We need to discuss the GDPR because it DOES affect you, unless you don’t target users in the EU – or anyone who is a citizen of the EU.
**Please note: Nothing in this post is to be considered legal advice. If you have questions about this or any other legal matter, please consult a law professional.**
What IS the GDPR?
GDPR is short for “General Data Protection Regulation,” a law passed by the European Union that gives EU citizens more control over their data and how it is collected, processed, and stored by others.
You might be thinking, “That doesn’t affect me!” But it does. If you are building an email list, this does affect you. Remember, things like a person’s name and email address are considered personal data and are protected under the law.
Since we are trying to build our lists, we need to make sure we are doing so in a way that is consistent with the terms of the GDPR.
The GDPR provides several important rights:
1) RIGHT TO INFORMATION
Users have the right to ask what personal data you have, how it is being used, and your reason for having it.
2) RIGHT TO ACCESS
Users have the right to see precisely what data you have and get a copy of their data.
3) RIGHT TO RECTIFICATION
If a user believes any of his data is inaccurate or not up to date, he may ask that it be modified.
4) RIGHT TO ERASURE (RIGHT TO BE FORGOTTEN)
This one is big. If a user wants to be removed from your list or database, you must comply. “Lose my number” isn’t a suggestion under the GDPR. If you no longer have a legitimate reason to retain and process a user’s data, you must remove it. A common example of this for us would be someone asking to be removed from our lists. At that point, the customer relationship has ended, and we no longer have a right to retain that data.
5) RIGHT TO RESTRICT PROCESSING
In some cases, users may request that their information not be processed. If that happens, you may store the information, but you can’t use it.
6) RIGHT TO DATA PORTABILITY
This provision gives users the right to ask that their data be transferred. This may mean the transfer of data from one data controller to another. He may also request a copy of his data, and that data must be in a usable, readable format.
7) RIGHT TO OBJECT
If previous consent was given for a user’s data to be used for XYZ, but now you’re using it for an additional purpose, a user has the right to say, “No, I didn’t agree to that.”
8) RIGHTS RELATING TO AUTOMATED DECISION MAKING
A user may object to use of his data to come to an automated decision. A good example of this would be a loan or credit application or other legal decision. He has the right to insist upon non-automated, manual review for a decision.
HERE’S THE TL;DR…
Some of these rules affect us more than others. But you need to know and understand your responsibilities.
One of my friends has a great post about the GDPR from a blogging perspective. If you’re not a blogger, some of her points won’t apply to you, but give it a skim anyway. This is important information.
I’m not in the EU. Why should I care about the GDPR?
Are you enjoying this riveting discussion? HA. Bear with me. I know legalese can make heads spin. I’ll try to explain things as I understand them, but I’m not a lawyer. So, again, please consult a lawyer if you have questions about the GDPR.
So, why SHOULD you care?
Well, two reasons:
Even without the GDPR, privacy is important.
We should always respect the privacy and rights of our subscribers.
How many times have you been added to an email list without your permission. It’s maddening. Maybe you signed up for a website, and then you started getting all sorts of unwanted crud.
Your data was probably shared with or sold to unscrupulous individuals who didn’t respect your privacy. Your data became fair game to the sharks of the internet. Maddening.
We shouldn’t ever be like that.
When someone signs up for your list, you should treat that data with respect. You don’t get to do anything you want with it.
If you don’t comply with the GDPR, you could be fined. Big time.
Now, the odds of you being fined for failing to comply with the GDPR are slim, but it certainly can happen.
Depending on the severity of the infraction, a fine may be thousands of dollars or more. That’s not a fun thought.
SO, it’s very important to make sure you are covered.
GDPR and Your Email List
GDPR is big. If you do business online, it does affect you. But how does it affect our list building efforts?
1) NEVER ADD SOMEONE TO YOUR LIST WHO DIDN’T CHOOSE TO SUBSCRIBE
This is huge. If someone didn’t agree to receive email from you, you have no right to add him or her to your email list. Adding him without permission would be a huge misuse of personal data and could get you in trouble under GDPR rules.
If you have someone on your list, you must have a legitimate reason. For our purposes, the most common reason is someone has agreed to receive a newsletter in exchange for a product or information. This is considered a legitimate reason to obtain and process data.
2) SUBSCRIBERS MUST BE ABLE TO UNSUB EASILY
Your autoresponder typically handles this for you. However, you need to know. If someone wants to be removed from your list, you don’t get to keep his name and info on file so you can keep sending emails. That’s not how it works.
Usually, when someone wants to be removed, he can click a button or a link in your message. Depending on your autoresponder, this should be added automatically. If not, you will need to explore how to add this link to your messages.
3) YOU MAY NOT GIVE AWAY OR SELL DATA
You may never take your subscribers’ data and give it to another person, and you may never sell it. Ever. Your subscribers didn’t agree to that, and you don’t get to make that decision for them. The only time this would be okay is if you ASK, “Hey, can I sell your data?” and they agree. And, let’s be realistic here. I wouldn’t agree to that. Would you?
4) NEVER BUY AN EMAIL LIST. EVER. EVERRR.
This goes with number 1. Don’t ever buy an email list. When you do, you’re emailing users who did not agree to receive messages from you. They may have agreed to receive from someone but not from you. Until you get their permission, you have no right to market to them.
GDPR and Your Optin Forms
In order to be GDPR compliant, we have to get explicit consent from a user before he can be added to an email list. That means we have to be sure our text tells the user exactly what it is he or she is signing up for.
I won’t make you read my ramblings. Instead, I’ll refer you to this well-written piece from the team behind MailerLite.
In most cases, you won’t have to change much about your opt in form to be compliant. But it’s important to be open and honest with people.
Don’t try to trick them into subscribing for an offer and then surprise them with a newsletter. Make sure people know exactly what they’re in for, and you’ll be fine.
Is your optin form compliant?
The TLDR About the GDPR
Mmm. Soup. I love soup. I don’t love alphabet soup, though.
The GDPR is no joke. It’s caused a stir in all sectors of the market, and it affects us too.
Remember, this new legislation from the EU gives people the following rights:
- The right to be informed
- The right to access what data you have collected
- The right to correct any errors in their data
- The right to be forgotten
- The right to restrict the processing of personal data
- The right to portability of data
- The right to object to your use of data and withdraw consent
- The right to demand non-automated decision making
The GDPR affects how you obtain, store, and process personal data.
It affects how you grow and use your list.
- Never add someone to your list who didn’t sign up.
- Subscribers must be able to be removed easily, and you must respect their decision.
- Never ever give away or sell user data.
- Don’t buy email lists.
It also affects your opt in forms.
People must be able to see precisely what they’re getting themselves into when signing up. Don’t give people the impression that they aren’t signing up for emails.
The penalty for not complying with the GDPR can be pretty steep. We’re talking fines of hundreds, thousands, or even millions of dollars.
Now, again, the chances of a small time person like you or me being targeted are very slim to none. BUT it could happen. It’s best to be safe.
Even without the GDPR, we should respect the privacy of our subscribers. It’s simply the right thing to do.
The bottom line is this: Don’t panic. Make sure you’re respecting the privacy and rights of your subscribers. Don’t fool people into subscribing, and make sure they give full consent to the use of their data by telling them exactly what they’re getting into.
If you have questions about the GDPR and how it affects you, consult a professional who is familiar with the law.
I will answer any questions I can, but I cannot guarantee the accuracy of what I say. I’m not a lawyer. But this is how I understand things.