UPDATE: Please note that while many companies are reconfirming their lists, this may not be necessary. A podcast mentioned in the comments below, which can also be found here, featured a UK-based attorney who recommends not reconfirming your list. The attorney’s reasoning is that asking for reconfirmation implies you do not already have permission, and if you don’t have permission to contact someone, you should not be emailing them to begin with. Please note that many newsletter companies are offering templates to revalidate subscribers, so they are expecting at least some subscribers to require additional validation. Use your own best judgment on what to do. We here at Indies Unlimited are not attorneys and do not offer legal advice. If you need legal advice, speak with a lawyer. We have free and low-cost legal services listed on our Legal Resource Page here.
New regulations passed by the European Union on data privacy are impacting everyone with a newsletter that has EU subscribers. The new regulations require those with EU citizens as subscribers to provide those subscribers with certain rights when it comes to data privacy. The new regulations aren’t hard for newsletter owners to implement, but they do require newsletters to be proactive. So, here we’ll break down everything you need to know about the new privacy regulations and how they affect newsletters.
What is it?
It’s called the General Data Protection Regulation (GDPR). The goal of the regulation is to ensure the data privacy of citizens of the EU. If you collect information from EU citizens, you must comply with the GDPR. So, if you’re collecting names and email addresses from readers in the EU, you must comply with GDPR, even if you are not an EU citizen yourself. The official site for the GDPR is https://www.eugdpr.org/.
When do I have to comply by?
Companies with EU citizen data must be in compliance by May 25.
Whoa!!! May 25 (looks at calendar)… That’s really soon!
Don’t panic. It is soon, but it is completely doable.
What is it I have to do?
GDPR is a pretty big set of rules, but as a newsletter operator, the first thing you need to be concerned about is consent. According to the GDPR compliance site:
“Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data – in this context, nothing short of ‘opt in’ will suffice.”
Basically, you need to ensure your EU subscribers opt in to your newsletter, meaning you need to ask them again. How do you know who your EU subscribers are? You actually don’t, which is why most people are asking all their subscribers to opt in again. If you use a newsletter service company, they can often tell the country where the person logs in from, but that’s not exact. An EU citizen who is temporarily working in the US, Canada, or China for a year still needs to opt in again. So, it is best to ask everyone to opt in again. Simply send out a newsletter to subscribers that asks them to opt in once more.
How do I get the new opt-in?
Like I said, simply send out an email to all subscribers and ask them to actively opt in again. The opt-in needs to be clear and easy to understand. Not sure what that looks like? Well, luckily for you, the newsletter companies out there are offering templates to their users and offering blog posts with tips. Here are some of the posts from the more popular newsletter service providers:
What if I don’t use a newsletter service?
If you’re just sending emails via your regular email account, then I would consider switching to a service. Many services do not charge for a small number of subscribers (some give you as few as 500 free subscribers and others go up to 2,000 free subscribers). I’ve written about mailing list providers in the past, if you’re interested. The newsletter service companies also keep track of who has opted in, so they make the record-keeping easy to show that you have complied with GDPR. If you don’t want to use a company and like how you’re doing things, then read up on GDPR and make sure you can make yourself compliant and keep all the records necessary for that.
So, once EU subscribers opt in again, I’m done, right?
Nope. While the big worry right now is getting people to opt in again, GDPR includes several provisions to protect the data of EU citizens. There are four main components:
(1) Breach notice. You must notify citizens if their data has been compromised on your end.
(2) Access. You must tell citizens what information you keep on them, when they request it.
(3) Portability. If they want to take their data with them to another service, you must provide the data you have on them in a “commonly used and machine readable format” so they can transport it to another provider.
(4) Complete Removal. If they ask to be removed from your database, you must remove all information about them completely.
Those four things are what you may need to do for EU subscribers in the future. They are likely to come up in a piecemeal fashion, with only a handful of subscribers needing any of them at any one time. However, the opt-in should be done for all subscribers by May 25.
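If you run your own list rather than a service, the record-keeping described above (who opted in, when, and from which mailing) and the access, portability and removal requests come down to a small consent ledger. The following is an added example, not code from Indies Unlimited or from any newsletter provider; the class and field names are my own assumptions, and the subscriber addresses are constructed sample data.

```python
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

def _now() -> str:
    # UTC ISO-8601 timestamp, so consent evidence is unambiguous across time zones
    return datetime.now(timezone.utc).isoformat()

@dataclass
class ConsentRecord:
    email: str
    name: str
    consented_at: Optional[str] = None    # when the explicit opt-in was recorded
    consent_source: Optional[str] = None  # which form or reconfirmation mailing produced it
    withdrawn_at: Optional[str] = None    # set when the subscriber withdraws consent

class SubscriberRegistry:
    """One record per address; only opted-in, non-withdrawn addresses are ever mailed."""
    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}

    def add_pending(self, email: str, name: str) -> None:
        # Imported or legacy address: kept, but not mailable until it opts in
        self._records.setdefault(email.lower(), ConsentRecord(email.lower(), name))

    def record_opt_in(self, email: str, source: str, when: Optional[str] = None) -> None:
        rec = self._records[email.lower()]
        rec.consented_at, rec.consent_source, rec.withdrawn_at = when or _now(), source, None

    def withdraw(self, email: str, when: Optional[str] = None) -> None:
        # Withdrawing must be as easy as giving consent: one call, no extra hoops
        self._records[email.lower()].withdrawn_at = when or _now()

    def has_valid_consent(self, email: str) -> bool:
        rec = self._records.get(email.lower())
        return bool(rec and rec.consented_at and not rec.withdrawn_at)

    def mailable(self) -> List[str]:
        # The send list is derived from consent records, never from the raw address list
        return sorted(e for e in self._records if self.has_valid_consent(e))

    def export_subject_data(self, email: str) -> str:
        # Access and portability: everything held on the subscriber, as machine-readable JSON
        return json.dumps(asdict(self._records[email.lower()]), indent=2)

    def erase(self, email: str) -> bool:
        # Complete removal: the whole record goes, nothing is left behind
        return self._records.pop(email.lower(), None) is not None
```

Whatever list you send to should be built from `mailable()` so that an address without a recorded opt-in, or with a withdrawal, is never emailed by accident.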