If you’re anything like me, the last few weeks have been full of emails from authors and service providers asking if I want to stay on their email list. I’ve reconfirmed some, deleted some, and ignored most (and now I’m waiting to see if my passive rejection will be seen as rejection or as confirmation).
GDPR, the legislation designed to prevent spam emails, has led to a deluge of spam emails.
One of the big questions authors have had about the introduction of GDPR is whether they need to obtain consent from the people who have previously signed up to their email list. It doesn’t help that the lawyers can’t agree on who does and who doesn’t need to send reconfirmation emails.
GDPR Applies to EU Residents
Note that GDPR only applies to EU residents. If you don’t have a website or an email list, GDPR probably doesn’t affect you. If you’re confident you don’t have any EU residents on your email list (because it’s only 17 people and you know all of them in real life, or because your email service provider can tell where people are from based on their IP address or other data), then GDPR isn’t likely to affect you.
But you still need to work through the process of deciding who is on your email list, and whether you have a lawful basis of processing data of EU residents.
Lawful Basis of Processing Data
There are six different ways we can legally process data under GDPR:
- Consent: the individual has consented to be on your email list. This is the most common reason, and has a high standard to prove.
- Contract: you have a contract with the individual and need to process their personal data to deliver that contract.
- Legal obligation: where you need to process personal data to comply with statute (e.g. you need to keep accurate financial records to satisfy the tax department).
- Vital interests: where you need to collect personal data to save someone’s life. Yeah, I don’t think this is going to include any author email lists.
- Public task: where you need the data to carry out a task or function set out in law. Another one that’s not going to apply to author email lists.
- Legitimate interests: where it is somehow in the individual’s best interest that you process their data. This is broad and flexible, and will cover some marketing activities (e.g. some lawyers argue uploading your email list to Facebook to target advertising towards your subscribers or similar groups would be covered by legitimate interest).
Most author newsletters are going to claim consent as their lawful basis for processing data. Many authors have been sending emails to reconfirm consent, but there is a school of legal thought that considers that sending a reconfirmation email where you can’t already prove consent is itself sending unsolicited email, and is contrary to GDPR and other anti-spam laws.
I have several email lists, and can think of four main ways people signed up:
- In person (e.g. at a conference)
- Direct website signup
- Signed up to an email course
- By participating in an online giveaway
The following is my interpretation of how each of those needs to be treated for GDPR, both in terms of past sign-ups, and going forward. If you don’t know what GDPR is, check out my previous posts:
All the usual legal disclaimers apply. I’m not a lawyer, and this is not legal advice. This is my interpretation of what I need to do (or not do) for GDPR. My circumstances are different to yours, so my answers may not be right for you.
1. In Person Sign-Ups
When I speak at a conference, I invite people to sign up for my email list. In-person signups are fine as long as individuals signed themselves (i.e. they weren’t signed up by a friend), and as long as I keep a paper or scanned copy of the signup form as proof. In this case, I’m relying on consent as my legal basis for processing data.
Going forward, we can continue to take in-person signups, but should have a copy of our privacy policy available as well, and ensure we keep the paper or scanned copy of the signup (as your email service provider will see it as someone you have manually added to the list).
I don’t consider I need to send reconfirmation emails for this group, as I have their signed consent (besides, I’m confident there are no EU residents in this group!).
2. Direct Website Signup
People can sign up to my email list directly from my website through forms on each page and each blog post. Signups directly through a website may need to be reconfirmed for GDPR if the original sign up was not GDPR compliant (e.g. signing anyone who commented on your site up to your email newsletter). Double opt in doesn’t prove compliance, but single opt in probably isn’t compliant (as someone could be signed up without their knowledge).
The website also needs to make clear what people were signing up to, e.g. a newsletter that will include news about your books (i.e. marketing information). Your email service provider should have a record of how and when everyone signed up.
I don’t consider I need to send reconfirmation emails for this group, as they were each required to positively opt in (and complete a double opt-in) which made clear they were signing up for an email newsletter, and told them they can unsubscribe at any time. In other words, following best practice email marketing principles.
3. Email Course Signup
I have a paid email course, the Kick-Start Your Author Platform Marketing Challenge. I can’t reasonably deliver an email course without holding the email addresses of the participants. This is covered by contract as a lawful basis to process data under GDPR.
4. Giveaway Signup
Online giveaways are where signups get tricky. There are several different ways of running or participating in an online giveaway.
Also, GDPR requires that individuals can refuse consent without detriment i.e. you can’t promise someone a free gift but only give it to those who sign up for your email list. It could be argued that forcing someone to sign up for an email list isn’t GDPR compliant.
I have participated in several types of giveaways:
- Self-Hosted (via KingSumo)
- Individual Sign Up (via Instafreebie)
- Group Sign Up (via Spirit-Filled Kindle)
Self-Hosted via KingSumo
I have used KingSumo for several giveaways. KingSumo uses a double opt in, and adds people directly to my email list. I can therefore show consent if required.
KingSumo allows the giveaway winner to be chosen from:
- Everyone who provided their email address, or
- Only from those who completed the double opt in (i.e. consented to sign up for my email list).
Going forward, I will continue to use KingSumo giveaways, but will ensure there is no detriment to those who don’t complete the double opt in (i.e. they still go in the draw for a prize). I will also ensure I continue to keep a record of the terms and conditions of each individual giveaway, and add a link to my privacy policy.
I don’t consider I need to send reconfirmation emails to this group, as I clearly stated that by completing the double opt in, participants were consenting to receive my email newsletter. While KingSumo does track who enters, only those who completed the double opt in were added to my email list, and they have had the opportunity to unsubscribe.
(Click here to read my blog post introducing KingSumo and two other online giveaway tools.)
Individual Sign Up (via Instafreebie)
There are a range of paid giveaways hosted by an external provider such as Instafreebie or Ryan Zee/Booksweeps.
These giveaways give entrants the option to sign up to all the email lists, none of them, or to pick specific lists. I participated in an Instafreebie giveaway, and around 20% of those participating chose to sign up to my email list to receive a copy of Christian Publishing: A List of Publishers Specializing in Christian Fiction.
Each new subscriber went through a welcome sequence, and about 10% unsubscribed as part of that sequence. I’ve since sent a re-engagement email and bulk unsubscribed everyone who hasn’t opened any of my emails for the last six months, on the rationale that those who have opened my emails have had the option to unsubscribe directly.
I’m of the view that where an individual signed up for a giveaway but had the option of signing up to several email lists including mine, then an individual who has signed up to my email list has consented to be on that list.
If there wasn’t a double opt in, or if the individual was required to subscribe in order to receive the gift, or if they weren’t given the option to unsubscribe (e.g. because the giveaway was last month and you haven’t yet emailed them), then it may be necessary to send a reconfirmation email (as if it was double opt in).
I won’t be sending a reconfirmation email to my segment of Instafreebie subscribers, as I have already sent an engagement email and bulk unsubscribed non-openers.
Note that Instafreebie (and similar programmes such as BookFunnel) have changed their systems so individuals can receive the free book without signing up to the author’s newsletter, as making the gift dependent on a subscription is against the spirit of GDPR (i.e. the idea of no detriment).
Group Sign Up (via Spirit-Filled Kindle)
Another form of group giveaway is where all entrants are added to a master email list which is forwarded to all participating authors. These giveaways are often run through software such as Gleam or KingSumo. These tools don’t allow entrants to sign up to individual email lists.
I participated in a giveaway with Spirit Filled Kindle which used this approach. All entrants went through a double opt in. This made it clear they would be added to the email lists of all participating authors.
I emailed this group three times, then deleted anyone who didn’t open at least one of those emails. Anyone who opened one or more emails had the opportunity to unsubscribe, so I kept them on my email list without sending a formal reconfirmation request. As always, they have the option to unsubscribe at any time.
Spirit Filled Kindle have now changed their approach. My understanding is that entrants will be emailed the individual email list links. This means they can choose which lists to sign up to.
What’s Your Approach?
However, my answer shouldn’t necessarily be your answer. Your answer will depend on:
- How you collected the email addresses (and whether that was consistent with GDPR).
- When you collected the email addresses.
- How many times you’ve contacted your subscribers.
- When you last contacted your subscribers.
- Whether you make it easy for subscribers to unsubscribe or update their details.
- Whether you have “cleaned” your list to remove those who don’t open your emails.
At the very least, take the introduction of GDPR as an opportunity to re-engage with those who haven’t opened your emails for a while, and to delete those who haven’t. It will improve your open rates, which helps make future emails more deliverable.
I hope the information and options I’ve provided help those of you who are still puzzling over your email list.