personal websites and the law - behind the zine-s
In July, I wrote an article to submit to a project, but didn't hear back. So I decided to publish it here.
What challenged me the most was writing something that should not need endless footnotes and links, when everything in it is so nuanced and I am used to using them a lot to back me up on certain topics. I also had to catch myself so as not to zero in too hard on the legal frameworks I know a little more about (EU/Germany), and instead keep it a bit more general, as the intended audience is global and lives under legal frameworks I am less or not at all familiar with.
I settled for writing this behind-the-scenes post to go more in-depth and present my considerations/justifications that wouldn't have fit into the article. I write this as a law student who is in the final stretch of getting certified as a data protection officer on the side.
base considerations
When I think of sites on hosters like Neocities and Nekoweb and what they might need to know about, I think about their graphics everywhere, their autoplay music and music players, embedded YouTube videos, Spotify playlists and Last.fm activity. There's also a not-so-small portion of website or blog owners that include a donation link in their footers - does that make the offering commercial?
These thoughts decided the main parts of the article, because those page contents bring up questions around Copyright and licenses, cookies, and the need for a Privacy Policy.
I also think of the services that make it easy to create your website or blog and offer analytics or a newsletter option that you can implement. How would they need to handle the subscription and the visitor consent to the analytics?
And in-between all of this, I want to drive home that there are local laws that might apply too, so that needs an example, preferably one I am very familiar with.
does it even apply?
But do these laws even apply to personal websites? They're not selling anything, they're not huge, they're not professional. And after all, the GDPR[1] for example sets the material scope in Art. 2, saying
"This Regulation does not apply to the processing of personal data: [...] by a natural person in the course of a purely personal or household activity."
The people creating these websites are natural persons and doing this for purely personal reasons, right?
The wording is deliberately vague so that it can exclude and include various situations that cannot be foreseen. The main example that is always brought up in study materials is that it exists so that you do not have to hand out data processing consent forms for matters like organizing a private party and asking people for their address to send invitation letters to their house.
A good way to further interpret the law is the recitals, but even here, this one is limited. Recital 18 states purely personal or household activity has...
"...no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities."
Social networking and online activity means social media accounts, for example.
Some court decisions for the GDPR predecessor Directive 95/46/EC (which already had the 'household exemption') elaborated more on this issue[2], especially Lindqvist (C-101/01) about a private website sharing personal information of others.
In paragraph 47:
"That exception must therefore be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people."
Interestingly, there's also this paper by the Article 29 Working Party from 2013 that dives deeper into how internet presences have made the exemption a gray area, and what criteria you should use to decide whether something falls under it or not.
This and some additional court decisions[3] help to understand that the use of "purely" is meant to be fairly narrow and restrictive. If your website is password-protected and just for you and a few others you know that have the password, it would still be private and domestic. However, once it is published on the internet and accessible to everyone online, it leaves your household and privacy and becomes a public offer that anyone you have no personal connection to can interact with. I know it is easy to point to social media like TikTok and see the same happening there, but one is a platform that takes care of all the legal aspects so the users can just have a profile and post, and the other is you and your own web presence, not on a platform that handles it all for you.
So, if we assume your website falls into the scope of the GDPR and that you are a data controller, which means someone who decides the purpose and means of processing personal data, you can find the requirement for a Privacy Policy in Articles 12-15 GDPR, which set out what information needs to be transparently communicated to the user.
The work doesn't stop here, because the GDPR isn't the only thing that applies to websites. To things like cookies, for example, it actually applies very little. It only mentions cookies once - in Recital 30, saying they can count as personal data. What we actually want is the ePrivacy Directive[4], last amended in 2009. They wanted to replace it and still haven't done it, which sucks.
What instantly sticks out is that the ePrivacy Directive itself doesn't have a household exemption :^) and in Article 3, says it ...
"[applies] to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community, including public communications networks supporting data collection and identification devices."
That's pretty all-encompassing for internet services and websites, even if it sounds weird. That's why so many services keep asking you, even your Spotify app.
There's also lots of discourse about its scope: Does it apply on a 'country of origin' or 'country of destination' basis? The core of the discourse is: Do you have to comply with only the standards of the EU member state in which you are established ("country of origin" principle) or with those of every member state where your users are based ("country of destination" principle)? This decides whether you have to comply with the opt-in or opt-out rules of every member state. And since it's a directive, how do member states differ in applying it? Luxembourg, for example, has a 12-month limit on cookie retention that others don't have.
And this is just going into European law. The UK has copied a lot since they left, Brazil has a very similar law to the GDPR, and there are US laws like the California Consumer Privacy Act (CCPA). Obviously, the majority of websites are offered internationally and everyone is interested in keeping it fairly harmonized so websites don't have to comply with 394829 different laws. The good thing is that if you comply with a law that is the strictest and most widespread and sort of an industry leader[5], you tend to have enough compliance with the other ones too - that is how companies have been winging it for a while. So I consider it the easiest for now to seek out how to comply with the GDPR and then go from there.
Unfortunately, lots of information or case law out there just doesn't acknowledge websites that are not professional or commercial in nature and assumes it is your portfolio, monetized blog or your sales website, so it's hard to get information for an indie web use case. All I can go off of is that the GDPR's household exemption is more restrictive than internet commenters usually assume and deems cookies personal data, and that the ePrivacy directive and the national laws I looked at don't explicitly rule out websites like ours.
That means I only feel comfortable recommending compliance and giving pointers on how that may be done, and if you think that is wrong or you want legal advice, you have to seek it out and take the risk yourself. There are as many different legal opinions about anything as there are shells on the beach, and you will always find someone saying the opposite of what you're reading one person say. All I can do is drive awareness and do some education; what you do is up to you :)
Published 26 Aug, 2025
[1] Remember that this one is applicable in a very wide regional scope because it applies whenever you offer a service to someone in the EU. So unless you region-lock your website (as many US news outlets do), this is interesting to you despite not being in the EU.
[2] It's common and normal to look at the predecessor and its case law to understand current law, especially when the wording of the part in question stayed the same.
[3] There is also C-212/13 - Ryneš, which is about video surveillance in front of the home, but also decided that the household exemption needed to be applied restrictively. The second it leaves your direct circle and home, it will likely not apply anymore.
[4] Careful: the ePrivacy Directive is still in effect; the ePrivacy Regulation was supposed to replace it to harmonize the contents across the EU, but hasn't been passed so far. A directive sets out a goal that EU member states must achieve, and it is up to the individual countries to adjust their own laws on how to reach these goals. A regulation is a binding legislative act across all member states that must be applied in its entirety with little to no national wiggle room.
[5] The GDPR served as a model for a successful and comprehensive data protection law, once again proving the Brussels Effect.