May 3, 2018

The New EU Law: What All Authors Need to Know — Guest: Kharma Kelley

Security camera along a wall with text: Are You Ready for the New Privacy Law?

In some corners of the internet, authors have been talking about the new privacy law in the European Union (EU), known as GDPR (General Data Protection Regulation), and what it means for writers.

In other corners of the internet, writers haven’t heard the topic at all. (*raises hand* Yep, that was me until a week and a half ago.)

I was surprised to learn that even though I’m not in the EU and not an EU citizen, the law still affects me. Like many authors, I have a newsletter (two actually, one for my blog posts and one about my books), and it’s likely that some of my subscribers are EU citizens.

Or if we have a blog, it’s likely that our blog platform (such as WordPress) collects information from those who leave comments. Or if our website includes a contact form, our site collects information from those visitors. If any of our commenters or visitors are EU citizens, that all counts too—and the penalty for non-compliance can be 20 million euros!

So if this is all news to you, here’s your update: Any entity that collects or processes the personal data (including just an email address or IP address) of EU citizens must comply with the GDPR.

What does that mean for us? Luckily, Kharma Kelley is here with all the answers. *whew* She’s made herself an expert not only on the GDPR but also on what it means for authors.

Please welcome Kharma Kelley! *smile*


How the GDPR Affects Authors

by Kharma Kelley

A lot of authors, bloggers and marketing platforms have been discussing GDPR lately and how it could affect them. Because the regulation goes into effect on May 25th 2018, there have been tons of conversations and posts regarding what the regulation actually entails and how to ensure you’re not breaking any laws and staying compliant.

Many big businesses have been preparing and talking about this since 2016, which gave businesses two years to get up to speed. But what about us, the little guys?

Make no mistake, this affects many of us directly, so it’s important to know which practices are red flags for compliance and, more importantly, what you can do to get ready before GDPR launches.

A little disclaimer: I’m not a lawyer, so this is purely to inform and should not be taken as legal advice. If you want to learn more about GDPR, please visit,, or seek legal advice on staying compliant. I’m just doing my part in keeping my fellow authors informed.

What Is GDPR?

The General Data Protection Regulation, otherwise referred to as GDPR, is likely the most significant ruling in the digital world of the past two decades, and it requires data keepers to be transparent with everyone. Let’s face it, a lot has changed with the internet in the past twenty years, and it’s time that the laws caught up to it.

The purpose of the law going into effect is to protect all the citizens in the European Union (EU), allowing them to control how their personal data will be accessed and/or used.

At any given time, an EU user can request details on:

  • what personal data is being held,
  • who is using it,
  • how they’re using it, and
  • how it’s being stored.

They can request copies of this data, and also ask to have it completely removed (a clause called “the right to be forgotten”).

Why Does This Matter to Authors?

You may be thinking, “Hey, this is an EU law, but I’m in the US. Why does this matter to me?”

Well, it matters to anyone who handles personal data for any citizen in the EU.

If any of the items below apply to you, then the GDPR definitely affects you, so it’s important to educate yourself:

How does GDPR affect authors--newsletter, targeted advertising, eCommerce, GoogleDocs, etc.

(Note from Jami: Newsletter readers, click through to the post to see the graphic.)

As you can see, some activities you may already be doing have you interacting with the personal information of EU citizens.

One of the important things to remember about the law is that it requires EU users to explicitly opt-in to receive newsletters from you as well as clearly understand what you plan to do with their info once you collect it. So, anything that makes that shady or ambiguous could mean trouble for you.

What “Red Flags” Should We Watch Out For?

It’s also critical for you to review some pitfalls that can put you at risk.

Red Flags that can jeopardize your compliance:

  • Using implied text or pre-filled opt-in forms to communicate consent to your readers
  • Participating in mailing list swaps where people exchange email addresses. (Not cool, BTW)
  • Hosting giveaways that don’t have users explicitly request receiving contact from an author/blogger
  • No privacy notice on your website that details how a user’s data is being collected and used
  • Keeping reader personal data where it could be hacked or manipulated.

Any of the above make it hard to track how and when the user gave consent and can potentially violate the regulation.

7 Ways to Prepare for Compliance

#1: Leverage Your Third Party Vendors as Much as Possible

Read up on their GDPR strategy and what they are doing to be compliant. If they are compliant, that in a sense keeps you compliant. Research and ask questions. Make sure you understand how their strategy helps you (if at all).

Some vendors may opt to protect themselves, but transfer the potential liability to you, so be sure you understand what you’re still responsible for and cover yourself.

#2: Reaffirm Your EU Subscribers’ Consent Prior to Deadline

If you have a mailing list, it may be a good idea to take the opportunity to do a campaign to your subscribers informing them of the GDPR and ask them to click to reaffirm they still want to receive emails from you.

Ask your email marketing platform if they can help you segment by region to target your EU subscribers. If that’s not possible, you can send the campaign to all your subscribers to ensure you did your due diligence.

To minimize the risk of removing valuable subscribers, you’d want to send a series of emails before you take the plunge and delete unresponsive readers. I suggest sending at least 3 different emails (an intro email with opt-in, a follow-up email with opt-in to non-responders, and a final email to non-responders) before purging.

Example of Opt-in Confirmation

#3: Avoid Practices Where You Can’t Prove How and When User Gave Explicit Consent

Any group sweepstakes, giveaway, or newsletter builder where you can’t clearly document when the user agreed to receive communication from you puts you at risk. If someone contacts you and requests that information, you need to be prepared to disclose it.

As of this writing, MailChimp, BookFunnel and BookSweeps have announced strategies to help you get this information should the situation arise. Before jumping into any marketing or advertising endeavor, be sure this can be achieved.

#4: Remove Files with Users’ Personal Data from Your Hard Drive (Unless You Can Protect It)

We hear all the time how companies and people are hacked. It happens. It’s one thing to have your own private data stolen, but it’s a bigger issue when your users’ data is stolen because it was sitting on your personal system.

Make it a practice not to leave email lists and spreadsheets with names, addresses and emails of your readers on your drive. Move it to the “cloud” if you must keep it, but try to eliminate potential opportunities for others’ private data to get snagged under your watch.

#5: Clearly State How the User’s Information Will Be Used on Any Collection Form

Remember, the name of the game is “explicit opt-in,” so it’s good practice to include on your submission forms how their entered data will be used by you.

Are you solely using their emails to send emails regarding updates, new releases and sales? If so, state it on the form. Make it very easy and transparent for the person to choose giving you access to their data.

#6: Include a Privacy Policy on Your Website Disclosing What and How Information Is Collected and/or Used

All websites should have this, so if you don’t, I highly recommend it.

Yeah, I know, you see it all the time on other sites but never read it. But some people do, and it should:

  • be easy to understand
  • clearly state what is collected on your site
  • explain who they can contact if they have problems

Several sites like and offer some templates you can use. Prices can vary from free to a nominal fee depending on how your website functions and what protection you need. As always, research and find what’s best for you.

#7: Double Opt-in Should Be Your Standard

Double opt-in will be your best friend. Why? Because the process itself demonstrates explicit consent.

With double opt-in, a user signs up with their email, receives a confirmation email with a link to click, and only then is added to your list. If the user never confirms the opt-in from the email, the user is not added to your subscriber list. The confirmation email serves as an “explicit opt-in” to receive newsletters from you.

Every email marketing platform is different, but MailChimp and MailerLite both have this option. Honestly, these days any platform worth their salt should have this option, so check with the one you use and see how to enable it for your lists.
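As an added illustration (not code from this post or from any mailing platform), here is a minimal double opt-in flow in Python that also keeps the consent record #3 asks for: the signup form only creates a pending entry, the confirmation link carries an HMAC token so it cannot be altered or forged, and only a valid click within the link’s lifetime moves the address onto the list with a timestamp. The secret key, the 48-hour link lifetime and the sample address are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed values: a per-site secret and a 48-hour lifetime for confirmation links.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 48 * 3600


@dataclass
class Subscriber:
    email: str
    signup_ts: int                      # when the form was submitted
    signup_source: str                  # which form/page, so the consent trail is traceable
    confirmed_ts: Optional[int] = None  # set only when the confirmation link is clicked


class MailingList:
    def __init__(self) -> None:
        self.pending: Dict[str, Subscriber] = {}    # form submitted, not yet confirmed
        self.confirmed: Dict[str, Subscriber] = {}  # explicit consent on record

    def _token(self, email: str, ts: int) -> str:
        # HMAC over email and timestamp: the link cannot be altered without the server key.
        return hmac.new(SECRET_KEY, f"{email}|{ts}".encode(), hashlib.sha256).hexdigest()

    def signup(self, email: str, source: str, now: Optional[int] = None) -> dict:
        """Step 1: the form creates a pending record and returns the link parameters."""
        ts = int(time.time()) if now is None else int(now)
        self.pending[email] = Subscriber(email, ts, source)
        return {"email": email, "ts": ts, "token": self._token(email, ts)}

    def confirm(self, email: str, ts: int, token: str, now: Optional[int] = None) -> bool:
        """Step 2: only a valid, unexpired click moves the address onto the list."""
        now = int(time.time()) if now is None else int(now)
        sub = self.pending.get(email)
        if sub is None or sub.signup_ts != ts:
            return False  # no matching pending signup (or link already used)
        if not hmac.compare_digest(token, self._token(email, ts)):
            return False  # tampered or guessed link
        if now - ts > TOKEN_TTL_SECONDS:
            return False  # stale link: the reader must sign up again
        sub.confirmed_ts = now
        self.confirmed[email] = self.pending.pop(email)
        return True

    def consent_record(self, email: str) -> Optional[dict]:
        """What to show a reader who asks how and when they consented."""
        sub = self.confirmed.get(email)
        if sub is None:
            return None
        return {"email": sub.email, "source": sub.signup_source,
                "signup_ts": sub.signup_ts, "confirmed_ts": sub.confirmed_ts}
```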

Consent and Transparency Are Good for All

This is a good thing. Seriously!

I know this could seem overwhelming, but this is a good move towards data privacy for citizens, and it’s long overdue.

There’s still plenty of time to get ready prior to May 25th, and when the penalty for violations could rack up to 20 million euros, every effort taken to stay out of the GDPR crosshairs is responsible time well spent.

There are some who believe that getting slapped with an insane punitive fine like that won’t happen to us little guys, but those people probably aren’t familiar with Sony BMG vs. Tenenbaum. 🙂

No one thinks it could happen to them—until it does, so don’t be an example. Hopefully these insights will help keep you confident and ready when May 25th rolls around.


A Paranormal Romance and Urban Fantasy author, Kharma Kelley has always been enamored with all things that go “bump in the night”. She truly believes that finding humanity and beauty in some of the most seemingly unconventional places is part of the romantic psyche to her.

Her work has been featured on and has won several peer awards with her action-packed, steamy prose. A big fan of the Big Easy, Kharma tends to weave her proud Cajun heritage and values into her books. She enjoys reading other urban fantasy and romance novels and playing Minecraft in her spare time.

Website | Facebook | Twitter @kharmakelley | Instagram | Goodreads


About Tall, Dark & Deadly:

Half-vampire. half-human. 100% Badass.
Now, let’s see if her new boss loves jailbirds.

Tall, Dark and Deadly cover

Chloe Hunter can’t seem to stay out of trouble. Incarcerated by The Bureau after running amok for a century with a gang of vampires, grifting and terrorizing humanity, she’s ready to make up for her dark past. Luckily, when The Bureau would rather see her at the end of a wooden stake, in comes her new straight-laced boss, Ethan Raines who’s got other plans for the enthralling ex-con.

An enigmatic vampire who finds Chloe’s hybrid blood and sexy street prowess too irresistible to pass up, Ethan requests The Bureau to release her into his custody to protect the streets of New Orleans. Now, her debt to society is to punish other supernaturals who break the law and bring them to justice.

When Chloe’s old gang involves her in a plot to unlock a mysterious box of woe, she’s forced to make some hard choices that threaten to betray the trust of the man who’s given her a second chance at life and love. Ethan may have his work cut out for him in Tall, Dark & Deadly, the first steamy blockbuster in the Agents of The Bureau series!

Amazon | iBooks | B&N | Kobo


Thank you so much, Kharma! I didn’t have a clue about the GDPR until I watched your webinar, and I’m so grateful to you for breaking this down for us.

Kharma’s also been awesome enough to grant everyone permission to view her in-depth hour-long presentation about the GDPR for free. If you’d like more information about the GDPR and how/why it affects authors, check it out! (Her presentation starts at about the 5 minute mark.)

I’ve always used double opt-in for my newsletter and I’m not together enough for targeted advertising, so the big changes for me have been creating that privacy policy and modifying my forms. Unlike standard legalese-type policies, GDPR-compliant policies are supposed to be in plain English.

You can check out what Kharma created for her policy here, and here’s a link to my policy. In creating my policy, I was surprised by how much data our author-activities might collect from visitors.

  • Newsletter signups
  • Contact forms
  • Blog comments
  • ARC and/or street team signup lists
  • eCommerce (selling products or services)
  • Plugins that use cookies (many!), such as Google Analytics
  • Advertising (Facebook Pixel, Google AdSense/AdWords, etc.)
  • Target audience marketing information

Honestly, every blog and website should have a privacy policy, so I’m glad this finally got me to put mine together. The need for explicit consent appeals to me both as a romance author who focuses on consent in my stories and as someone who’s been signed up for author newsletters without my consent before. As Kharma said, this process can be good for us. *grin*

Here are a few more resources I found to help us put that privacy policy together and to learn more about the GDPR law:

Yes, it can definitely be overwhelming, but once we’ve thought about what we collect through our various activities, we can just copy/paste from the appropriate examples and tweak. With Kharma’s help and the resources in this post, hopefully the process won’t be too painful. *smile*

Had you heard of the GDPR before? Have you gotten ready for it yet? Have you identified some ways you’re affected? Or do you already practice some behaviors (like double opt-in) that will make the process easier? Do you have any questions for Kharma?


Comments — What do you think?

Bran Ayres

Perfect timing for this post!!! I planned to revisit my newsletter and blog today to make certain I’m compliant but I wasn’t sure where to start. So thank you very much for this!

Sieran Lane

Bran, just reconfirmed my subscription to your newsletters. And thank you for Pearl! 😀

Julie Glover

Thank you. Just thank you.

Leticia Toraci

One question, if you aren’t yet using mailchimp or another newsletter service but only the usual email follow by wordpress, do you have to do anything?

Kharma Kelley

Hi Leticia – I think it would depend on whether your site is collecting personal data like IP address, email address, full name, etc., in order to power that follow feature on WP. Unfortunately, I’m not that familiar with that particular functionality, and a solid article from WP about GDPR has been difficult to find. This is not by WP, but it is one of the better articles here. Also, I heard that there was a GDPR plugin for WP; you may want to check it out here. It won’t make you 100% compliant, but it may be helpful!


Leticia Toraci

I use free and would need to pay for a plan for using plugins.

Deborah Makarios

So is this suggesting that the EU has jurisdiction over people who are not in the EU and not citizens of the EU? That’s a disturbing precedent, if so. Because essentially, they are passing laws which they demand the entire world be subject to. Didn’t y’all fight a war over jurisdiction without representation?

Kharma Kelley

The law is specifically to protect all EU citizens. However, any business that markets to and/or collects data from EU citizens is subject to penalties for violations. The reason why it feels so far reaching is that most businesses are global. Most of us have at least one or two subscribers from the EU, and because we serve them and they are protected under GDPR, the long arm of the law touches us too when we are considered the business.

Roland Clarke

I fear that I may just delete my website as I sense there are some stumbling blocks that I’m going to struggle with. I just wish WordPress was advising its users rather than just taking my money. Writing is my priority. Thanks for the post though.

(I’m a UK citizen living in the US. My website has followers from all over the world, but my newsletter is dormant with 3 subscribers.)

Kharma Kelley

Hi Roland, I don’t use a WP site, but it sucks they don’t have a centralized communication on these changes. At least, that’s the vibe I’m getting. Honestly, if your email list is that small you can ask them to reconfirm if you want to keep them, or purge them if you don’t. I would look into the free GDPR WP plugin to help you with your site. It would really suck for you to lose your web presence, so I hope this helps.

Roland Clarke

Thanks, Kharma. I’ll check out that plugin you link to in another comment. I also realise from other comments that as MailChimp handles my inactive newsletter, I should check there as well.

Glynis Jolly

I saw this coming. To tell the truth, I think the GDPR should be in the US too even though it means a little extra work for those of us who have blog and websites. I use MailChimp so I already have part of the work done for me.

Elizabeth Randolph

I had no idea. In this case I’m glad I only have two followers. I’ll wait. Surely, more will be coming out. Thank you for the post.

