GDPR – Guest post by Marina Reznor

GDPR and how to get into compliance.

Has your inbox been filling to the brim lately with online businesses suddenly reviewing their privacy policies? Are you being asked to re-opt-in to mailing lists you never knew you signed up for in the first place? Welcome to the GDPR Panic Club.

As businesses scramble to get into compliance with the GDPR regulations scheduled to go into effect May 25th, Rae asked if I’d do a guest blog about what authors and bloggers need to know about the new regulations (yes, they do apply to you). Thank you, Rae, for this opportunity to write about a topic near and dear to my online heart.

My name is Marina Reznor and I’m a romance author. My other day job is web developer, and I firmly believe that the two most important things an author owns are their website and their mailing list. I don’t care if you’re an independent author or have a five-book deal with a major publisher: you should control your name and have direct access to your fans.

You should also want to be perceived as a professional who takes their reputation seriously, so complying with GDPR is a good idea. The fixes are not difficult, and if you can edit your own website they won’t cost you anything.

What is GDPR?

GDPR stands for the General Data Protection Regulation. It goes into effect May 25, 2018 after a two-year rollout. You can read the entire text here OR watch a video here.

In a nutshell, the EU has ruled that a person’s personal information (name, email address, IP address (sort of a computer serial number), location, etc.) is their property and not yours. And because it’s not yours, you have to handle it responsibly.

Why did they have to pass a law?

Because businesses were handling personal data in a sloppy fashion and people had no recourse. Yes, data breaches happen to the best of us, but they are happening too frequently. Even more frequently, information gets lost, stolen, shared, or otherwise in the hands of people who were never intended to see it. (Oh, hi Mark Zuckerberg).

Is GDPR enforceable?

Yes, although enforcement relies on customers reporting non-compliance. The old law didn’t work very well because it didn’t have an enforcement mechanism. The new regulation is much tougher, and it comes with a big fine because asking nicely didn’t work.

But I’m an American, and this is a European thing.

GDPR specifically states that it applies to you if you store information on just one EU citizen. The huge fine, upwards of 20 million euros (about $25 million US dollars), is for big fish like Amazon and Google. But they have said they will not hesitate to go after smaller fish.

It only takes one EU citizen to rat you out. Please don’t give them the opportunity to make you their US example.

What’s this re-engagement thing?

GDPR rules say that all information collected (email addresses, primarily) must have been collected using the new rules, even though those rules were not in effect when you collected those emails. Nothing is grandfathered in.

There is a silver lining: having a bloated email list is expensive, and trimming it down will save you money. I’ve received some clever re-opt-in email requests from authors that made me happy to re-engage; I’ve listed them below.

What should you do? 6 things to do to get in compliance:

1) Put a privacy policy on your website (keep reading for some technical points and examples). Great news! Google loves websites with Privacy Policies, and will reward you with a better page ranking.

2) If you are using cookies, put a cookie warning on your website.

3) Make sure your mailing list is using double-opt-in for sign-ups (the subscriber must confirm by clicking a link in an email before they are added). This is a good practice anyway; look at it as even more engagement opportunities with your new friend. (Note: for some reason, last October MailChimp made single-opt-in the default. You will have to go in and change that to double-opt-in.)

4) Password protect your data, and be careful of who has access to it.

5) Make it easy for people to unenroll or delete themselves. Most email services like MailChimp and MailerLite have very good ‘unsubscribe’ buttons, but if you require commenters to sign in to your website, make sure it is easy for them to delete themselves.

6) What can you do if there are emails on your list that were not directly enrolled (meaning you bought, borrowed, swapped, or scraped them)? Do a re-engagement email campaign, where people can re-opt-in.

What should you NOT do? 4 things:

1) Don’t share your mailing list, sell your mailing list, or buy mailing lists. You can, however, use your mailing list to suggest that your subscribers might like to subscribe to other mailing lists and provide the links.

2) Don’t send unsolicited text messages via mobile phones.

3) Don’t send unsolicited emails.

4) Don’t refuse to delete or unsubscribe people who request it.

Does this apply to my Facebook, Goodreads, and other social media groups?

These social media providers have their own policies and data protection responsibilities. You are not responsible for them.


What about cross promotions?

Tricky question. Both and have changed their policies. After May 25th, will no longer feature giveaways with mandatory opt-in. BookFunnel has made some big changes as well.

** Some technical points **

Privacy policies – should be tailored to fit your exact circumstances. I like Privacy Policy Generator Template. In most cases, creativity is not encouraged in privacy policies, so it’s okay to duplicate verbiage. And in all cases, make sure to include contact information in case anyone has any concerns.

Log data – If someone leaves a comment on a blog post, or buys something from you, the event comes tagged with quite a bit of log data: the time of the visit, the visitor’s IP address, their location, and many other things that you can’t help but collect. Most privacy policies have a section that discusses how log data is handled.

Do I have to have a cookie consent? Cookies are little files that store information about a user’s interaction with a site. They don’t identify you personally, but collect information about your habits. It’s how targeted advertising is created. If you are using any types of advertising plugins, you are probably collecting cookies. Good video about cookies from Guardian UK.

Do I have to send a re-engagement email to everyone on my email list? No, only to the ones for whom you have no record of a double-opt-in sign-up.
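Items 3 and 6 above, and the question just answered, come down to one bookkeeping rule: a subscriber counts as properly enrolled only if you hold a record of them confirming from their own inbox. The following is an added example (not from this post, and not how MailChimp or MailerLite implement it) of a double-opt-in flow: a confirmation link carries an HMAC-signed token bound to the address, a click stores the consent record, and a helper lists who still needs a re-engagement email. The secret key and addresses are placeholders.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Placeholder signing key; a real deployment loads it from config, never source.
SECRET = b"placeholder-signing-key-change-me"
TOKEN_MAX_AGE = 48 * 3600  # confirmation links stop working after 48 hours


@dataclass
class Subscriber:
    email: str
    source: str                          # e.g. "website-form" or "imported"
    confirmed_at: Optional[int] = None   # consent record: when they clicked
    consent_ip: Optional[str] = None     # consent record: from which address


def confirmation_token(email: str, issued: int) -> str:
    """Token for the confirmation link: issue time plus an HMAC over
    email|issue-time, so it cannot be forged or reused for another address."""
    sig = hmac.new(SECRET, f"{email}|{issued}".encode(), hashlib.sha256).hexdigest()
    return f"{issued}.{sig}"


def confirm(sub: Subscriber, token: str, ip: str, now: int) -> bool:
    """Called when the link is clicked. Returns True and records consent only
    if the token is genuine, belongs to this subscriber and has not expired."""
    try:
        issued_str, sig = token.split(".", 1)
        issued = int(issued_str)
    except ValueError:
        return False
    expected = hmac.new(SECRET, f"{sub.email}|{issued}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return False
    if now - issued > TOKEN_MAX_AGE or now < issued:
        return False
    sub.confirmed_at = now
    sub.consent_ip = ip
    return True


def needs_reengagement(subs: List[Subscriber]) -> List[str]:
    """Everyone without a stored confirmation, whatever their source, gets the
    re-opt-in campaign; confirmed subscribers are left alone."""
    return [s.email for s in subs if s.confirmed_at is None]
```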

Good news if you’re using WordPress: The next version, currently in beta, will offer a privacy policy page template, give users the ability to remove themselves from your site, and the ability for users to opt out of cookies. Check out this article.

** Who’s doing it right? **

My privacy policy. It’s okay to be a little irreverent; the new law specifically says the wording must be clear and understandable. I’m a writer, and my job is to be entertaining.

Rae’s privacy policy, golf clap.

Excellent re-engagement campaign email – Nancy Stopper from

Books I Love A Latte re-engagement campaign email – Rae Latte from

Great terms of service

Good variation on the privacy policy generator

You’ve made it this far, congratulations.

Having a website is tough, and this is one of the biggest changes I’ve seen come down the pike in a long time. I do a monthly email, Marina’s Academy, where we discuss author websites and mailing lists. It’s free, and you also get access to my resource page of tech topics for writers. Click here, scroll to the bottom (the footer), and click in the box that says ‘Academy’. You’ll be taken to a form where you can freely and knowingly sign up. I’d love to have you join.

Questions? Comments? Please post them below so we can all see them; if you have a question, there’s a good chance ten other people do as well. Also feel free to email me at


** pictures are from Pixabay