GDPR and Newsletters

(I’ve put this in ‘Marketing’, but I guess it could also go in ‘Data’ - please move if you want!)

As people in the UK and Europe cannot fail to be aware, this month marks the deadline for GDPR compliance for privacy and data policies on websites, newsletters, etc. I don’t collect much - I use cookies and I have a newsletter - but even so I need to get my head around what to do.

My main concern is the newsletter. However, I’ve received conflicting advice about this. Some say that it’s enough to contact all my current subscribers with a link to my new privacy policy. Others that I need to unsubscribe everyone and get them to sign up again, explicitly ticking the new ‘I’ve read the privacy policy’ box.

So, my question to you good folk is: do any of you know what to do?

Secondly - and this is more addressed to Patreon (@erin, @carla, etc): what is Patreon doing to make itself compliant? Do I need to worry about that side of things, or does Patreon have it all in hand?


The thing to keep in mind is that GDPR concerns “organisations” or more generally “establishments”:

“Organisations are subject to EU data protection law if they have an establishment in the EU. The word “establishment” is not precisely defined. The key question is whether there is effective and real exercise of activity through stable arrangements (e.g., a branch or subsidiary can be an “establishment”, but a travelling salesperson is unlikely to constitute an “establishment”).”

I don’t yet know if “a creator” constitutes an “establishment” or an “organisation”. If not, it seems that rules of GDPR do not concern you. If yes but you are ‘just a creator’, a single person running a very small business, then I would go with writing a privacy policy and letting everybody know about it. There are cases where active re-establishment of consent allowing processing of personal data is necessary per GDPR and cases where it is not.

For example (and most probably) instead of getting active consent you can process personal data on the basis of your “legitimate interest”.

The other lawful basis can be “contractual performance”. If you offer rewards and you need to send them by post, you cannot do this if subjects don’t give you their address and name. For such cases you don’t need consent. If your reward is crediting your patrons in the end titles of a video, for example, you cannot do this without their names. To do what the contract between you and them demands, you need that particular personal data.

There’s more about the lawful bases for processing personal data here (see the commentary on “legitimate interest” below that table):

And, uh, ignore the whole part about “sensitive personal data”.

But I would first ask a specialist where the line is between ‘personal’ and ‘establishment/organisation’.

I’m in the same situation as you. My understanding of this, and the reason why I’m getting everyone to confirm they want to stay on (otherwise they’re getting unsubbed) is simply to cover my back thoroughly. When people resubscribe/confirm, their consent to receive my newsletter is recorded. They cannot claim otherwise down the line. If I just inform them of my new privacy policy, and let subscriptions stand as they are, a complaint about spam or whatever could end up with me being fined, since the person would never have opted-in. I don’t actually think anyone on my mailing list is a dick, but it is true that I don’t know most of them, and I added many of them myself manually after they signed up on paper during an event or a course. So I’d rather be totally in the clear and have a mailing list 100% opted in, even if I lose half of it in the process – those will be the people who’re not really interested/paying attention anyway.

In short, I’ve personally decided to play it safe because the legalese is confusing. If it helps, everyone I know on Etsy is going through the process, and they’re all one-person businesses as well.

Hi @lukaprincic. Thanks for your reply. However, I’m pretty sure that GDPR does apply to individuals (sole traders), or basically anyone that keeps data that may be used to identify individuals (email addresses, names, IP addresses).

@joumana: Well, it’s perhaps reassuring that others are unsure! I think I may still have the sign-up confirmations, as I started my newsletter fairly recently. However, this was before I had a privacy policy that they could agree to, so as you say, I’m tempted to play it safe. Which is a pain, because you inevitably end up losing subscribers because people are either pissed off or lazy. What are you using for your privacy policy? I’m a member of the Association of Illustrators, who are promising to produce one, but it may not be available before the deadline (useful!). I also wonder about cookies… (the electronic kind, obv)

How recently did you start it? Are you with MailChimp? Because they started implementing this GDPR opt-in some time ago (I’m not sure how long exactly), so anyone signing up now has to tick the box to confirm permission, so they’re sorted. If all of your subscribers have signed up of their own accord, that is also very helpful, and in that case it may be enough to inform them prominently of the new policy and state (in a nicer way) that carrying on with their subscription means they agree to it. That’s what big corporations like FB, Twitter, etc. do when they update their policy, for instance. The need to make people re-subscribe applies more to those of us who have added people manually to our mailing list. Some companies do that automatically when you purchase from them. I do that a lot because people ask me to, or they fill out a form at my events where I ask if they’d like to receive monthly news. In this case the record shows that they did not sign up themselves, which is where it could snag for me. If you haven’t done this, if all your subscribers are self-subscribed, I think you’re fine.

What policy exactly, is where I’m a bit confused. But if your mailing list is with Mailchimp, that will refer to their policy (see my signup page for instance, which is their own automated one. It’s unambiguous: the new policy is provided by them). Personally, in the announcement where I asked them to re-subscribe, I just made this statement which basically is my policy: “I take your privacy very seriously. I will never share your details with any third party, and I do not use them for any other purpose than to send you the newsletter you signed up for.” There’s nothing more for me to say because that’s really all. For most artists this covers it, I think!

I use the Newsletter plugin for WordPress, so I don’t think there’s a boilerplate policy that I could use. I think it needs to specify what data you keep. In my case it would be names, emails, and possibly something related to their location (IP address) and whether they’ve opened or clicked on the emails I send out. This functionality all comes as a standard part of the plugin.

I think I may try to contact the Newsletter authors and see if they have a policy. Apparently Mailchimp do a resubscribe option.

Ahhh I see.

Is this of any help? It just came my way.

OK, for anyone who’s interested, here’s my privacy policy:

I’ve also installed a plugin for cookie acceptance, that allows users to disable cookies. I’m not completely sure that this disables all information gathering (maybe I can still tell what browser they’re using, etc), but it should stop tracking. I think.

God, this is a nightmare.


I have always had double opt-in for my newsletter. In a nod to GDPR, I’ve beefed up my privacy policy, but I’m not going to email it to everyone and I’m certainly not going to make them sign up again. If double opt-in isn’t good enough, nothing is.

I have double opt-in too. The issue is consent, I think - but to what? If your privacy policy is new, then you can’t assume consent to something you’ve just created. GDPR requires that you find some way to determine that your current subscribers see your privacy policy and consent to it - whether implied or explicit consent is the debatable point (concerning existing subscribers).
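The two posts above rest on double opt-in: a subscriber only counts once they have clicked a confirmation link, and the record of that click is the evidence of consent. The following is an added example (not code from any poster, nor from MailChimp or the Newsletter plugin) of how such a flow is usually built: the confirmation link carries an HMAC-SHA256 token binding the address, the policy version shown at sign-up, and an expiry, and the store only marks an address as mailable once a valid, unexpired token has been presented. The in-memory store, the 48-hour link lifetime, and the field names are assumptions for illustration.

```python
"""Double opt-in with a recorded consent trail (illustrative example).

Flow: a sign-up request goes into `pending`; the subscriber receives a
signed, expiring confirmation link; only when that link is clicked is the
address moved to `confirmed`, together with when and how consent was
requested and confirmed and which policy version was in force. Nothing is
ever sent to an address that is not in `confirmed`.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time

TOKEN_TTL = 48 * 3600  # confirmation links expire after 48 hours (assumed value)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_confirm_token(email: str, policy_version: str, key: bytes,
                       now: int, ttl: int = TOKEN_TTL) -> str:
    """Return 'payload.signature'; the HMAC binds email, policy and expiry."""
    payload = json.dumps(
        {"email": email, "policy": policy_version, "exp": now + ttl},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_confirm_token(token: str, key: bytes, now: int):
    """Return the payload dict, or None if malformed, tampered or expired."""
    try:
        p, s = token.split(".")
        payload, sig = _unb64(p), _unb64(s)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    data = json.loads(payload)
    if data["exp"] < now:
        return None
    return data


class ConsentStore:
    """In-memory stand-in for the mailing-list database (assumption)."""

    def __init__(self, key: bytes, ttl: int = TOKEN_TTL):
        self.key, self.ttl = key, ttl
        self.pending = {}    # email -> sign-up request awaiting confirmation
        self.confirmed = {}  # email -> consent record (the evidence kept)

    def request_subscription(self, email, source, policy_version, now=None):
        """Record the request and return the token to put in the e-mail link."""
        now = int(time.time() if now is None else now)
        self.pending[email] = {"email": email, "source": source,
                               "policy_version": policy_version,
                               "requested_at": now}
        return make_confirm_token(email, policy_version, self.key, now, self.ttl)

    def confirm(self, token, now=None):
        """Called when the link is clicked; returns the consent record or None."""
        now = int(time.time() if now is None else now)
        data = verify_confirm_token(token, self.key, now)
        if data is None:
            return None
        request = self.pending.pop(data["email"], None)  # token is one-shot
        if request is None:
            return None
        record = dict(request, confirmed_at=now, policy_version=data["policy"])
        self.confirmed[data["email"]] = record
        return record

    def can_send(self, email) -> bool:
        """Only confirmed addresses may be mailed; manual additions never qualify."""
        return email in self.confirmed


if __name__ == "__main__":
    store = ConsentStore(key=b"\x01" * 32)  # real key belongs in config, not code
    token = store.request_subscription("reader@example.com", "website form",
                                       "2018-05", now=1_000_000)
    print(store.confirm(token, now=1_000_100))
```

An address added by hand from a paper form never passes through `confirm`, so `can_send` stays false for it until the person clicks a link themselves, which is exactly the distinction the thread draws between self-subscribed and manually added subscribers. Storing `requested_at`, `confirmed_at`, `source` and `policy_version` together is what lets you later show which policy text a subscriber actually agreed to.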

Sorry for the delay in my response about Patreon.

We have been going through an internal process, and each team has been in the process of individual preparation for this. We are working through any updates to process we have to make (for example, in marketing this could mean something as literal as the following: someone registers for an event, decides not to come, and then wants us to delete their data; we have to have a process). This process has been underway for a while, and if we have to make any updates to the privacy policy or anything else, we’ll share those with everyone.

Great - thanks Carla. Good to know it’s all in hand.


Happy you posted about this, because I am trying to figure this out too aaaand it’s not easy!

I was hoping I didn’t have to do or change much, since I don’t plan on doing any targeted promotion/marketing automation stuff anyway.
But according to this infographic I have to get specific separate consent (so segment my list and have different checkboxes) for all of the specific things I am going to use their email for, like “weekly newsletter” and “general promotional emails (season sales, product specials etc)”…
I was hoping I could just have it all in one checkbox, as “newsletter and relevant offers”. But no? :confused:

The infographic:

Also want to point out that GDPR affects everyone with customers in the EU, or email list subscribers in the EU, even if you are based outside of EU.


Copy-pasting some interesting info I found in the comments of this blog:

"Under GDPR, I understand that a tickbox isn’t even required if all you are collecting is personal data, i.e. name, email, etc. You DO need a tick box if you are collecting sensitive data, i.e. political preference, race, etc. The act of inputting your email and clicking submit is unambiguous consent (given the clear language about privacy policy etc.).

What is unclear is if legitimate interest comes in when you combine a lead magnet with your opt-in as gdpr says you cannot bundle consent with a service. legitimate interest could apply if your emails are related to the topic of the lead magnet.

So, panic mode over, it may not even be necessary to have check boxes at all if all you’re collecting is basic data like a name and email."

"Absolutely, tick boxes are not a requirement, the requirement is positive affirmative action to get consent. If you’ve got a subscribe form for a newsletter, then the act of clicking a ‘subscribe’ button is positive action.

A tick box or other positive action is needed when collecting data for marketing during another process, such as account setup or purchase and wish to get consent to marketing too.

In respect of lead magnets if someone completes a form to get a whitepaper or other download and that makes no mention of the data being used for any other purpose than supplying the whitepaper then there is no legal ability to send marketing. Legitimate interest does not permit marketing to be sent, though would allow the data to be used to send the person the whitepaper requested."

(Sorry for almost spamming here but… ) So apparently we don’t need check-boxes if we’re just collecting names and email addresses.

But even if checkboxes are not needed, it seems we still need to segment the list and get specific consent for all the types of info we want to email them, or? This is the question I’m not sure of, and I rather not have to segment it hmm.

I have seen lots of companies etc. sending emails and saying that “if you consent to this you don’t have to do anything”, basically. Just got an email from Discord saying “We updated our privacy policy. By using Discord on or after that date, you’ll be agreeing to the changes.”
Can’t I just do it this way too?

As far as I understand, under GDPR it goes like this:

Do you need the customer’s email to send them the goods, or to contact them about their purchase (like sending an invoice)? You have a legitimate reason to collect the email without consent (because of contractual obligations).

Do you want somebody to subscribe to your news? If they click the subscribe button, you have their active consent.

Previous practice was to take an email address from the former case (buying the goods) and automatically subscribe them to the newsletter (latter case). This is not allowed anymore, and people you have on your mailing list for the newsletter have to resubscribe, i.e. give active consent. That’s why the post you mention is talking about segmenting: those who gave an email as part of their purchase must not be sent the newsletter if they haven’t actively consented to it.

Above all, all these people have to know about your new privacy policy, which states precisely what you are doing with all their personal information and how they can request deletion or retrieval of everything you have on them.

Sorry if I’m writing the obvious and already known.


Thank you for this. I have never added anyone to my list without their consent through a purchase or something (always thought this was kind of rude); they have all subscribed themselves, so I guess that means I don’t have to make them all resubscribe! Phew :smiley:

I suppose all I need to do, I hope, is update my sign-up form with clearer info about what I use their email for, and in my next newsletter share this with everyone.
Also add more info to the embedded forms on my website.

I don’t have any specific privacy policy on my website, because I don’t have any cookies or anything on my website.


Thanks everyone for your replies. I’m still not sure about the tick box thing. I would say the safest thing is, when people sign up to your newsletter, have a simple tick box that says “I’ve read your privacy policy and I consent to its terms”. Otherwise, I think, their consent isn’t explicit, because you can’t prove that they knew they were agreeing to your use of their data/under what terms you would contact them.

As for cookies, I’m afraid most sites use them. I hope you don’t mind, @nymla, but I entered your site address into, and it lists a few cookies. So it seems you’ll need some sort of policy for that.


What a useful website!