In some corners of the internet, authors have been talking about the new privacy law in the European Union (EU), known as GDPR (General Data Protection Regulation), and what it means for writers.
In other corners of the internet, writers haven’t heard the topic at all. (*raises hand* Yep, that was me until a week and a half ago.)
I was surprised to learn that even though I’m not in the EU and not an EU citizen, the law still affects me. Like many authors, I have a newsletter (two actually, one for my blog posts and one about my books), and it’s likely that some of my subscribers are EU citizens.
Or if we have a blog, it’s likely that our blog platform (such as WordPress) collects information from those who leave comments. Or if our website includes a contact form, our site collects information from those visitors. If any of our commenters or visitors are EU citizens, that all counts too—and the penalty for non-compliance can be 20 million euros!
So if this is all news to you, here’s your update: Any entity that collects or processes the personal data (including just an email address or IP address) of EU citizens must comply with the GDPR.
What does that mean for us? Luckily, Kharma Kelley is here with all the answers. *whew* She’s made herself an expert not only on the GDPR but also on what it means for authors.
Please welcome Kharma Kelley! *smile*
How the GDPR Affects Authors
by Kharma Kelley
A lot of authors, bloggers and marketing platforms have been discussing GDPR lately and how it could affect them. Because the regulation goes into effect on May 25th 2018, there have been tons of conversations and posts regarding what the regulation actually entails and how to ensure you’re not breaking any laws and staying compliant.
Many big businesses have been preparing and talking about this since 2016, which gave businesses two years to get up to speed. But what about us, the little guys?
Make no mistake, this affects many of us directly, so it’s important to understand which practices are red flags for compliance and, more importantly, what you can do to get ready when the GDPR launches.
A little disclaimer: I’m not a lawyer, so this is purely to inform and should not be taken as legal advice. If you want to learn more about the GDPR, please visit https://www.eugdpr.org or seek legal advice on staying compliant. I’m just doing my part in keeping my fellow authors informed.
What Is GDPR?
The General Data Protection Regulation, otherwise referred to as the GDPR, is likely the most significant ruling in the digital world of the past two decades, and it requires those who keep personal data to be transparent with everyone about it. Let’s face it, a lot has changed with the internet in the past twenty years, and it’s time the laws caught up.
The purpose of the law going into effect is to protect all the citizens in the European Union (EU), allowing them to control how their personal data will be accessed and/or used.
At any given time, an EU user can request details on:
- what personal data is being held,
- who is using it,
- how they’re using it, and
- how it’s being stored.
They can request copies of this data, and also ask to have it completely removed (a clause called “the right to be forgotten”).
Why Does This Matter to Authors?
You may be thinking, “Hey, this is an EU law, but I’m in the US. Why does this matter to me?”
Well, it matters to anyone who handles personal data for any citizen in the EU.
If any of the items below apply to you, then the GDPR definitely affects you, so it’s important to educate yourself:
(Note from Jami: Newsletter readers, click through to the post to see the graphic. The activities it lists are also repeated at the end of this post.)
As you can see, there are some activities you may be doing that have you interacting with the personal information of an EU citizen.
One of the important things to remember about the law is that it requires EU users to explicitly opt-in to receive newsletters from you as well as clearly understand what you plan to do with their info once you collect it. So, anything that makes that shady or ambiguous could mean trouble for you.
What “Red Flags” Should We Watch Out For?
It’s also critical for you to review some pitfalls that can put you at risk.
Red Flags that can jeopardize your compliance:
- Using implied consent language or pre-filled opt-in forms to communicate consent to your readers
- Participating in mailing list swaps where people exchange email addresses. (Not cool, BTW)
- Hosting giveaways that don’t require users to explicitly request contact from an author/blogger
- No privacy notice on your website that details how a user’s data is being collected and used
- Keeping reader personal data where it could be hacked or manipulated.
Any of the above make it hard to track how and when the user gave consent and can potentially violate the regulation.
7 Ways to Prepare for Compliance
#1: Leverage Your Third Party Vendors as Much as Possible
Read up on their strategy on GDPR and what they are doing to be compliant. If they are compliant, that in a sense keeps you compliant. Research and ask questions. Make sure you understand how their strategy helps you (if at all).
Some vendors may opt to protect themselves, but transfer the potential liability to you, so be sure you understand what you’re still responsible for and cover yourself.
#2: Reaffirm Your EU Subscribers’ Consent Prior to Deadline
If you have a mailing list, it may be a good idea to take the opportunity to do a campaign to your subscribers informing them of the GDPR and ask them to click to reaffirm they still want to receive emails from you.
Ask your email marketing platform if they can help you segment by region to target your EU subscribers. If that’s not possible, you can send the campaign to all your subscribers to ensure you did your diligence.
To minimize the risk of removing valuable subscribers, you’d want to send a series of emails before you take the plunge to delete unresponsive readers. I suggest sending at least 3 different emails (Intro email with opt-in, Follow-up email with opt-in to non-responders, Final email to non-responders) before purging.
#3: Avoid Practices Where You Can’t Prove How and When the User Gave Explicit Consent
Any group sweepstakes, giveaway, or newsletter builder where you can’t clearly document when the user agreed to receive communication from you puts you at risk. If someone contacts you and requests that information, you need to be prepared to disclose it.
As of this writing, MailChimp, BookFunnel and BookSweeps have announced strategies to help you get this information should the situation arise. Before jumping into any marketing or advertising endeavor, be sure this can be achieved.
#4: Remove Files with Users’ Personal Data from Your Hard Drive (Unless You Can Protect It)
We hear all the time how companies and people are hacked. It happens. But it’s one thing to have your private data stolen, but it’s a bigger issue when your users’ data is stolen because it’s sitting on your personal system.
Make it a practice not to leave email lists and spreadsheets with names, addresses and emails of your readers on your drive. Move it to the “cloud” if you must keep it, but try to eliminate potential opportunities for others’ private data to get snagged under your watch.
#5: Clearly State How the User’s Information Will Be Used on Any Collection Form
Remember, the name of the game is “explicit opt-in,” so it’s good practice to include on your submission forms how their entered data will be used by you.
Are you solely using their emails to send emails regarding updates, new releases and sales? If so, state it on the form. Make it very easy and transparent for the person to choose giving you access to their data.
#6: Post a Privacy Policy on Your Website
All websites should have a privacy policy, so if you don’t have one, I highly recommend adding it.
Yeah, I know, you see it all the time on other sites but never read it. But some people do, and it should:
- be easy to understand
- clearly state what is collected on your site
- explain who they can contact if they have problems
Several sites like freeprivacypolicy.com and seqlegal.com offer templates you can use. Prices vary from free to a nominal fee depending on how your website functions and what protection you need. As always, research and find what’s best for you.
#7: Double Opt-in Should Be Your Standard
Double opt-in will be your best friend. Why? Because this process demonstrates explicit consent.
With double opt-in, a user signs up with their email, receives a confirmation email for them to click, and then is finally added to your list. If the user never confirms the opt-in from the email, then the user is not added to your subscriber list. The confirmation email serves as an “explicit opt-in” to receive newsletters from you.
Every email marketing platform is different, but MailChimp and MailerLite both have this option. Honestly, these days any platform worth their salt should have this option, so check with the one you use and see how to enable it for your lists.
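As an added example (not from Kharma’s post or from any vendor’s code), here is a minimal double opt-in flow that also keeps the consent record #3 asks for: nothing enters the list until the confirmation link is clicked, expired or reused links are refused, and the how/when/why of consent is stored so an access or deletion request can be answered. The form names, purposes and addresses are constructed.

```python
"""Minimal double opt-in flow with a consent record (constructed example)."""
import secrets
import time

CONFIRM_TTL_SECONDS = 48 * 3600  # how long a confirmation link stays valid


class NewsletterList:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock so the flow can be tested
        self.pending = {}         # token -> signup request awaiting confirmation
        self.subscribers = {}     # email -> consent record (who, when, how, why)

    def request_signup(self, email, source_form, purpose):
        """Step 1: the reader submits the form. Nothing is added to the list yet;
        a single-use random token is issued for the confirmation email."""
        token = secrets.token_urlsafe(24)
        self.pending[token] = {
            "email": email.strip().lower(),
            "requested_at": self.now(),
            "source_form": source_form,   # e.g. "blog sidebar signup"
            "purpose": purpose,           # what the form told the reader the data is for
        }
        return token

    def confirm(self, token):
        """Step 2: the reader clicks the link. Only now is consent explicit, and the
        record of how and when it was given is kept with the subscription."""
        request = self.pending.pop(token, None)   # pop makes the token single-use
        if request is None:
            return False                          # unknown or already-used token
        if self.now() - request["requested_at"] > CONFIRM_TTL_SECONDS:
            return False                          # stale link: require a fresh signup
        request["confirmed_at"] = self.now()
        self.subscribers[request["email"]] = request
        return True

    def is_subscribed(self, email):
        return email.strip().lower() in self.subscribers

    def access_request(self, email):
        """Subject access request: everything held about this address, or None."""
        return self.subscribers.get(email.strip().lower())

    def forget(self, email):
        """Right to be forgotten: delete the record and any unconfirmed requests."""
        addr = email.strip().lower()
        stale = [t for t, r in self.pending.items() if r["email"] == addr]
        for t in stale:
            del self.pending[t]
        return self.subscribers.pop(addr, None) is not None
```

The unconfirmed `pending` entries also hold personal data, so a real deployment would purge them once `CONFIRM_TTL_SECONDS` has passed rather than keeping them indefinitely.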
Consent and Transparency Are Good for All
This is a good thing. Seriously!
I know this could seem overwhelming, but this is a good move towards data privacy for citizens, and it’s long overdue.
There’s still plenty of time to get ready prior to May 25th, and when the penalty for violations could rack up to 20 million euros, every effort taken to stay out of the GDPR crosshairs is responsible time well spent.
There are some who believe that getting slapped with an insane punitive fine like that won’t happen to us little guys, but those people probably aren’t familiar with Sony BMG vs. Tenenbaum. 🙂
No one thinks it could happen to them—until it does, so don’t be an example. Hopefully these insights will help keep you confident and ready when May 25th rolls around.
A Paranormal Romance and Urban Fantasy author, Kharma Kelley has always been enamored with all things that go “bump in the night”. She truly believes that finding humanity and beauty in some of the most seemingly unconventional places is part of the romantic psyche to her.
Her work has been featured on Cosmopolitan.com and has won several peer awards with her action-packed, steamy prose. A big fan of the Big Easy, Kharma tends to weave her proud Cajun heritage and values into her books. She enjoys reading other urban fantasy and romance novels and playing Minecraft in her spare time.
About Tall, Dark & Deadly:
Half-vampire. Half-human. 100% Badass.
Now, let’s see if her new boss loves jailbirds.
Chloe Hunter can’t seem to stay out of trouble. Incarcerated by The Bureau after running amok for a century with a gang of vampires, grifting and terrorizing humanity, she’s ready to make up for her dark past. Luckily, when The Bureau would rather see her at the end of a wooden stake, in comes her new straight-laced boss, Ethan Raines who’s got other plans for the enthralling ex-con.
An enigmatic vampire who finds Chloe’s hybrid blood and sexy street prowess too irresistible to pass up, Ethan requests The Bureau to release her into his custody to protect the streets of New Orleans. Now, her debt to society is to punish other supernaturals who break the law and bring them to justice.
When Chloe’s old gang involves her in a plot to unlock a mysterious box of woe, she’s forced to make some hard choices that threaten to betray the trust of the man who’s given her a second chance at life and love. Ethan may have his work cut out for him in Tall, Dark & Deadly, the first steamy blockbuster in the Agents of The Bureau series!
Thank you so much, Kharma! I didn’t have a clue about the GDPR until I watched your webinar, and I’m so grateful to you for breaking this down for us.
Kharma’s also been awesome enough to grant everyone permission to view her in-depth hour-long presentation about the GDPR for free. If you’d like more information about the GDPR and how/why it affects authors, check it out! (Her presentation starts at about the 5 minute mark.)
Activities (from the graphic in the post) that involve the personal data of EU citizens:
- Newsletter signups
- Contact forms
- Blog comments
- ARC and/or street team signup lists
- eCommerce (selling products or services)
- Advertising (Facebook Pixel, Google AdSense/AdWords, etc.)
- Target audience marketing information
Resources:
- Checklist for How to Develop a Privacy Notice
- The 8 Rights of Individuals under GDPR (policies must address these rights)
- How to Comply with the GDPR
- Everything about Privacy Policies: what to include, template, samples from companies, how to implement, etc. (not GDPR-specific)
- GDPR Privacy Notice Best Practices
- Best Practice Examples for GDPR
- 6 Examples of Non-Compliant Practices
- Podcast with Business Law Expert about GDPR
Yes, it can definitely be overwhelming, but once we’ve thought about what we collect through our various activities, we can just copy/paste from the appropriate examples and tweak. With Kharma’s help and the resources in this post, hopefully the process won’t be too painful. *smile*
Had you heard of the GDPR before? Have you gotten ready for it yet? Have you identified some ways you’re affected? Or do you already practice some behaviors (like double opt-in) that will make the process easier? Do you have any questions for Kharma?