(updated August 8, 2019)
If you wish to sign up for my mailing list, the only information you need to provide is your name and your email address. Mailerlite, my email provider, may also note other information, depending upon how you subscribed. Subscriptions using the Mailerlite hosted-form will keep track of the date you opted in as well as the IP and approximate location from which you opted in. Subscriptions through Mailerlite’s API used by a service provider such as Gleam, BookFunnel, and StoryOrigin will keep track of similar information as part of their confirmation process but don’t pass it directly to Mailerlite or to me. (Such information is necessary to verify that your email address is valid and as part of the process of verifying that you are the one using your email to sign up.)
As you interact with emails sent through the mailing list, Mailerlite keeps track of whether you opened each email and what links, if any, you clicked on.
None of this information is shared, sold, or otherwise given away. Either Mailerlite or I would respond to a valid subpoena or other legal request (though, given the nature of my emails, it’s difficult to imagine a situation in which any government official would seek a subpoena in the first place).
When you sign up, you are given the information about what the list will be used for. After completing the form (through the Mailerlite link, any mailing list signup from on this site, or any mailing list signup form provided through a Mailerlite integration with a third party (such as Gleam, my giveaway provider, or free book sites such as BookFunnel or StoryOrigin), you will receive an email to confirm your subscription. (This process is known as double opt-in and ensures that people don’t sign up by accident or without knowing what they are signing up for, as well as verifying that you are the one signing up.) You are added to the mailing list only if you click on the link in the confirmation email. (If you subscribe directly through a Mailerlite form, the confirmation process is handled by Mailerlite. If you subscribe through another company, such as the ones mentioned above, the confirmation process is handled by that company.)
I use the mailing list solely to provide you with information about my writing (new releases, for example) and related opportunities in which you might be interested (sale prices and other bargains, giveaways I host or cohost, for example). The list is not used for any other purpose.
Each email contains an unsubscribe link. If you unsubscribe, you are immediately removed from the list and will not receive any further emails. Through me, you can also ask that your data be removed if you unsubscribe.
Mailerlite is fully GDPR compliant. You can read more about Mailerlite’s practices here.
If you are concerned about minimizing the privacy risks that some cookies represent, you can add an extra layer of protection for yourself on this and other sites by blocking third-party cookies in your browser. The methods for implementing that protection on various browsers are explained here. You can protect yourself better against tracking by using DNT (Do Not Track) requests. The techniques to use in each browser are explained here.
Ways in Which the Site Has Been Designed to Minimize Privacy Concerns
- All frontend areas of the site (with the exception of the email subscriber’s area, which is password protected but does not require a login), are open to anyone. There is no need to log in or even create an account, and indeed account creation has been disabled. As a result, far less data is stored on the site than might otherwise be the case. See the User Data section for more information.
- I do not sell anything directly from the site. That eliminates the need for other kinds of data and for cookies to keep track of transactions in progress.
- The social media plugin I use, Social Warfare, collects no user data and sets no cookies. When you click one of the share buttons, you are interacting with the API of that particular service in the same way as if you shared directly through the service itself.
- I stopped using Google Analytics as of May 27, 2018. The only statistical plugin I do use is Jetpack, the data collection and cookie usage of which is described below.
- I do not use any onsite advertising, except to the extent that the Amazon book previews and Amazon associate visual links could be regarded as ads. Both are enclosed in iframes, which means they are blocked prior to cookie consent.
Aside from mailing list signup (discussed above), and the information collected by the comment form (discussed below), the website does not collect any personally identifiable information. (As I mentioned above, by design, you do not need to sign up for the website in order to view any portion of it.) For that reason, certain options available to EU citizens under the GDPR (right to be forgotten, data access, data rectification, notification of data breach) are not as relevant.
However, the site does collect some user data through the comment form (discussed below) and through WP Forms. If you do fill out one or more of the forms, the data you have provided will be stored on the site. The GDPR options then become relevant and can be accessed by emailing me at the address in the page header.
If you choose to comment on a post, the form does collect a name and email address as part of the effort to prevent spam. However, the email address is not displayed. Also not displayed is other information the form collects for spam prevention purposes (IP address and browser user agent string). There is now a consent box on the comment form that links to this policy, so no one will comment without having given the appropriate consent. WordPress does generate cookies when you comment so that it can quickly populate the information on the form for you if you comment again, but you have to click a checkbox to allow those cookies to be set.
Providing your email address in the comment form does not subscribe you to my mailing list. I won’t use the emails addresses provided by commenters to email them unless they email me with a request. When you comment, you also don’t need to use your real name.
In the interest of minimizing the amount of data that is stored, the comment form doesn’t require you to create an account or login. While that does reduce the onsite data, it also makes it more difficult for people to request revisions or deletions to their comments. To avoid any inconvenience, I am happy to grant any requests for revision, deletion, or export of comments. All you need to do is email me using the email address you provided when you commented.
Your Ability to Regulate Cookie Usage
When you first visit the site, you have the opportunity to accept or decline cookies. If you accept, you can modify your settings at any time on the privacy settings page, or from the button in the footer of every page. If you decline, no first-party or third-party cookies will be saved to your device with the exception of those necessary for site operation. These include the following:
- Wpca_consent, which sets your cookie preference (otherwise, you’d have to decline every time you visited). There is also a wpca-cc cookie, which only contains data if I’ve set cookie categories. (Since the plugin doesn’t provide any way to auto-block by categories, though, those settings only apply to iframes and scripts I block manually, so there didn’t seem to be much point.)
- Cookies with a sitelock.com or shield.sitelock.com are also connected with the operation of the Sitelock Trueshield.
In order for you to be aware of how the cookies on the site function, below is the latest audit by Cookiebot. It includes which entity (this site or third party) set each cookie, what its function is, and how long the data persists. The report is followed by some additional clarifications. You will need to scroll in order to view the whole report.Cookie scan report July 2019
Since Cookiebot scans without accepting cookies, in theory it should only list cookies set prior to consent. I have noticed, however, that it also lists cookies referenced in script tags, even if they aren’t set prior to consent, at least in my Firefox tests (using Storage Inspector).
Although Cookiebot provides an excellent service, there are sometimes possible inaccuracies caused by the nature of the internet. Some of these are listed below. (These are from the May 26, 2019 audit report–subsequent audit reports may vary in details)
- Cookiebot shows the site’s server location as in the Netherlands. It’s actually in the United States, but Cookiebot, a European-based company, might be drawing the site from a Netherlands-based server in Sitelock’s CDN (Content Delivery Network).
- The ___utmvc cookie, which is supposed to be used with Google Analytics (which I don’t have anymore) appears in the audit on a page where Firefox Storage Manager and the Chrome Cookie Manager extension don’t detect it. However, the script tag for it still apparently exists.
Cookies Used on the Site if You Accept Cookie Usage
Default WordPress Cookies
The following italicized information is provided by WordPress. Most of it is only applicable in the event that you create an account on this site or log in with your WordPress account, neither of which is necessary to access any site features. The issue of opting in to save information to repopulate comment fields has been discussed above.
If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
As I said above, on May 27, 2018, I disconnected this site from Google Analytics and deleted my account (deletion was fully effective in thirty-five days and removes all prior data). Aside from Jetpack, described below, the site collects no visitor analytics. It is still possible Google cookies from third parties might appear if you accept cookies. Gleam, for instance, uses Google Analytics if you interact with one of the giveaway widgets. See the Section on Gleam below.
YouTube and Other Third Party Cookies for Embedded Content
If you accept cookies, interacting with third-party content may generate them. This is particularly true of YouTube videos. Even if you decline cookies, you’ll notice the videos are not blocked out like the iframe content. That’s because I use the Advanced Responsive Video Embedder plugin, which installs an image in the page and loads the video only if you click on the image. Normally, I’d say that if you don’t want YouTube cookies, you shouldn’t interact with the videos, but in my tests, ARVE seems to have embedded them with URLs from YouTube’s no-cookie domain, meaning that they play in privacy-enhanced mode–no cookies! My tests in Firefox and Chrome seem to confirm this, though if you are genuinely third-party cookie averse, you may wish to block third-party cookies in your browser before playing a YouTube video, just in case.
If you accept cookies, you get nine of them when you visit a page with the Gleam widget. However, when I checked with Gleam support, I was told, “We do an initial check when the widget loads to see if the user allows 3rd party Cookies or not. Nothing else is stored until the user interacts with the widget.” In that case, it would appear the others are ready to facilitate interaction with the widget if a user decides to interact. They appear to be the same cookies one would get if one loaded the giveaway page on Gleam’s site.
Gleam cookie names in several cases are unique to a particular giveaway and have the giveaway’s code as their suffix.
It’s important to note that security companies such as Sitelock have to collect a certain amount of information in order to protect a website. From what I can see, however, Sitelock retains information only on suspicious traffic. Country of origin and IP address are necessary in the event a malicious user or bot needs to be blocked.
At first I was puzzled by the presence of _cfduid, the cookie Cloudflare uses as part of its security system, since it kept appearing in Cookiebot audits event though I was no longer using Cloudflare, but it turns out that some of the third-party providers do use Cloudflare. One of the instances of the Cloudflare cookie comes from the Creative Commons license button, and the other one comes from Mailerlite. In both cases, the purpose of the cookie is to enable Cloudflare’s firewall to do its job.
The Elementor Pro plugin produces one cookie prior to consent. However, I have been assured by Elementor technical support that the cookie only records data if Elementor pop-ups are in use. (There are none on this site.) Also, even if popups were enabled, the cookie only saves data to your local computer and does not export it anywhere else. Elementor technical support ensures me this approach is compatible with the requirements of GDPR.