UPDATE: Please note that while many companies are reconfirming their lists, this may not be necessary. A podcast mentioned in the comments below, which can also be found here, featured a UK-based attorney who recommends not reconfirming your list. The attorney's reasoning is that asking for reconfirmation suggests you do not already have permission, and if you don't have permission to contact them, you should not be emailing them to begin with. Please note that many newsletter companies are offering templates to revalidate subscribers, so they are expecting at least some subscribers to require additional validation. Use your own best judgment on what to do. We here at Indies Unlimited are not attorneys and do not offer legal advice. If you need legal advice, speak with a lawyer. We have free and low-cost legal services listed on our Legal Resource Page here.
###
New regulations passed by the European Union on data privacy are impacting everyone with a newsletter that has EU subscribers. The new regulations require those with EU citizens as subscribers to provide those subscribers with certain rights when it comes to data privacy. The new regulations aren't hard for newsletter owners to implement, but they do require newsletter owners to be proactive. So, here we'll break down everything you need to know about the new privacy regulations and how they affect newsletters.
What is it?
It’s called the General Data Protection Regulation (GDPR). The goal of the regulation is to ensure the data privacy of citizens of the EU. If you collect information from EU citizens, you must comply with the GDPR. So, if you’re collecting names and email addresses from readers in the EU, you must comply with GDPR, even if you are not an EU citizen yourself. The official site for the GDPR is https://www.eugdpr.org/.
When do I have to comply by?
Companies with EU citizen data must be in compliance by May 25.
Whoa!!! May 25 (looks at calendar)… That’s really soon!
Don’t panic. It is soon, but it is completely doable.
What is it I have to do?
GDPR is a pretty big set of rules, but as a newsletter operator, the first thing you need to be concerned about is consent. According to the GDPR compliance site:
“Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data – in this context, nothing short of ‘opt in’ will suffice.”
Basically, you need to ensure your EU subscribers opt in to your newsletter, meaning you need to ask them again. How do you know who your EU subscribers are? You actually don't, which is why most people are asking all their subscribers to opt in again. If you use a newsletter service company, they can often tell the country where the person logs in from, but that's not exact. An EU citizen who is temporarily working in the US, Canada, or China for a year still needs to opt in again. So, it is best to ask everyone to opt in again. Simply send out a newsletter to subscribers that asks them to opt in once more.
How do I get the new opt-in?
Like I said, simply send out an email to all subscribers and ask them to actively opt in again. The opt-in needs to be clear and easy to understand. Not sure what that looks like? Well, luckily for you, the newsletter companies out there are offering templates to their users and offering blog posts with tips. Here are some of the posts from the more popular newsletter service providers:
What if I don’t use a newsletter service?
If you're just sending emails via your regular email account, then I would consider switching to a service. Many services do not charge for a small number of subscribers (some give you as few as 500 free subscribers and others go up to 2,000 free subscribers). I've written about mailing list providers in the past, if you're interested. The newsletter service companies also keep track of who has opted in, so they make the record-keeping easy to show that you have complied with GDPR. If you don't want to use a company and like how you're doing things, then read up on GDPR and make sure you can make yourself compliant and keep all the records necessary for that.
So, once EU subscribers opt in again, I’m done, right?
Nope. While the big worry right now is getting people to opt in again, GDPR includes several provisions to protect the data of EU citizens. There are four main components:
(1) Breach notice. You must notify citizens if their data has been compromised on your end.
(2) Access. You must tell citizens what information you keep on them, when they request it.
(3) Portability. If they want to take their data with them to another service, you must provide the data you have on them in a "commonly used and machine-readable format" so they can transport it to another provider.
(4) Complete Removal. If they ask to be removed from your database, you must remove all information about them completely.
Those four things are what you may need to do for EU subscribers in the future. They are likely to come up in a piecemeal fashion, with only a handful of subscribers needing any of them at any one time. However, the opt-in should be done for all subscribers by May 25.
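To make the record-keeping behind those four items concrete, here is an added example (not code from the original post or from any newsletter service): a minimal subscriber store that keeps opt-in evidence per subscriber, flags subscribers with no recorded opt-in (such as names imported from a giveaway spreadsheet), and answers access, portability and erasure requests. The class, field names and sample data are all assumptions constructed for the example.

```python
"""Added example, not part of the original post: a subscriber store with a
consent record per subscriber (assumed design; sample data is constructed)."""
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Subscriber:
    email: str
    name: str
    # Opt-in evidence: when consent was given and through which form/source.
    # A name imported from a spreadsheet has no such record (None).
    consent_at: Optional[str] = None
    consent_source: Optional[str] = None


class NewsletterStore:
    def __init__(self):
        self._subs = {}  # email (lower-cased) -> Subscriber

    def add(self, email, name, source=None):
        """Record a subscriber; only a known opt-in source gets a timestamp."""
        key = email.lower()
        ts = datetime.now(timezone.utc).isoformat() if source else None
        self._subs[key] = Subscriber(key, name, ts, source)

    def needing_reconsent(self):
        """Subscribers with no recorded opt-in: the ones to ask again."""
        return sorted(e for e, s in self._subs.items() if s.consent_at is None)

    def access_request(self, email):
        """(2) Access: everything held on this person, or None if unknown."""
        sub = self._subs.get(email.lower())
        return asdict(sub) if sub else None

    def portability_export(self, email):
        """(3) Portability: JSON is a commonly used, machine-readable format."""
        data = self.access_request(email)
        return json.dumps(data, indent=2) if data else None

    def erase(self, email):
        """(4) Complete removal: drop the whole record, not just a flag."""
        return self._subs.pop(email.lower(), None) is not None
```

Breach notice (item 1) is a process rather than a data operation, so it is not modelled here; the consent record is also what you would show if asked to prove a subscriber opted in.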
Thank you. I need to get on that.
I’d recommend any writer read the Self-Publishing Formula’s guide to GDPR before doing anything GDPR related: (see RJ’s comment below)
They also did a podcast with an attorney that was very valuable.
Thanks for the tip, Larry. I’m going to have the admin remove your link, and post a link to the podcast here: https://selfpublishingformula.com/episode-117/. This link does not require users to sign up for a mailing list.
I’ve been pondering this all day and have a question. Let’s say we have 500 names on our email list, but we don’t know where these folks live. If we send out an email asking them to opt-in again due to the new EU regs, how do we know which ones live in European countries and don’t opt back in? How do we separate them out from the US names? It almost sounds like we’d have to clear our entire list and start from scratch again.
Hi Melissa. Give Mark Lawson’s podcast on GDPR a listen. I think it will help you answer that Q. 🙂
I hear what you're saying. You don't want to start from scratch. Depending on your mailing list provider, they may be able to offer you some location data, and you can prioritize EU opt-ins. But there's no way to know for certain where the EU citizens are. And, of course, if you have a complete record of opt-ins, you don't need to revalidate. The issue of concern for GDPR is that information collectors must have a record of the opt-in. If your opt-ins are fairly organic, you should have a record of them. If you used various sites that collected emails (such as those that give away a book in exchange for signing up for your mailing list) and that site sent you a spreadsheet of names that you imported to your list, you don't necessarily have a record of their opt-in.
The good news is that moving forward, your subscribers will all be compliant, as most companies are updating their forms to meet the EU compliance (though if you’ve got an old page you use to collect email addresses, you want to update it).
Thank you for setting this down so clearly. I’ve been hearing about this for a while and procrastinating! Now I’m on it.
Great post, RJ and something all Indies have to look at very seriously, because very few know exactly what the Newsletter companies are doing with their own data and the data of their /subscribers/. This ignorance, and the responsibility that goes with it, will not disappear with a simple opt-in form.
I don’t use a newsletter service but I decided to check out your link to Mailchimp, as it’s a very popular one. The following quotes are taken straight from their various pages:
INFO COLLECTED
‘That information may include your IP address….and other information about how you interacted with our Websites or other websites.’
[the important bit is ‘or OTHER websites]
TRACKING DEVICES & PERSONAL INFO
‘In some cases we may use cookies and other tracking technologies described in this Cookie Statement to collect Personal Information, or to collect information that becomes Personal Information if we combine it with other information.’
[the important bit is ‘that becomes Personal Information if we combine it with other information’]
THIRD PARTIES
‘The third parties that set these third party cookies can /recognise/ your computer both when it visits the website or service in question and also when it visits /certain other websites or services/.’
[the important bit is that Third Parties can include every tech company on the internet including Facebook, Google, Amazon and countless others. Seriously].
TRACKING SUBSCRIBERS
We also enable our users [that’s people who use Mailchimp for newsletters] to employ cookies and similar tracking technologies in connection with their use of our Services in order to allow us and our users to track their subscribers.
[the important bit is ‘to track their subscribers’].
“Do Not Track” or “DNT” signals. Since uniform standards for “DNT” signals have not been adopted, our Websites do not currently process or respond to “DNT” signals. MailChimp takes privacy and meaningful choice seriously and will make efforts to continue to monitor developments around DNT browser technology and the implementation of a standard.
[the important bit is that Mailchimp IGNORES do not track requests. In other words, until they're forced to obey, your choices don't matter doodly squat to them.]
Now that the EU is bringing in such strong regulations [and other countries may follow], we all have to make choices about how we treat other people’s privacy and security [because data gathered by ad companies can be hacked and used by anybody with the technical skills].
Thanks for the reminder. After going in circles on MailChimp, I found this YouTube video on how to actually make my list compliant. He does a great job explaining step-by-step directions. https://www.youtube.com/watch?v=F8O5w4BglTA
MailChimp just emailed directions 😉 It's always something. Thanks RJ