I’ve received quite a few inquiries regarding the new European Union privacy legislation known as GDPR (General Data Protection Regulation). GDPR comes into effect on May 25, 2018. This regulation initially impacts European Union member countries and aims to protect people from companies selling personal data. To do this, it regulates the use of people’s personal data online and aims at ensuring that every business storing an individual’s personal information has their prior consent. Furthermore, people have the right to know which data is stored and to ask for their removal.
Does That Affect My Newsletter?
The first question in most authors’ minds is: how does this affect my newsletter? There are four points to remember here:
First of all, if you’re in the US contacting solely Americans, you’re covered by the CAN-SPAM regulation; not GDPR. However, if you’re also addressing Europeans, you must enforce GDPR. In other words, the GDPR will become a de facto global privacy legislation.
Second, if data already obtained was obtained lawfully (as specified by the current directive), you can freely continue using it. Any individual’s consent given so far is valid. In simple words, you don’t need to send a confirmation email or newsletter to your current subscribers if you got their email legally. Should anyone asks (and, unless you’re Stephen King, it’s highly unlikely anyone will), you can prove this by pointing to your records as to how you got each person’s email. If you’d made it clear at the time they’d be subscribing to your newsletter, you’re okay.
Third, in regards to new subscribers, consenting to subscription now needs to be a clear affirmative action. An example is clicking through an opt-in box or choosing settings from the menu. Pay attention to not have pre-ticked boxes on the consent form.
Finally, you need to make sure you have that all-important Unsubscribe link at the end of your newsletter.
What About My Website?
An IP address, certain cookie data, and geolocation can be classed as personal data under the GDPR. Additionally, browsing behavior collected to create a profile may also be considered personal data. It all depends on the specifics. If you collect IP addresses in order to identify and target an individual, then you’re in breach of GDPR (seriously, though, how many of us would do that–let alone know how to do it?)
As mentioned before, GDPR protects European citizens. Most other countries, however, have similar laws and regulations in place. Here are a few noteworthy points in the US and Australian legislation:
United States: Can-Spam Act of 2003
• Don’t use false or misleading header information.
• Don’t use deceptive subject lines.
• Identify the message as an ad.
• Tell recipients where you’re located.
• Tell recipients how to opt out of receiving future email from you.
• Honor opt-out requests promptly.
Australia: Spam Act of 2003
Consent: In Australia, commercial electronic messages must be sent with your consent. The Spam Act provides for two types of consent: express and inferred.
Express consent means you have deliberately and intentionally opted-in to receiving electronic messages from the message sender.
Inferred consent relies on a relationship you have with the message sender, who may decide that because you have an existing relationship, you would be interested in
receiving electronic messages about similar products and services. For example, if you subscribe to a magazine or newspaper, it could reasonably be inferred that you might
also want to receive an email newsletter.
So, What Should You Do?
First of all, a disclaimer: I’m not a lawyer and the information here is only meant to give you some pointers. If you have any doubts as to what you should do, you may wish to consult a professional.
Any cookies on my website are used to ensure normal website functions (for instance, Youtube videos won’t work without their own identifiers). These cookies cannot be switched off because the website wouldn’t work properly anymore. However, these identifiers do not store any personal data. Learn more about how WordPress uses your data.
Also, when you leave a comment, WordPress stores your name (or avatar name), IP Address, and email. As I have no way of turning this off, I have updated the text over my comment area to notify people of this and have added the following text to my small print page:
When you leave a comment, WordPress stores your gravatar name, IP Address, comment, and email address. Therefore, leaving a comment is considered a clear affirmative, specific, and unambiguous action as defined by the GDPR giving me consent to store this information, and permission to contact you in the future by email.
Your personal information will not be sold or shared with any third parties under any circumstances. Your information shall be retained until you unsubscribe or ask me to remove your data. If you feel your data has been misused, you have a right to complain to the Hellenic Data Protection Authority (HDPA). If you do not consent to the above, please don’t leave a comment.
To make sure you are in compliance with GDPR, check the following list, making sure you have:
- Explained your lawful basis for processing the data;
- Explained how long you’ll retain data;
- Explained your right to complain to the relevant authorities (e.g. the Information Commissioners Office (ICO) if in the UK or the Hellenic Data Protection Authority (HDPA) in Greece);
- Explained all in concise in plain, clear language.
I hope the above helps you ease your GDPR pains 🙂
Many thanks to the Alliance of Independent Authors and Effrosyni Moschoudi for their help with this post!