(updated August 8, 2019)

Website Address

https://www.billhiatt.com

Email

If you wish to sign up for my mailing list, the only information you need to provide is your name and your email address. Mailerlite, my email provider, may also note other information, depending upon how you subscribed. Subscriptions using the Mailerlite hosted-form will keep track of the date you opted in as well as the IP and approximate location from which you opted in. Subscriptions through Mailerlite’s API used by a service provider such as Gleam, BookFunnel, and StoryOrigin will keep track of similar information as part of their confirmation process but don’t pass it directly to Mailerlite or to me. (Such information is necessary to verify that your email address is valid and as part of the process of verifying that you are the one using your email to sign up.)

As you interact with emails sent through the mailing list, Mailerlite keeps track of whether you opened each email and what links, if any, you clicked on.

None of this information is shared, sold, or otherwise given away. Either Mailerlite or I would respond to a valid subpoena or other legal request (though, given the nature of my emails, it’s difficult to imagine a situation in which any government official would seek a subpoena in the first place).

When you sign up, you are given the information about what the list will be used for. After completing the form (through the Mailerlite link, any mailing list signup form on this site, or any mailing list signup form provided through a Mailerlite integration with a third party, such as Gleam, my giveaway provider, or free book sites such as BookFunnel or StoryOrigin), you will receive an email to confirm your subscription. (This process is known as double opt-in and ensures that people don’t sign up by accident or without knowing what they are signing up for, as well as verifying that you are the one signing up.) You are added to the mailing list only if you click on the link in the confirmation email. (If you subscribe directly through a Mailerlite form, the confirmation process is handled by Mailerlite. If you subscribe through another company, such as the ones mentioned above, the confirmation process is handled by that company.)

I use the mailing list solely to provide you with information about my writing (new releases, for example) and related opportunities in which you might be interested (sale prices and other bargains, giveaways I host or cohost, for example). The list is not used for any other purpose.

Each email contains an unsubscribe link. If you unsubscribe, you are immediately removed from the list and will not receive any further emails. Through me, you can also ask that your data be removed if you unsubscribe.

Mailerlite is fully GDPR compliant. You can read more about Mailerlite’s practices here.

Website

General Disclaimer

The information provided below is true to the best of my knowledge. However, I’m not a programmer, so I’m reliant on code created by others to run the site. I have the site audited monthly by Cookiebot to keep track of any potential cookie changes, and I use the Weepie Cookie Allow Plugin, which in my testing did the best job of blocking cookies before consent without breaking the site. It has built-in mechanisms to block first-party cookies and over forty of the most common third-party cookies prior to consent, as well as all iframes (which sometimes produce cookies). It also has a process for blocking cookie-producing JavaScript by enclosing it in shortcode. However, I can’t guarantee that there will never be any glitches. I can guarantee I will always make a good faith effort to respect your wishes and preserve your privacy. If you have any concerns, please feel free to email me.

If you are concerned about minimizing the privacy risks that some cookies represent, you can add an extra layer of protection for yourself on this and other sites by blocking third-party cookies in your browser. The methods for implementing that protection on various browsers are explained here. You can protect yourself better against tracking by using DNT (Do Not Track) requests. The techniques to use in each browser are explained here.

Ways in Which the Site Has Been Designed to Minimize Privacy Concerns

  • All frontend areas of the site (with the exception of the email subscriber’s area, which is password protected but does not require a login) are open to anyone. There is no need to log in or even create an account, and indeed account creation has been disabled. As a result, far less data is stored on the site than might otherwise be the case. See the User Data section for more information.
  • I do not sell anything directly from the site. That eliminates the need for other kinds of data and for cookies to keep track of transactions in progress.
  • The social media plugin I use, Social Warfare, collects no user data and sets no cookies. When you click one of the share buttons, you are interacting with the API of that particular service in the same way as if you shared directly through the service itself.
  • I stopped using Google Analytics as of May 27, 2018. The only statistical plugin I do use is Jetpack, the data collection and cookie usage of which is described below.
  • I do not use any onsite advertising, except to the extent that the Amazon book previews and Amazon associate visual links could be regarded as ads. Both are enclosed in iframes, which means they are blocked prior to cookie consent.

User Data

Aside from mailing list signup (discussed above), and the information collected by the comment form (discussed below), the website does not collect any personally identifiable information. (As I mentioned above, by design, you do not need to sign up for the website in order to view any portion of it.) For that reason, certain options available to EU citizens under the GDPR (right to be forgotten, data access, data rectification, notification of data breach) are not as relevant.

However, the site does collect some user data through the comment form (discussed below) and through WP Forms. If you do fill out one or more of the forms, the data you have provided will be stored on the site. The GDPR options then become relevant and can be accessed by emailing me at the address in the page header.

Comments

If you choose to comment on a post, the form does collect a name and email address as part of the effort to prevent spam. However, the email address is not displayed. Also not displayed is other information the form collects for spam prevention purposes (IP address and browser user agent string). There is now a consent box on the comment form that links to this policy, so no one will comment without having given the appropriate consent. WordPress does generate cookies when you comment so that it can quickly populate the information on the form for you if you comment again, but you have to click a checkbox to allow those cookies to be set.

Some of the information mentioned above is collected temporarily by Akismet, a service designed for spam prevention. An explanation of Akismet’s GDPR compliance can be found here, and its privacy policy is here. The explanation of how Akismet processes data is here. (The link is also displayed beneath the comment form.)

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here. (Yes, the same company that owns Akismet, discussed above, and Jetpack, discussed below.) After approval of your comment, your profile picture is visible to the public in the context of your comment.

Providing your email address in the comment form does not subscribe you to my mailing list. I won’t use the email addresses provided by commenters to email them unless they email me with a request. When you comment, you also don’t need to use your real name.

In the interest of minimizing the amount of data that is stored, the comment form doesn’t require you to create an account or login. While that does reduce the onsite data, it also makes it more difficult for people to request revisions or deletions to their comments. To avoid any inconvenience, I am happy to grant any requests for revision, deletion, or export of comments. All you need to do is email me using the email address you provided when you commented.

Your Ability to Regulate Cookie Usage

When you first visit the site, you have the opportunity to accept or decline cookies. If you accept, you can modify your settings at any time on the privacy settings page, or from the button in the footer of every page. If you decline, no first-party or third-party cookies will be saved to your device with the exception of those necessary for site operation. These include the following:

  • Wpca_consent, which sets your cookie preference (otherwise, you’d have to decline every time you visited). There is also a wpca-cc cookie, which only contains data if I’ve set cookie categories. (Since the plugin doesn’t provide any way to auto-block by categories, though, those settings only apply to iframes and scripts I block manually, so there didn’t seem to be much point.)
  • Cookies with an incap prefix or suffix, such as incap_ses_# and visid_incap_#. These are connected with the operation of the Sitelock Trueshield (firewall protection). The incap comes from Incapsula (now Imperva), a Sitelock partner. Sitelock needs to be able to gather some data in order to secure the site against a wide variety of attacks. You can view its privacy policy here. Please note, however, that the policy covers not only visitors to Sitelock-protected websites, but also clients, employees, and other groups, so only some of it is applicable to you.
  • Cookies with a sitelock.com or shield.sitelock.com domain are also connected with the operation of the Sitelock Trueshield.

In order for you to be aware of how the cookies on the site function, below is the latest audit by Cookiebot. It includes which entity (this site or third party) set each cookie, what its function is, and how long the data persists. The report is followed by some additional clarifications. You will need to scroll in order to view the whole report.

Since Cookiebot scans without accepting cookies, in theory it should only list cookies set prior to consent. I have noticed, however, that it also lists cookies referenced in script tags, even if they aren’t set prior to consent, at least in my Firefox tests (using Storage Inspector).

Although Cookiebot provides an excellent service, there are sometimes possible inaccuracies caused by the nature of the internet. Some of these are listed below. (These are from the May 26, 2019 audit report; subsequent audit reports may vary in details.)

  • Cookiebot shows the site’s server location as in the Netherlands. It’s actually in the United States, but Cookiebot, a European-based company, might be drawing the site from a Netherlands-based server in Sitelock’s CDN (Content Delivery Network).
  • The ___utmvc cookie, which is supposed to be used with Google Analytics (which I don’t have anymore) appears in the audit on a page where Firefox Storage Manager and the Chrome Cookie Manager extension don’t detect it. However, the script tag for it still apparently exists.

Cookies Used on the Site if You Accept Cookie Usage

Default WordPress Cookies

The following italicized information is provided by WordPress. Most of it is only applicable in the event that you create an account on this site or log in with your WordPress account, neither of which is necessary to access any site features. The issue of opting in to save information to repopulate comment fields has been discussed above.

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

Google Cookies

As I said above, on May 27, 2018, I disconnected this site from Google Analytics and deleted my account (deletion was fully effective in thirty-five days and removes all prior data). Aside from Jetpack, described below, the site collects no visitor analytics. It is still possible Google cookies from third parties might appear if you accept cookies. Gleam, for instance, uses Google Analytics if you interact with one of the giveaway widgets. See the section on Gleam below.

Jetpack Cookies

Jetpack also uses cookies to capture visitor statistics for a variety of purposes and to help with interaction with Jetpack features, but for some reason, they didn’t show up in any of the Cookiebot audits. Here is an explanation of how Jetpack uses cookies (some of which are not applicable to this site). Jetpack does share statistical information with me and with WordPress.com. None of this information is personally identifiable.

YouTube and Other Third Party Cookies for Embedded Content

If you accept cookies, interacting with third-party content may generate them. This is particularly true of YouTube videos. Even if you decline cookies, you’ll notice the videos are not blocked out like the iframe content. That’s because I use the Advanced Responsive Video Embedder plugin, which installs an image in the page and loads the video only if you click on the image. Normally, I’d say that if you don’t want YouTube cookies, you shouldn’t interact with the videos, but in my tests, ARVE seems to have embedded them with URLs from YouTube’s no-cookie domain, meaning that they play in privacy-enhanced mode–no cookies! My tests in Firefox and Chrome seem to confirm this, though if you are genuinely third-party cookie averse, you may wish to block third-party cookies in your browser before playing a YouTube video, just in case.

Amazon Cookies

Amazon iframes are all blocked unless you accept cookies. You can view them on the Amazon site under the terms of Amazon’s privacy policy. If you accept cookies, the book previews give you five: csm-hit, session-id-time, session-id, session-token, and ubid-main. Clicking buy puts you on Amazon with the same five cookies, plus five more, at least in my case. Logging in generated another four. (In other words, if you shop on Amazon, you get a lot more cookies than just looking at the book previews gets you.) The cookies are intended to enable interaction with the book previews and to simulate certain aspects of the Amazon environment.

Gleam Cookies

If you’ve declined cookies, the Gleam widgets are blocked. Each active Gleam giveaway page includes a link to the hosted giveaway page, where you will interact with the widget under Gleam’s privacy policy. If you accept cookies, you can enter directly from this site. Either way, Gleam is a GDPR-compliant company that needs to collect certain information in order to run its giveaways. The basic information, such as email address, that I need in order to deliver prizes, is shared with me. I also get some general demographic information, such as country of origin. Gleam does not share information such as IP addresses with me. Those are used only as part of Gleam’s cheating-prevention system.

If you accept cookies, you get nine of them when you visit a page with the Gleam widget. However, when I checked with Gleam support, I was told, “We do an initial check when the widget loads to see if the user allows 3rd party Cookies or not. Nothing else is stored until the user interacts with the widget.” In that case, it would appear the others are ready to facilitate interaction with the widget if a user decides to interact. They appear to be the same cookies one would get if one loaded the giveaway page on Gleam’s site.

Gleam cookie names in several cases are unique to a particular giveaway and have the giveaway’s code as their suffix.

Screencast Cookies

The cookies attributed to Screencast are used to facilitate your interaction with embedded Screencast videos. There is a link with each one to view the video on Screencast if you have declined cookies. If you’ve accepted them, you get four: two incap ones, an nlbi cookie, which I’ve read is used for load-balancing, and an ASP.NET_SessionId, which, according to Cookiepedia, is used to maintain an anonymized user session. To see what kind of information Screencast cookies collect and how the company deals with it, check its privacy policy.

Sitelock Cookies

Cookies attributed to Sitelock relate to site security, particularly to the firewall. They perform functions such as distinguishing humans from bots, and as such, are necessary cookies. These cookies include __utmvmwkuykvY, __utmvbwkuykvY, and nlbi_#. For more information, see Sitelock’s privacy policy.

It’s important to note that security companies such as Sitelock have to collect a certain amount of information in order to protect a website. From what I can see, however, Sitelock retains information only on suspicious traffic. Country of origin and IP address are necessary in the event a malicious user or bot needs to be blocked.

Wordfence Cookies

Wordfence is a WordPress security plugin. No cookies from it showed up in any audit so far, and I have read that it no longer uses cookies as part of its process. However, I also see information about potential cookies on the company’s website, which you can find here. Like Sitelock, Wordfence records some details from attacks on the site. It even records failed user logins, typically people trying to log in with some variation of my name or admin. If you aren’t trying to stage a break-in or an attack, your data won’t be recorded.

Mailerlite Cookies

Mailerlite stores one session cookie to facilitate interaction with its subscription form. You can find their cookie policy (the relevant section being functional cookies) here. Mailerlite needs a certain amount of information to verify your consent to receive the email newsletter.

Cloudflare Cookies

At first I was puzzled by the presence of _cfduid, the cookie Cloudflare uses as part of its security system, since it kept appearing in Cookiebot audits even though I was no longer using Cloudflare, but it turns out that some of the third-party providers do use Cloudflare. One of the instances of the Cloudflare cookie comes from the Creative Commons license button, and the other one comes from Mailerlite. In both cases, the purpose of the cookie is to enable Cloudflare’s firewall to do its job.

Elementor Cookie

The Elementor Pro plugin produces one cookie prior to consent. However, I have been assured by Elementor technical support that the cookie only records data if Elementor pop-ups are in use. (There are none on this site.) Also, even if pop-ups were enabled, the cookie only saves data to your local computer and does not export it anywhere else. Elementor technical support assures me this approach is compatible with the requirements of GDPR.

Copyrighted content may not be reused without permission.