Table of Contents
Does your blog collect Personally Identifiable Information (PII)?
Personally Identifiable Information (PII) is any information that could identify a particular individual or any information relating to that individual. PII is regulated under a number of privacy laws and, in most cases, if you are not collecting PII, then those privacy laws will not apply to you. While you may be thinking that your blog does not collect PII, you may be surprised as the following blog features frequently collect PII:
- Blog article comment forms (collect names and email addresses);
- Newsletter subscription forms (collect names and email addresses);
- Website analytics such as Google Analytics (collect IP addresses);
- Advertising pixels such as Facebook Pixel, LinkedIn Insight Tags or Google Pixel (collect IP addresses, information about how individuals interact with advertisements, social media user ID’s, etc.);
- Contact forms (collect names, email addresses, phone numbers and potentially more).
Even though privacy laws can start applying to your blog as soon as you collect PII, it is important to note that blogs very frequently share PII as well. For example, if your blog allows individuals to subscribe to a newsletter and then you send such newsletters through services like MailChimp, ConstantContact or ActiveCampaign, your blog is sharing this PII with email marketing vendors. In addition, if you receive an email once an individual submits a contact form on your website, then you may be sharing that PII with email service providers.
What is the nature of your blog?
A commercial purpose is a means to advance your commercial or economic interests, such as by inducing another person to buy, subscribe to, provide or exchange products, goods, property, information, or services, or by enabling or effecting, directly or indirectly, a commercial transaction. The following types of blogs are examples of blogs that have a commercial purpose:
- Blogs that receive affiliate income through affiliate links. For example, if your blog shares your favorite recipes and links to Amazon to purchase the ingredients and you receive a commission anytime someone purchases those products, that would engaging in a commercial purpose;
- Blogs that sell goods or services. For example, if your blog shares your favorite recipes and an individual can book you for a private chef session through your blog, that would be engaging in a commercial purpose as you are getting paid for such sessions;
- Blogs that sell subscriptions. For example, if your blog shares your favorite recipes and an individual can pay $10 per month to receive access to special recipes, then you are engaging in a commercial transaction;
- Blogs that display third party advertisements. For example, if a third party pays you to display advertisements for their cookware on your blog, then you are engaging in a commercial purpose.
On the other hand, if your blog is simply meant to share your thoughts and insights and you receive no money from the blog or are not engaging in any commercial activity, then your blog would probably not have a commercial purpose.
In general, privacy laws are enacted to protect the privacy of individuals residing in certain states or countries. Due to the broad reaching nature of the Internet (anyone from anywhere can submit their PII to a website), this means that privacy laws can apply to you even if you are not located in the state or country in which that privacy law was passed. Unfortunately for bloggers, privacy laws do not specifically exempt blogs, nor do they all specifically exempt small businesses. To determine what privacy laws apply to your blog, you should ask yourself whose PII you are collecting, who you are tracking as they use your website, where are your customers located (if your blog allows individuals to make purchases), or where you offer goods or services (if you do offer goods or services through your blog).
- California Online Privacy and Protection Act (CalOPPA);
- California Privacy Rights Act (CPRA):
- Nevada Revised Statute Chapter 603A;
- Delaware Online Privacy and Protection Act (DOPPA);
- Virginia Consumer Data Protection Act (VCDPA);
- Colorado Privacy Act (effective July 1, 2023);
- Connecticut SB6 (effective July 1, 2023);
- Iowa SF262 (effective January 1, 2025);
- Indiana SB5 (effective July 1, 2026);
- Tennessee HB1181 (effective July 1, 2025);
- Utah Consumer Privacy Act (effective December 31, 2023);
- Montana MCDPA (effective October 1, 2024);
- Texas Data Privacy and Security Act (effective July 1, 2024);
- Oregon Consumer Privacy Act (effective July 1, 2024)
- Delaware Personal Data Privacy Act (DPDPA) (effective January 1, 2025)
- Personal Information Protection and Electronic Documents Act (PIPEDA);
- Australia Privacy Act 1988.
- General Data Protection Regulation (GDPR);
- United Kingdom Data Protection Act 2018 (UK DPA);
- Quebec Law 25 (effective September 1, 2023).