(updated May 14, 2019)
If you wish to sign up for my mailing list, the only information you need to provide is your name and your email address. Mailchimp, my email provider, also notes your approximate location (by city and country). As you interact with emails sent through the mailing list, Mailchimp keeps track of whether you opened each email and what links, if any, you clicked on.
None of this information is shared, sold, or otherwise given away. Either Mailchimp or I would respond to a valid subpoena or other legal request (though, given the nature of my emails, it’s difficult to imagine a situation in which any government official would seek a subpoena in the first place).
I use the mailing list solely to provide you with information about my writing (new releases, for example) and related opportunities in which you might be interested (sale prices and other bargains, giveaways I host or cohost, for example). The list is not used for any other purpose.
When you sign up, you are given the information about what the list will be used for. After completing the form (through the Mailchimp link, any mailing list signup from on this site, or any mailing list signup form provided through a Mailchimp integration with a third party (such as Gleam, my giveaway provider), you will receive an email to confirm your subscription. (This process is known as double opt-in and ensures that people don’t sign up by accident or without knowing what they are signing up for.) You are added to the mailing list only if you click on the link in the confirmation email.
Both the signup form and each email contain an unsubscribe link. If you unsubscribe, you are immediately removed from the list and will not receive any further emails. Either through me or through Mailchimp, you can also ask that your data be removed if you unsubscribe. (Mailchimp is fully GDPR compliant. You can read more about Mailchimp’s practices here.)
The information provided below is true to the best of my knowledge. However, I’m not a programmer, so I’m reliant on code created by others to run the site. I have the site audited monthly by Cookiebot to keep track of any potential cookie changes, and I use the Complete GDPR / AVG Cookie Consent WordPress plugin, which in my testing did the best job of blocking cookies before consent without breaking the site. It has built-in mechanisms to block over forty of the most common third-party cookies prior to consent, as well as all iframes (which sometimes produce cookies) and a process for blocking cookie-producing scripts by enclosing them in shortcode. However, I can’t guarantee that there will never be any glitches. I can guarantee I will always make a good faith effort to respect your wishes and preserve your privacy. If you have any concerns, please feel free to email me.
If you are concerned about minimizing the privacy risks that some cookies represent, you can add an extra layer of protection for yourself on this and other sites by blocking third-party cookies in your browser. The methods for implementing that protection on various browsers are explained here. You can protect yourself better against tracking by using DNT (Do Not Track) requests. The techniques to use in each browser are explained here.
Ways in Which the Site Has Been Designed to Minimize Privacy Concerns
- All frontend areas of the site (with the exception of the email subscriber’s area, which is password protected), are open to anyone. There is no need to log in or even create an account, and indeed account creation has been disabled. As a result, far less data is stored on the site than might otherwise be the case. See the User Data section for more information.
- I do not sell anything directly from the site. That eliminates the need for other kinds of data and for cookies to keep track of transactions in progress.
- The social media plugin I use, Social Warfare, collects no user data and sets no cookies. When you click one of the share buttons, you are interacting with the API of that particular service in the same way as if you shared directly through the service itself.
- I stopped using Google Analytics as of May 27, 2018. The only statistical plugin I do use is Jetpack, the data collection and cookie usage of which is described below.
- I do not use any onsite advertising, except to the extent that the Amazon book previews and Amazon associate visual links could be regarded as ads. Both are enclosed in iframes, which means they are blocked prior to cookie consent.
Aside from mailing list signup (discussed above), and the information collected by the comment form (discussed below), the website does not collect any personally identifiable information. (As I mentioned above, by design, you do not need to sign up for the website in order to view any portion of it.) For that reason, certain options available to EU citizens under the GDPR (right to be forgotten, data access, data rectification, notification of data breach) are not as relevant.
However, the site does collect some user data through the comment form (discussed below) and through WP Forms. If you do fill out one or more of the forms, the data you have provided will be stored on the site. The GDPR options then become relevant and can be accessed by emailing me at the address in the header.
If you choose to comment on a post, the form does collect a name and email address as part of the effort to prevent spam. However, the email address is not displayed. Also not displayed is other information the form collects for spam prevention purposes (IP address and browser user agent string). There is now a consent box on the comment form that links to this policy, so no one will comment without having given the appropriate consent. WordPress does generate cookies when you comment so that it can quickly populate the information on the form for you if you comment again, but you have to click a checkbox to allow those cookies to be set.
Providing your email address in the comment form does not subscribe you to my mailing list. I won’t use the emails addresses provided by commenters to email them unless they email me with a request. When you comment, you also don’t need to use your real name.
In the interest of minimizing the amount of data that is stored, the comment form doesn’t require you to create an account or login. While that does reduce the onsite data, it also makes it more difficult for people to request revisions or deletions to their comments. To avoid any inconvenience, I am happy to grant any requests for revision, deletion, or export of comments. All you need to do is email me using the email address you provided when you commented.
Your Ability to Regulate Cookie Usage
When you first visit the site, you have the opportunity to accept or decline cookies. If you accept, you can modify your settings at any time on the privacy settings page, or from the button in the footer of every page. If you decline, no first-party or third-party cookies will be saved to your device with the exception of those necessary for site operation. These include the following:
- Wpca_consent, which sets your cookie preference (otherwise, you’d have to decline every time you visited). There is also a wpca-cc cookie, which only contains data if I’ve set cookie categories. (Since the plugin doesn’t provide any way to auto-block by categories, though, those settings only apply to iframes and scripts I block manually, so there didn’t seem to be much point.)
Cookies Used on the Site if You Accept Cookie Usage
In order for you to be aware of how the cookies on the site function, below is the latest audit by Cookiebot. It includes which entity (this site or third party) set each cookie, what its function is, and how long the data persists. The report is followed by some additional clarifications. You will need to scroll in order to view the whole report. (Do not be panicked by the number of them.
Cookie scan report 5-14-2019
Although Cookiebot provides an excellent service, there are sometimes possible inaccuracies caused by the nature of the internet. Some of these are listed below. (These are from the May 14, 2019 audit report–subsequent audit reports may vary in details)
- Cookiebot shows the site’s server location as in the Netherlands. It’s actually in the United States, but Cookiebot, a European-based company, might be drawing the site from a Netherlands-based server in Sitelock’s CDN (Content Delivery Network).
- _cfduid, a Cloudflare cookie necessary to the operation of sites using Cloudflare’s CDN, shows up even though I haven’t used Cloudflare in over a month. The script tag must still exist, but in my tests (using Firefox Web Developer Tools, Storage Manager), _cfduid doesn’t actually get set.
- The same is true of CookieConsent, which I think is the cookie for one of the plugins I tried earlier. The script tag for that one is evidently there also, but it doesn’t fire in my tests.
- The rc::c cookie from Google, which distinguishes humans from bots, doesn’t fire for me, either, but Cookiebot finds it on a page with a captcha. Evidently, something about Cookiebot’s testing triggered it. I don’t think it would normally be set unless you interact with the captcha. Other sources indicate that this cookie is supposed to limit the number of times the same visitor is shown video advertising, but there is no advertising on this page or any other in the website. In the context of this site, the captcha is used to prevent bots from making downloads, which is a legitimate security function.
- The ___utmvc cookie, which is supposed to be used with Google Analytics (which I don’t have anymore) appears in the audit on a page where Firefox Storage Manager and the Chrome Cookie Manager extension don’t detect it. It’s another script tag issue and may be related to the fact that Screencast, provider of the videos listed on the page, uses Google Analytics.
- Billhiatt.education, my former other site that just shut down, is sometimes listed as the cookie provider, even though there was no direct link between the two sites and even though the .education site no longer exists. For a short while, I had it set up as a subdomain of billhiatt.com, and the domain currently redirects to .com, so that may be where the confusion comes from.
Testing in different browsers sometimes also produces different results, which may account for the discrepancies.
Default WordPress Cookies
The following italicized information is provided by WordPress. Most of it is only applicable in the event that you create an account on this site or log in with your WordPress account, neither of which is necessary to access any site features. The issue of opting in to saving information to repopulate comment fields has been discussed above.
If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
As I said above, on May 27, 2018, I disconnected this site from Google Analytics and deleted my account (deletion was fully effective in thirty-five days and removes all prior data). Aside from Jetpack, described below, the site collects no visitor analytics. It is still possible Google cookies from third parties might appear if you accept cookies. Gleam, for instance, uses Google Analytics if you interact with one of the giveaway widgets. See the Section on Gleam below.
YouTube and Other Third Party Cookies for Embedded Content
If you accept cookies, interacting with third-party content may generate them. This is particularly true of YouTube videos. Even if you decline cookies, you’ll notice the videos are not blocked out like the iframe content. That’s because I use the Advanced Responsive Video Embedder plugin, which installs an image in the page and loads the video only if you click on the image. Normally, I’d say that if you don’t want YouTube cookies, you shouldn’t interact with the videos, but in my tests, ARVE seems to have embedded them with URLs from YouTube’s no-cookie domain, meaning that they play in privacy-enhanced mode–no cookies! My tests in Firefox and Chrome seem to confirm this, though if I were genuinely third-party cookie averse, I’d block them in my browser before playing a YouTube video, just in case.
If you accept cookies, you get nine of them if you visit a page with the Gleam widget. However, when I checked with Gleam support, I was told, “We do an initial check when the widget loads to see if the user allows 3rd party Cookies or not. Nothing else is stored until the user interacts with the widget.” In that case, it would appear the others are ready to facilitate interaction with the widget if a user decides to interact. They appear to be the same cookies one would get if one loaded the giveaway page on Gleam’s site.
Gleam cookie names in several cases are unique to a particular giveaway and have the giveaway’s code as their suffix.
It’s important to note that security companies such as Sitelock have to collect a certain amount of information in order to protect a website. From what I can see, however, Sitelock retains information only on suspicious traffic. Country of origin and IP address are necessary in the event a malicious user or bot needs to be blocked.