I’ve received quite a few inquiries regarding the new European Union privacy legislation known as GDPR (General Data Protection Regulation). GDPR comes into effect on May 25, 2018. This regulation initially impacts European Union member countries and aims to protect people from companies selling personal data. To do this, it regulates the use of people’s personal data online and aims at ensuring that every business storing an individual’s personal information has their prior consent. Furthermore, people have the right to know which data is stored and to ask for their removal.
Does That Affect My Newsletter?
The first question in most authors’ minds is: how does this affect my newsletter? There are four points to remember here:
First of all, if you’re in the US contacting solely Americans, you’re covered by the CAN-SPAM regulation; not GDPR. However, if you’re also addressing Europeans, you must enforce GDPR. In other words, the GDPR will become a de facto global privacy legislation.
Second, if data already obtained was obtained lawfully (as specified by the current directive), you can freely continue using it. Any individual’s consent given so far is valid. In simple words, you don’t need to send a confirmation email or newsletter to your current subscribers if you got their email legally. Should anyone asks (and, unless you’re Stephen King, it’s highly unlikely anyone will), you can prove this by pointing to your records as to how you got each person’s email. If you’d made it clear at the time they’d be subscribing to your newsletter, you’re okay.
Third, in regards to new subscribers, consenting to subscription now needs to be a clear affirmative action. An example is clicking through an opt-in box or choosing settings from the menu. Pay attention to not have pre-ticked boxes on the consent form.
Finally, you need to make sure you have that all-important Unsubscribe link at the end of your newsletter.
What About My Website?
An IP address, certain cookie data, and geolocation can be classed as personal data under the GDPR. Additionally, browsing behavior collected to create a profile may also be considered personal data. It all depends on the specifics. If you collect IP addresses in order to identify and target an individual, then you’re in breach of GDPR (seriously, though, how many of us would do that–let alone know how to do it?)
For an example of what kind of information our plugins collect, check out this informative privacy-related post by Akismet, the most commonly used anti-spam plugin.
As mentioned before, GDPR protects European citizens. Most other countries, however, have similar laws and regulations in place. Here are a few noteworthy points in the US and Australian legislation:
United States: Can-Spam Act of 2003
• Don’t use false or misleading header information.
• Don’t use deceptive subject lines.
• Identify the message as an ad.
• Tell recipients where you’re located.
• Tell recipients how to opt out of receiving future email from you.
• Honor opt-out requests promptly.
Australia: Spam Act of 2003
Consent: In Australia, commercial electronic messages must be sent with your consent. The Spam Act provides for two types of consent: express and inferred.
Express consent means you have deliberately and intentionally opted-in to receiving electronic messages from the message sender.
Inferred consent relies on a relationship you have with the message sender, who may decide that because you have an existing relationship, you would be interested in
receiving electronic messages about similar products and services. For example, if you subscribe to a magazine or newspaper, it could reasonably be inferred that you might
also want to receive an email newsletter.
So, What Should You Do?
First of all, a disclaimer: I’m not a lawyer and the information here is only meant to give you some pointers. If you have any doubts as to what you should do, you may wish to consult a professional.
Any cookies on my website are used to ensure normal website functions (for instance, Youtube videos won’t work without their own identifiers). These cookies cannot be switched off because the website wouldn’t work properly anymore. However, these identifiers do not store any personal data. Learn more about how WordPress uses your data.
Also, when you leave a comment, WordPress stores your name (or avatar name), IP Address, and email. As I have no way of turning this off, I have updated the text over my comment area to notify people of this and have added the following text to my small print page:
When you leave a comment, WordPress stores your gravatar name, IP Address, comment, and email address. Therefore, leaving a comment is considered a clear affirmative, specific, and unambiguous action as defined by the GDPR giving me consent to store this information, and permission to contact you in the future by email.
Your personal information will not be sold or shared with any third parties under any circumstances. Your information shall be retained until you unsubscribe or ask me to remove your data. If you feel your data has been misused, you have a right to complain to the Hellenic Data Protection Authority (HDPA). If you do not consent to the above, please don’t leave a comment.
To make sure you are in compliance with GDPR, check the following list, making sure you have:
- Explained your lawful basis for processing the data;
- Explained how long you’ll retain data;
- Explained your right to complain to the relevant authorities (e.g. the Information Commissioners Office (ICO) if in the UK or the Hellenic Data Protection Authority (HDPA) in Greece);
- Explained all in concise in plain, clear language.
I hope the above helps you ease your GDPR pains 🙂
Many thanks to the Alliance of Independent Authors and Effrosyni Moschoudi for their help with this post!
This is enormously helpful. I’ve been rather out of the loop lately, so I was quite confused by all this GDPR stuff. I finally feel like I know what it’s all about.
Yay! So glad I could help 🙂
Excellent- thanks so much!
I can’t tell you how helpful this was!!! Thank you! The examples and link to NN Light was just what I needed. 😀
Yay! So glad to have helped 😀
I agree. At least, that’s what I’ve done 🙂
I suppose I better do something small fry about this… not that I want to steal anyones’ data! Thanks for the illuminating post Nicolas.
I believe a simple privacy notice would suffice 🙂
Thanks for the post, Nicholas. I’ve been hearing about this but wasn’t sure what exactly was up. I’m still not quite sure if it applies to me. I’m in the US, and don’t have an email list, but people do comment on and follow my WordPress blog from other countries, including email followers. Does that mean that I’m subject to all the privacy laws of whatever countries they are from, in addition to the US laws?
I highly doubt anyone will trouble you about this. But I guess it wouldn’t hurt to have a privacy page with a couple of paragraphs similar to the ones I’ve listed here. What can I say, it’s a global world 🙂
Sooo useful. Thanks a mil!
Yay! So glad to hear that–and to see you around 🙂
Nice clear post, Nicholas. Thank you.
Thank you so much, Norah 🙂
If I am using WordPress.com can I still edit the comment section to include something like your disclaimer? According to my wordpress settings I have Jetpack installed but never used it.( I have an upgrade but never subscribed) Although I can alter my site’s settings with nice little blue pointers to every component, the only one that does not have one is the ‘Leave a reply comments’ area. Any quick way to access an ability to post a disclaimer like yours? Obviously I can do it manually on one, but to get automatic appearance for every one?
I brought up Jetpack ( allegedly installed) but perhaps I need to subscribe as well? Sorry to ask Nicholas.
Thanks Nicholas. I feared that might be the case. Even the ‘happiness engineer’ had no suggestions! I thought you used to have a Wp.com site so might know. Sorry to have imposed on you but thanks for replying. P
No problem at all! I do have a WP.com site; I just haven’t found a better solution than adding a new page 🙂
Going to reblog this via your basic site. Many thanks, Nicholas.
Best wishes, Pete.
It doesn’t seem to be on that site, so I will have to wait until the reblog button is back!
Oh! That’s odd; it seems fine when I look at the page. Are you logged in at the time?
Logged in to WP, but cannot find this post on your old site, for some reason. I can only see very old posts there. Strange.
Stranger and stranger. OK, here’s the direct link: https://nicholasrossis.wordpress.com/2018/05/15/gdpr-and-authors-what-you-need-to-know/
Thank you so much for sharing, Pete 🙂
Thank you Nicholas. I wasn’t going to worry about it, but you reminded me that I do have followers in the UK and EU. I’m going to add the disclaimer statements. It’s nice to know that US are covered with the CAN-SPAM.
I’m sure no one will mind us small fry, but it’s an easy enough thing to add to the privacy page, so…
Also, your ‘like’ button is gone? After I added a new cookie plugin, my ‘like’ under each comment is gone too. Mysterious.
I’m still trying to figure that one out 🙂
I think that’s also a Jetpack issue. 🙁
That’s my understanding, too. It happened after I activated the Likes on comments.
When I installed the GDPR plugin, I fine tooth read all instructions, it mentioned me to go into Jetpack settings and turn something or other off, and if I remember correctly it had to do with likes and comments. Happy if I can help you back. 🙂 Oh, and while I’m at it. Do you have any tricks for how to get the policy to show above comments as you have? I searched high and low and nowhere to stick it above comments so I stuck my at the end of all my posts but I don’t like the big font and yours seems to be gold and small?
Of course, you could just create a user for me and I’ll be happy to edit the css for you, if you wish.
Oh wow, thank you so much for your generousity. As you may remember, I never touch css code lol. Anytime I get a ‘theme’ update, it always states that any previously added css may disappear. Lol, I don’t even know what that would entail. And I still have you on as a user LOL. I can email you the login again? 🙂
That is only true if you edit the theme’s stylesheet. Without getting too technical, there is also the option to use a different file.
No need to resend the login, just email me what changes you’d like to make. On the website, I see a tickbox, “By using this form you agree with the storage and handling of your data by this website. *” which looks fine to me!
Oh thank you again. Actually, all I was after is where I added the policy after ‘post content’ to be in the place to pop up before someone comments as you have it, and in smaller letters like yours so it’s not so glaring in people’s faces. The policy is there, but I’ll copy and paste it in an email. No rush, and much appreciated. 🙂 🙂
I did it through Jetpack. You can edit the text that appears over your comments and over the share buttons. Thank you for the link 🙂
Oh thanks Nicholas, I’ll look into that. I may have to take from some of your words in the policy if that’s ok 🙂
Of course! That’s why I posted them 🙂
Thank you!!!!! 🙂 🙂