GDPR for Authors, Part 4

May 23, 2018 by Randy Ingermanson 2 Comments

in Websites Tagged: contact forms, email lists, gdpr

Over the last week and a half, I’ve been blogging about the new GDPR rules that will go into force on May 25. I covered what I consider the first three steps—creating your Privacy Policy, updating your Contact forms, and updating your Blog Comments form.

Today, I’ll talk about a step that most authors care about deeply—their e-mail list.

Once again, the standard disclaimer: I am not a lawyer, and nothing I say here should be considered legal advice. I’m blogging about my own journey to get my websites GDPR-compliant. If that helps you on your own journey, very good, but you should consult a lawyer versed in GDPR if you want legal advice.

Why E-mail Lists Matter

I’ve talked many times in my Advanced Fiction Writing E-zine and a few times here on this blog about the importance of managing an e-mail list. The reason is simple—nothing converts like e-mail.

I won’t try to prove that here. Most authors know it’s true, and in the last few years, we’ve all seen numerous authors build large e-mail lists. (My latest book is currently a best-seller in a couple of categories, largely because of the strength of my e-mail list.)

But now it’s important to make sure that your e-mail list-building is done in a GDPR-compliant way.

The exact process for doing this will depend on who manages your e-mail list. I can’t possibly cover all the e-mail service providers, so I’ll focus on the one I use and that many authors use—MailChimp.

MailChimp is free if you have fewer than 2000 subscribers, so that’s a nice reason to start out with them. I’ve been a MailChimp user for several years now. This blog feeds to a MailChimp e-mail list that sends out an e-mail containing every new blog post. That’s how most of my Loyal Blog Readers receive this blog.

How To Update Your MailChimp List

As I noted in my last blog post, MailChimp has a very nice article on their site with detailed instructions on how to update each of your MailChimp lists to be GDPR-compliant. (If you’re not using MailChimp, your own e-mail service provider probably has a similar article on their website.)

There’s no point in me trying to write MailChimp’s article all over again. They put a huge amount of work into it, and it’s very good.

But let me point out one issue that might make their article confusing to some: They essentially explain the process twice. The first time, they explain it in words. Then they have a couple of long sections that explain what some of the words mean that they just used. Then they explain it all again with more details and some pictures.

The overall process has four steps, and I’ll use exactly their headings so you can look for them in their article. These are the key tasks you need to do:

Enable GDPR Fields
Edit GDPR Fields
Segment Your List by Marketing Permissions
Collect Consent

What Do Those Four Tasks Do and Why Are You Doing Them?

It’s worth taking a moment to say in simple language why you do each of those four tasks (at least as I understand things):

The reason you Enable GDPR Fields is so that your mailing list now contains more information about each user. It has always contained at least an e-mail address, and probably also a name and other info. But now there will be information on exactly what “marketing permissions” each user granted you. There are a number of different “marketing permissions” but the essential one for you is “Email.” Your users now will explicitly grant you the “marketing permission” to send you e-mail. Or they can take away that “marketing permission” at any time.
The reason you Edit GDPR Fields is because you need to decide exactly what your signup form will say. It will have some legal language. MailChimp provides you with suggested legal language. You can tweak it if you want. Or you can just use what MailChimp provides you.
The reason you Segment Your List by Marketing Permissions is to make sure that after May 25, you only send e-mail to people who gave you a “marketing permission” to send Email. And what is a “segment?” It’s just a subset of your subscribers. MailChimp lets you choose a “segment” in many ways. One of those ways is to choose the set of all subscribers who granted you a particular “marketing permission.” Then when you send e-mail after May 25, you send it only to that “segment.”
The reason you Collect Consent is because you’ve just changed your e-mail list to contain more information about the “marketing permissions” that your list members have given you. But as yet, none of them have specifically opted in to the precise GDPR language (using the words “marketing permissions” and all the legal lingo) that you just set up in your signup forms. So before May 25, you need to send out an e-mail to your current subscribers asking them to confirm their “marketing permissions” using this new language. Very likely, the reason they joined your list in the first place was because they wanted e-mail from you. But you may or may not have proof of exactly what they agreed to when they signed up long ago. Now if they update their settings on your new signup form, MailChimp will have proof of exactly what “marketing permissions” each subscriber agreed to and when they agreed to it.

MailChimp recommends that after May 25, you should not send e-mail to anyone who didn’t check the Email checkbox in your “marketing permissions.”

What I Did

I worked through the above four steps for each of my main lists—my fiction reader list, my Advanced Fiction Writing E-zine, and the list for this Advanced Fiction Writing Blog.

The first time, I had to read the MailChimp article very carefully to make sure I understood everything. And I took the time to figure out why they wanted me to do each step.

The second and third times, it was quicker and easier.

Yesterday, I sent out e-mails to each of my three lists, asking my subscribers to update their subscription settings. Many subscribers have already done so, but of course a lot haven’t. So my lists will be smaller. I’m not thrilled with that, but it’s not going to kill me.

MailChimp suggests later sending out a followup e-mail to remind people to update their settings.

If you’re receiving this blog post via e-mail, please consider this your reminder, if you haven’t updated your subscription settings yet. At the very bottom of this email on the right side, there’s a link that says “update subscription preferences”. If you click that link, it’ll take you to a form you can fill out. To continue receiving this blog via e-mail after May 25, you’ll need to click the “Email” checkbox on that form and then click the button at the bottom that says “Update Profile.”

And That’s the Core of GDPR

There are more things to do for GDPR-compliance if you have a more complicated website. But I think I’ve covered most of the basics that apply to most authors. So this may be my last blog post on GDPR—I’m still thinking about if there’s anything left to say.

One final note: I discussed Contact forms last week, but now I have an update. If you have a Contact form on a WordPress blog and you’re using Gravity Forms (a popular plugin to create Contact forms), you should be aware that everytime somebody sends you an e-mail from your site, a copy of their message is stored in your WordPress database. That copy will contain the sender’s name and e-mail address, which is personal information. You probably don’t need that in your database, as long as those e-mails are actually being delivered to you. If you decide you don’t want all that personal information in your WordPress database, it’s possible to delete it by going to the Entries page for Gravity Forms in WordPress and trashing all the entries. (This is a little tedious.)

The problem is that as soon as somebody uses your Contact form again, another entry will go into your WordPress database, and you can’t prevent it. (Gravity Forms doesn’t give you the option of not saving those entries.)

However, there’s a nice plugin that will delete new Contact form entries from your WordPress database automatically, almost as soon as they get added. The plugin is called Wider Gravity Forms Stop Entries. It’s free and you can find it on this page on the official WordPress plugin site. I installed it today on my site and it seems to work well.

GDPR for Authors, Part 3

May 20, 2018 by Randy Ingermanson 1 Comment

in Websites Tagged: blog, gdpr

Last week, I blogged a couple of times about the new GDPR rules that will go into force on May 25. I covered what I consider the first two steps—creating your Privacy Policy and updating your Contact forms.

Today, I’ll talk about another step in the process—updating your blog comment form.

Blog Comments and GDPR

If you have a blog on your website and allow comments, then you typically require people to give some sort of personal information in order to make a comment. For example, you might require them to give a name and an e-mail address and optionally a website.

You ask for their name because that creates some accountability. Anonymous comments can be vicious comments, and that’s not what you want on your blog.

You ask for their e-mail address, even though that doesn’t get displayed, because you might want to contact them privately. And you may also have things set up so commenters can be notified by e-mail if somebody responds to their comment.

You ask for their website (if they have one) so that people can click on their names and go learn more about them.

You might also have a cookie that can fill in their info next time they want to comment.

This is all pretty innocuous stuff, but it is personal information, and therefore GDPR applies.

So you need to get permission to collect and process this personal information.

What I Did To Make this Work

A new version of WordPress (version 4.9.6) was released last Thursday, May 17. It had a number of new features that make GDPR-compliance easier. There’s a very nice and detailed review of the new features on MaAnna Stephenson’s blog here. This may be the best summary of GDPR I’ve seen yet.

One of the new features in WordPress is that the form for blog-commenters to fill out now includes a checkbox that says: “Save my name, email, and website in this browser for the next time I comment.”

That clearly tells people that their info will be stored in a cookie. Then the cookie will fill in that info next time.

So to get this working on my site, I updated WordPress to version 4.9.6. (Actually, my web developer updated it.) My understanding is that the new checkbox now automatically appears in the comment form. (You should check me on this to be sure, since I didn’t do this myself. But I don’t see any way to eliminate this checkbox from your form.)

My understanding is that there should also be a checkbox that people have to check to accept the website’s Privacy Policy. That feature is not built into WordPress, but there’s a new plugin that does the trick.

The plugin is called “WP Comment Policy Checkbox.” It inserts into the Comment form a checkbox that says: “I have read and accept the Privacy Policy.” And it adds a link to the website Privacy Policy.

If you look at the Comments page of this blog entry, you’ll see the two new checkboxes. They weren’t there a week ago. This is progress, right?

There’s Still More to GDPR

One of the major GDPR requirements is that you inform people of exactly what they’re getting into when they subscribe to your e-mail newsletter (or your blog, if they’re subscribing to your blog by e-mail).

That takes some work, but I’ll defer that to another post. I’ve spent some time today learning how to do this, and I’ve almost completed it on one of my websites. I’m not a MailChimp guru, and it’s been awhile since I spent much time looking at all its many powerful features. So I got kind of side-tracked looking at all the whiz-bang goodies. But I’m now pretty clear on how GDPR-compliance works in MailChimp. It’s not that hard.

If you want to get a running start on it, check out MailChimp’s article Collect Consent With GDPR Forms. Even if you don’t use MailChimp, this will give you a reasonably clear idea of what sort of work you need to do to get your e-mail lists up to snuff for GDPR.

GDPR for Authors, Part 2

May 14, 2018 by Randy Ingermanson 6 Comments

in Websites Tagged: contact form, gdpr

Yesterday, I blogged about the new GDPR rules that will go into force on May 25. I covered what I consider the first step—creating your Privacy Policy.

Today, I’ll talk about what I consider the next step on the road to GDPR-compliance—revising your Contact forms.

Contact Forms

You probably have a Contact page on your website that lets people send you an email using a Contact form. A Contact form has fields for a site visitor to type in their name and email address and their message. It’s a lot more primitive than a regular email program. Why do most websites have such primitive Contact forms? That calls for a little history…

In the old days, a Contact page usually had a simple email link in a format called “mailto,” which contained the email address of the website owner. When a website visitor clicked on a mailto link, their email program popped up, loaded with the email address of the website owner and ready to type in the email message. That was very convenient.

But the problem was that spammers could send out bots looking at Contact pages to read those mailto links. Then the spammers had the email address of the website owner, and they sent him tons of spam.

That’s why most websites these days have a Contact form instead of a bare mailto link. It’s protection for website owners from the spammers.

But here’s the problem for GDPR compliance: A Contact form usually puts the website visitor’s name and email address into the website database. There are good, sensible reasons for this. But now the website is storing personal information of any site visitor who uses the Contact form. And GDPR is all about letting website visitors control their personal data.

Please note that it’s possible to use a Contact form that saves no personal information to the website database. In that case, you don’t have to worry about letting your website visitors control this particular information, because there’s nothing to control.

On my website, I have Contact forms created using a WordPress plugin called Gravity Forms. I checked and found that Gravity Forms does save information to the site database. It saves the site visitor’s name, email address, and the message they sent.

While this might seem pretty innocuous, it is personal data. And therefore GDPR covers it. GDPR says that this personal data can’t be collected without consent.

So our next step is to get the website visitor to give consent before the Contact form collects that personal data.

Getting Informed Consent

As I understand it, the website visitor must voluntarily give informed consent. That means you need to tell them what you’re doing, and then they need to freely take some positive action to consent to it, and then you need to keep evidence that they gave consent. And they must have the option later on to revoke consent.

That all sounds complicated, no? How is this supposed to work out in practice?

First of all, you should already have your Privacy Policy available in the standard location on every page of your website. That Privacy Policy spells out in fair detail what you’re doing with their personal data. So there’ll be a section in your Privacy Policy that says what information you collect on your Contact form and what you do with it. (Presumably you at least store it, but your site may do other things with it than simply storing it.)

If your Privacy Policy is well-written, then your website visitor has been informed (or at least has the option to have been informed).

Now how do they give consent?

They give consent in the Contact form itself. There needs to be a checkbox in the Contact form that makes clear they are giving consent to have their personal information used. The checkbox should start out unchecked. The site visitor then checks that box. If they don’t check the box, then the Contact form refuses to send their email to you.

What I Did To Make This Work

Today I went to all the Contact pages on my site. In each form, I added a checkbox with wording something like this: “You consent for your name and email to be stored electronically.”

The checkbox is a “required field” which means that the user can’t send the email unless the checkbox has been clicked.

And the checkbox starts out unchecked, which ensures that the user has to take positive action to give consent.

As I understand it, this takes care of the requirement that I get informed consent.

Yes, this is a bit of a hassle. Yes, it seems like bureaucratic rigamarole. But it only needs to be done once, and it’s done.

If you’re not techie, this may seem like a lot of work. But if you’re not techie, you probably had a webmaster create your Contact form to begin with, and I expect they could revise it pretty quickly, if you tell them what to do.

You should of course do your own legal homework to choose wording that you believe meets the GDPR requirements. You shouldn’t assume that I got the wording right. Remember, I’m not a lawyer. I’ve done my best, but I can only be responsible for my own site.

There’s More, But We’ll Leave That For Later

GDPR also requires that your users should later be able to find out what personal information you’ve stored that originally came from your Contact form. They should be able to get the information in electronic format. They should be able to make you delete it from your system.

How do you make that happen?

I’m going to leave that for another day. WordPress will be releasing the new version of WordPress (version 4.9.6) on Thursday, May 17. As I understand it, the new release will have tools needed to handle these particular GDPR requirements. So I’m going to hold off talking about that until I’ve seen the new release. If the new release doesn’t do the trick, there are some plugins that might handle it. More on that in a few days.

GDPR for Authors, Part 1

May 13, 2018 by Randy Ingermanson 19 Comments

in Websites Tagged: gdpr, privacy policy

For the last few weeks, I’ve been trying to wrap my head around the new GDPR (General Data Protection Regulation) which goes into effect on May 25, 2018. I’m starting to get clear on how it affects me and other authors. This is my first blog post about GDPR, but I expect it won’t be my last.

First, the standard disclaimer: I am not a lawyer and this blog post is not legal advice. This blog post is an attempt to explain in simple language what I’ve been learning. This post may not be completely accurate, but it’s my best shot.

What is GDPR and Why Should You Care?

The GDPR is a regulation created by the European Union to protect the personal data of European citizens. It applies to anyone who is offering goods and services (free or paid) to people in the European Union. That means if you have a website or blog that could ever be visited by someone from the EU, the GDPR applies to you.

You may be thinking that you don’t collect any personal data, so how could the GDPR apply to you? If you really don’t collect any private data at all, then you still need a privacy statement that says so. And that privacy statement needs to be clearly posted on your website or blog.

But don’t be so sure you’re not collecting any private data at all. Websites are complicated beasts with a lot of moving parts under the hood. Here are some ways you may be collecting private data on your website or blog that you may not have thought of:

Do you have a contact form that lets people email you?
Do you have an email newsletter list?
Do you allow people to post comments on your blog or your website?
Are you an affiliate of Amazon or Apple iBooks or any other online store?
Do you have Facebook Like buttons? Or Twitter Tweet buttons? Or any other social media buttons?
Do you track visitors to your site with Google Analytics or some other tracking tool?
Do you have any sort of cookies on your site?
Do you have a Facebook “pixel” on your site?
Do you use Feedburner for your blog?
Do you use a spam protection service, such as Akismet?

And there are hundreds of other ways your blog or website might conceivably be collecting personal information.

Now, it’s not wrong to collect and use personal information. That’s what allows you to serve people. But when you collect people’s personal information, such as names or email addresses, the GDPR says that you need to provide people with basic information: Who you are, what data you’re collecting and why, how long you hold on to that data, who you share that data with, how people can find out what data you’ve collected about them, how people can tell you to delete their data, and who they can contact in case they have questions.

You may be thinking this is getting complicated. Yes, it is a bit, but remember, this is for a good cause. This will benefit you. You will now be able to find out who has your personal data and what data they have. You will now be able to make them delete your personal data if you ask. Here’s why you will get this benefit: The GDPR gives European citizens the right to control their personal data. Therefore, virtually all websites and blogs will provide that right to Europeans—and at the same time, they’ll provide the same right to everyone else in the world, including you. (There may be a few sites that will find the GDPR too onerous and will refuse to serve European citizens. But the vast majority of sites are going to follow the GDPR.)

If you have a blog or a website, there are several things you need to do to get ready for GDPR. And the deadline is May 25, so now is a good time to begin.

So what do you need to do in order to make sure your website or blog is GDPR-compliant? What actions do you need to take?

That depends on what your site does. Most authors have simple “brochure websites” that will probably not take too much tweaking to get compliant.

In this blog post, I’ll talk only about the first step in the process. I don’t think you can do anything else until you take this first step.

First Things First—A Privacy Policy

From what I can see, the very first step is to get a good solid Privacy Policy.

In the old days, people put a one-line statement on their e-mail signup form that said something along the lines of “I respect your privacy and would never spam you.”

That’s not good enough anymore. You need a Privacy Policy that meets the requirements of the GDPR, using the correct language. I strongly, strongly, strongly recommend getting one written by lawyers who actually know all the regulations and can keep things up to date as the laws change. Because it’s a good bet that the laws are going to continue to change over the next few years.

Here’s a link to my Privacy Policy: https://www.iubenda.com/privacy-policy/901398

As you can see, it’s got some legalese built into it. I didn’t write that policy. I got it from a company named Iubenda that specializes in writing Privacy Policies for websites. They have a free Basic version. The Pro version costs $27 per year. I don’t remember the different between the Basic and Pro versions, but I paid for the Pro version. Iubenda generates the policy for you and keep it constantly up to date. If you need to make changes at any time, you can just click a few buttons and update your policy at no extra charge.

Here’s my affiliate link to their site: http://iubenda.refr.cc/2N349LZ

Full disclosure: The link just above is an affiliate link. That means if you click on it and buy a Privacy Policy from Iubenda, I’ll get paid an affiliate fee for referring you. And you will get a 10% discount for the first year of service.

If you don’t want the discount for yourself nor the affiliate fee to go to me, I’m OK with that. You can just use this non-affiliate link: http://iubenda.com You’ll pay full price and I’ll get nothing. I would recommend Iubenda even if they had no affiliate program, because I think they do a good job at a fair price. I’ve been using their service for quite some time and I am happy with it.

Here’s what I like about Iubenda. When you create a Privacy Policy for your site, they show you a large list of many possible things that a website typically does. (Running an email newsletter, having a contact page, taking blog comments, allowing social media buttons, and many many more.) You select the ones your site actually does. Then Iubenda creates a custom Privacy Policy that tells what your site does. It’s written in GDPR-compliant language. Yay!

At the end of the process, Iubenda gives you a link to your policy. They host the policy on their site, so if they ever change the language to meet new regulations, it’s always up to date. You can put that link on your own site, and you’re good.

Posting Your Privacy Policy

You need to put a link to your Privacy Policy on every page of your website. The standard place where Privacy Policy links go on a website is at the very bottom, in the footer of the page. You can see an example on this page you’re reading right now, if you scroll down to the very bottom. You’ll see a button labeled Privacy Policy that brings up a screen on this page.

How do you put your Privacy Policy button on your own site? Iubenda gives you a piece of code to do that, along with instructions. Depending on how techie you are, you may find their explanation easy or hard to understand, but any webmaster will be able to follow their directions.

If you’re using WordPress, there is a plugin named Head, Footer, and Post Injections that lets you put a link in the header or footer of every page of your site. If you don’t know how to do this yourself, then you probably have a webmaster who does. Do it promptly and then check to make sure it’s right.

If you’re not using WordPress, then whatever technology you’re using should have some way for you to put a link to your Privacy Policy on the footer of every page.

You Need a Cookie Policy Too

Along with the Privacy Policy, Iubenda will generate for you a Cookie Policy, which you also need. You should post this in a link in your footer in the same way you did the Privacy Policy. The Cookie Policy doesn’t cost anything extra and it gets created at the same time as the Privacy Policy, so the only extra work is to add the Cookie Policy link.

You can see my Cookie Policy button at the very bottom of any page of my site here.

And Finally You Need a Cookie Solution

Finally, you probably need to inform visitors to your site that you’re using cookies and get their consent before they do anything else on your site. Iubenda will provide you with code to do that, which you can put in the header of every page of your site. Iubenda calls their code the “Cookie Solution.” It’s a piece of Javascript that does all the magic.

When somebody visits your site, the Cookie Solution will create a banner across the top of the page saying that your site uses cookies. The banner will ask for the visitor’s consent, and give the visitor information on how to refuse consent.

There’s more to GDPR

So far as I can tell, there are at least two more steps that most authors will need to take to get GDPR-compliant. (The two steps are to tweak your Contact page and your email newsletter signup form.) Both steps require that you have a Privacy Policy already written and that you have a link to that Privacy Policy. So get that Privacy Policy done first. Do it today. Do it now.

I haven’t yet done these next two steps, but I think I know what to do. I’ll be working on those shortly, and as soon as I’ve got them done, I’ll try to blog about it here (if I have the energy). That way, you can benefit from what I learn. And I hope that if I make any mistakes along the way, one of my Loyal Blog Readers will tell me where I’m wrong, and again we’ll all benefit.

If you’re thinking this is all a massive pain in the butt, well, I can’t disagree. I wish it were all super easy. But the reality is that this is going to take most people a few hours to get it done. And the clock is ticking.

Organizing Your Writing

Creating Your Story

Marketing Your Work