I kept on hearing about the EU's new GDPR law so I thought I'd look into that as well and see what I need to do, if anything, to comply. It didn’t take long before I fell down the GDPR rabbit hole.
What is GDPR, you ask, and why is an author in the United States even bothering to learn about it?
The GDPR (General Data Protection Regulation) is a law passed by the EU that goes into effect May 25th. It covers data protection and privacy for EU citizens as well as addressing the export of such data outside of the EU. While this law isn’t really aimed at authors, it does apply somewhat to us. Since I have a newsletter and an EU citizen could sign up for it from my Facebook author page or on my website, it seems that it does apply to me. So I decided to look into what other authors were doing.
In the U.S., we have the CAN-SPAM act (Controlling the Assault of Non-Solicited Pornography and Marketing) (betcha didn’t know what that stood for! I didn’t.). The act sets requirements for commercial email, establishes the right of people to ask that you stop emailing them, and imposes penalties on those who don’t comply. We’ve been dealing with that since 2004, one reason why I use MailChimp to send out my newsletter. It has items built in to help me comply.
The GDPR seems to go further regarding the keeping of someone’s personal data including email addresses. You have to have proof of how they signed up, for one thing.
To figure out what I have to do, I started looking around online, quickly discovering that the reaction to the law varies from “OMG, what a lot of work I have to do to comply” to “you really don’t have to do much.” I went to MailChimp’s website to see what they said I have to do. What they suggested seemed like an awful lot to me.
Here are some of the other posts I read:
What GDPR Means for Authors and Bloggers
Author Marketing Help Desk: GDPR and Your Email List
6 Myths GDPR Email Marketing Debunked
I also listened to this podcast, specific to what authors should do to be compliant with the GDPR. It was interesting (it’s an hour and fifteen minutes long, BTW).
The more I looked into it, the more I realized no one really seems to know what the appropriate thing to do is. Opinions vary between lawyers even on what’s necessary.
MailChimp advises asking everyone on your current list to opt in again. However, articles such as this one from The Guardian note that doing that is generally unnecessary and possibly illegal. This is where I mentally threw up my hands.
Right now I figure I have 3 options: (1) completely ignore it, figuring I have few EU residents on my newsletter list and the powers that be in the EU aren’t going to be interested in little old me, anyway, (2) do everything MailChimp says, or (3) take a middle-of-the-road approach and do a few minor tweaks.
I think I’m going for the third option. I’m going to make sure the newsletter signup forms I have make it clear that people are signing up for my newsletter, and that I understand how the people on my list currently got onto the list. I never put anyone on my list unless they specifically request it, so I don’t have to get rid of people that didn’t opt in. And I’ll be ready to get rid of someone’s data if they so request. Just seems like common sense stuff to me.
This is my take on the GDPR. It’s not legal advice, etc., etc. Everyone should decide for themselves what they need to do.
For the authors out there, what are you doing to comply with GDPR? Anything?