kittycooper.com/ | No | F | No | No | No | No | No |
| Le Gall of Lower Britanny | Joss Ar Gall | https://legall-bzh.blogspot.com/ | Yes | F | No | No | No | No | No |
| Michael Cooley’s Genetic Genealogy blog | Michael Cooley | http://blog.ancestraldata.com/ | No | F | No | No | No | No | No |
| On-line Journal of Genetics and Genealogy | Steven Perkins | http://jgg-online.blogspot.com/ | No | F | No | No | No | No | No |
| Radiant Roots, Boricua Branches | Teresa Vega | http://radiantrootsboricuabranches.com/ | No | F | No | No | No | No | No |
| Roots and Recombinant DNA | T L Dixon | http://www.rootsandrecombinantdna.com/ | No | F | No | No | No | No | No |
| Segmentology blog | Jim Bartlett | https://segmentology.org/ | Yes | F | No | No | No | No | No |
| The DNA Geek | Leah Larkin | https://thednageek.com/ | Partly | D+ | No | No | No | Yes | No |
| The Enthusiastic Genealogist | Dana Leeds | http://theenthusiasticgenealogist.blogspot.com/ | No | F | No | No | No | No | No |
| The Genetic Genealogist | Blaine Bettinger | https://thegeneticgenealogist.com | Partly | F | No | No | No | Yes | No |
| The Legal Genealogist | Judy Russell | https://www.legalgenealogist.com | Yes | F | Yes | Yes | No | Yes | Yes |
| The Lineal Arboretum | Jim Owston | http://linealarboretum.blogspot.com/ | No | F | No | No | No | No | No |
| The Ultimate Family Historians | Linda Jonas | http://ultimatefamilyhistorians.blogspot.com/ | No | F | No | No | No | No | No |
| Through the Trees | Shannon Christmas | http://throughthetreesblog.tumblr.com/ | No | F | Yes | Yes | Yes | Yes | No |
| Tracing African Roots | | https://tracingafricanroots.com/ | Yes | F | No | No | No | No | No |
| Your Genetic Genealogist A genetic genealogy blog | CeCe Moore | http://www.yourgeneticgenealogist.com/ | No | F | No | No | No | No | No |
In my next post, I will cover the practical task of changing from an HTTP to an HTTPS website. Thanks to Let's Encrypt, it is completely free for most people.
Posts in Series
- GDPR & The Genealogy Blogger in 2019 – The Why?
- GDPR & The Genealogy Blogger in 2019 – Moving to HTTPS
- GDPR & The Genealogy Blogger in 2019 – Security Headers
- GDPR & The Genealogy Blogger in 2019 – That Cookie Banner
- GDPR & The Genealogy Blogger in 2019 – Opting In & Out