How to Make Your Blog Compliant (Full Guide)

As the owner of a blog, you may be wondering whether the same rules that apply to commercial sites and apps also apply to you.

To answer that question, here are a couple of things you need to consider:

  • Do you collect or otherwise interact with your readers’ personal data (e.g. names, usernames, email addresses, IP addresses, session activity or payment details)?
  • Do you have a contact form or newsletter sign-up?
  • Do you use any third-party widgets or services (for example, Google Analytics or AdSense)?

If you answered yes to any of these, then many of the same privacy rules that apply to commercial websites and apps will apply to you.


Legal requirements in general

Major legislations

In the US, privacy laws vary widely and are implemented at both the state and federal level.

In the EU, the main data privacy regulations are the General Data Protection Regulation (GDPR) and the ePrivacy Directive (the Cookie Law). You can read our general legal overview.

Which Regulations apply to you

As mentioned above, if you implement any kind of service that interacts with the personal data of users, you’re legally required to have a privacy policy in place and to comply with applicable data privacy laws. Generally, these laws apply to any service targeting residents of the region, which effectively means that they may apply to your business whether it’s located in the region or not.

For the most part, compliance requires that you disclose data collection, inform users of their rights in regards to their data and implement methods of receiving/rescinding consent. Failure to adhere to data privacy laws can result in hefty fines, leave you open to litigation and negatively affect the credibility of your website. You can learn more about which laws apply to you here.

Legal requirements specific to blogging

Using a privacy policy to inform users about personal data use

By law, users of your site need to be informed about what data is being collected, their rights in regards to that data, your notification process for policy changes, the effective date of your privacy policy and any third-party access to their data (for example, via third-party comment widgets, social buttons or ad service integrations).

Disclosing endorsements in accordance with legal guidelines

Many regulators, including those in the US and the EU as well as the International Consumer Protection and Enforcement Network (ICPEN), have specific guidelines in place regarding product/service endorsements. Generally, they require that endorsements made by bloggers and influencers follow truth-in-advertising principles. This means that you’re not allowed to make any claims about the product that the marketer couldn’t legally make, and that endorsements must be non-misleading and fully disclosed. You must inform users whenever there’s a connection between you (the endorser) and the marketer that a consumer would be interested in knowing, or that would change their perception of the endorsement if known. For example:

  • you’re endorsing a product that is marketed by your relative;
  • you’re an employee, shareholder or investor in the product.

You must also inform users when you’ve been given an incentive (financial or otherwise) to push the product. This means that whether you were given a free product/service, paid directly, or you make a percentage off each sale (in the case of Affiliates) you’re equally obligated to inform users of the fact. For example:

  • you’ve been given a free night at a hotel in exchange for an endorsement;
  • you’re reviewing a product with an affiliate link that earns you money, discounts or free products;
  • you’re being paid by a brand to post pictures of yourself wearing their clothing.

According to ICPEN, you must clearly and prominently label content that you’re paid to endorse and ensure that it is clear whose opinion or experience is being stated. This means that disclosures need to be specific to the particular endorsement, so a single disclosure on your homepage won’t suffice.

Here’s an example of a compliant disclosure using the affiliate example above: “This blog receives a commission for using ‘company name’ products in the tutorial shared in this post. Although we receive a commission for using and linking their products, all of the products are tested thoroughly and only the ones that meet our standards are linked. All opinions stated are our own.”

Third-party requirements

Third-party apps and services also need to follow the law. As organizations themselves, they too can be exposed to major reputation damage, fines, and sanctions if their legal obligations are not met. For this reason, it’s often mandatory that all partners and customers that use their services meet regulatory standards.

One example is Google. In order to access certain services and tools (for example, AdSense, Google Analytics, Google Play store), Google requires that you have a comprehensive and up-to-date privacy policy in place. Here’s an excerpt from the Google Analytics terms of use:

“You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies that are used to collect traffic data, and You must not circumvent any privacy features (e.g, an opt-out) that are part of the Service.”

Another example is Amazon. Users of the Amazon Affiliate program are not only expected to have a privacy policy in place but are also required to be transparent and specifically disclose the affiliate relationship:

“We extended the requirement to disclose our affiliate relationship to any means where you may be leveraging Associates’ content.”

Needless to say, it’s important to ensure that both legal and third-party requirements are met. From time to time, however, third-party requirements change in response to internal or regional regulations. Your policies therefore need to track the latest requirements in order to avoid interruption of service or legal consequences. For this reason, we use embedding and NOT copy & paste for our document solutions. With this method, you can rest assured that your policy is up to date and being maintained remotely by our legal team.

You can read more about Google’s requirements here and Amazon’s requirements here.

How to comply

Have an up-to-date privacy policy in place that informs users of what data you’re collecting, how you’re collecting it, their rights in regards to their data; your purposes for collecting this data and specifically which third-parties have access to their data and for which purpose. Regulations require that your policy is clear, easy-to-understand and that it lists specific third-parties in a granular manner. The policy also needs to be easily accessible throughout the website.

How iubenda can help:

Putting together a privacy policy that fits your specific needs while addressing legal requirements across various geographical boundaries and jurisdictions can be difficult to do. We solve this problem by generating policies that work within the best-practices of various jurisdictions. With hundreds of available clauses, our privacy policies contain all the elements commonly required across many regions and services, while applying the strictest standards by default – giving you the option to fully customize as needed.

Our policies are created by lawyers, monitored by our lawyers and hosted on our servers to ensure that they are always up-to-date with the latest legal and third-party requirements. Easily integrate with your website/app using any one of our integration methods to make sure that your policies are visible and easily accessible as legally required.

The process is straightforward and intuitive, simply click to add your services, fill out your web/app owner and contact details, embed. Click here to read the full guide on How to Generate a Privacy Policy.

1) Add your services

  • Click “add a service” then start typing the name of the service you’d like to add. Remember to include every service that processes personal information; as a blogger, you’ll most likely want to add services like “Contact Form”, “Mailing list or Newsletter” and social widget services such as the “Facebook like button”.
  • Select each applicable service from the list of suggestions that shows up and customize by simply adding the specific types of personal data you collect. Our lawyer-crafted clauses automatically include the relevant user-rights disclosures and service definitions based on your input here.
  • If you’d like to add a custom service clause, simply click the “create custom service” button and fill out the built-in form.

2) Fill out your web/app owner and contact details

  • Enter name and full address
  • Enter email address

Congratulations! Your policy has been created. Simply check that all the details are correct, then:

3) Embed

  • Customize the look of your button or simply choose a text link;
  • Choose the embedding method (choose between embedding code, direct link or direct text embedding);
  • Easily embed wherever you’d like! Remember you’re required to choose a location that is easily accessible and visible to users.

You can start generating here.


Consent for data collection forms

Generally, US laws require that you provide users with an option for withdrawing consent (opt-out) when using data collection mechanisms such as newsletter sign-up forms; CAN-SPAM, for example, requires a working unsubscribe mechanism in every commercial email. EU law, and in particular the GDPR, is more stringent: consent must be freely given, specific, informed and unambiguous, and it must be expressed through a clear affirmative action. This means that the mechanism for acquiring consent must be straightforward and involve a clear “opt-in” action.

Within the context of a blog, this means that you’d be in violation of the regulation if you were to employ mechanisms such as pre-ticked newsletter sign-up boxes when a user registers an account, as the GDPR specifically excludes pre-ticked boxes, silence and similar “opt-out” mechanisms from counting as consent. The regulation also gives users a specific right to withdraw consent, and requires that withdrawing consent be as easy as giving it. You can read more about Newsletters here and the GDPR here.

How to Comply

► Put methods in place for obtaining informed, verifiable and explicit consent. The user should be honestly and straightforwardly informed about what they’re consenting to, and the mechanism chosen for obtaining consent should require the user to actively consent via a clear affirmative action, such as clicking an “agree” button or ticking an (initially unticked) checkbox. Ensure that the consent obtained is specific to the purpose for which it is requested, and clearly indicate that the consent is optional: consent must be “freely given” and not coerced in any way, so access to the blog, an account or a download must not be conditioned on consenting to unrelated processing such as marketing emails.

For example:

Yes, I would like to receive weekly offers and deals in my inbox as indicated in the privacy policy (optional)

► Provide a means of withdrawing consent. As consent must be as easy to withdraw as it is to give, the withdrawal mechanism must be visible, easy to understand, simple and immediately available. Your withdrawal mechanism should be available both in context (e.g. in every email) and generally (e.g. in account settings), and should involve no more than a single webpage. It should also be accompanied by an explanation of its purpose.

For example:

If you no longer wish to receive weekly emails from us, you can click here to modify your settings or click here to unsubscribe instantly.

As shown in the example above, the mechanism most commonly used is the email unsubscribe link; however, it’s important to remember that the user should also have withdrawal options available within their account, so that they can withdraw even before they’ve received the first email communication from you. Under US law (CAN-SPAM), opt-out requests must be honored within 10 business days; under the GDPR, a withdrawal must take effect without undue delay, and requests concerning a user’s data must generally be answered within one month.

► Keep clear records of the consent attained. Records of consent should at least contain the following information:

  • The Identity of the user giving consent;
  • When they consented;
  • What disclosures were made (what they were told) at the time they consented;
  • Methods used for obtaining consent (e.g., newsletter form, during checkout etc.);
  • Whether they have withdrawn consent or not.
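The three steps above (affirmative opt-in, one-step withdrawal, and a record of who consented to what, when and how) can be captured in a small append-only consent register. The following is an added example written for this page; it is not iubenda’s Consent Solution or any part of its API, and the function names, the `preTicked` flag and the disclosure identifier are assumptions chosen for illustration.

```javascript
// Added example (not iubenda's code): an append-only consent register for a blog.
// Every grant and every withdrawal is a new entry, so the history of a user's
// consent is never edited, only extended. Names below are assumed for illustration.

function createConsentRegister(disclosureVersion) {
  const log = []; // audit trail: { kind, userId, purpose, method, disclosure, at }

  // Most recent entry for this user and purpose, or null if none exists.
  function latest(userId, purpose) {
    for (let i = log.length - 1; i >= 0; i--) {
      const e = log[i];
      if (e.userId === userId && e.purpose === purpose) return e;
    }
    return null;
  }

  return {
    // Record consent for one purpose, e.g. "newsletter". Only a checkbox the user
    // ticked themselves counts: a pre-ticked box or an unticked one is rejected.
    grant({ userId, purpose, method, checked, preTicked = false, at = Date.now() }) {
      if (preTicked) throw new Error(`purpose "${purpose}": a pre-ticked box is not valid consent`);
      if (!checked) throw new Error(`purpose "${purpose}": no affirmative action recorded`);
      const entry = { kind: "grant", userId, purpose, method, disclosure: disclosureVersion, at };
      log.push(entry);
      return entry;
    },

    // Withdrawal is a single call with no confirmation step, so an unsubscribe
    // link and an account-settings toggle can both map straight onto it.
    withdraw({ userId, purpose, method, at = Date.now() }) {
      const entry = { kind: "withdraw", userId, purpose, method, disclosure: disclosureVersion, at };
      log.push(entry);
      return entry;
    },

    // Consent is valid only if the latest entry for the purpose is a grant.
    hasConsent(userId, purpose) {
      const e = latest(userId, purpose);
      return e !== null && e.kind === "grant";
    },

    // Everything recorded about one user: identity, time, disclosure version,
    // method and withdrawals, i.e. the fields listed above.
    history(userId) {
      return log.filter(e => e.userId === userId);
    },
  };
}

// Constructed walk-through: sign-up with a ticked (initially unticked) box,
// then withdrawal via the unsubscribe link in the first email.
function demo() {
  const reg = createConsentRegister("privacy-policy-2024-01"); // assumed version id
  reg.grant({ userId: "reader-42", purpose: "newsletter", method: "signup-form", checked: true, at: 1000 });
  const afterSignup = reg.hasConsent("reader-42", "newsletter");
  reg.withdraw({ userId: "reader-42", purpose: "newsletter", method: "unsubscribe-link", at: 2000 });
  const afterUnsubscribe = reg.hasConsent("reader-42", "newsletter");
  return { afterSignup, afterUnsubscribe, entries: reg.history("reader-42").length };
}
```

The disclosure version stored with each entry is what lets you prove later which privacy notice the user actually saw; keep the text of every version you have ever published, since an entry that points at a notice you can no longer produce is of little evidential value.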

How iubenda can help

iubenda can help with this in two ways.

  • Firstly, while you’re separately required to implement methods to collect, record and verify consent, our privacy policy solution makes it easy for you to ensure that the consent received is informed as per your legal obligations. Our solution helps you to meet your disclosure obligations by allowing you to comprehensively disclose and define necessary details in a legally compliant way. The interface is intuitive, the process straightforward and the results precise. You can start generating here.
  • Our Consent Solution helps you meet your legal requirements by helping you to easily store proof of consent and manage consent and privacy preferences for each of your users. It allows you to keep track of and record every aspect of individual consents, including:
    • the legal or privacy notice made available to the user at the time the consent was acquired (including multiple versions of the same document);
    • the consent form (accepts various file formats) that the user was presented with at the time of consent collection;
    • the identification of the specific user (it allows you to do this in multiple ways including an automatically-assigned user id); and
    • the related preferences expressed by the user.

It conveniently installs via HTTP API or JavaScript widget, allowing you to retrieve consents at any time and keep them updated.

Cookie disclosure and Consent

Cookies are small pieces of user-specific data that websites and apps store on a computer or mobile device. Many platforms, such as WordPress, and many third-party widgets set them by default. Because using cookies means both processing user data and placing identifiers on the device that can be used for tracking, they are a major point of concern when it comes to user privacy rights. The ePrivacy Directive (or EU Cookie Law) was implemented to address this concern: it is intended to protect online privacy by informing users about data collection activities and empowering them to choose whether to allow it. This means that if your blog (or any third-party service used by your blog) uses cookies that are not strictly necessary, you must obtain consent before those cookies are installed. You can read more about The Cookie Law here.

How to comply
Allow users to exercise their rights in regards to their data and cookies. If your blog (or any third-party service used by your blog) uses cookies, you must first obtain consent before the installation of those cookies. In many EU countries, this will require the use of script-blocking (preventing code execution that could install cookies) prior to obtaining user consent.
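In practice, script blocking means that every third-party tag capable of setting a cookie is shipped inert and is only turned into a live script for the categories the user has accepted. The following is an added example written for this page, not iubenda’s Cookie Solution; the markup convention (`<script type="text/plain" data-consent="analytics" data-src="...">`), the category names, and the stored consent format `necessary:1;analytics:1;advertising:0` are all assumptions chosen for illustration.

```javascript
// Added example (not iubenda's code): block cookie-setting scripts until consent.
// Assumed markup: scripts that may set cookies are written with type="text/plain"
// so the browser parses but never executes them, e.g.
//   <script type="text/plain" data-consent="analytics" data-src="https://example.invalid/analytics.js"></script>
// Only categories the user accepted are turned into real <script> elements.

const CATEGORIES = ["necessary", "analytics", "advertising"]; // assumed category names

// Parse the stored consent string, e.g. "necessary:1;analytics:1;advertising:0".
// Anything missing, unknown or malformed is treated as refused (fail closed);
// strictly necessary cookies never need consent, so that category is always on.
function parseConsent(value) {
  const consent = Object.fromEntries(CATEGORIES.map(c => [c, false]));
  consent.necessary = true;
  if (typeof value !== "string") return consent;
  for (const part of value.split(";")) {
    const [name, flag] = part.split(":").map(s => (s || "").trim());
    if (CATEGORIES.includes(name) && name !== "necessary") consent[name] = flag === "1";
  }
  return consent;
}

// Decide which blocked scripts may run under the given consent. A script with no
// category label is treated as advertising, the strictest category, rather than
// being allowed through by accident.
function planActivation(scripts, consent) {
  const activate = [];
  const blocked = [];
  for (const s of scripts) {
    const category = s.category || "advertising";
    (consent[category] === true ? activate : blocked).push(s);
  }
  return { activate, blocked };
}

// Browser side: replace each inert tag with an executable one. Changing .type on
// the existing node does not execute it, so a fresh element is created instead.
// Returns the number of scripts activated.
function activateBlockedScripts(doc, consent) {
  const nodes = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const descriptors = nodes.map(n => ({ category: n.dataset.consent, node: n }));
  const { activate } = planActivation(descriptors, consent);
  for (const { node } of activate) {
    const live = doc.createElement("script");
    if (node.dataset.src) live.src = node.dataset.src;
    else live.textContent = node.textContent; // inline snippet, e.g. a tag initialiser
    node.replaceWith(live);
  }
  return activate.length;
}

// Typical page wiring (browser only): read the consent cookie and activate.
// Assumes a cookie named "blog_consent" written by your banner.
function activateFromCookie(doc) {
  const match = /(?:^|;\s*)blog_consent=([^;]*)/.exec(doc.cookie || "");
  const consent = parseConsent(match ? decodeURIComponent(match[1]) : undefined);
  return activateBlockedScripts(doc, consent);
}
```

Two caveats a reviewer will ask about: the `type="text/plain"` trick only helps for scripts you control in your own markup, so a tag manager or a plugin that injects its own `<script src>` must itself be loaded through the same gate; and withdrawing consent later cannot un-run a script that is already executing, so a withdrawal handler should clear the cookies that script set and reload the page rather than merely flip the stored flag.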

How iubenda can help
Our comprehensive Cookie Solution simplifies compliance with the provisions of the European Cookie Law. It allows you to easily inform users via a banner and a dedicated cookie policy page (which is automatically linked to your privacy policy and integrates what’s necessary for cookie law compliance); obtain consent and save cookie consent settings; and preventively block scripts prior to consent.

Simply go to dashboard > [your website] > Cookie Solution > Edit to open the configuration settings: enter name details and set consent model, customize your look, integrate cookie policy and embed.

1) Enter name details

  • Enter your site/app name or url into the text-box.
  • Select your language and country from the drop-down menu.

2) Set consent model

  • Click to choose between “with prior consent” (script blocking prior to user consent and reactivation after consent) or “no prior consent” (no prior script blocking). Remember script blocking prior to consent is mandatory in some regions including the EU.
  • Choose whether to activate “consent via scroll” or not. When the option is chosen, your users can consent by simply scrolling and continuing to browse; the banner will be automatically closed by the action of scrolling. If this option is not activated, the user will have to click to close the banner. Note that EU data protection authorities (EDPB guidelines on consent) consider scrolling or swiping through a page not to be a clear affirmative action, so for EU visitors an explicit click is the safer choice.

3) Customize your look

  • Customize the location and look of your banner via the simple built-in options or edit the css yourself via the “advanced” tab.

4) Integrate cookie policy and embed

  • Choose whether to automatically generate an integrated cookie policy or simply paste the link of your existing cookie policy.
  • Easily embed into your site. Choose between directly pasting the embed code into the head section of your site’s pages or using a plugin.

Congratulations! Your cookie solution has been created and is fully operational. Get started with your cookie solution here.


Protecting your interests and your content

Though not always legally required, a Terms & Conditions document is pragmatically required. It governs the contractual relationship between you and your users and is therefore essential for protecting your content from a copyright perspective as well as protecting you from potential liabilities. The Terms & Conditions document is a legally binding agreement, therefore not only is it important to have one, but it’s also necessary to ensure that it’s clear, easily understandable, precise and that users can both easily see it and agree to it in an unambiguous way (for example, clicking a checkbox with a visible link to the document before being allowed to create an account or comment). You’ll likely need a Terms & Conditions document if any of the following apply to you:

  • You have different user levels (e.g. registered vs non-registered)
  • You want to set the rules for user behavior (including comments) and state grounds for termination of accounts
  • Your users are allowed to upload content
  • You participate in some kind of commerce, including affiliate programs
  • You’d like to protect your blog and its content by stating how it can be used

How to comply
Set clear terms for users with a comprehensive and up-to-date terms and conditions document. This legal agreement is essential to protecting the interests of your business and establishing terms of usage. It is therefore vital that this contract be precise and up-to-date with all applicable regulations. It should include the general conditions for use of your service with special attention to limitation-of-liability clauses and disclaimers.


Please note that from time to time, laws are amended and updated. It’s therefore important to ensure that your policies meet the latest requirements. For this reason, we use embedding and NOT copy & paste. With this method, you can rest assured that your policy is up to date and being maintained remotely by our legal team.

Still have questions?

Visit our support forum
Email us