We can all thank the European Union’s (EU) new GDPR rules going into effect last Friday for the deluge. Although privacy policies and being transparent and respectful with others’ data are good things, the deadline has caused last-minute panic in all corners of the internet.
On Twitter, jokes flew about how we’re all drowning in these notices:
*sits down to watch Solo*
“A Long Time Ago, In A Galaxy Far, Far Away…”
— Sean R. Frazier (@TheCleftonTwain) May 28, 2018
dad: matt, we need to talk
me: oh my god dad we haven’t spoken in years
— Matthew Inman (@Oatmeal) May 28, 2018
me: *opens fortune cookie*
— PEEKABOO (@peekaboobeats) May 29, 2018
I’ve gotten so many GDPR emails the past couple of days that they’ve started going to spam all on their own. *blink, blink*
— Lynn Raye Harris (@LynnRayeHarris) May 26, 2018
The Goal of the GDPR Regulations
Before we panic and add to the deluge, we should take a step back and remember what the GDPR is meant to accomplish.
The purpose of the GDPR is to provide a set of standardized data protection laws across the EU. The laws address issues of how the personal data of EU citizens (wherever they reside) is treated by online entities, including:
- the need for clear consent before collecting or saving personal information
- transparency for how the data will be used
- self-control over personal information (such as to update or delete)
In other words, sites that have always focused on consent (double-opt in for email subscriptions) and using data in ways users would expect (leaving a comment doesn’t automatically subscribe visitors to email, etc.) shouldn’t have to change or update much.
On the other hand, if we’ve made a habit of shady practices, we need to worry more. Yet many of those emails we’ve been seeing might not be the right answer either.
Does the GDPR Apply to Us?
As I mentioned in the introduction to Kharma Kelley’s guest post, I was surprised to learn that even though I’m not in the EU and not an EU citizen, the law still affects me. The law covers EU citizens no matter where they are in the world.
So it’s likely that many of us are affected:
- If we have a newsletter, some subscribers might be EU citizens.
- If we have a blog, our blog platform (such as WordPress) might collect information from those who leave comments, some of whom might be EU citizens.
- If our website includes a contact form, our site collects information from those visitors, and again, some of them might be EU citizens.
Other common ways we might collect personal data from EU citizens are through targeted advertising (including Facebook Pixel and Google AdWords), running a store, offering giveaways or ARCs, plugins/cookies (such as Google Analytics, Facebook buttons), etc.
Do We Need to Send GDPR Emails Too?
In her guest post a few weeks ago, Kharma Kelley addressed what red flags to watch out for and shared 7 tips for how to become GDPR compliant, so I won’t repeat that information here. But I want to touch on the two types of emails we’ve been flooded with and whether we should join the crowd.
Email Flood #1: Privacy Policies
The big companies sending out those update emails likely have more complicated websites, where they handle money transactions directly and visitors set up accounts with terms and conditions. They also probably had privacy policies in place before, and with GDPR, they have to change the policy that existed when people signed up.
However, if we engaged in shady practices before—such as signing up people for newsletters automatically when they left a comment—we might want to be more proactive about notifying people that we’re not going to behave that way anymore.
In other words, if we are changing how we treat visitors, we’d want to bring attention to our improvements, but an email still wouldn’t be the way to go if the people we’d be emailing never consented. In that case, we might just want to highlight our new policy on our site or mention the new policy during other communications.
In WordPress, from the Dashboard, select Settings>Privacy (a new menu item added by the update).
If we choose to select an existing page, the guide linked on the Settings>Privacy page includes help with suggested text to use and tips for the different sections to include. We can copy and paste the guide into our existing page to edit from there.
- Who we are
- What personal data we collect and why we collect it
- Where we send your data
In addition, the new WordPress update adds a checkbox to the default WordPress comment form (i.e., if we’re not using a third-party comment system) to let visitors choose whether their name and email are saved in a browser cookie to make commenting easier in the future.
The new update also includes two new Tools: export or erase visitors’ personal data. These can be found from Dashboard>Tools. These tools probably only find data stored by WordPress itself (such as blog comments) and not anything collected through plugins or other features, but if our site is super-simple, that might be all we need.
Here are additional resources that address privacy policies:
- Checklist for How to Develop a Privacy Notice
- The 8 Rights of Individuals under GDPR (policies must address these rights)
- How to Comply with the GDPR
- Everything about Privacy Policies: what to include, template, samples from companies, how to implement, etc. (not GDPR-specific)
- GDPR Privacy Notice Best Practices
- Best Practice Examples for GDPR
- 6 Examples of Non-Compliant Practices
Email Flood #2: Newsletter Subscription Confirmation
I’ve seen many, many authors send emails asking readers to reconfirm their subscription. In fact, Kharma mentioned that step in tip #2 of her guest post. However, reconfirmation might not be needed—or even a good idea.
The main GDPR goal that applies to newsletters is consent. We need to be sure that all our subscribers have consented to being on our list.
The two main ways that we establish consent are to require subscribers to:
- complete a double-opt-in before being added to a list
- check a box before being added to a list
Have We Always Practiced Good Consent?
If we always had one of those two methods in place for our subscribers, we don’t need to email them to reconfirm their newsletter subscription. It doesn’t matter where our subscribers live or what country they’re citizens of, consent is consent.
If we’re looking for a way to clean out the deadwood of our subscribers and see who doesn’t open and read our emails, we might be tempted to reconfirm anyway. Non-engaged subscribers can cost us money, depending on our newsletter service.
However, given the deluge of emails our readers are probably receiving, a request to reconfirm will likely garner only a 10% or less response rate. Readers who usually pay attention to our newsletters might ignore it (or as the tweet above mentioned, our request could end up in their spam folder!) simply because of the flood. Starting down the path of asking them to reconfirm could mean a loss of 90% of our list for no reason.
Or Has Consent Been Questionable?
On the other hand, if we haven’t been using double-opt-in, clear notification, or check boxes all along, we need to dig deeper.
Technically, sending a reconfirmation email to users we don’t have definitive consent from is a violation of GDPR just as much as sending a marketing email.
“If the business really does lack the necessary consent to communicate with you, it probably lacks the consent even to email to ask you to give it that consent.”
So we might want to ask ourselves how bad we’ve been:
- Did we offer a free book with zero mention of adding them to our newsletter list?
- Did we participate in a multi-author giveaway that didn’t make it clear entries included a newsletter subscription?
- Did we *shudder* swap email addresses with other authors?
Each of those situations would lack clear consent.
What If Some of Our Subscribers Likely Lack Consent?
If we’re missing clear consent, we have to decide how to proceed:
- We could attempt to reconfirm, but that attempt might be a violation for any we don’t have consent for and redundant for any we do.
- We could simply delete subscribers within certain parameters.
- Or if we’ve kept track of which newsletter subscriber groups came from which signups, we might have more options.
For the case of certain parameters, if our newsletters have always had clear unsubscribe links, we might decide our active subscribers are “safe” enough. If they’ve opened and/or clicked on our emails, they’ve had plenty of opportunities to remove their questionable consent by unsubscribing.
If we’ve segmented or tagged our subscribers from various giveaways or sources, we might focus our attention only on those groups with questionable consent.
For example, I know which of my subscribers came through the few giveaways I participated in. If some of those giveaways weren’t clear about an entry leading to a newsletter signup, I could delete just those subscribers, send reconfirmation emails to just those subscribers, or delete just those inactive subscribers.
In my case, after every giveaway or Bookfunnel event (even with clear consent), I sent out a welcome email that ended with a no-guilt “If you signed up just for the giveaway/free book, no worries! Here’s how to unsubscribe” invitation. Depending on how old our questionable subscriptions are, we might be able to address some of the consent issue with that approach as well.
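As an added example (not from the original post), here is how that decision tree might be scripted against a subscriber export: clear-consent sources are kept, questionable sources are split by recent activity, and unknown sources are set aside for review. The source tags, the consent classification per source, the activity window and the sample subscribers are all constructed assumptions, not any newsletter service’s real data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed per-source consent classification (hypothetical tag names):
# True = clear consent (double-opt-in or checkbox), False = questionable.
SOURCE_CONSENT = {
    "website_double_optin": True,
    "bookfunnel_checkbox": True,
    "giveaway_2017_unclear": False,
    "author_swap": False,
}


@dataclass
class Subscriber:
    email: str
    source: str                 # signup source tag from our list segmentation
    last_open: Optional[date]   # most recent open or click, None if never


def triage(sub, today, active_days=180, inactive_action="delete"):
    """Return 'keep', 'reconfirm', 'delete' or 'review' for one subscriber."""
    if sub.source not in SOURCE_CONSENT:
        return "review"          # unknown provenance: check before acting
    if SOURCE_CONSENT[sub.source]:
        return "keep"            # consent was clear: no reconfirmation needed
    # Questionable consent: active readers have seen the unsubscribe link
    # in every email and chosen to stay, so treat them as "safe" enough.
    if sub.last_open is not None and (today - sub.last_open).days <= active_days:
        return "keep"
    return inactive_action       # questionable and inactive: delete or reconfirm


def triage_list(subs, today, **kw):
    """Group a whole list by the action to take."""
    plan = {"keep": [], "reconfirm": [], "delete": [], "review": []}
    for s in subs:
        plan[triage(s, today, **kw)].append(s.email)
    return plan


# Constructed sample list and "today" for illustration.
TODAY = date(2018, 5, 29)
SAMPLE = [
    Subscriber("a@example.com", "website_double_optin", None),
    Subscriber("b@example.com", "giveaway_2017_unclear", date(2018, 5, 1)),
    Subscriber("c@example.com", "giveaway_2017_unclear", date(2017, 6, 1)),
    Subscriber("d@example.com", "author_swap", None),
    Subscriber("e@example.com", "unknown_import", date(2018, 5, 20)),
]

if __name__ == "__main__":
    print(triage_list(SAMPLE, TODAY))
```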
How Worried Should We Be?
Given the slim chances that little ol’ us—who might not be in the EU and/or might not have targeted EU citizens—would get in trouble, we might decide to take the risk that these attempts to make things “right”-ish would be enough. That said, I have to make clear this is not a recommendation—just an observation. *smile*
Self-publishing guru Mark Dawson argued this case in a recent podcast. But we each have to make the decision that feels right for us.
Moving Forward with GDPR
Now that so many big companies have had to follow GDPR for their international contacts, there have been rumblings that non-EU countries might adopt similar regulations—including the U.S. Letting users control the collection and use of their personal data is a good thing, and we might see consumers push for these rights across the globe. So making the changes to accommodate the GDPR now might “future-proof” us for upcoming regulations.
For another example, before participating in a multi-author giveaway, we’d want to know how subscriber lists for entries are handled, etc. I’ve seen some that give readers an entry for each individual newsletter signed up for rather than a single entry, so there’s no “master” list shared among authors. That way, consent for each newsletter is clear.
Also, by keeping these regulations in mind, we’re thinking about how to earn our readers’ trust and increase their connection and engagement. So all this work comes with a few bonuses as well. *whew*