
Tag: General Data Protection Regulation

Do you need to reconfirm your email list for GDPR?

Do You Need to Reconfirm Your Email List for GDPR?

If you’re anything like me, the last few weeks have been full of emails from authors and service providers asking if I want to stay on their email list. I’ve reconfirmed some, deleted some, and ignored most (and now I’m waiting to see if my passive rejection will be seen as rejection or as confirmation).

GDPR, legislation designed to protect personal data (and, among other things, to curb unsolicited email), has led to a deluge of unsolicited emails.

One of the big questions authors have had about the introduction of GDPR is whether they need to obtain consent from the people who have previously signed up to their email list. It doesn’t help that the lawyers can’t agree on who does and who doesn’t need to send reconfirmation emails.

GDPR Applies to EU Residents

Note that GDPR only applies to EU residents. If you don’t have a website or an email list, GDPR probably doesn’t affect you. If you’re confident you don’t have any EU residents on your email list (because it’s only 17 people and you know all of them in real life, or because your email service provider can tell where people are from based on their IP address or other data), then GDPR isn’t likely to affect you.

But you still need to work through the process of deciding who is on your email list, and whether you have a lawful basis of processing data of EU residents.

Lawful Basis of Processing Data

There are six different ways we can legally process data under GDPR:

  1. Consent: the individual has consented to be on your email list. This is the most common reason, and has a high standard to prove.
  2. Contract: you have a contract with the individual and need to process their personal data to deliver that contract.
  3. Legal obligation: where you need to process personal data to comply with statute (e.g. you need to keep accurate financial records to satisfy the tax department).
  4. Vital interests: where you need to collect personal data to save someone’s life. Yeah, I don’t think this is going to include any author email lists.
  5. Public task: where you need the data to carry out a task or function set out in law. Another one that’s not going to apply to author email lists.
  6. Legitimate interests: where you (or a third party) have a genuine interest in processing the data, and that interest isn’t overridden by the individual’s own interests and rights. This is broad and flexible, and will cover some marketing activities (e.g. some lawyers argue uploading your email list to Facebook to target advertising towards your subscribers or similar groups would be covered by legitimate interest).

Most author newsletters are going to claim consent as their lawful basis for processing data. Many authors have been sending emails to reconfirm consent, but there is a school of legal thought that considers reconfirming where you can’t already prove consent is sending unsolicited email, and contrary to GDPR and other anti-spam laws.

I have several email lists, and can think of four main ways people signed up:

  1. In person (e.g. at a conference)
  2. Direct website signup
  3. Signed up to an email course
  4. By participating in an online giveaway

The following is my interpretation of how each of those needs to be treated for GDPR, both in terms of past sign-ups, and going forward. If you don’t know what GDPR is, check out my previous posts:

All the usual legal disclaimers apply. I’m not a lawyer, and this is not legal advice. This is my interpretation of what I need to do (or not do) for GDPR. My circumstances are different to yours, so my answers may not be right for you.

1. In Person Sign-Ups

When I speak at a conference, I invite people to sign up for my email list. In-person signups are fine as long as individuals signed themselves (i.e. they weren’t signed up by a friend), and as long as I keep a paper or scanned copy of the signup form as proof. In this case, I’m relying on consent as my legal basis for processing data.

Going forward, you can continue to take in-person signups, but have a copy of your privacy policy available as well, and keep the paper or scanned copy of the signup (as your email service provider will see it as someone you have manually added to the list).

I don’t consider I need to send reconfirmation emails for this group, as I have their signed consent (besides, I’m confident there are no EU residents in this group!).

2. Direct Website Signup

People can sign up to my email list directly from my website through forms on each page and each blog post. Signups directly through a website may need to be reconfirmed for GDPR if the original sign up was not GDPR compliant (e.g. signing anyone who commented on your site up to your email newsletter). Double opt in doesn’t prove compliance, but single opt in probably isn’t compliant (as someone could be signed up without their knowledge).

The website also needs to make clear what people were signing up to, e.g. a newsletter that will include news about your books (i.e. marketing information). Your email service provider should have a record of how and when everyone signed up.

I don’t consider I need to send reconfirmation emails for this group, as they were each required to positively opt in (and complete a double opt-in) which made clear they were signing up for an email newsletter, and told them they can unsubscribe at any time. In other words, following best practice email marketing principles.

3. Email Course Signup

I have a paid email course, the Kick-Start Your Author Platform Marketing Challenge. I can’t reasonably deliver an email course without holding the email addresses of the participants. This is covered by contract as a lawful basis to process data under GDPR.

4. Giveaway Signup

Online giveaways are where signups get tricky. There are several different ways of running or participating in an online giveaway.

Also, GDPR requires that individuals can refuse consent without detriment, i.e. you can’t promise someone a free gift but only give it to those who sign up for your email list. It could be argued that forcing someone to sign up for an email list in order to receive the gift isn’t GDPR compliant.

I have participated in several types of giveaways:

  1. Self-Hosted (via KingSumo)
  2. Individual Sign Up (via Instafreebie)
  3. Group Sign Up (via Spirit-Filled Kindle)

Self-Hosted via KingSumo

I have used KingSumo for several giveaways. KingSumo uses a double opt in, and adds people directly to my email list. I can therefore show consent if required.

KingSumo allows the giveaway winner to be chosen from:

  • Everyone who provided their email address, or
  • Only from those who completed the double opt in (i.e. consented to sign up for my email list).

Going forward, I will continue to use KingSumo giveaways, but will ensure there is no detriment to those who don’t complete the double opt in (i.e. they still go in the draw for a prize). I will also ensure I continue to keep a record of the terms and conditions of each individual giveaway, and add a link to my privacy policy.

I don’t consider I need to send reconfirmation emails to this group, as I clearly stated that by completing the double opt in, participants were consenting to receive my email newsletter. While KingSumo does track who enters, only those who completed the double opt in were added to my email list, and they have had the opportunity to unsubscribe.

(Click here to read my blog post introducing KingSumo and two other online giveaway tools.)

Individual Sign Up (via Instafreebie)

There are a range of paid giveaways hosted by an external provider such as Instafreebie or Ryan Zee/Booksweeps.

These giveaways give entrants the option to sign up to all the email lists, none of them, or to pick specific lists. I participated in an Instafreebie giveaway, and around 20% of those participating chose to sign up to my email list to receive a copy of Christian Publishing: A List of Publishers Specializing in Christian Fiction.

Each new subscriber went through a welcome sequence, and about 10% unsubscribed as part of that sequence. I’ve since sent a re-engagement email and bulk unsubscribed everyone who hasn’t opened any of my emails for the last six months, on the rationale that those who have opened my emails have had the option to unsubscribe directly.

I’m of the view that where an individual signed up for a giveaway but had the option of signing up to several email lists including mine, then an individual who has signed up to my email list has consented to be on that list.

If there wasn’t a double opt in, or if an individual was required to subscribe in order to receive the gift, or if they weren’t given the option to unsubscribe (e.g. because the giveaway was last month and you haven’t yet emailed them), then it may be necessary to send a reconfirmation email (as if it was double opt in).

I won’t be sending a reconfirmation email to my segment of Instafreebie subscribers, as I have already sent an engagement email and bulk unsubscribed non-openers.

Note that Instafreebie (and similar programmes such as BookFunnel) have changed their systems so individuals can receive the free book without signing up to author’s newsletter, as making the gift dependent on a subscription is against the spirit of GDPR (i.e. the idea of no detriment).

Group Sign Up (via Spirit-Filled Kindle)

Another form of group giveaway is where all entrants are added to a master email list which is forwarded to all participating authors. These giveaways are often run through software such as Gleam or KingSumo. These tools don’t allow entrants to sign up to individual email lists.

I participated in a giveaway with Spirit Filled Kindle which used this approach. All entrants went through a double opt in. This made it clear they would be added to the email lists of all participating authors.

I emailed this group three times, then deleted anyone who didn’t open at least one of those emails. Anyone who opened one or more emails had the opportunity to unsubscribe, so I kept them on my email list without sending a formal reconfirmation request. As always, they have the option to unsubscribe at any time.

Spirit Filled Kindle have now changed their approach. My understanding is that entrants will be emailed the individual email list links. This means they can choose which lists to sign up to.

What’s Your Approach?

However, my answer shouldn’t necessarily be your answer. Your answer will depend on:

  • How you collected the email addresses (and was that consistent with GDPR).
  • When you collected the email addresses.
  • How many times you’ve contacted your subscribers.
  • When you last contacted your subscribers.
  • Whether you make it easy for subscribers to unsubscribe or update their details.
  • Whether you have “cleaned” your list to remove those who don’t open your emails.

At the very least, take the introduction of GDPR as an opportunity to re-engage with those who haven’t opened your emails for a while, and delete those who still don’t. It will improve your open rates, which helps make future emails more deliverable.

I hope the information and options I’ve provided help those of you who are still puzzling over your email list.


Update Your Website for GDPR

Updating Your Website for GDPR (an #AuthorToolBoxBlogHop Post)

This post is part of the monthly Author ToolBox Blog Hop, organised by Raimey Gallant. We now have over 40 blogs participating. To find more Blog Hop posts:

Click here to visit the main Blog Hop page
Click here to find our posts on Twitter
Click here to find our Pinterest board

GDPR and Your Website

My April #AuthorToolBoxBlogHop post introduced GDPR. Here are the main highlights:

  • The GDPR is the General Data Protection Regulation, and comes into force on 25 May 2018.
  • If you process or hold the personal data of EU residents, it applies to you no matter where you are based.

In other words, GDPR applies to me even though I’m not based in the EU. It probably applies to you as well.

Since writing that post, I’ve read thousands of words of blog posts and watched or listened to hours of YouTube videos and podcasts to try and understand what we have to do by 25 May to comply with GDPR.

First, the PSA. I’m not a lawyer, so none of the information in this blog post is legal advice. It’s my best guess as a layperson who has studied the subject. If you want legal advice, you ask a lawyer who is qualified to practice in this area. In this case, that means a lawyer based in the EU with a background in privacy, data protection, or similar. You don’t get legal advice off the internet.

The first thing to remember is that the world is not ending. As British lawyer Suzanne Dibble says:

“The GDPR mandates organizations to put into place comprehensive but proportionate governance measures.”

“Proportionate” is important. It means that you and I, as one-person organisations, aren’t going to be expected to have all the data protection bells and whistles of, say, British Airways. But we still have to be responsible about the way we collect and process personal data, and we’re still accountable for that.

It’s the Golden Rule in practice.

We need to treat the personal information we hold in the same way we’d want other people to treat ours.

Note that personal information is defined as any information relating to an identified or identifiable natural person. This includes name, email address, and can also include an IP address, and website cookies. At the most basic level, GDPR is about respecting the privacy of individuals. I’m sure we can all agree with that.

The other thing to remember is that the ICO (the UK’s data protection regulator) isn’t going to be actively monitoring the GDPR compliance of every one-person website. Small organisations like ours are most likely to be investigated only if a complaint is made against them.

What Do I Need to Do?

There are actually a few things you can or should do if you have a website. Here are the points I think are the most important:

1. SSL Certificate

If your website doesn’t already have an SSL certificate, it may be worth getting one for the added layer of security and the Google benefits. Without one, anything a visitor types into your signup or contact form (including their email address, which is personal data) travels across the network in plain text. If you haven’t yet set up your website, I would definitely recommend using SSL from the beginning.

Many web hosts (e.g. BlueHost) provide a free SSL certificate with their hosting packages. Alternatively, NameCheap offers SSL certificates starting at $9/year (see this blog post from Nuts and Bolts for more information).

Neil Patel at Kissmetrics has a detailed post on the subject.

2. Update Your Privacy Policy

If you don’t already have a Privacy Policy, now is a good time to develop one. You already need one under Californian law (CalOPPA), if you use Google Analytics, or if you’re an Amazon affiliate.

There are plenty of free and paid resources online to help you. I’ve checked out several options:

Auto Terms of Service and Privacy Policy WordPress Plugin

Auto Terms of Service and Privacy Policy is a free WordPress plugin. I added this to my author website, and found it had no customisation, no reference to GDPR, and fails the plain English test. I’ll be replacing this ASAP.

Free Privacy Policy

Free Privacy Policy is customisable and produces a solid policy, but has no reference to GDPR. On the plus side, free meant free, and the form was easy to fill out. But it won’t be valid after 25 May.

DGD Deutsche Gesellschaft für Datenschutz

The only free GDPR-compliant policy I found was from a German website (click here). The policy is customisable, and available in your choice of English or German. However, the stilted English suggests the policy has been written in German and translated. I’d rather have a policy that was written in English.

Terms Feed

Terms Feed offer a “free” Privacy Policy, but you have to pay for certain necessary customisation, like the GDPR verbiage. My quote was $61, so I didn’t download it.

Privacy Policies

Privacy Policies charge $29.99 for a commercial policy (with “commercial” including anyone who is using affiliate links, or marketing or selling any product or service). The policy is customised, but I didn’t buy it so I don’t know how good it is or whether it covers GDPR.

iubenda.com

Randy Ingermanson of Advanced Fiction Writing recommends iubenda.com. The free policy covers next to nothing, so most authors will need the paid version, which is $27 per year. The policy is customisable, but I found there were too many options to choose from, and it didn’t include some of the plugins I use. I didn’t get a policy, but you can see Randy’s here: Privacy Policy. Note that it’s stored at the iubenda website, not on Randy’s own site. I prefer something that’s stored on my own site, so I know it isn’t updated without my knowledge.

Zegal.com

Another good option is Zegal.com, which offers free privacy policies tailored for New Zealand or Australia. Mine was clear, easy to read, and easy to understand, but it’s not GDPR-compliant (although there is a paid version which is).

I’ve used the Zegal policy as the basis for my updated Privacy Policy, and added extra sections as advised by WordPress.

Suzanne Dibble

Suzanne Dibble, a British lawyer and expert in the subject, has put together a full GDPR pack. It’s not cheap (GBP 197) but covers everything. To see what’s in the pack, check out this blog post from Shannon Mattern: How to Get Your Website Ready for GDPR.

Suzanne also has a free Facebook group and lots of videos. This is the most important (and the longest):


Don’t copy someone else’s Privacy Policy without permission, or you will be infringing on the copyright of the lawyer who wrote that policy. As writers who want our copyright to be respected, we need to respect the copyright of others.

Even if someone has given permission to copy their policy, read it carefully and revise if necessary. It might not include the information you need, either because they use things you don’t, or because you use things the policy doesn’t refer to. And it might use the wrong language for your brand. For example, this NSFW policy from Writers HQ contains all the necessary legal information, but the language is all wrong for my audience. And probably yours.

3. Terms and Conditions

If you are selling directly from your website, you should consider a terms and conditions policy. I’m currently using the extreme legalese of Auto Terms of Service and Privacy Policy, but I will look at this again.

4. Cookie Policy

Most websites use cookies, and EU law requires website owners to advise visitors of this fact, and obtain their consent to using cookies. (Strictly necessary cookies, such as the one that keeps a logged-in user logged in, are exempt from the consent requirement; analytics and advertising cookies are not.) WordPress plugins such as the EU Cookie Law Widget help site owners comply.

Click here to learn more about cookies. Cookies can be addressed as part of your Privacy Policy, or in a separate Cookie Policy.

If you use WordPress, check out the GDPR Cookie Compliance plugin.

5. Update Your Email Signup Forms

Once you have created (or updated) your Privacy Policy, you will need to update your email signup forms to include a reference or link to your Privacy Policy.

Your signup form must also make clear that subscribers are signing up for your email newsletter, and that they will receive marketing information. You can also give them a free book or other gift for signing up, as I do. But it has to be in that order:

Sign up for my monthly newsletter and receive a free gift.

Is probably acceptable (probably. Not definitely). This is not:

Want a free gift? Sign up here.

Why is that second example not acceptable? Because it doesn’t make it clear that the user is being signed up to an email list. What about this?

Want a free gift? Sign up here, and I’ll add you to my email list.

This isn’t acceptable under GDPR because it ties the free gift to signing up to the newsletter. Yes, this looks the same as my first example. Semantics. Even the lawyers I’ve listened to don’t agree on this one.

6. Update Your Contact Form

Most websites have a contact form (e.g. Contact Form 7, Gravity Forms, or Ninja Forms). Contact forms collect information such as the person’s name, email address, and IP address. You’re allowed to collect this information, as it’s a legitimate business interest that will enable you to answer their query. But you still need to disclose you are collecting and storing this information (even though it seems obvious).

Your Privacy Policy will need to include what information you collect on your contact form, and what it is used for. The WP GDPR Compliance plugin for WordPress will add a tickbox to your Contact Form 7 or Gravity Forms contact form. It takes about two minutes to install and activate.

7. Update Your Comments Form

Most blogs have a comments section. This collects your name, website, email address, and IP address, as well as your message. This is personal information, and is stored by WordPress, so we need consent to store this information.

The WP GDPR Compliance plugin also handles comments, which means you’ve covered two items with one plugin.



Is your website GDPR-ready?

What Authors Need to Know about GDPR (General Data Protection Regulation)

What Authors Need to Know About GDPR | An #AuthorToolBoxBlogHop Post

This post is part of the monthly Author ToolBox Blog Hop, organised by Raimey Gallant. We now have over 40 blogs participating. To find more Blog Hop posts:

I have two posts in the Blog Hop this month—this post on GDPR, and I’m also guest posting on Publishing at Ronel the Mythmaker’s blog, as part of her April A-Z Challenge.

But here I’m talking about the General Data Protection Regulation: what it is, and why authors need to know about it.

First, the PSA. I’m not a lawyer, so none of the information in this blog post is legal advice. It’s my best guess as a layperson who has studied the subject. If you want legal advice, you ask a lawyer who is qualified to practice in this area. In this case, that means a lawyer based in the EU with a background in privacy, data protection, or similar. You don’t get legal advice off the internet. Now, on with the blog post.

What is GDPR?

The GDPR is the General Data Protection Regulation, and comes into force on 25 May 2018. It harmonizes data privacy laws across the European Union (EU), so it affects any organization holding personal data from EU residents. Note that the EU still includes the United Kingdom, so GDPR still applies. The British government have indicated they will implement GDPR-like legislation following Brexit (if it goes ahead).

Why do authors need to know about GDPR?

GDPR affects all organisations based in the EU, or supplying goods or services in the EU. If you have a website or an email list, this includes you.

If you have an email list, you’re supplying services. Your subscribers may not pay you, but you are supplying a service. If your email list includes EU residents, or is likely to include EU residents in the future, the GDPR applies to you whether you live in the EU or not.

[The GDPR] applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

If you have a website, you’re collecting information on your visitors. If you have visitors who are EU residents, the GDPR applies to you whether you live in the EU or not.

‘Personal data’ includes data such as a name or email address. It also includes IP addresses (such as those collected by your website when someone comments), and posts on social networking sites.

‘Companies’ includes your email list provider (e.g. MailChimp or MailerLite), and includes cloud services. If you use an email list provider and follow their recommended best practice (e.g. double opt-in), then you are probably operating within the law. Probably. As I’ve said before, I’m not a lawyer and this is not legal advice.

GDPR requires that you collect the minimum data necessary.

This has always been best practice: if you are collecting email addresses, the only piece of data you actually need is the email address.

Asking for their first name might help you build a relationship with the subscriber (if they type their name correctly!), but it’s not necessary. Many sites also ask for a surname, and few people are going to object to that. But giving my business name, address, telephone number, number of employees … that’s over the top when all I want to do is download a short pdf file.

You have the option of making fields compulsory or optional. If the field is anything but 100% necessary, make it optional (most people will still complete it).

Note: this also applies to the contact form on your website, because that’s another way of collecting personal information.

GDPR requires active and explicit consent

The regulations say:

Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.

People must be actively consenting to join your email list.

  • Joining the email list can’t be automatic by filling out a form (as happened to me today!).
  • If you have a reader magnet or other free gift, then you can’t send the gift and tell people they are now on your email list. You have to give them the option to download the gift without joining your list, or invite them to join your list and send the gift as a thank you.
  • If there is a “Join my list” checkbox, it has to be unchecked. This means the would-be subscriber has to actively check the box.
  • Joining can’t be one item in a long and unreadable list of legalese.

I suspect people also can’t explicitly consent to joining twenty email lists at once. We used to see this in online giveaways. Now, giveaways must give entrants the option to opt in or not opt in to each participant’s list (which some giveaways always did).

It must also be easy to withdraw consent. All the major email providers make this easy, by offering instant unsubscribe options (a far cry from when I used to unsubscribe to a spam email list and be told it might take up to a month!). Subscribers also have the right to have all their information deleted upon request, and the good email list providers do their best to make that easy as well.
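Here is what those consent rules look like on the server side of a signup form, as an added example written for this post (it is not code from the original post, nor from any of the email providers mentioned). The signup is rejected unless the unticked consent box was actually ticked; nothing is added to the list until the signed link in the confirmation email is clicked (the double opt-in); what gets stored is the evidence you would need to prove consent later (when, from where, which privacy policy version, what wording); and withdrawing consent or erasing the record is a single call. The form field names, the 48-hour link lifetime, the policy version string, the consent wording and the example addresses are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time


class ConsentError(ValueError):
    """Raised when a signup does not carry an explicit, positive opt-in."""


class MailingList:
    """In-memory subscriber store with double opt-in and a consent record.

    Assumed for this example (not from the original post): the signup form
    posts fields named 'email' and 'newsletter_consent', the confirmation
    email carries the token in a link, and links expire after CONFIRM_TTL.
    """

    CONFIRM_TTL = 48 * 3600  # seconds a confirmation link stays valid (assumption)
    CONSENT_TEXT = ("Sign up for my monthly newsletter (book news and other "
                    "marketing; unsubscribe at any time)")  # assumed wording

    def __init__(self, secret: bytes, policy_version: str):
        self._secret = secret            # server-side key used to sign confirmation links
        self.policy_version = policy_version
        self.pending = {}                # email -> record awaiting confirmation
        self.subscribers = {}            # email -> consent record (the evidence)

    def _sign(self, message: str) -> str:
        return hmac.new(self._secret, message.encode(), hashlib.sha256).hexdigest()

    def request_signup(self, form: dict, source_ip: str, now=None) -> str:
        """Step 1 (single opt-in): the form was posted. Returns the link token.

        Nothing is subscribed yet: anyone could have typed in this address.
        """
        now = now or time.time()
        # Browsers only send a checkbox field when it is ticked. The box must be
        # unticked by default, so its presence is the positive act GDPR asks for.
        if form.get("newsletter_consent") != "on":
            raise ConsentError("consent box not ticked; not adding to the list")
        email = form.get("email", "").strip().lower()
        if "@" not in email or any(c in email for c in " |"):
            raise ConsentError("invalid email address")
        expires = int(now + self.CONFIRM_TTL)
        nonce = secrets.token_hex(8)
        message = f"{email}|{expires}|{nonce}"
        token = f"{message}|{self._sign(message)}"
        # Keep only what is needed to prove consent later (data minimisation).
        self.pending[email] = {
            "requested_at": int(now),
            "source": "website_form",
            "source_ip": source_ip,
            "policy_version": self.policy_version,
            "consent_text": self.CONSENT_TEXT,
            "nonce": nonce,
        }
        return token

    def confirm(self, token: str, now=None) -> bool:
        """Step 2 (double opt-in): the link in the confirmation email was clicked."""
        now = now or time.time()
        try:
            email, expires, nonce, sig = token.split("|")
        except ValueError:
            return False
        message = f"{email}|{expires}|{nonce}"
        if not hmac.compare_digest(sig, self._sign(message)):
            return False                  # forged or tampered link
        if now > int(expires):
            return False                  # stale link: ask them to sign up again
        record = self.pending.get(email)
        if record is None or record["nonce"] != nonce:
            return False                  # already confirmed, erased, or an older link
        del self.pending[email]
        del record["nonce"]
        record["confirmed_at"] = int(now)
        record["status"] = "subscribed"
        self.subscribers[email] = record
        return True

    def unsubscribe(self, email: str, now=None) -> bool:
        """Withdrawing consent must be as easy as giving it: one call, no round-trip."""
        record = self.subscribers.get(email)
        if record is None or record["status"] != "subscribed":
            return False
        record["status"] = "unsubscribed"
        record["unsubscribed_at"] = int(now or time.time())
        return True

    def erase(self, email: str) -> bool:
        """Right to erasure: drop everything held about the address, pending or confirmed."""
        found = self.pending.pop(email, None) is not None
        found = self.subscribers.pop(email, None) is not None or found
        return found

    def consent_evidence(self, email: str):
        """What you would show a regulator: how, when and to what the person consented."""
        return self.subscribers.get(email)


if __name__ == "__main__":
    ml = MailingList(secret=b"replace-with-a-random-key", policy_version="2018-05-25")
    tok = ml.request_signup({"email": "reader@example.com", "newsletter_consent": "on"}, "203.0.113.7")
    print("confirmation link: https://example.com/confirm?token=" + tok)
    print("confirmed:", ml.confirm(tok))
    print("evidence:", ml.consent_evidence("reader@example.com"))
```

The signature on the link is what stops someone confirming an address they don’t control: only the server holding the key can produce a valid token, and the nonce stored with the pending record means an older link is useless once a fresh signup request has been made. A real list would keep these records in a database and send the email through your list provider, but the shape of the evidence (request time, confirmation time, source, policy version, wording) is the part that matters if anyone ever asks you to prove consent.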

How email providers are reacting

The major email providers do have lawyers on staff. I’m sure they’ve all been busy reading and arguing the finer points of the legislation, and considering what they need to change in order to ensure their customers (you and me) remain compliant.

Here’s what some of the main email providers have to say about GDPR:

Aweber

Aweber is self-certified with both the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield, and intends to be fully compliant with GDPR. They say Aweber customers need to ensure they comply with Aweber terms of service to help ensure they are GDPR-compliant.

Convertkit

ConvertKit are building new features to enable users to identify their EU subscribers and collect explicit consent from them, including providing a specific opt-in checkbox for EU subscribers.

ConvertKit recommend users:

  • Use double opt-in wherever possible.
  • Perform regular list backups.
  • Make your intentions clear on email signup forms and landing pages (e.g. what will they get by signing up to this list? Will they also be signed up to another list?).

This is good advice for everyone.

MailChimp

MailChimp have introduced a specific opt-in box on MailChimp-hosted forms, and recommend users clearly explain to subscribers how their data will be used. MailChimp is certified with both the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield.

MailerLite

MailerLite have developed a GDPR template to help users reconfirm their email list to be sure everyone has actively and explicitly consented.

What should I do?

If you’re not 100% sure all your subscribers have opted in to receiving your emails (e.g. you haven’t always used a double opt-in), then you should check out what templates or services your email list provider offers, and use them to clean your list.

If you have an email list, you need to use a recognised email list provider! No, you can’t send bulk emails through Gmail, Hotmail, or Outlook.

Have you cleaned your email list lately? Have you deleted the people who never open your messages? Sure, it will mean fewer people on your list. There are advantages to cutting the dead weight from your list. It will increase your open rates, cost you less, and mean your emails are less likely to end up in spam. Isn’t that a good thing?

What do you need to do to prepare for GDPR?