What is GDPR? And, more specifically, what does it mean for writers and bloggers trying to grow an email list in the US or outside of the EU? I’m NOT a legal expert, but am distilling some of the main ideas down into a helpful and actionable post.
GDPR is coming! GDPR is coming! I’ve been hearing this cry ringing out in the online space for months, though it’s been about two years in the making. What IS GDPR exactly and why is it relevant to those in the US? Does GDPR affect those outside of the EU? If you are using an email list, then this will likely affect you!
- If you need to take a step back from GDPR, you can check out my larger resource on email lists and list-building tips.
- Check out my more scannable list of GDPR FAQs.
One thing I’ve already noticed is that different companies like Instafreebie (which authors have used to grow an email list) have already changed their policies. Now you cannot offer a free book in exchange for an email address. You simply have to offer a free book and hope people sign up.
To me…that’s not a great option and I’m interested to see what this does to some of the businesses who have built their foundation on freebies like this. It’s an example, though, of how big of a deal this is!
WHAT IS GDPR?
The General Data Protection Regulation was designed as a way to harmonize laws throughout the EU concerning data usage and collection. With the recent Cambridge Analytica scandal and Facebook, people are more aware of data than ever!
In fact, data is being called the most precious commodity in the world, surpassing oil. (Read a fascinating article on the worth of data.) Basically everywhere we go online, data is being collected. The GDPR aims to protect consumers and make companies more responsible for upholding standards for how they collect and use data.
Sounds pretty good, right?
What GDPR means is that companies large and small are now responsible for how they manage the data of people living in the EU. It has put specific measures in place to protect consumers’ data, which is overall a good thing.
But personally, I’m not a fan of some of the specifics of how this works and what GDPR means for writers and bloggers trying to grow an email list. In this post I’ll dive into the specifics of how GDPR affects writers and bloggers in the US.
HOW DOES GDPR AFFECT PEOPLE OUTSIDE THE US?
Though I’m happily living in the US, when I have interactions with people in the EU, I am responsible for upholding GDPR regulations. PERIOD.
This may impact some of us more than others, but in general, if you’re writing and blogging and working in the online space, you will have some EU readers or consumers. Which means that you are responsible for compliance with GDPR for those people.
In the US we are still required to comply with the CAN-SPAM Act, but the terms are much more loose.
- You can read my posts on permission and double opt-in that touches on some of the CAN-SPAM Act.
WHAT DO WRITERS AND BLOGGERS NEED TO DO TO COMPLY WITH GDPR?
This is a simple and yet complex question to answer. So far I’ve heard a lot of varying opinions on what this means and what compliance looks like.
To start with, I want to remind you that I’m not a lawyer. I’m also not a GDPR expert. What I’ve been doing for the last few months is following the discussions both from the EU experts and those on the ground here in the United States, reading GDPR, and paying attention to how businesses are adapting.
It’s important to note that experts don’t all agree. There seems to be room for interpretation on GDPR and we won’t fully know what this looks like…yet. When all the lawyers don’t toe the same line, it’s hard for us non-legal peeps to be 100% sure.
I’m going to share some principles and actions that we can take to comply with GDPR but still grow an email list. I also plan to share what we learn once GDPR officially begins on May 25. I believe that we will start to see what the impact really is and how savvy marketers adapt to stay compliant.
- Subscribe to my weekly email, the Quick Fix, to get weekly emails with resources and tips, including how GDPR affects you!
SOME MAJOR PRINCIPLES OF GDPR
Processors & Controllers
Under GDPR, clear roles for handling data are defined. Controllers are those who decide what is done with the data and processors are the ones who handle the actual processing on behalf of the controller.
In case that’s not clear, YOU are the controller of the data. Processors are the companies you utilize for email lists like ConvertKit, Mailchimp, or Mailerlite. (If you’re not sure about data, that’s everything: email, name, birthday, country, etc.)
As a controller, it’s more important than ever to use a trustworthy processor. YOU are the one held responsible, but your processor does much of the fine-tuning.
If you are not sending email through a known, trusted email service provider, you are going to struggle to comply. All of the major companies are working to get compliance in order and make this easy!
ACTION ITEM – Check out your email service provider to see what they are doing to help you. ConvertKit has made this so easy by building out features to help compliance and even segmenting your EU subscribers FOR you. I’m an affiliate and user of ConvertKit and would love to offer you a free month to try it out!
Clear, Granular Consent for Email Lists
Here’s where things are really going to get sticky for writers and bloggers. Because so many of us use freebies or reader magnets or lead magnets (all the same things with different names), we have more things to take into consideration.
Under GDPR, you cannot offer a freebie and then send people in the EU other emails without clear consent that they are opting into marketing emails. I’ve seen lively debates about what this means, but here are a few options I’ve seen legal experts suggest:
- Checkboxes for every freebie – This would mean that if someone wants your freebie, but does NOT check the checkbox for marketing emails, they would get your freebie for, well, FREE. And you can’t email them again. I find this…ridiculous. While I like the principles of data protection, we are all adults and shouldn’t need that much hand-holding. This is the standard almost all EU people in the UK are suggesting, based on the UK interpretations of GDPR.
- Clear language about marketing – Another option that many (mostly in the US) have suggested is to be incredibly clear in the language on your form. Rather than saying, “Get my free book!” you could say something like, “Sign up for my email list to get great information and special freebies!” What seems to NOT be okay is bundling together a freebie with marketing emails. For example, you shouldn’t say, “Get this free book when you sign up for my marketing emails!” While that sounds like very clear consent that people understand to me, the act of bundling those together makes it non-compliant.
- Follow-up consent via email – While EU experts in the UK told me the consent must be on the form side before data transfer happens, experts on this side of the pond have assured me that following up a freebie download with a special EU welcome series asking for consent it okay. Those suggesting this point to the fact that this is essentially how we get consent from those EU peeps already on our lists, so it should also work for new people signing up.
- Exclude people in the EU – This is extreme, but I understand it. I find this particular part of GDPR incredibly frustrating. It means that the things that savvy bloggers and authors have been doing for years has to be modified. For US citizens, this means modifications across the board for what may be a tiny percentage. If you are able, you may consider having a note that people in the EU can’t download your free book, or hiding forms from people with EU ip addresses, if you are tech-savvy enough.
This is the part where I remind you that I’m not a lawyer! I don’t want to steer you wrong, so I’m presenting the options for how I’ve seen various trustworthy people talk about their plans for consent.
How you handle it is up to you, but you can be held accountable for fines under GDPR for how you use data for EU citizens, even if you are just a single person. (The fines will be proportionate, according to the law, so you won’t be getting the same fines as a giant corporation, but still. You can be fined.)
ACTION ITEM – Decide how you are going to handle your freebies. Again, I’m not a lawyer. I’m also not in the EU, so I will say that I tend to take a more American attitude about this. (Which may or may not include eye-rolling, groaning, and moaning.) Remember that the principle of GDPR is to be clear about your purposes and get specific consent for how you will use data.
If you are investigated for your compliance, you need to be able to prove that subscribers gave you consent. Double opt-in is the best way that you can do this. Read more about double opt-in to see what this means, but it’s a simple solution that should work to help you prove consent if you need to do so.
ACTION ITEM – Turn on double opt-in. This often is the default, but Mailchimp recently updated to have default single opt-in. (You’ll find this under each list’s account settings in Mailchimp.) Double opt-in is not enough of an action to make you comply with GDPR, but it will help you prove your compliance.
This is a very basic overview and doesn’t touch on a lot of the aspects of GDPR such as the right to be forgotten or how to handle data breaches. I’ll cover that in my GDPR FAQ post, but this is enough to get you started and get you thinking.
So, should you stop using email as many people are suggesting? NO. Email is still the most powerful tool that you have. Period.
Should you pay someone for help with this? NO. I’ve been super frustrated seeing people charge money for trainings on this. I would NOT suggest this, especially if you are a one-person operation, like a blogger or author. Plus, we honestly don’t know what this will look like because it’s not in effect and not being enforced. Don’t give people money yet. We need to see how this shakes out.
What should you do next? Calm down, make a plan. Read up on this if you’d like. Pay attention to the conversations about this. And if you’re concerned about your freebies and how you’ve been growing your list, sign up for this free training I’ll be doing specifically on freebies and what strategies you may want to implement in a post-GDPR world!