A month ago I’d never heard the acronym GDPR, and frankly, I wish I still had never heard of it. Like most authors I’m not a programmer, and I especially resent every task that falls under the rubric of “marketing.” I resent doing it, and I resent having to completely reconfigure every single thing about the way I try to let the world know my books exist. In this post I’m going to give you some resources to help you cut through the current thicket of speculation, panic, and misinformation that surrounds the roll-out of Europe’s new regulation regarding online privacy. I hope my article will save you time and maybe a little grief. As an incentive for you to read all the way to the bottom, I’m offering you the gift of my newly revised, 33-page report on how to “Create Memorable Characters.” And, as a caveat, this column is not offered as legal advice. If you are facing issues such as I outline here, you should consult a lawyer. At the bottom of the article you will find additional resources.
What Is GDPR Anyway?
We’ve all heard of breaches of data privacy. The credit bureaus. Facebook. Twitter. All of these entities have had to change many of the practices that led to data leaks and manipulation of consumers’ opinions. The European Union is ahead of the United States in that it is requiring its businesses to comply with a new regulation–the General Data Protection Regulation (GDPR). The date for complying begins on May 25, 2018.
This regulation is designed to protect the privacy of EU residents. It gives them a mechanism to decide whether they want their personal information stored and shared. Additionally, they can decide whether they object to getting emails they didn’t authorize. From now on, any author with an email list must obtain explicit consent before they are allowed to send marketing email to a person in the European Union.
The enforcement of this regulation is handled by the Information Commissioner’s Office. Here is a draft of the consent requirements.
Implied Consent is a “no, no.”
Explicit Consent — A checkbox makes the consent straightforward.
Do You Even Need to Concern Yourself?
If you’re an author living in the US, Canada, Australia, New Zealand, or other non-EU country, you may need to comply. Here’s what I’ve been able to ascertain:
- If you have a mailing list that includes residents of the EU
- If your email manager is based in the EU
- If you collect money in currencies used in the EU
Even if you are not selling anything from your website, but just giving away free information, you must comply.
Here’s when you don’t have to comply, according to the sources below:
- You’re not collecting email addresses
- You’re largely based in a non-EU country, and people in the EU would only find you by happenstance
- You’re not marketing to residents of the EU through entities like Twitter or Facebook
In my case I have almost 85,000 Twitter followers. I provide free information that I hope is of value. And I collect email addresses because I want to tell people who follow this blog about my forthcoming books and about craft techniques that can help them become better writers. Thus, I must comply.
The First Thing to Do
Let’s acknowledge that the ICO does not totally have their act together. They continue to issue addenda to the regulation, and so it’s a bit hard to hit this “moving target,” according to lawyer Suzanne Dibble. She has been making daily videos on various aspects of the rollout and its implementation.
As I understand what the lawyers are saying, if you want to show a good faith effort to comply, you need to start with two key elements. One is a privacy policy, and the second is an explicit-consent checkbox. Your visitors must explicitly affirm that they’ve read your policy and consent to its provisions. In addition, your policy needs to give specifics about how you are tracking their behavior and using their data.
Now, I’m going to show you where you can get such a policy. Go here to get your GDPR Compliance Notice. The link takes you to a German company that handles data compliance. It will customize a privacy policy based on the way you use your blog and website. That policy will be written in plain English.
The examples below come from screenshots I took as I filled out their form. Mind you, I’m not a lawyer, and I’m just showing you how I’m interpreting the requirements.
[Screenshots: Steps 1 through 10 of the privacy policy form]
Oh, Good, I’m Almost Done
Wrong. Getting the privacy policy is just the first step. Now you must put it on your website. You’ll need a plugin to create a banner that shows up on the page when someone first visits your site.
Dealing with Email
Once you have a banner across your site, you’ll next need to deal with email. Again, I can only tell you how I’m approaching this. I’ll give you some places you can get more detailed information in case you decide my response doesn’t fit your circumstances.
But first, I want to give you a heads up on two terms: data controller and data processor. The data controller is the person who makes ultimate decisions about email and whatever other data is collected. The data processor is the company or data cruncher that handles and stores the data. I use ConvertKit to handle my email addresses. They are the data processor. I am the data controller because I am the only person who has access to the addresses on my list. If I had a virtual assistant helping me with email, then that person might also have access to the email addresses. I’m not sure how that would affect my privacy statement.
The key thing to know is that the data controller is the person to whom complaints and requests are addressed. If someone in the EU requests information about their data, then I would pass that request on to the ConvertKit Concierge. That person would look into the matter and get back to me with information. Alternately, they would do what I request, such as wipe the data from my records. If a subscriber complained to the EU, then the Concierge would provide documentation that the person had checked the “consent” box or that all information had been expunged.
Each company that deals with mailing lists seems to be handling the GDPR requirements in a slightly different way. Mailchimp.com, for instance, gives you step-by-step instructions on how to update your sign-up forms, send out a notice for your current email list, and then how to segment out those in the EU who agree to the marketing email permission on the form. Click here for a look at their procedures.
Here’s the Catch-22, if you will. Let’s say you send a notice to your subscribers asking them to check consent boxes. By emailing them about this, the regulation (according to the lawyers below) seems to suggest that you already know you’ve violated their privacy. Some folks are reporting that when they’ve sent out consent forms, they’re only getting a 10 percent response. At that point they must wipe the rest of the names from their email list.
Lead Magnets
How did those names get on the email list in the first place? Many authors use an app called Instafreebie.com to gather names for their email list. Their hope is that if readers like what they’ve been reading, they’ll actually buy books in the future. Instafreebie, as of May 25, is changing its operating procedures. You will no longer be able to get an email address in exchange for a free book.
I haven’t used Instafreebie, but I do use Leadpages.net. Heretofore, Leadpages has allowed me to create landing pages with special offers pertaining to plot, characterization, setting, writing tips, and so forth. I have about a dozen of these publications, and in the past I Tweeted out links to my Leadpages. From there, aspiring writers could get a publication in exchange for giving me their email addresses. What happens is that the Leadpage shows a “lead magnet,” something I hoped would be attractive to folks who wanted to write books or find more readers.
When a person clicked that s/he was interested in my lead magnet, that person would be taken to a ConvertKit form that asked for the person’s first name and email address. Once I had that email address, the person would get the lead magnet and be automatically sent a series of six welcome emails. Those emails explained who I was, and (I hope) gave a taste of what the subscriber could expect. From then on, subscribers received an email roughly once a week. These emails contained information about publishing opportunities, writing contests, my latest blog posts, inspirational videos, and occasionally a bit about my own writing or that of other writers whose work sounded interesting to me. I also occasionally sent tools that I found useful, such as a word count tracker or Scrivener template. This strategy was designed to take advantage of my skills and to help me build an author platform.
All that is going to change. I’m having to update every Leadpage so that anyone can get the lead magnet without signing up for emails. I’m trying to do this so that only folks in the EU have to put a check in the little check box. However, I’m guessing that legislation like this is going to eventually come to other countries.
I have also been using something called a “double opt-in,” to confirm that people really do want to get my emails. (Here’s an article about the difference between single and double opt-ins.) Just so you know, a double opt-in does not satisfy the GDPR requirements. You need that explicit consent. Even though I have an unsubscribe link at the bottom of every email, I know that many of us are just inundated with email. I totally understand why giving people options is a good idea.
More Resources
Please understand that I am not an expert on the GDPR, nor am I a lawyer. I’m just a lowly author struggling to understand how all of this is going to affect me and future subscribers to my list. If you’re in doubt after delving into the suggestions and advice offered below, then consult a lawyer.
Some of the information out there is more applicable to businesses than to authors; however, any author attempting to reach a global audience is actually running an online business. Sigh.
Here are some places you can get different perspectives on issues that crop up around the GDPR rollout.
- Mark Dawson’s Self-Publishing Formula, Episode #14 http://bit.ly/SPFYouTubeGDPR
- Suzanne Dibble’s Facebook Group http://bit.ly/DibbleFacebookGroup
- Nick Stephenson’s Blog Your First 10K Readers GDPR Workshop http://bit.ly/StephensonGDPRworkshop
- Kboards (for a glimpse of the confusion surrounding the rollout) https://www.kboards.com/index.php/topic,263080.0/wap2.html
The first three sites have the most straightforward solutions, but even these experts are grappling with many unknowns, such as how the regulation will ultimately be enforced.
Thank You for Hanging In
As a “thank you” for wading through this long article, here are links to one of my lead magnets. I just finished updating these today, and I had the fun of creating a “flip book.” For folks who’re reading this on cell phones, the flip book might actually work best. Alternately, feel free to download the pdf. You don’t even have to give me your email address. Just enjoy and get back to what we actually care about–the writing itself.
http://bit.ly/CreateMemorableCharactersFlip
http://bit.ly/CreateMemorableCharacterspdf
I’m curious how many of you have heard of the GDPR and what you’re doing to comply. Please leave comments below.