GDPR FAQs for Writers & Bloggers – a good summary of many important points
by Kirsten Oliphant, the author of Email Lists Made Easy for Writers and Bloggers and the host of the Create If Writing podcast.
My goal is to help writers, bloggers, and creatives like YOU turn readers into raving fans and learn to make a living doing what you love…without being smarmy. Questions? kirsten at kirstenoliphant.com
This is post #2 about GDPR and what it means for writers and bloggers in particular. I’m in the US, so my thoughts and take on this are as someone NOT in the EU. Here are some GDPR FAQs to help you understand what you need to know!
This post is really going to be a big list with as concise and clear answers as I can give. I’ve got a meatier post that focuses on a few specific aspects of GDPR in more detail and am doing a free training on strategy, particularly how you can use freebies in a post-GDPR world. Now let’s get to those GDPR FAQs!
Note: I’m not a legal expert, nor a lawyer. You should absolutely ask your lawyer or representative for more on this and do your own research as needed to make sure that you are compliant! Also, just know that this is the perspective of someone outside the EU.
GDPR FAQS
WHAT IS GDPR?
GDPR stands for General Data Protection Regulation and refers to a policy put in place in the EU to harmonize the laws regarding data collection and protection. The goal is to protect private citizens and their data and to hold companies (large and small) more accountable for how they handle data.
WHO DOES IT AFFECT?
Anyone who collects data from people in the EU.
BUT I’M JUST A PERSON! I’M NOT A COMPANY. I’M AN AUTHOR OR BLOGGER. IS THIS THE SAME REQUIREMENT THAT A BIG COMPANY HAS?
Yes and no. A big company will likely have to appoint a specific person in charge of this according to GDPR. The fines are set to be proportionate to size, so if you’re investigated, they will take into account your size, but being small or a solopreneur does NOT give you a pass. Anyone of any size handling data from persons in the EU is under GDPR.
WHAT’S DATA?
Essentially any information: email address, name, or any other information.
BUT I’M LOCATED OUTSIDE OF THE EU. DOES THIS REALLY IMPACT ME THE SAME WAY?
Yes and no. You are responsible for how you handle data from persons inside the EU. This may or may not be a large percentage, but you are still responsible. This means that you either need to make all your forms and policies compliant across the board or find a way to create EU-specific forms that only people in the EU can see. That’s fairly challenging.
WHAT ARE THEY GOING TO DO IF I IGNORE GDPR?
Probably nothing. But if you have complaints, there are high fines (proportionate to the size of your company). You don’t want to have an investigation or break the trust of your followers by not complying with this. (Even if you don’t like it and don’t live in the EU.) They ARE taking this seriously.
I’M JUST A BLOGGER. WHAT KIND OF DATA DO I EVEN HAVE ACCESS TO?
You might be surprised to learn that it could be a LOT. Many websites (WordPress included) store data in your dashboard in contact forms and even in your comments section. Yikes! You may want to consider a plugin like this GDPR Compliance one to add checkboxes for consent to any places people might enter data.
WHAT OTHER DATA DOES MY WEBSITE COLLECT?
In addition to comments and forms, if you are using Google Analytics or a Facebook pixel for tracking and retargeting, you should be letting people know about that in your privacy policy. If you’ve uploaded your email list to Facebook to run ads to your people or a lookalike audience, that’s also a use of data that GDPR would like for you to have permission to do. Again, be clear in your privacy policy.
NO ONE READS MY PRIVACY POLICY. DOES IT MATTER?
Yes! It’s a legal contract between you and your readers. And now under GDPR, your privacy policy should be linked to in every form where you ask someone to sign up for your email list.
HOW CAN I CREATE A GOOD PRIVACY POLICY?
You can create your own based on great examples you see or templates, but often that may leave you out to dry if you are investigated. GDPR wants it to be in plain language, concise, but also cover all the bases of the ways you use and collect data. If you feel comfortable with that, great! If not, I highly recommend checking out the privacy policy package from Businessese, my fave legal team. I’m an affiliate for their programs because I’ve used them for legal documents! Check out their privacy policy package.
HOW DOES GDPR AFFECT MY EMAIL LIST?
If you are using a trusted provider like ConvertKit, Mailerlite, or Mailchimp (to name a few), you’re likely in good hands. These are what GDPR calls data processors, which means that they have a responsibility with the data you collect for your email list. They will do a lot of the heavy lifting for you.
If you are NOT using a trusted provider and you are sending out emails via gmail to a mass group or using a service that’s free but no one has heard of, STOP. Get serious about this. There are US laws as well (like the CAN-SPAM Act) that have lots of requirements that these same email service providers help you maintain.
SO WHAT WILL MY EMAIL SERVICE PROVIDER DO FOR ME?
That depends on the provider. I use and highly recommend ConvertKit and they have been FABULOUS. They are working to provide checkboxes (more on that in a sec) to help you gain lawful consent. They also created a segment for EU people in the back end of your email so that you can obtain consent from those people already on your list.
- If you aren’t sure which email service provider to use, I’ve got a post that may help you! Read Which Is the Best Email Service Provider for YOU
WAIT, AREN’T THOSE OLD EMAILS GRANDFATHERED IN?
Nope. They aren’t.
SO WHAT THE HECK DO I DO WITH THOSE EMAILS?
Again, some of this depends on your email service provider. ConvertKit made it possible for you to send an email just to your EU subscribers, asking them for consent. Contact your provider to see what they are doing.
I GIVE UP. CAN’T I JUST BLOCK EU PEOPLE?
Probably…but do you really want to? Let’s just calm down and try to focus. Your email service provider may also allow you to show the EU forms just to EU people. This can be tricky because of IP addresses and such, but is at least a step, especially if 90% of your audience is not in the EU and you don’t want to have to apply those standards to everything.
SO WHAT DO I NEED ON MY EMAIL SIGN-UP FORMS TO COMPLY WITH GDPR?
A few things. First, you need to link to your privacy policy, as mentioned above. You also need to be incredibly clear about what people receive when they sign up for your email list. This should be ONE thing, not a bundle. In essence, you can’t ask someone to sign up to get your free book AND your marketing emails. Not without a checkbox.
I NEED A CHECKBOX? WHAT? HOW DO I GET THESE?
Yes, you need a checkbox if you want to send people signing up for your freebie other emails AFTER they get the freebie. (This is, to me, the biggest impact and I’ll circle back to this in a minute.) You can’t have the checkbox pre-filled, either. People have to actively consent to the marketing emails. Your email service provider, again, should help take care of this.
WHAT IF PEOPLE DON’T CHECK THE BOX? DO THEY GET MY FREEBIE FOR…FREE?
Yes. This is where a lot of people outside the EU are balking, for good reason. Freebies have long been a way to grow your email list, whether you are an author who is offering a reader magnet or someone giving a free book or offering a free webinar or workshop.
WHAT IF I DON’T WANT TO DO THAT?
I feel you. I don’t like this one bit. We are all adults, after all. It seems that communicating clearly on the form would be enough. Not according to GDPR, though. That leaves you with a few options:
- Add the checkboxes to all forms
- Try to have the checkboxes show just to EU people (if you are able)
- Use clear language on the form without a checkbox (non-compliant option)
- Use a follow-up sequence to people from the EU who download a freebie, offering them the option to opt in (non-compliant option)
ARE YOU SUGGESTING THAT I DON’T COMPLY WITH GDPR?
No. But I am saying that for many of us outside of the EU, we may have a tiny number of EU subscribers. I checked and mine is personally under 2%. I personally don’t want to have checkboxes on every form I have, meaning people get all my freebies without giving me an email. You need to do what you feel is the best option for you to comply with GDPR but also run your business the way you run your business. (Yes, I know that sounds very American of me. I’m from the US, so yeah. I’m independent and sometimes a bit stubborn.)
I’ve heard raging debates over this from various “experts” and it seems that GDPR has many interpretations. Honestly, until this bad boy is in place and we start seeing how it impacts things, we won’t have a fully clear view. I’m making plans and updating things, but also watching closely to see how this all pans out.
IF I’M INVESTIGATED, HOW CAN I PROVE THAT I COMPLIED?
This is tricky, but double opt-in is a good start. I’ve recommended this anyway, but this is a way that will create a clear proof of the path someone took to get on your list. Read more about double opt-in and permissions and why I recommend double.
HOW DO I KNOW IF I’M USING DOUBLE OPT-IN?
Often it’s the default. Mailchimp made single opt-in the default this year (in a move I can’t wrap my brain around), so you may need to go into each list you have on Mailchimp and check the settings. Always check as well that your forms and signup process are optimized and customized.
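To make the checkbox rules above and the double opt-in proof concrete, here is an added example (my own illustration, not code from any email service provider) of the server-side logic a sign-up form would need: the freebie goes out regardless, marketing consent only counts when the box was actually ticked, the confirmation link is the second step, and every step is logged so you have a record to show. The signing key, the form field names and the `Subscriber` record are assumptions for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed server-side secret for signing confirmation links (constructed placeholder, not a real key).
SIGNING_KEY = b"replace-me-with-a-random-secret"


def now() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass
class Subscriber:
    email: str
    freebie_sent: bool = False
    marketing_consent: bool = False   # True only after a ticked box AND a confirmed link click
    consent_log: list = field(default_factory=list)


def make_token(email: str) -> str:
    """Token embedded in the confirmation link; proves the click came from a link we sent."""
    return hmac.new(SIGNING_KEY, email.encode(), hashlib.sha256).hexdigest()


def handle_signup(form: dict, form_version: str):
    """Process a freebie sign-up. Returns the subscriber and, if the box was ticked, a confirm token."""
    sub = Subscriber(email=form["email"].strip().lower())
    # The freebie goes out regardless: delivery cannot be conditioned on marketing consent.
    sub.freebie_sent = True
    # Only an explicit "on" from the browser counts as a tick. A missing field means the box was
    # left unticked, so a pre-filled or hidden checkbox cannot sneak consent through.
    if form.get("marketing_consent") != "on":
        return sub, None
    sub.consent_log.append({"event": "box_ticked", "form": form_version, "at": now()})
    return sub, make_token(sub.email)


def confirm_opt_in(sub: Subscriber, token: str) -> bool:
    """Second step of double opt-in: flip marketing consent on only for a valid, matching token."""
    if not hmac.compare_digest(token, make_token(sub.email)):
        sub.consent_log.append({"event": "bad_token", "at": now()})
        return False
    sub.marketing_consent = True
    sub.consent_log.append({"event": "confirmed", "at": now()})
    return True


def erase(store: dict, email: str) -> bool:
    """Right to be forgotten: drop the whole record, consent log included, not just a flag."""
    return store.pop(email.strip().lower(), None) is not None
```

The consent log (which form version was shown, when the box was ticked, when the link was clicked) is the "clear proof of the path someone took" that double opt-in gives you.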
WHAT ABOUT OTHER WAYS THAT I GET PEOPLE ONTO MY LIST? HOW DOES GDPR AFFECT THIS?
Well, if you are hosting a webinar, running a virtual summit, offering a reader magnet in the back of an Amazon book, doing a giveaway in exchange for an email, running a quiz that people need to opt into to get their results, giving away a PDF, doing a free workshop, creating bonus content, or any other method where people sign up for one thing and also get a follow-up sequence that leads to your regular emails, YOU NEED TO CONSIDER CONSENT. Go back up to the whole checkboxes thing.
WHAT ABOUT WHEN I GET A BUSINESS CARD AND ADD SOMEONE’S EMAIL TO MY LIST FROM THERE?
Um, you shouldn’t have ever done that. If you have, I’m not shaming you, but that’s not okay. The really great thing about GDPR is that it’s forcing people to market more honestly. Adding someone to your list without permission is not good. Don’t do that. Ever. Okay? Glad we had that talk.
PEOPLE CAN UNSUBSCRIBE IN EVERY EMAIL THROUGH A LINK AT THE BOTTOM OF THE EMAIL. AM I COVERED?
Not quite. Under GDPR, people have the right to be forgotten, which means that their data isn’t stored at all on the servers. This could be a challenge for you, but if you’re using a trusty email service provider, again, they will do the heavy lifting and make sure you can do this.
WITH THIS WHOLE FACEBOOK/CAMBRIDGE THING, EVERYONE IS TALKING ABOUT BREACHES. DO I NEED TO WORRY ABOUT THAT?
If you are using a trusted provider, you need to worry less. We pay them the big bucks to protect that data. And if there is a breach, they’ll help you comply, which means emailing those affected within 72 hours, being clear about what the breach entailed.
IT SOUNDS LIKE AN EMAIL SERVICE PROVIDER REALLY IS THE RESPONSIBLE ONE. DOESN’T THE WEIGHT OF THIS FALL ON THEM?
No. Under GDPR, your email service provider is the processor of data, but you are the controller. You decide what you’re doing with the data and communicate that clearly. Thus you are the one who is primarily responsible and accountable. In partnership with a good email service provider (again, I cannot recommend ConvertKit enough), you have a strong position for compliance.
WHAT ABOUT THIRD PARTY CONNECTORS, LIKE LEADPAGES OR SUMOME OR INSTAFREEBIE OR BOOKFUNNEL?
Those are making things more complex. Because they need to talk to your email service provider, there is a chance that they won’t talk well enough to transfer that compliance over. Some of those third-party tools may change their policy or how they collect data or what they do. This may be a good time to streamline your tools, but for sure at the least check their blogs or email them to see what they are doing to help facilitate compliance.
I’M EXHAUSTED AND ANGRY. WHAT DO I DO?
Me too, man. Me too. Here are a few things you can do:
- Read more in depth about GDPR in this post on how it impacts writers and bloggers where I go a bit deeper.
- Join me for a free training on strategy for using freebies in a post-GDPR world.
- Come on into my Facebook group. We can moan or groan about this and then talk about how we are going to comply.
SO…I CAN’T JUST PLUG MY EARS AND SAY LA-LA-LA?
I mean, you CAN. But I wouldn’t recommend it. Take a deep breath. Then start taking steps to comply. Check out my bigger post that has action steps.
MY BIG GDPR TAKEAWAYS
Here are a few things that I like about GDPR (because honestly, much of it makes me very stabby) and what I think we can take away from this regulation.
BE HONEST AND UP FRONT.
We should be doing this anyway, right? GDPR helps give clarity. If you are signing up for an email list, it’s good to know what that means. We should all be doing this anyway, but GDPR is a great reminder that we should always make our intentions clear.
USE BEST PRACTICES.
Don’t buy email lists. Don’t add people without permission. Don’t be smarmy!! Use smart marketing tactics that don’t break people’s trust! If it feels gross, you shouldn’t have been doing it anyway. GDPR puts some serious weight behind this.
PAY ATTENTION TO EMAIL.
I’ve heard people freaking out about this, saying they’re done with email. Calm down, son. Email is still incredibly powerful. We’ll survive GDPR just like we survived Y2K. If nothing else, it’s a great reminder that your email should not be an afterthought. Here are more resources and list-building tips to get you started!