GDPR and Consent for Authors

This post is a follow-on from my recent post on GDPR Privacy Policy. If you don’t know about GDPR and how it could impact you as an author, have a read of that first, then come back.

Some of the points seem contradictory, so I have listed the guidance, along with a best option that makes it easiest for you.

Disclaimer: I am not a lawyer, or an expert in this field. I am just someone that has done some research and asked a lot of questions. The following information is just my guide, and I advise you to do your own research on this topic if you haven’t already.

Today’s topic for discussion is:

Consent

Consentmanagement.eu speaks to the importance of consent under the GDPR:

All personal data processing activities must have a lawful basis. Consent is one of six lawful bases, and under GDPR the definition of consent must be clear, unambiguous and specific, and given consents should be easy to revoke.

For many of us this should be something that we have already considered and put into place. It’s one of the things that builds trust in your brand, and building your list by getting user consent first is the right way to approach email marketing. If that’s the way you work, then GDPR consent should not impact you greatly.

However, if you have old lists sitting around somewhere, or like me have lists that have been moved between several providers, you may want to take a look at changing your practices. One of the things GDPR requires is that you can show exactly how and when the individuals on your list consented to receiving your email marketing / newsletter. Some of the email list providers I have used in the past have been better at this than others, and as a result, keeping track of when everyone consented is sometimes difficult.

The Mailerlite blog discusses this topic:

Consent is a big deal within the new GDPR. Email marketers must obtain consent in accordance with the GDPR’s strict new requirements by ensuring active and explicit consent.

  • Active consent means your subscribers need to initiate the consent. You can no longer include the checks within the checkbox and make the user remove it. The user must click the checkbox.
  • Explicit consent means that you need to clearly communicate exactly what the user is agreeing to and what the data is being collected for.

Beyond being as transparent as possible with your consent forms, you must keep a record of every subscriber’s consent. The burden of proof is on you to prove that the individual consented to your terms. One way to accomplish this is through double opt-in, which provides a paper trail of the transaction.

GDPR recommends a ‘granular’ approach to consent, which means that users should have control over which bits they opt in to, and which bits they don’t.

Econsultancy.com gives this example:

Within the same consent request a retailer asks its customers for consent to use their data to send them marketing by email and also to share their details with other companies within their group. This consent is not granular as there are no separate consents for these two separate purposes; therefore the consent will not be valid.

So how does this impact me as an author?

There are a number of implications that this could have on authors, including:

  • Clear information on what providing you with an email will get a reader
  • Giving away a freebie (a book, perhaps) in exchange for an email address
  • Use of sites like Instafreebie
  • Cookies on your site (see below for more details)
  • Newsletter sign-ups

Let’s tackle them one by one:

Clear information on what providing you with an email will get a reader

Under GDPR, consent requires that visitors to your site take a positive action, which means that you shouldn’t have any pre-checked boxes, or any other form of implied consent (e.g. assuming that by downloading your book, they consent to receiving your email newsletter).

You should avoid making consent to the use of a person’s personal data a prerequisite for a service, which means that offering a freebie only in exchange for an email address for your mailing list will not comply with GDPR.

For me, that meant changing some of the info on my website to explain specifically what readers can expect when they hand over their email address. A free book, but also a monthly newsletter:

  • You’ll hear from me once a month, possibly twice if there are offers that can’t wait (so I won’t clog up your inbox)!

  • Links to freebie book giveaways. These will be in genres similar to my own – horror and dark fiction. Load your Kindle up for FREE!

  • A brief update on what’s been happening in my life over the previous month. This section is generally shaped by you, the readers, so get involved!

  • Some months there is a discussion topic of something that may be current or in the news.

  • Info on books to read, films to watch, etc.

  • Fresh from the Grave section – what’s new in my writing, what am I working on, what is coming up and any other fresh information from fellow authors that is relevant to you!

  • How you can get involved – Occasionally there will be opportunities to comment on stories as I write them; tell me what you think works, and more importantly, what doesn’t! Opportunities to get early access to future work for FREE as a beta reader.

  • And in Other News – There is always a section promoting something I am working on, or any upcoming deals or offers I have currently.

  • Freebies – I link all of my work that is available for free, including ebooks and audio available on YouTube.

  • What else do you want? Just get in touch!

Giving away a freebie in exchange for an email address

GDPR Recital 32 states:

When the processing has multiple purposes, consent should be given for all of them

This means that the usual practice of having readers provide an email to get your book but then also signing them up to your newsletter with that same assumed consent, will have to change.

How do I do that?

Those of you that use Instafreebie may have noted that they have changed their policy on compulsory opt-ins when readers download a book from their website. They will continue to allow authors to run them, but they will not promote them in any way or feature them in their newsletters, nor will they be featured in their blog or social media posts. They recommend authors use optional opt-ins, meaning readers can get their book, but DO NOT have to give their email addresses to the authors.

If you are running a freebie on your website as an incentive to sign up to your newsletter, you may wish to consider a similar approach. You will have to check your own email list provider to see what sort of support they offer for GDPR. For me, I found that Wix was not able (currently) to offer what I was looking for, so I made the move back to Mailchimp, who offer a comprehensive set of signup options that are GDPR compliant, allowing readers to choose between getting my free book, signing up to the newsletter or both. There’s no two ways around it – you stand to lose subscribers, but so far, 90% of people that have signed up on my list have also chosen to take the monthly newsletter.

The ICO, however, further muddies the water:

It may still be possible to incentivise consent to some extent. There will usually be some benefit to consenting to processing. For example, if joining the retailer’s loyalty scheme comes with access to money-off vouchers, there is clearly some incentive to consent to marketing. The fact that this benefit is unavailable to those who don’t sign up does not amount to a detriment for refusal. However, you must be careful not to cross the line and unfairly penalise those who refuse consent.

The above statement would seem to imply that incentivising sign-ups is okay, provided your sign-up form makes it clear exactly what people are signing up for.

Best Option

If that all sounds a bit vague and contradictory, it is. My recommendation would be to be specific and clear about what people are consenting to, and to only collect information that is essential for the purpose for which you are using it. You could choose to add a check box on your sign-up form that people have to check to signify that they are happy to receive your email newsletter, thereby gaining ‘explicit’ consent.

Use of Instafreebie

See above

Use of cookies

About cookies, EUGDPRCompliant.com has this to say:

  • The users must have a choice. The fact that they use a website does not mean they agree to all cookies. The type of phrase used at the moment is barely informative enough and it certainly doesn’t give a choice. A website owner will not be able to constrict users to accept cookies in exchange for information.

  • Like all other consent under the GDPR, consenting to cookies needs to be a clear affirmative action. An example is clicking through an opt-in box or choosing settings from the menu. Pay attention to not have pre-ticked boxes on the consent form!

  • Let’s not forget about opt-out. The GDPR clearly states that a data subject should be able to withdraw consent as easily as they gave it. With cookies this will generally mean that they should be able to revoke consent through the same action as when they gave consent. For example, if they consented by clicking through some boxes, they have to be able to find the same form to revoke consent.

A lot of sites I visit (including my own) still have the ‘This site uses cookies’ pop-up when you visit. My understanding is that this is currently not compliant. Users are not given an opportunity to decline them being used, or to choose which ones are and which ones are not.

ITgovernance.eu stresses the following in relation to cookies:

  • Implied consent is no longer sufficient. Consent must be given through a clear affirmative action, such as clicking an opt-in box or choosing settings or preferences on a settings menu. Simply visiting a site doesn’t count as consent.

  • ‘By using this site, you accept cookies’ messages are also not sufficient for the same reasons. If there is no genuine and free choice, then there is no valid consent. You must make it possible to both accept or reject cookies. This means:

  • It must be as easy to withdraw consent as it is to give it. If organisations want to tell people to block cookies if they don’t give their consent, they must make them accept cookies first.

  • Sites will need to provide an opt-out option. Even after getting valid consent, sites must give people the option to change their mind. If you ask for consent through opt-in boxes in a settings menu, users must always be able to return to that menu to adjust their preferences.

There are a number of costly options at the moment that can handle this task, but I have recently come across this free, open-source option. aboutcookies.org has a lot of information about cookies, how they are used, and how you can block them on your computer. Sites like WordPress have free plug-ins that you can configure to deal with the cookies on your website, and no doubt other options will appear over time elsewhere.

Best option

Based on current European Commission ePrivacy regulation, and advice directly from the ICO website:

The ‘Soft’ opt-in approach

Ensure you ask visitors if they consent to cookies when they visit your site. Get them to take an action. For consent to be valid, it must be informed, specific, freely given and must constitute a real indication of the individual’s wishes. Some cookies will be necessary to the operation of your website (e.g. remembering items in your trolley before checking out), some will be ‘session cookies’ used only for the duration of the visitor’s stay, and others will be analytics. The first two do not require consent; the third does. In the same way you write a privacy policy, you may wish to have information available to visitors about the site cookies, how they are used and how long they are retained. A link to aboutcookies.org telling visitors how to control cookies may also be a good idea.
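To make the three categories concrete, here is an added Python example (not code from the post, the ICO or any WordPress plugin) that decides which Set-Cookie headers a site may send, given what the visitor actively chose. Necessary and session cookies pass without consent, analytics cookies only after an affirmative choice, and a banner that was merely shown (or a site that was merely visited) counts as no consent. The cookie names, their categories and the sample headers are constructed for the example.

```python
"""Added example (not from the post): gate the cookies a site sets on what the
visitor actively chose. Cookie names, categories and headers are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# From the post: necessary and session cookies need no consent, analytics do.
EXEMPT_CATEGORIES = frozenset({"necessary", "session"})

# Constructed registry of every cookie this site sets, mapped to its category.
COOKIE_CATEGORY = {
    "cart": "necessary",      # remembers trolley items before checkout
    "PHPSESSID": "session",   # lives only for the duration of the visit
    "_ga": "analytics",
    "_gid": "analytics",
}


@dataclass
class CookieChoice:
    """The visitor's recorded choice. None means the banner was shown but no
    button was clicked; visiting the site is not consent."""
    analytics: Optional[bool] = None

    def accept_analytics(self) -> None:
        self.analytics = True

    def reject_analytics(self) -> None:
        self.analytics = False

    def withdraw(self) -> None:
        # One action, the same as giving consent was, returns them to "no".
        self.analytics = False


def may_set(cookie_name: str, choice: CookieChoice) -> bool:
    """True if this cookie may be set for a visitor with the given choice."""
    category = COOKIE_CATEGORY.get(cookie_name)
    if category is None:
        return False                 # unregistered cookie: never set it
    if category in EXEMPT_CATEGORIES:
        return True                  # necessary/session: no consent needed
    return choice.analytics is True  # only an affirmative choice counts


def filter_set_cookie(headers: list[tuple[str, str]], choice: CookieChoice) -> list[tuple[str, str]]:
    """Drop Set-Cookie headers for cookies the visitor has not consented to;
    every other header passes through unchanged."""
    kept = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            if not may_set(cookie_name, choice):
                continue
        kept.append((name, value))
    return kept
```

The filter would sit where your site builds its HTTP response; the decision itself is just `may_set`, which is also what a preferences menu should call when it re-renders the current choice.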

This may change when GDPR is finally implemented on May 25th. Ho hum.

Newsletter Sign-Ups

With all these changes that need to be made, you may ask yourself if you need to reconfirm your current subscribers.

The quick answer is: not necessarily. If you have a list of subscribers that you can show how and when they all consented to being on your list, you are all sorted.

If, like me, you have a list that has moved from list provider to list provider, or the names and emails have been garnered from a number of different giveaways, that paper trail may not be as easy to lay your hands on. Reconfirming your current list would be a useful exercise in those circumstances.

You will almost certainly lose a huge chunk of those people, as many will choose not to take up your offer of reconfirming their consent, but the good news is that the people that are left will be more targeted and more engaged, so it could actually be a good thing!

Reconfirming is as simple as sending out your regular newsletter to your current subscribers, but including a link to sign up to your new ‘GDPR compliant list’. Then, simply delete the old list and work from the new list going forward, with all new subscribers being added to that list in the future.

Do subscriptions need to be Double opt-in?

Double opt-in requires readers to click to confirm their email address, giving another layer of protection for them to change their mind about subscribing. The good news is that this is NOT a requirement of GDPR; however, it is probably good practice.
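The record-keeping described above (one consent per purpose, boxes the reader ticks rather than pre-ticked ones, double opt-in as the paper trail showing how and when consent was given, withdrawal as easy as signing up, and finding who on an old list needs reconfirming) as a small Python consent ledger. This is an added example, not code from the post or from Mailchimp or any other list provider; the purpose names, the seven-day confirmation window and the FakeClock are assumptions made for the example.

```python
"""Added example (not from the post): a consent ledger for a mailing list with one
consent per purpose, double opt-in, an audit trail of how and when, and withdrawal.
Purpose names, the 7-day link validity and FakeClock are assumptions."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

PURPOSES = frozenset({"free_book", "newsletter"})  # separate purposes, separate consents
CONFIRM_TTL = timedelta(days=7)                     # assumed lifetime of a confirmation link


class FakeClock:  # deterministic clock so the expiry check can be shown offline
    def __init__(self, start=datetime(2018, 5, 25, tzinfo=timezone.utc)):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, days):
        self.now += timedelta(days=days)


@dataclass
class ConsentEvent:
    when: datetime
    purpose: str
    action: str  # "requested", "confirmed" or "withdrawn"
    source: str  # where it happened, e.g. "website signup form v3"


@dataclass
class Subscriber:
    email: str
    events: list[ConsentEvent] = field(default_factory=list)
    pending: dict[str, tuple[str, datetime]] = field(default_factory=dict)  # purpose -> (token, expiry)
    confirmed: set[str] = field(default_factory=set)


class ConsentLedger:
    def __init__(self, clock=None):
        self.subscribers: dict[str, Subscriber] = {}
        self.clock = clock or (lambda: datetime.now(timezone.utc))

    def request_consent(self, email, source, checked, prechecked=frozenset()):
        """Record a signup and issue one confirmation token per purpose. Only boxes the
        visitor ticked themselves count; a pre-ticked box is ignored (no implied consent)."""
        unknown = set(checked) - PURPOSES
        if unknown:
            raise ValueError(f"unknown purposes: {sorted(unknown)}")
        sub = self.subscribers.setdefault(email.lower(), Subscriber(email.lower()))
        tokens = {}
        for purpose in set(checked) - set(prechecked):
            token = secrets.token_urlsafe(24)
            sub.pending[purpose] = (token, self.clock() + CONFIRM_TTL)
            sub.events.append(ConsentEvent(self.clock(), purpose, "requested", source))
            tokens[purpose] = token
        return tokens  # each token goes into the confirmation link for that purpose

    def confirm(self, email, purpose, token, source="double opt-in email link"):
        """Second step of double opt-in: True only if the token matches and is not
        expired. The event written here is the paper trail of the consent."""
        sub = self.subscribers.get(email.lower())
        if sub is None or purpose not in sub.pending:
            return False
        good_token, expiry = sub.pending[purpose]
        if self.clock() > expiry or not secrets.compare_digest(good_token, token):
            return False
        del sub.pending[purpose]
        sub.confirmed.add(purpose)
        sub.events.append(ConsentEvent(self.clock(), purpose, "confirmed", source))
        return True

    def withdraw(self, email, purpose, source="unsubscribe link in newsletter"):
        """Withdrawing is one action, as easy as consenting was."""
        sub = self.subscribers.get(email.lower())
        if sub is not None:
            sub.pending.pop(purpose, None)
            sub.confirmed.discard(purpose)
            sub.events.append(ConsentEvent(self.clock(), purpose, "withdrawn", source))

    def may_contact(self, email, purpose):
        sub = self.subscribers.get(email.lower())
        return sub is not None and purpose in sub.confirmed

    def proof_of_consent(self, email, purpose):
        """The confirmation event (how and when), or None if never confirmed or withdrawn."""
        if not self.may_contact(email, purpose):
            return None
        events = self.subscribers[email.lower()].events
        return next(e for e in reversed(events) if e.purpose == purpose and e.action == "confirmed")

    def needs_reconfirmation(self, emails, purpose):
        """Addresses from an old list with no provable consent for this purpose."""
        return sorted(e.lower() for e in emails if self.proof_of_consent(e, purpose) is None)
```

Two design points worth noting: a subscriber who asked for the free book is never emailed the newsletter unless they separately confirmed that purpose, and `proof_of_consent` returns nothing once consent is withdrawn, so a "who may I email" check and a "show me the paper trail" check can never disagree.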

Your current email provider may already offer this as an option that you can select. Mine did not, so I chose to move my list over to Mailchimp, although there are a number of other providers that offer solutions for GDPR and GDPR reconfirmations.

Mailchimp have a ‘GDPR’ signup form that can be customised in a similar way to their other forms.

It looks like this:

[Image: Mailchimp GDPR signup form]

You can customise the sign-up options you want to include when you create the form, then it is a simple task to segment these lists to separate those that want just the book from those that want the newsletter, allowing you to only email those that want to receive the newsletter.

Best option

Check with the provider of your own email list. Do they offer a ‘GDPR’ compliant sign-up form? I’ve checked several, and some do, some don’t. My recommendation is to look at what you are currently using, and if it fits the bill, great, if not, have a look around. There are many excellent providers to choose from!

Conclusion

GDPR is just around the corner now (May 25th), so if you haven’t already considered it, now is a good time to do so. None of it is rocket science, although it can seem confusing and somewhat contradictory, but ensuring a reader’s personal information is secure and protecting their rights is important and the right thing to do.

Being open, transparent and working towards compliance is a good starting point.
