
May 29, 2018

Drowning in GDPR and Privacy Policy Notices? Should We Send Email Too?

Sign in a park with text: Welcome! We've Updated Our Privacy Policy

I spent way too much time this past holiday weekend cleaning up tons of emails asking me to “verify your email subscription” or notifying me of an updated privacy policy. I know I’m not the only one. *smile*

We can all thank the European Union’s (EU) new GDPR rules, which went into effect last Friday (May 25, 2018), for the deluge. Although privacy policies and being transparent and respectful with others’ data are good things, the deadline caused last-minute panic in all corners of the internet.

On Twitter, jokes flew about how we’re all drowning in these notices.

Some inboxes got so bad that their email systems shunted everything that mentioned privacy policy or GDPR to spam folders. (Yes, really.)

Given the potential fines for non-compliance (up to 20 million euros or 4% of worldwide annual turnover, whichever is higher), the panic is understandable. However, the flood can also make us wonder whether we need to send out emails about our privacy policy or subscription confirmation as well.

The Goal of the GDPR Regulations

Before we panic and add to the deluge, we should take a step back and remember what the GDPR is meant to accomplish.

The purpose of the GDPR is to provide a set of standardized data protection laws across the EU. The laws address how the personal data of people in the EU (whatever their citizenship) is treated by online entities, including those based elsewhere that offer them goods or services or track their behavior. The key requirements are:

  • clear consent before collecting or saving personal information
  • transparency about how the data will be used
  • the individual’s control over their own personal information (such as the right to update or delete it)

In other words, sites that have always focused on consent (double opt-in for email subscriptions) and on using data in ways users would expect (leaving a comment doesn’t automatically subscribe visitors to email, etc.) shouldn’t have to change or update much.

On the other hand, if we’ve made a habit of shady practices, we need to worry more. Yet many of those emails we’ve been seeing might not be the right answer either.

Does the GDPR Apply to Us?

As I mentioned in the introduction to Kharma Kelley’s guest post, I was surprised to learn that even though I’m not in the EU and not an EU citizen, the law still affects me. The law covers EU citizens no matter where they are in the world.

So it’s likely that many of us are affected:

  • If we have a newsletter, some subscribers might be EU citizens.
  • If we have a blog, our blog platform (such as WordPress) might collect information from those who leave comments, some of whom might be EU citizens.
  • If our website includes a contact form, our site collects information from those visitors, and again, some of them might be EU citizens.

Other common ways we might collect personal data from EU citizens are targeted advertising (including the Facebook Pixel and Google AdWords), running a store, offering giveaways or ARCs, and plugins/cookies (such as Google Analytics or Facebook buttons).

Do We Need to Send GDPR Emails Too?

In her guest post a few weeks ago, Kharma Kelley addressed what red flags to watch out for and shared 7 tips for how to become GDPR compliant, so I won’t repeat that information here. But I want to touch on the two types of emails we’ve been flooded with and whether we should join the crowd.

Email Flood #1: Privacy Policies

Yes, every blog and website should have a privacy policy, as they increase trust with readers (and many Google services expect us to have them). So whether the GDPR applies to us or not, we can consider the new rules an incentive to finally put ours together. *smile*

That said, unless we’re massively changing our behavior from before the GDPR went into effect, we probably don’t need to send an email to everyone pointing to our privacy policy.

The big companies sending out those update emails likely have more complicated websites, where they handle money transactions directly and visitors set up accounts with terms and conditions. They also probably had privacy policies in place before, and with GDPR, they have to change the policy that existed when people signed up.

Most authors’ sites are far simpler, so a new privacy policy likely won’t say anything surprising that visitors need a heads-up about. Our visitors were using our site without issue before, so a privacy policy is more a way to reassure them.

However, if we engaged in shady practices before—such as signing up people for newsletters automatically when they left a comment—we might want to be more proactive about notifying people that we’re not going to behave that way anymore.

In other words, if we are changing how we treat visitors, we’d want to bring attention to our improvements, but an email still wouldn’t be the way to go if the people we’d be emailing never consented. In that case, we might just want to highlight our new policy on our site or mention the new policy during other communications.

On WordPress? Here’s GDPR Privacy Policy Help

If we’re on WordPress, the latest update (version 4.9.6) comes bundled with a privacy policy guide and page template, so be sure to update the WP software before starting this process.

From the Dashboard, select Settings>Privacy (a new menu item).

Privacy Menu under Settings>Privacy

From there, select an existing page to flag as the privacy page or create a new page to display a privacy policy.

Select current page or new page for privacy policy

If we choose to select an existing page, the guide linked on the Settings>Privacy page includes help with suggested text to use and tips for the different sections to include. We can copy and paste the guide into our existing page to edit from there.

If we choose to create a new page, WordPress will automatically generate a privacy policy template on that new page. However, the automatic generation works only once, so we’ll have to keep our privacy policy updated if our site changes its approach in the future.

The auto-generated page includes help and suggestions for our privacy policy. Some of the sections included are:

  • Who we are
  • What personal data we collect and why we collect it
  • Where we send your data

In addition, the new WordPress update adds a checkbox to the default WordPress comment form (i.e., if we’re not using a third-party comment system) to let visitors choose whether their name, email, and website are saved in a browser cookie to make commenting easier in the future.

The new update also includes two new Tools: Export Personal Data and Erase Personal Data, found under Dashboard>Tools. Out of the box, these only cover data WordPress core itself stores (comments, user profiles, and uploaded media); anything held by a contact-form plugin, a store, or another third-party plugin is included only if that plugin registers its own exporter and eraser with WordPress. If our site is super-simple, the built-in coverage might be all we need, but it’s worth checking each plugin’s documentation to see whether it hooks into these tools.
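As an added example of what “hooks into these tools” means (this is illustrative code, not WordPress core and not anything from the original post), here is how a plugin would make its own data visible to the Export and Erase screens. It assumes a hypothetical plugin that stores contact-form submissions in its own table `wp_contact_submissions` with columns `id`, `name`, `email`, `message`, and `submitted_at`; the table, the column names, and the `cf_` function names are all assumptions for the example.

```php
<?php
/**
 * Added example (not WordPress core code and not from the original post):
 * register a personal data exporter and eraser for a hypothetical plugin
 * that stores contact-form submissions in its own table. Without this,
 * Tools > Export/Erase Personal Data only see what core knows about
 * (comments, user profiles, uploaded media) and silently miss plugin data.
 *
 * Assumed (hypothetical) table: {$wpdb->prefix}contact_submissions
 * with columns id, name, email, message, submitted_at.
 */

add_filter( 'wp_privacy_personal_data_exporters', 'cf_register_exporter' );
add_filter( 'wp_privacy_personal_data_erasers', 'cf_register_eraser' );

function cf_register_exporter( $exporters ) {
    $exporters['contact-form-submissions'] = array(
        'exporter_friendly_name' => 'Contact Form Submissions',
        'callback'               => 'cf_export_personal_data',
    );
    return $exporters;
}

function cf_register_eraser( $erasers ) {
    $erasers['contact-form-submissions'] = array(
        'eraser_friendly_name' => 'Contact Form Submissions',
        'callback'             => 'cf_erase_personal_data',
    );
    return $erasers;
}

// Core calls this with $page = 1, 2, ... until the callback reports 'done'.
function cf_export_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $offset   = ( $page - 1 ) * $per_page;
    $table    = $wpdb->prefix . 'contact_submissions';

    // The address comes from the admin request form: always go through prepare().
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name, email, message, submitted_at FROM {$table} WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, $per_page, $offset
    ) );

    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'contact-form-submissions',
            'group_label' => 'Contact Form Submissions',
            'item_id'     => 'contact-form-submission-' . $row->id,
            'data'        => array(
                array( 'name' => 'Name',      'value' => $row->name ),
                array( 'name' => 'Email',     'value' => $row->email ),
                array( 'name' => 'Message',   'value' => $row->message ),
                array( 'name' => 'Submitted', 'value' => $row->submitted_at ),
            ),
        );
    }

    return array(
        'data' => $items,
        'done' => count( $rows ) < $per_page, // more pages remain if we filled this one
    );
}

function cf_erase_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'contact_submissions';

    // Delete every submission tied to the address; $wpdb->delete() escapes the value.
    $deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );

    return array(
        'items_removed'  => (bool) $deleted,
        'items_retained' => false, // set true, with a message, if some records must be kept for legal reasons
        'messages'       => array(),
        'done'           => true,
    );
}
```

Once a plugin does this, a request entered under Tools>Export Personal Data produces a ZIP that includes a “Contact Form Submissions” section alongside the core comment data, and an erase request removes those rows. If a plugin we rely on doesn’t register anything like this, its data is invisible to the built-in tools and we have to handle it by hand.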

What Else Do We Need to Address in a Privacy Policy?

The auto-generated privacy policy page is a great start, but we’ll probably have to add more information. Although it includes details on the data collected by WordPress for comments, media, cookies, and embedded content, we have to add specifics for anything our theme, contact/subscription forms, plugins, or third-party services may collect.

Part of coming up with a privacy policy is taking the time to go through our site and noting the features and functions we use. Note the fields we use in features (such as contact forms) and whether they’re required or optional, dig into plugins (especially ones that are cloud-based or connect to external services), etc.

For example, we might assume that our site doesn’t use cookies, but chances are that some aspects of our site do. From our browser, we should be able to see what cookies our site sets. (In Chrome, the “i” in a circle to the left of our site’s URL gives information about cookies; the full list, including third-party cookies set by embedded scripts such as analytics or social buttons, is under Application>Cookies in the developer tools.)

Regardless of how we’ve created our privacy policy, we also need to link to it from our main menu. If our theme uses a footer menu or columns, we might want to include a link there as well.

Additional Privacy Policy Resources

Here are additional resources that address privacy policies:

Email Flood #2: Newsletter Subscription Confirmation

I’ve seen many, many authors send emails asking readers to reconfirm their subscription. In fact, Kharma mentioned that step in tip #2 of her guest post. However, reconfirmation might not be needed—or even a good idea.

The main GDPR goal that applies to newsletters is consent. We need to be sure that all our subscribers have consented to being on our list.

The two main ways that we establish consent are to require subscribers to:

  1. complete a double-opt-in before being added to a list
  2. check a box before being added to a list

Have We Always Practiced Good Consent?

If we always had one of those two methods in place for our subscribers, we don’t need to email them to reconfirm their newsletter subscription. It doesn’t matter where our subscribers live or what country they’re citizens of: consent is consent.

If we’re looking for a way to clean out the deadwood of our subscribers and see who doesn’t open and read our emails, we might be tempted to reconfirm anyway. Non-engaged subscribers can cost us money, depending on our newsletter service.

However, given the deluge of emails our readers are probably receiving, a request to reconfirm might garner a response rate of only 10% or less. Readers who usually pay attention to our newsletters might ignore it (or, as mentioned above, our request could end up in their spam folder!) simply because of the flood. Starting down the path of asking them to reconfirm could mean losing 90% of our list for no reason.

Or Has Consent Been Questionable?

On the other hand, if we haven’t been using double opt-in, clear notification, or checkboxes all along, we need to dig deeper.

Technically, sending a reconfirmation email to users we don’t have definitive consent from can be just as much a violation as sending them a marketing email.

As Toni Vitale, the head of regulation, data and information at a UK law firm, pointed out in The Guardian:

“If the business really does lack the necessary consent to communicate with you, it probably lacks the consent even to email to ask you to give it that consent.”

So we might want to ask ourselves how bad we’ve been:

  • Did we offer a free book with zero mention of adding them to our newsletter list?
  • Did we participate in a multi-author giveaway that didn’t make it clear entries included a newsletter subscription?
  • Did we *shudder* swap email addresses with other authors?

Each of those situations would lack clear consent.

What If Some of Our Subscribers Likely Lack Consent?

If we’re missing clear consent, we have to decide how to proceed:

  • We could attempt to reconfirm, but that attempt might be a violation for any we don’t have consent for and redundant for any we do.
  • We could simply delete subscribers within certain parameters.
  • Or if we’ve kept track of which newsletter subscriber groups came from which signups, we might have more options.

For the case of certain parameters, if our newsletters have always had clear unsubscribe links, we might decide our active subscribers are “safe” enough. If they’ve opened and/or clicked on our emails, they’ve had plenty of opportunities to withdraw their questionable consent by unsubscribing.

If we’ve segmented or tagged our subscribers from various giveaways or sources, we might focus our attention only on those groups with questionable consent.

For example, I know which of my subscribers came through the few giveaways I participated in. If some of those giveaways weren’t clear about an entry leading to a newsletter signup, I could delete just those subscribers, send reconfirmation emails to just those subscribers, or delete just the inactive subscribers among them.

In my case, after every giveaway or Bookfunnel event (even with clear consent), I sent out a welcome email that ended with a no-guilt “If you signed up just for the giveaway/free book, no worries! Here’s how to unsubscribe” invitation. Depending on how old our questionable subscriptions are, we might be able to address some of the consent issue with that approach as well.

How Worried Should We Be?

Given the chances that little ol’ us—who might not be in the EU and/or targeted EU citizens—would get in trouble, we might decide to take the risk that these attempts to make things “right”-ish would be enough. That said, I have to make clear this is not a recommendation—just an observation. *smile*

Self-publishing guru Mark Dawson argued this case in a recent podcast. But we each have to make the decision that feels right for us.

Moving Forward with GDPR

Now that so many big companies have had to follow GDPR for their international contacts, there have been rumblings that non-EU countries might adopt similar regulations—including the U.S. Letting users control the collection and use of their personal data is a good thing, and we might see consumers push for these rights across the globe. So making the changes to accommodate the GDPR now might “future-proof” us for upcoming regulations.

As I mentioned above, there’s no reason we shouldn’t define our privacy policy. And no matter how much we decide to worry about the consent status of our current subscribers, we’re going to want to make sure consent is more clear for our newsletter subscribers in the future.

So we should pay attention to the various options for updating our newsletter signup form. Some rely on a checkbox for active consent, and some include language about the nature of the newsletters and a link to a privacy policy for informed consent. Either way, double opt-in is safest and should be used together with either (or both) of those approaches.

For another example, before participating in a multi-author giveaway, we’d want to know how subscriber lists for entries are handled, etc. I’ve seen some that give readers an entry for each individual newsletter signed up for rather than a single entry, so there’s no “master” list shared among authors. That way, consent for each newsletter is clear.

Also, by keeping these regulations in mind, we’re thinking about how to earn our readers’ trust and increase their connection and engagement. So all this work comes with a few bonuses as well. *whew*

Have you come up with a privacy policy yet? Or do you still have reservations or questions? Have you made any newsletter subscription changes for GDPR yet? If so, what have you done? How did you decide on that approach? If you haven’t, are you planning on making changes, or have you decided to risk it?

Comments
Nan Sampson

Brilliant and sensible! Thanks for always being the voice of reason, Jami!

Christina Delay

Thanks for this, Jami!

Elizabeth Randolph

Good advice. I just went to randolphweb.wordpress.com. In settings, I clicked on privacy. All I have is public, hidden, private. This is a free plan, so perhaps all this is lacking.

Iola

I posted on this today as well, and I’m relieved to see you’ve come to the same conclusion I did.

Danielle

Hey Jami,

Thanks for your guidance! I also found a pretty amazing article from MailerLite about the most frequently asked GDPR questions related to e-mail marketing. 99 questions… maybe readers will find it useful as well:
https://www.mailerlite.com/blog/99-gdpr-questions-people-are-asking-about-email-marketing

Stephanie

Thanks (again, Jesus you’re helpful!) for this. I’d read Mark Dawson’s take on it, and was super relieved. That being said, a LOT of authors I’ve talked to sent out the, “do you still wanna be here” email and lost a ton of subscribers. I don’t have a newsletter yet, but for example, r.e. subscribers who don’t open: I have a ton of emails I haven’t read yet. Like this morning, I’ve gone back and read yours that I hadn’t gotten to yet. So I cringed at the thought of these emails and people getting deleted…but I also didn’t know newsletter pricing varied by # of subscribers. P.S., bc I’m lazy: I’ve wondered how the hell you find time for everything–I’m glad you’re changing it up in order to take care of yourself! P.P.S. I mentioned you in a group, thinking I’d share the resource that is Jami Gold–only to learn that EVERYONE knows about you! xoxo, Steph
