Does Your Author Website Comply with GDPR Regulations?

by Marylee MacDonald in Apps & Software

A month ago I’d never heard the acronym GDPR, and frankly, I wish I still had never heard of it. Like most authors I’m not a programmer, and I especially resent every task that falls under the rubric of “marketing.” I resent doing it, and I resent having to completely reconfigure every single thing about the way I try to let the world know my books exist. In this post I’m going to give you some resources to help you cut through the current thicket of speculation, panic, and misinformation that surrounds the roll-out of Europe’s new regulation regarding online privacy. I hope my article will save you time and maybe a little grief. As an incentive for you to read all the way to the bottom, I’m offering you the gift of my newly revised, 33-page report on how to “Create Memorable Characters.” And, as a caveat, this column is not offered as legal advice. If you are facing issues such as I outline here, you should consult a lawyer. At the bottom of the article you will find additional resources.

GDPR incentive

At the bottom of this article you’ll find download links for both the flip book and pdf versions of this 33-page report. It’s a “thank you” for following my blog and for wading through an otherwise tedious and technical blog post.

What Is GDPR Anyway?

We’ve all heard of breaches of data privacy. The credit bureaus. Facebook. Twitter. All of these entities have had to change many of the practices that led to data leaks and manipulation of consumers’ opinions. The European Union is ahead of the United States in that it is requiring its businesses to comply with a new regulation–the General Data Protection Regulation (GDPR). The date for complying begins on May 25, 2018.

This regulation is designed to protect the privacy of EU residents. It gives them a mechanism to decide whether they want their personal information stored and shared. Additionally, they can decide whether they object to getting emails they didn’t authorize. From now on, any author with an email list must obtain explicit consent before they are allowed to send marketing email to a person in the European Union.

The enforcement of this regulation is handled by the Information Commissioner’s Office. Here is a draft of the consent requirements.

Implied Consent is a “no-no.”

GDPR implied Consent

Implied consent means that the “client” is giving you their email, but there is no way for them to specifically say that, yes, they want you to send stuff.

Explicit Consent — A checkbox makes the consent straightforward.

GDPR checkbox

To protect yourself, you should be as specific as possible about what you will be sending them emails about. In my case it’s “places to publish, writing contests, updates about my blog posts, free publications, and writing tools.”

Do You Even Need to Concern Yourself?

If you’re an author living in the US, Canada, Australia, New Zealand, or other non-EU country, you may need to comply. Here’s what I’ve been able to ascertain:

  • If you have a mailing list that includes residents of the EU
  • If your email manager is based in the EU
  • If you collect money in currencies used in the EU

Even if you are not selling anything from your website, but just giving away free information, you must comply.

Here’s when you don’t have to comply, according to the sources below:

  • You’re not collecting email addresses
  • You’re largely based in a non-EU-country, and people in the EU would only find you by happenstance
  • You’re not marketing to residents of the EU through entities like Twitter or Facebook

In my case I have almost 85,000 Twitter followers. I provide free information that I hope is of value. And I collect email addresses because I want to tell people who follow this blog about my forthcoming books and about craft techniques that can help them become better writers. Thus, I must comply.

The First Thing to Do

Let’s acknowledge that the ICO does not totally have their act together. They continue to issue addenda to the regulation, and so it’s a bit hard to hit this “moving target,” according to lawyer Suzanne Dibble. She has been making daily videos on various aspects of the rollout and its implementation.

As I understand what the lawyers are saying, if you want to show a good faith effort to comply, you need to start with two key elements. One is a privacy policy, and second is an explicit-consent checkbox. Your visitors must explicitly affirm that they’ve read your policy and consent to its provisions. In addition, your policy needs to give specifics about how you are tracking their behavior and using their data.

Now, I’m going to show you where you can get such a policy. Go here to get your GDPR Compliance Notice. The link takes you to a German company that handles data compliance. It will customize a privacy policy based on the way you use your blog and website. That policy will be written in plain English.

The examples below come from screenshots I took as I filled out their form. Mind you, I’m not a lawyer, and I’m just showing you how I’m interpreting the requirements.

Step 1

Fill out your address and website info and tell them whether you want the privacy policy to be in English or German.

Step 2

GDPR compliance

I’ve highlighted in yellow the tick boxes I checked.

Step 3

Data Officer

If you collect email addresses directly to your website, then YOU are the Data Protection Officer. If you use a service like Mailchimp, ConvertKit, GetResponse, or AWeber, then the company has a Data Protection liaison who can assist you with GDPR compliance records. Unless you list a specific, other person, the privacy policy will designate you as the Data Protection Officer.

Step 4

social media

Add tick boxes to all the social media accounts you’re now using or think you might use in the future. You don’t want to have to send your subscribers updated privacy notices because that will be annoying to both them and you.

Step 5

Analysis tools

Analytical tools reveal how many people are using your site. The tools don’t reveal “sensitive information,” such as their sex, religion, or medical history. The ICO calls this type of data collection “anonymous”. However, if someone leaves a comment, then that person’s internet address remains on your site. The privacy policy that will be crafted from your responses will spell out just what kinds of data are being collected so that visitors can agree or not.

Step 6

internet ads

I’ve tinkered around with Google Adwords, and one of these days maybe I can figure out how to create a Google ad.

Step 7

online marketing

I wish I had the time to do more online marketing. Mostly, I market through social media.

Step 8


WordPress is used by many bloggers, and Jetpack is a key component. It’s the only plugin I know I’m using, so I checked it.

Step 9


One of the plugins on my WordPress site uses Paypal. I want a clause in my privacy statement that talks about Paypal.

Step 10


In the Miscellaneous category, I found three services I know I’m using. It didn’t surprise me that Amazon showed up on the list, but I was surprised to see Bloglovin and Getty Images. The privacy policy gave me details about the data gathering policies of each of the above.

Step 11


The German company’s disclaimer is a good example of what’s meant by “explicit consent.” Check the boxes, and they will send you a custom privacy policy. One version is plain language and a second version has the HTML code embedded.

Oh, Good, I’m Almost Done

Wrong. Getting the privacy policy is just the first step. Now you must put it on your website. You’ll need a plugin to create a banner that shows up on the page when someone first visits your site.

WordPress plugins

Enter GDPR (all caps) in the search box (top right). The plugin I chose is on the left, but there are others. Install the plugin and read their documentation about how to insert your privacy policy. In my case it was as simple as copy-and-paste.

Dealing with Email

Once you have a banner across your site, you’ll next need to deal with email. Again, I can only tell you how I’m approaching this. I’ll give you some places you can get more detailed information in case you decide my response doesn’t fit your circumstances.

But first, I want to give you a heads up on two terms: data controller and data processor. The data controller is the person who makes ultimate decisions about email and whatever other data is collected. The data processor is the company or data cruncher that handles and stores the data. I use ConvertKit to handle my email addresses. They are the data processor. I am the data controller because I am the only person who has access to the addresses on my list. If I had a virtual assistant helping me with email, then that person might also have access to the email addresses. I’m not sure how that would affect my privacy statement.

The key thing to know is that the data controller is the person to whom complaints and requests are addressed. If someone in the EU requests information about their data, then I would pass that request on to the ConvertKit Concierge. That person would look into the matter and get back to me with information. Alternately, they would do what I request, such as wipe the data from my records. If a subscriber complained to the EU, then the Concierge would provide documentation that the person had checked the “consent” box or that all information had been expunged.
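As an added example that is not part of this post (nor any mailing-list provider’s code), here is a small JavaScript sketch of the consent handling described in the Implied/Explicit Consent section above and in this paragraph: a sign-up only counts when the visitor ticks a box that was unticked by default, the lead magnet is delivered either way, and the controller can hand over evidence of the tick or erase a subscriber on request. The function names, the policy version tag and the in-memory ledger are assumptions.

```javascript
// Added example, not code from the post or from any mailing-list provider.
// Models the post's two points: only an affirmative tick in a box that is
// unticked by default counts as consent, and the controller must be able to
// show evidence of that tick or erase the person on request. The lead magnet
// is delivered whether or not the person subscribes. All names are assumptions.

const PURPOSES = "places to publish, writing contests, updates about my blog " +
  "posts, free publications, and writing tools"; // wording taken from the post
const POLICY_VERSION = "2018-05-25"; // constructed version tag for the policy

const ledger = new Map(); // email -> consent record (in-memory stand-in)

// form: how the sign-up form is built; submission: what the visitor sent.
function handleSignup(submission, form) {
  const result = { deliverLeadMagnet: true, subscribed: false, reason: "" };
  const email = (submission.email || "").trim().toLowerCase();
  if (!email.includes("@")) { result.reason = "invalid email"; return result; }
  if (form.consentDefaultChecked) {
    result.reason = "pre-ticked box is implied consent; not recorded";
    return result;
  }
  if (submission.consentChecked !== true) {
    result.reason = "box not ticked; no consent to record";
    return result;
  }
  ledger.set(email, {
    email,
    purposes: PURPOSES,
    policyVersion: POLICY_VERSION,
    consentedAt: new Date().toISOString(),
    source: submission.source || "unknown",
  });
  result.subscribed = true;
  return result;
}

// What a processor would hand over to show the person ticked the box.
function consentEvidence(email) {
  const r = ledger.get(email.toLowerCase());
  return r ? { ...r } : null;
}

// Erasure request: returns true if a record existed and was wiped.
function eraseSubscriber(email) {
  return ledger.delete(email.toLowerCase());
}
```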

Each company that deals with mailing lists seems to be handling the GDPR requirements in a slightly different way., for instance, gives you step-by-step instructions on how to update your sign-up forms, send out a notice for your current email list, and then how to segment out those in the EU who agree to the marketing email permission on the form. Click here for a look at their procedures.

Here’s the Catch-22, if you will. Let’s say you send a notice to your subscribers asking them to check consent boxes. By emailing them about this, the regulation (according to the lawyers below) seems to suggest that you already know you’ve violated their privacy. Some folks are reporting that when they’ve sent out consent forms, they’re only getting a 10 percent response. At that point they must wipe the rest of the names from their email list.

Lead Magnets

How did those names get on the email list in the first place? Many authors use an app called to gather names for their email list. Their hope is that if readers like what they’ve been reading, they’ll actually buy books in the future. Instafreebie, as of May 25, is changing its operating procedures. You will no longer be able to get an email address in exchange for a free book.

I haven’t used Instafreebie, but I do use Heretofore, Leadpages has allowed me to create landing pages with special offers pertaining to plot, characterization, setting, writing tips, and so forth. I have about a dozen of these publications, and in the past I Tweeted out links to my Leadpages. From there, aspiring writers could get a publication in exchange for giving me their email addresses. What happens is that the Leadpage shows a “lead magnet,” something I hoped would be attractive to folks who wanted to write books or find more readers.

When a person clicked that s/he was interested in my lead magnet, that person would be taken to a ConvertKit form that asked for the person’s first name and email address. Once I had that email address, the person would get the lead magnet and be automatically sent a series of six welcome emails. Those emails explained who I was, and (I hope) gave a taste of what the subscriber could expect. From then on, subscribers received an email roughly once a week. These emails contained information about publishing opportunities, writing contests, my latest blog posts, inspirational videos, and occasionally a bit about my own writing or that of other writers whose work sounded interesting to me. I also occasionally sent tools that I found useful, such as a word count tracker or Scrivener template. This strategy was designed to take advantage of my skills and to help me build an author platform.

All that is going to change. I’m having to update every Leadpage so that anyone can get the lead magnet without signing up for emails. I’m trying to do this so that only folks in the EU have to put a check in the little check box. However, I’m guessing that legislation like this is going to eventually come to other countries.

I have also been using something called a “double opt-in” to confirm that people really do want to get my emails. (Here’s an article about the difference between single and double opt-ins.) Just so you know, a double opt-in does not satisfy the GDPR requirements. You need that explicit consent. Even though I have an unsubscribe link at the bottom of every email, I know that many of us are just inundated with email. I totally understand why giving people options is a good idea.

More Resources

Please understand that I am not an expert on the GDPR, nor am I a lawyer. I’m just a lowly author struggling to understand how all of this is going to affect me and future subscribers to my list. If you’re in doubt after delving into the suggestions and advice offered below, then consult a lawyer.

Some of the information out there is more applicable to businesses than to authors; however, any author attempting to reach a global audience is actually running an online business. Sigh.

Here are some places you can get different perspectives on issues that crop up around the GDPR rollout.

  1. Mark Dawson’s Self-Publishing Formula, Episode #14
  2. Suzanne Dibble’s Facebook Group
  3. Nick Stephenson’s Blog Your First 10K Readers GDPR Workshop
  4. Kboards (for a glimpse of the confusion surrounding the rollout),263080.0/wap2.html

The first three sites have the most straightforward solutions, but even these experts are grappling with many unknowns, such as how the regulation will ultimately be enforced.

Thank You for Hanging In

As a “thank you” for wading through this long article, here are links to one of my lead magnets. I just finished updating these today, and I had the fun of creating a “flip book.” For folks who’re reading this on cell phones, the flip book might actually work best. Alternately, feel free to download the pdf. You don’t even have to give me your email address. Just enjoy and get back to what we actually care about–the writing itself.

I’m curious how many of you have heard of the GDPR and what you’re doing to comply. Please leave comments below.

  • Marylee MacDonald

    Marylee MacDonald is the author of MONTPELIER TOMORROW, BONDS OF LOVE & BLOOD, BODY LANGUAGE, and THE BIG BOOK OF SMALL PRESSES AND INDEPENDENT PUBLISHERS. Her books and stories have won the Barry Hannah Prize, the Jeanne M. Leiby Memorial Chapbook Award, a Readers' Favorites Gold Medal for Drama, the American Literary Review Fiction Prize, a Wishing Shelf Book Award, and many others. She holds an M.A. in Creative Writing from San Francisco State, and when not reading or writing books, she loves to walk on the beach and explore National Parks.
