What GDPR means for Authors and Bloggers

On May 25, 2018 there are some major changes coming through the pipelines under a new law called the General Data Protection Regulation (GDPR). It’s being implemented to protect your constituents (aka readers, fans, i.e. bookish friends you have any type of data on) in the European Union (EU). Now before you mentally go shutting down and closing your browser thinking this doesn’t pertain to you because you don’t live in Europe or because you’re not a “marquee author” or “big blogger” … there is a damn good chance it does. So grab your coffee and listen up!

We live in a digital world where data privacy is of the utmost importance, so I predict this will be the first in a long line of countries creating new, protective laws for their citizens. So adapt early to cover yourself!

Let’s dive in and start at the very beginning, shall we?

What is GDPR?

The General Data Protection Regulation, otherwise referred to as GDPR, is a new piece of legislation that takes effect on May 25, 2018. Simply stated, the GDPR is the most significant ruling in the digital world for the past two decades and focuses on requiring data keepers to be transparent with everyone. And let’s be honest … the online world of 20 years ago hinged on AOL, that horrible dial-up sound, tragically awesome Geocities websites, and endless strings of pop-up banner ads that you couldn’t close fast enough. Things have changed and as a result the rules need a spit shine.

But don’t be annoyed that things are changing. Because what’s about to go down is a VERY GOOD THING.

The GDPR strives to put the control back in the hands of European Citizens when it comes to their personal information. Essentially it means that at any point in time, an individual can retrieve details on what personal information is being held, who is using it, how they’re using it, and how it’s being stored. They can request copies of this data, and even more, they can request to be completely deleted from the data keeper’s system (which goes beyond the simple “Unsubscribe” button). For some industries this has major implications (think higher education, where you can essentially erase an individual’s academic record with this request, or even banking, where you’d risk losing a digital record of financial and credit statements).

Fortunately for our industry, the implications aren’t exactly life and death. But they’re still extremely important to understand and comply with, nonetheless.

Why is it important to me as an Author or Blogger?

I know what you’re thinking. This is some high-flying law that only major corporations need to worry about. Well, you’re wrong.

Anyone who keeps data or personal information about their EU readers, or uses that information in marketing efforts, will need to get their poop in a group.

Take some time and think about it …

  • Do you have a newsletter list with at least one person in the EU?
  • What about Facebook ads, do you do any targeting where someone in the EU could come across and engage with your ad?
  • Are you loading your mailing list into social media for re-targeting campaigns?
  • ChatBots where you’re messaging someone in Europe?
  • Paypal? Square? Any type of eCommerce platform where you’re accepting credit card information from one of your readers?

All of these (and dozens more scenarios) mean you need to educate yourself and prepare for the coming changes in data protection.

If one of your readers comes to you and elects to exercise their rights, you need to know how to fulfill the request. Which for many of us will mean relying on our third party partners. But there will be some instances where you are the gatekeeper of said data and need to handle the request.

What can I do to comply?

Fortunately for you, if you use a third party data processor (i.e. a company that hosts the information you’ve collected like your newsletter platform or online payment system or general CRM program), most of them have been busy making enhancements to their platforms to be compliant, which in turn makes you compliant … kind of. But it’s still up to you to understand what data they store on your readers, how they store this info, and how they’re using this data.

Furthermore, there’s a really good chance you’ve got other lists of reader data floating around your inbox or Google drive in spreadsheets or unprotected documents. If you’re nodding your head remembering all of those names, emails, and phone numbers you collected from signings on little slips of paper, this is something you need to address and get loaded into your database with a documented trail of how and when the individuals opted-in for your communications.

I suggest you begin by taking the time to look at your list of partners who make your author and blogging life easier. Off the top of my head, some of the popular ones are going to be Facebook, MailChimp, MailerLite, Author Reach, Bookfunnel, InstaFreebie, Square, and PayPal. Obviously there are lots more than are mentioned here, but it’s late at night right now and I’m not going into some deep rabbit hole of all vendors in Bookville.

I do want to call out that MailChimp has done a bang up job communicating their GDPR strategy to help its users navigate this new territory. So even if you’re not actively using the MailChimp platform, I would suggest reading what they’ve put out on the web.

Additionally, on March 14th, Mailer Lite came out with its official update, which can be read here.

So do your homework and learn what your trusted partners are doing on your behalf for GDPR, so if and when the need arises, you know how to respond to the data request in a timely fashion.

Opt-In. Opt-Out.

One key thing to remember is that individuals in the EU must explicitly opt-in to communications from you.

This is worth repeating.


No, you cannot just add them to your email list based on some unsanctioned sweepstakes that you are running on your own via Excel spreadsheets.

Having them complete a Google Form and then copying and pasting their deets into your mailing list? Not so much.

With GDPR, you must be able to provide a proof trail of how and when they opted-in, should you ever be asked to provide substantiation. That means you’ll want to be leveraging landing pages and third party sign-up forms that funnel directly into their respective database.

For those of you who use MailChimp or Mailer Lite, I highly recommend you download and start using their subscribe apps (linked here) at your upcoming events. iCapture is another excellent program where they can digitally provide you with their data in a safe and transparent way. Readers can sign up on a mobile device or tablet and drop right into your constituent database — no wifi needed!

Industry Pitfalls

The biggest implication I can think of will be for those doing unsanctioned giveaways and newsletter email swaps. If you’re doing this, we need to have a serious come to Jesus because this is simply not okay from a best practices and privacy standpoint. I cringe anytime I hear of authors sharing emails of their readers because if my email were on that list, I would be livid to learn my personal information was being passed around like a cheap hooker.

And we wonder why identity theft is so prevalent these days?!

So basically, any kind of giveaway or promotion where someone collects personal information and then distributes it to a group of participating authors or bloggers via email, Excel, CSV, etc. should be avoided. First of all, it’s shady. Second of all, it’ll be illegal under the GDPR.

However, if the data is being legally collected via a third party vendor, and the participants clearly understand they are signing up to receive communications from all participating authors after the fact, and that vendor then safely disseminates said information to all of the participating authors directly into their database/CRM program of record, then you’re covered.

Penalties for non-compliance

This is bad, and should the hammer fall upon you, you need to know exactly what to expect … fines for noncompliance are to the tune of 20 million Euros.


They’re going to go out guns blazing to enforce this, and it doesn’t matter if you’re a Fortune 500 company or an indie author. You don’t want to be the one who gets stuck in the crossfire simply because you didn’t educate and prepare yourself.


All of this information is super top line and obviously doesn’t dive into the complexities of the new law. And this information shared is for general purposes only and is not intended as legal advice. I am simply sharing what I know for the betterment of the indie world and to help create awareness before things kick into gear this May.

If you have questions about the General Data Protection Regulation, you should consult your local RWA chapter, writer’s guild, or legal counsel for additional information.

Think what you see is helpful? Subscribe to my blog to stay on top of the Authors Helping Authors series. I’ve got more SEO posts scheduled and have some helpful AMS content in the works, too! And, of course, be sure to follow me over on Facebook and Twitter.

Last Updated March 14, 2018 to provide Mailer Lite support information.


5 thoughts on “What GDPR means for Authors and Bloggers”

  1. So my question in reference to your comment about Facebook ads: should we exclude anyone in the EU from all ad targeting, then? I mean, I completely understand the newsletter thing, but to say “someone in the EU could come across and engage with your ad” seems outrageous 😦 Any information on that would be appreciated 🙂

    • So for something like Facebook ads, there’s no reason to exclude the EU from your targeting (unless you want to). If someone from the EU challenges the data used for the specific targeting, this falls upon Facebook and not you to fulfill the exercising of the constituent’s rights. And it can go deeper than just the targeted interests they self-identify with on their profile, but also data collected by your Facebook pixel for retargeting and lookalike campaigns as well. Does that help?

      • Oh, also! Say a user is a subscriber to your Mailer Lite list and they choose to exercise the right to be forgotten. However, you’ve already taken your list data and uploaded it for a highly targeted campaign. Because your Mailer Lite data isn’t talking to your Facebook data (because you manually exported it and uploaded it into Facebook), YOU would be responsible for removing their information from the retargeting list within Facebook. Make sense?

        Also, MailChimp recently began adding Facebook advertising opportunities targeting your mailing list directly within the MailChimp platform. Under this kind of circumstance, MailChimp would be responsible for both the mailing list *and* the Facebook data because you didn’t export their data and then reupload it onto the other platform. It’s all controlled within the third party in this circumstance.

  2. Pingback: B.L. Berry: What GDPR Means For Authors And Bloggers | ResearchBuzz: Firehose

  3. Pingback: ProPublica, Facebook, Code.mil, More: Sunday Buzz, March 18, 2018 – ResearchBuzz
