Have you heard of GDPR (that’s General Data Protection Regulation to its friends)? Don’t worry if you haven’t, it’s an EU regulation about how companies handle personal information. But as an indie author, you might have to take some steps to comply with it too. There are plenty of confusing guides out there about GDPR, so I thought it might be handy to compile the stuff that’s relevant to indie authors in one place. So, if you’re an indie author, here’s what you need to know about GDPR.
Disclaimer: I’m not a lawyer, so please don’t take this as legal advice. I’ve just done a bunch of reading so you don’t have to.
Double disclaimer: the specific guidelines around GDPR are constantly changing, so I’ll update this post as and when I learn anything new.
Now, with that out of the way, let’s begin.
What is GDPR?
It’s the EU’s new data privacy law designed to make sure companies handle your personal data carefully, store it securely, and don’t abuse it (i.e. they don’t use it to send you mountains of spam or sell it on to other people). GDPR is a good thing. It just means we might have to make a few changes to how we do things.
When does GDPR come into force?
25th May 2018.
Why do I have to comply with GDPR?
Anyone who processes personal data needs to comply with this regulation.
Wait, doesn’t GDPR just apply to people in the EU?
It applies to anyone who holds data about people in the EU. If that’s not you, you can ignore GDPR but, if you’ve got readers in the EU, you’ll have to comply with the regulations.
How do I comply with GDPR?
It looks like there are a variety of ways to comply with the regulation, but it seems to me like the best bet is to get consent.
In the context of GDPR, consent means you presented the user with a clear option to agree to the use of their data.
It isn’t enough to assume consent in small print (you know the kind: “by clicking submit you agree to receiving my email newsletter, daily pictures of my dog, and also I’ll own your soul a little bit”). You need to be able to demonstrate that the user took a specific action to agree to the use of their data. You also have to record and be able to demonstrate how this consent was provided.
So what do I need to do differently?
First of all, I’m not a lawyer, so none of this is legal advice. I’m only writing about this because I have to deal with it in my day job, and I found out some stuff I think might help out indie authors, such as:
1. Forms on your website
Do you have any forms on your website? Whether it’s contact forms, comment forms, or something else, you’ll likely be collecting people’s names, email addresses, maybe even IP addresses. That’s right, WordPress not only collects commenters’ IP addresses, it stores them too. If that seems unnecessary to you (as it did to me), you can stop your WordPress site from storing them using this guide (as I did).
It sounds like you’ll need to change your comment form to include a checkbox and make sure the consent provided is recorded somewhere. This plugin appears to help with this; I’ve installed it myself and it seems to be working so far. If you use a spam filter, your checkbox text will have to inform users that you’ll pass their data on to the makers of that filter.
2. Your email newsletter
Naturally, you collect personal data when someone signs up to your email newsletter; if you didn’t, you wouldn’t be able to send them emails!
The most important thing you need to do is to include checkboxes in your signup form that a subscriber can tick when they subscribe to your mailing list. These boxes let them give you permission to use their data for specific purposes, for instance to send them emails, or to use their email address to create look-alike audiences for online advertising.
It’s also a good idea to send a confirmation email after a user has clicked the subscribe button. Until they click the link in the confirmation email, they aren’t subscribed to your newsletter. This is often referred to as “double opt-in”, and it not only helps you establish consent, but it also verifies that the form was filled in by the same person whose data you now hold (unless a third party has access to their email account too, of course).
3. Growing your list
If you use third party services to build your email list, you need to make sure that they’re obtaining consent and passing the record of it to you. After all, the data is being added to your list, so it’s your responsibility.
I reached out to Bookfunnel and they told me that they plan to add a checkbox to their signup form. They’ll also timestamp that consent and pass it along to Mailchimp, giving you a record of the consent provided. This is a great start, but it doesn’t allow you to obtain the granular permissions (email, online advertising, etc.) that you might require. If you’re using Bookfunnel, think carefully about what you want to do with a reader’s email address and send a follow-up email to ask for the relevant permissions.
Instafreebie, on the other hand, isn’t as impressive. When I reached out to them, they didn’t seem to know what GDPR was. And their site uses the dreaded small-print, assumed consent (“By clicking a button, you agree to emails etc.”).
Right now, Instafreebie is not GDPR-compliant, meaning you won’t be able to use it after 25th May. I’m waiting for further news and I’ll update this post with any updates. Fingers crossed!
Update: Instafreebie have made changes to their service in light of GDPR, but all they have done is stopped featuring giveaways that require a mandatory opt-in to your newsletter. That isn’t good enough, and my previous statement stands: Instafreebie isn’t GDPR compliant.
4. Selling ebooks on your site
This is something I’m afraid I have no experience with. However, if you’re selling ebooks directly from your website, you’ll need to be collecting personal data in order to send them their purchases. That means you’ll need a clear method to obtain and record your customers’ permission to collect their data and process it. So if you’re planning on adding them to your newsletter after they make a purchase, make sure you can prove they agreed to that!
5. Privacy policy
If you don’t have one, get one. It doesn’t have to be fancy. It’s just a document explaining what data you request, what you use it for, and how users can ask you to stop using it. You can take inspiration from mine, if you like, or Slack has a rather good one (although it’s probably more in-depth than you’d need!).
7. Google Analytics
If you have Google Analytics installed on your website, you’ll know it can tell you all sorts of useful things such as how many people visited your site, what part of the world they’re in, and even what kind of device they were using.
Google has introduced a new tool that allows you to set a period of time after which data is deleted. This allows you to control how long to retain that information. There’s no hard and fast rule as to how long you should retain it; GDPR only says you shouldn’t keep it for longer than is reasonable. So, you know, how long is a piece of string?
And, while Google Analytics doesn’t truck in personal data, it does use visitors’ IP addresses to figure out what part of the world they’re in. That IP address could be used to identify your visitors, so you’ll need to anonymise IP addresses.
I won’t lie, this is a bit of a tricky one. If you’re using a plugin to integrate Google Analytics into your site, there’s probably an option you can simply select. Otherwise, you’ll need to change the Google Analytics code you’ve used for your site. This is somewhat beyond my technical skills; if this makes sense to you, you’re a smarter cookie than I am!
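For anyone who does want to change the tracking code themselves, here is an added example (my own, not from the post or from Google) showing the documented way to switch on IP anonymisation in both Google Analytics snippets, plus a small function that reproduces what Google says the switch does to an address, so you can see how much of the IP actually survives. GA_ID is a placeholder; the two configure functions take the `ga` / `gtag` global as an argument so they can be exercised outside a browser.

```javascript
// Added example: turning on IP anonymisation in Google Analytics and what it does to an address.
const GA_ID = 'UA-XXXXXXXX-X'; // placeholder property id; use your own

// (a) analytics.js: the 'set' call must run after 'create' and before the pageview is sent.
function configureAnalyticsJs(ga) {
  ga('create', GA_ID, 'auto');
  ga('set', 'anonymizeIp', true); // without this line the visitor's full IP reaches Google
  ga('send', 'pageview');
}

// (a) gtag.js: the same switch is passed as a config option.
function configureGtag(gtag) {
  gtag('config', GA_ID, { anonymize_ip: true });
}

// (b) What the switch does, per Google's documentation: IPv4 addresses lose their last
// octet and IPv6 addresses lose their last 80 bits before the address is stored or used.
function anonymizeIp(ip) {
  if (!ip.includes(':')) {
    const octets = ip.split('.');
    if (octets.length !== 4 || octets.some(o => !/^\d{1,3}$/.test(o) || Number(o) > 255)) {
      throw new Error('not a valid IPv4 address');
    }
    return octets.slice(0, 3).join('.') + '.0';
  }
  // IPv6: expand a single "::" into the missing zero groups so we have all eight groups.
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error('not a valid IPv6 address');
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves[1] ? halves[1].split(':') : [];
  const missing = halves.length === 2 ? 8 - head.length - tail.length : 0;
  if (missing < 0) throw new Error('not a valid IPv6 address');
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  if (groups.length !== 8 || groups.some(g => !/^[0-9a-fA-F]{1,4}$/.test(g))) {
    throw new Error('not a valid IPv6 address');
  }
  // 128 - 80 = 48 bits survive, i.e. only the first three 16-bit groups.
  return groups.slice(0, 3).map(g => g.toLowerCase()).join(':') + ':0:0:0:0:0';
}
```

In a browser you would call `configureAnalyticsJs(window.ga)` or `configureGtag(window.gtag)` in place of the matching lines of the snippet Google gives you.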
8. Asking for consent again
This was brought to my attention by the Self-Publishing Formula podcast which, bizarrely, is telling authors that they’ll be fined for asking their email subscribers to confirm they want to keep receiving emails. And this just isn’t true!
It’s true that two companies, Honda and Flybe, were fined for sending out emails to people asking them to confirm they wanted to receive marketing emails. But they were fined for emailing people who had already unsubscribed! Big no-no.
But, because GDPR raises the bar for consent, it’s possible that the consent you previously received doesn’t match the new requirements. Perhaps the consent box was pre-ticked, for example, or perhaps there was small print saying “by clicking submit, you agree to join my newsletter”. These used to count as consent, but not anymore.
Where you’ve been given consent that doesn’t match the new requirements set by GDPR, you must ask these subscribers to confirm they want to keep receiving your emails. It isn’t just a good idea; it’s set out very clearly on the website of the ICO (the body that enforces GDPR in the UK).
Obviously, asking your subscribers to confirm their consent will mean some people ignore you or even unsubscribe. But that’s okay; you only want to send emails to people who want to receive them, right?
As I said, I’m not a lawyer. I’ve just had to read a lot about GDPR as part of my day job (I have an exciting day job). Feel free to ask any questions in the comments, or to tell me if you think I’ve got something wrong!