Blogspot & GDPR: Checklist (and unresolved questions!)


GDPR checklists and tips are now a dime a dozen for WordPress. But what about Blogspot/ What do you have to do to make a Blogspot blog GDPR compliant?. With this article I would like to try to collect to-dos for Blogspot bloggers. I have already found solutions to some problems. However, some issues are still unresolved.This list is a work in progress and does not claim to be complete. I will update them regularly and keep you up to date on Blogspot’s GDPR compliance. Help and feedback is very welcome! If you can think of anything else that is missing. From the list or if there is any news regarding the point mentioned. Let me know!Attention: Legal uncertainty if you continue to use Blogger!


The GDPR has been in effect since May 25th, 2018. To date, Google has unfortunately still not provided any information. About what personal data is collected from blog visitors at all. How long it is stored and what exactly it is used for. This is problematic, for example, if a visitor wants to exercise their right to information or deletion. There is also the possibility of a warning from consumer protection associations and possibly also competitors . A contract for order processing (cf. Art. 28 GDPR),

which would provide information about the processing. Of personal data by Google and create legal security, is still missing. I can’t estimate exactly how high the legal risk actually is. Personally, I think it’s rather small (especially if you’ve implemented the points described in the article), but you never know. If you want to be on the safe side, consider switching from Blogger to self-hosted WordPress(.org). I describe exactly how to do this in detail in my guide How to move from Blogger to WordPress in 7 steps .

1. Switch to HTTPS

Since May 2016, you have had the option of converting your own blog to HTTPS at Blogspot. To do this, go to Settings > Basic Settings > HTTPS in the admin area and set the selection box to Yes . Will automatically turn your blog from:It then takes a while for the changes to take effect. Once the process is complete, you still need to enable HTTPS redirection so that visitors entering the old URL are redirected to the new one.

2. Adjust or remove external code

If you want to make your Blogspot blog GDPR-compliant, you should examine all scripts. Plugins and generally code you have added to the blog to see whether personal data is stored and. If necessary, remove, adapt or replace them with a data protection. Friendly alternative. These include, for example:

Social Plugins (e.g. Facebook Like Box, Instagram Widget, Twitter Feed, Pinterest Wall Widget etc.)
Tracking code (e.g. Google Analytics, Piwik/Matomo or Blogfoster)
Newsletter forms (e.g. Mailchimp)
Advertisements (e.g. via Google AdSense)

2.1 Inlinkz

Many bloggers use the Inlinkz tool for link parties or blog parades. In order to enter a link, it is necessary to send the e-mail address to InLinkz in addition to the blog name and URL.In the meantime, an AV contract is available for Inklinz, which can be downloaded here. Inlinkz has also adjusted its data protection declaration and published an extensive blog article on the GDPR .

2.2 Bloglovin’

Similar to Facebook, Google+, and Twitter, Bloglovin also appears to use its widgets and buttons to track users. When the page is called up, a large number of cookies are left on the user’s computer in the background (without the user having interacted with the widget or button in any way). I recommend replacing it with simple text links or an image with a link to your Bloglovin’ profile.


[Update March 2019] Since Google+ no longer exists, all social network. Integrations (widgets, +1 buttons, comments and profiles) have also been removed from Blogspot. An adjustment is therefore no longer necessary. You can read more about this in the official blogger blog .

4. Google AdSense

Google loads a script from Google AdSense at Blogspot, even if you have not linked your own blog to AdSense and are not using any ads: You can remove this by switching off the navbar under Layout > Navbar > Edit or by deleting the entire navbar from the source code (see step 3).

5. Adjust data protection declaration

The GDPR requires various adjustments to the data protection declaration in the course of the information obligation. You can find more information e.g. e.g. here: New information obligations with the General Data Protection Regulation (from Data Protection Officer Info) Obliged to provide information (from ix)
Of course, this also applies to Blogspot blogs, as long as they are not used purely privately or for family purposes (however, it is unclear exactly where the boundary is, so in case of doubt I would assume that a blog is not private).There are various templates and generators for this, e.g. B. from:

eRecht24 Premium (covers more use cases, member area with lots of additional information and tools on the GDPR)
Lawyer Dr. swing
However, remember to customize these to fit your use case and cover all the ways personal data is collected on your blog.

6. Record of Processing Activities

As a Blogspot blogger, you also need a directory of processing activities (also called a directory of procedures) in which all processes are documented in the course of which your personal data is processed. This can include, for example:

  • Comment function on your blog
  • Newsletter
  • Google Analytics
  • Affiliate-Programme
  • Webhosting (Google)
  • email communication
  • Publishing personal images on your blog
  • accounting software

You can find out exactly what this directory must contain and a great sample directory on Regina Stoiber’s blog .

Blogger displays a cookie banner by default, but its purpose is questionable.

First, this is annoying for readers and certainly doesn’t contribute to a better user experience. Secondly, it is doubtful whether the notice really protects against warnings. Because it is only an informative note and not an explicit opt-in.

A cookie hint can even lead to warnings if it hides links to important pages such as the imprint or data protection declaration.

If this is the case for you (test the mobile version too!), you can remove it by going to Appearance > Edit HTML and pasting the following code right after the <head>tag:

7.1 EU user consent policy

This has nothing to do with the GDPR, but is still worth mentioning.

The cookie notice also does not yet meet the requirements of Google’s new  EU user consent policy, which came into force together with the GDPR on May 25, 2018.

Instead of a cookie notice, Google therefore requires an explicit opt-in so that Google can set cookies and use personal data to personalize advertising and other services.

It’s Google’s turn again to implement its own guidelines for Blogspot.

8. Statistics (unsolved)

Blogger collects statistics about your blog visitors, including page views, traffic sources (referring URLs and websites), and information about your audience, such as: B. the countries your visitors come from, browsers and operating systems used.

Unfortunately, I was not able to find out whether personal data is also collected (such as IP addresses).

9. Gadgets

It is also possible that personal data is transmitted to Google or other services via gadgets in Blogspot. Sometimes in the background and without the user being able to consent to this. Below are the gadgets I find problematic.

Add a Comment

Your email address will not be published. Required fields are marked *