138 Why American Authors Don’t Need to Worry About GDPR

Jim: In this episode we’re going to talk about the General Data Protection Regulation, or GDPR, and why you need to know about it and take action. You’ve probably gotten some emails about it. We want to dissect it and make it easy to understand.

Thomas: Before we get into this, I need to say I am not a lawyer, not an American lawyer, and not a European lawyer, and neither is Jim.

This is not legal advice. It’s a summary of our research, and it is not a replacement for talking to your own lawyer.

Jim: And Thomas is gracious when he says “our research.” Thomas did 99% of it. In this episode I’m going to interview Thomas and have him teach me along with everybody else. So where did the GDPR come from and why does it matter to us?

Thomas: The European Union is essentially the United States of Europe. Germany is part of the EU, and EU law sits above German law and French law. The GDPR is a privacy protection the EU Parliament passed. The idea is that as an EU member, you have control over your data, you can tell a company you don’t want them to have it, and any company collecting your data must have your consent. The EU says the law applies to EU citizens and to anyone working with those citizens, even if that person or company is not in the European Union.

That’s why you’ve gotten emails from American companies with GDPR in the subject line. Big companies in particular are rushing to comply, partly because a lot of what GDPR requires is just what we should have been doing anyway.

But here’s the thing: if you’re an American, this law doesn’t necessarily apply to you. Saudi Arabia could pass a law requiring Americans to pray five times a day, but just because they wrote it and said it applies to Americans doesn’t mean it actually does. A government has to have the ability to use force to make you comply. The EU’s ability to force an American citizen to comply is limited to what the United States government agrees to, and there is no treaty covering GDPR. The main emphasis of GDPR enforcement is on American companies that have a physical presence in the EU. If you, as an author, have no office or employee in the EU, their ability to come after you is dramatically reduced.

Jim: But we have a presence in the sense that people in Europe can access our websites.

Thomas: That’s the argument the Europeans are making, that if your website is available to Europeans you must follow the law. But just because they say we have to follow it doesn’t mean they have the ability to force us to. They can’t put your website in jail or fine it in Europe. Their ability to act is essentially nonexistent.

Jim: Then why is everyone acting like the sky is falling?

Thomas: Let’s say someone violates the GDPR and a European person complains to the European regulators. The regulators take action, enter it in European court, win, then take that judgment to American court. If they win there, then something bad could happen. That’s lottery odds. And if you’re still nervous about a lottery-odds chance of fees up to 20 million euros, then yes, look into these guidelines and follow them. But for a typical author, there’s no meat on the bones. If I were a European regulator and saw that you were sending Mailchimp emails without proper consent, I wouldn’t go after you. I’d go after Mailchimp. That’s how enforcement works, the same way the American CAN-SPAM Act primarily targets the bigger companies and forces them to make their users compliant.

What should authors actually do about GDPR?

Jim: You said some of the GDPR policies are just good common sense. What should we as authors actually do to our websites?

Thomas: Don’t do any of this out of fear. The European government’s ability to make your life unhappy is basically nonexistent. Do it because they’re actually asking you to do good things. No one likes their data abused, and this is a good time to be a good internet citizen.

Good Idea #1: Add a Privacy Policy to Your Website

The first thing you need, and this is not only good for GDPR but actually boosts your Google rankings, is a privacy policy on your website. Google gives preferential treatment in search results to sites that have one. Be aware that in American law, you are held to your own privacy policy, so don’t write one carelessly. It needs to reflect what you actually do. There’s an Italian company called iubenda.com, checked out by Randy Ingermanson, that has a wizard walking you through a series of questions about your site and generates a readable, GDPR-compliant privacy policy. We’ll have a link in the show notes.

Good Idea #2: Get Explicit Informed Consent

The other big GDPR issue for authors is email marketing. GDPR requires expressed, informed consent. If you have to email someone to ask if you have permission to email them, you don’t have permission. The industry best practice, which we’ve always recommended, is double opt-in consent: they click something on your website, they receive an email, and they confirm. In my opinion, that’s plenty of proof of consent.

Beyond that, make sure you’re telling people what kind of emails they’ll be getting. If you say “sign up to get a free ebook” and then also put them on your newsletter, they consented to receive the ebook, not necessarily the newsletter. Just adjust the wording: “Get the ebook and updates about future books.” That small change is what makes it GDPR compliant.

Another guideline: no pre-checked checkboxes on your contact forms. If the “sign me up for your newsletter” box is already checked, that’s not express consent. I made this change on my own site. You may get a few fewer signups, but the signups you do get will be better ones.

If you have affiliate links on your website, you need to disclose them in your privacy policy. When you click an affiliate link to buy a book, Amazon tracks that click so it can give the referrer credit. Your data is being captured, and that needs to be acknowledged. You don’t have to put “affiliate link” in brackets next to every link, but it should be in your privacy policy.

Good Idea #3: Delete Users’ Data When Asked

If someone from the EU asks you to delete their record, do it, and do it for Americans too. This right to be forgotten is a big European concept, and it’s becoming much easier to act on. Soon it’ll be: type in their email, pull up the record, click delete. You should do that anyway. Spamming is against American law too, and it’s just obnoxious.

What happens if you don’t take action by May 25th? I don’t think much, at least not right away. On May 26th, large companies that are clearly in violation will start getting prosecuted, establishing precedents through a court process that could take years. Regulators will go after easy, clear wins first and expand from there. They’re looking for people with millions of subscribers who are clearly spamming or doing data mining, because that’s really the heart of this law. It’s aimed at Cambridge Analytica-type operations, not authors collecting email addresses and sending book promotions.

One more thing: if you’re acting in good faith and not specifically targeting Europeans, that’s a real defense. If you write Southern romance set in Louisiana and you’re primarily marketing to people in Louisiana, it would be very hard for a European regulator to make a case against you in an American court.

Jim: The bottom line is you’re doing this for two reasons. A selfish reason, because it’ll actually help your Google rankings. And an unselfish reason, because you’re showing more integrity, respecting the people on your email list, and being upfront about how you use their data. Some people are treating this like Y2K. It’s not going to destroy civilization, but you should still take these steps because they’re the right thing to do.

Thomas: That’s right. You’re getting a lot of emails right now because the companies becoming compliant want to tell you they’re becoming compliant. Those companies are getting compliant on your behalf. I really don’t think this is something to panic about, but do respect people’s privacy.

And if you have a book deadline in two weeks, it’s okay to put off fixing your subscribe forms until after you turn in your manuscript.

Good Idea #4: Update to the Most Recent Version of WordPress

Thomas: WordPress should have released a new GDPR-compliant version by the time you hear this. Most of the services you use are already doing the heavy lifting to become compliant, partly because those big companies have actual offices in Europe and legitimately have to follow the rules. Google Analytics, for instance, is handling this on your behalf.

You can see all the relevant links and sources below.

GDPR is the General Data Protection Regulation. It is an 88-page EU regulation passed by the European Parliament in 2016. It takes effect on May 25, 2018. According to the EU, the law applies to the whole world (more on that in a bit).

Why American Authors Don’t Need to Worry About GDPR

TL;DR: The EU is not the United Nations. They are not the government of the world. They are the government of Europe. Their laws apply to European citizens and European companies. If you are not a European citizen or company, they can’t force you to follow EU regulations.

Reason #1: The United States Won World War II

Just because a foreign country passes a law, it doesn’t mean you have to follow it.

As an American, you are protected by the American government from foreign laws. Another country cannot do anything to an American citizen in America without the US government’s consent. Remember, American troops occupy Europe. Not the other way around.

American companies with a nexus in the EU absolutely need to comply with the GDPR, because the EU can go after their EU office directly. But if you don’t have employees or an office in the EU, how can the EU force you to comply with their law?

The EU has to ask America nicely.

If the US won’t work with the EU on an issue like climate change, where a specific agreement was already in place, why would it work with the EU on an issue like the GDPR, which has no specific treaty?

To my knowledge, there is no treaty between the EU and the US that specifically references the GDPR.

The hope of the EU is that one of the existing treaties might work. But these hopes are neither proven nor tested in court. The GDPR has not even been tested in an EU court yet, much less in American court.

Fortunately for the EU, most of the companies that matter (Apple, Google, Amazon, Facebook, etc.) have offices in the EU. So the EU doesn’t need a treaty to force them to abide by the GDPR. This is why you are getting so many emails about GDPR from big companies. These international companies are European as much as they are American.

Reason #2: American Authors Are Too Small to Target

There is a principle when it comes to regulation that “the tallest blade of grass gets cut first.”

The GDPR is a law designed to go after international companies like Facebook and MailChimp. If you are violating GDPR with your Facebook account, the EU is much more likely to go after Facebook than it is to go after you. These big companies have a nexus in the EU and money to pay the fines.

If you are an American author who writes in English, and some Europeans happen to visit your website and sign up for your newsletter, the EU has an exceptionally weak case against you. It is a case they would have to bring in an American court in order to actually do anything with it. Bringing a case in the US would cost hundreds of thousands of dollars for an indefinite payoff and a small chance of winning. It is just not worth spending that much money to go after you when there are large companies in the EU to go after.

I anticipate the EU is going to enforce the GDPR in this order:

  1. Wealthy EU Companies
  2. Wealthy US Companies with offices in the EU
  3. Small EU Companies*
  4. Everyone else

As an American author, you are way down the list in the “everyone else” category.

*If you are a European author, I think you are here. But I’m not an EU lawyer.

Reason #3: You Are Already Violating Lots of EU Regulations

There are perhaps thousands of EU regulations you are not following in your daily life.

For example:

Good thing the EU has no way to enforce that law on Americans!

Why American Authors Should Comply with GDPR Anyway

So, with all that out of the way: There are good parts of the GDPR!

While it would be silly for you to hire a data protection officer, other parts of the GDPR are good ideas. Here are some of the regulations you should follow even if the EU can’t force you to.

Good Idea #1: Add a Privacy Policy to Your Website

Adding a privacy policy to your website is required by Google and might have a positive impact on your search rankings. Privacy policies can also boost your conversion rates. Just realize that your privacy policy is a legally binding contract with your website visitors, according to my understanding of U.S. law. So while you are crafting a privacy policy, you might as well craft a GDPR-compliant privacy policy.

Privacy Policy Tips:

  • Clearly mark affiliate links. If you are using Amazon affiliates, make sure you mention it in your privacy policy and make it clear on the page. If your visitors like what you are doing, they will want to support you by clicking your affiliate links.
  • Use a privacy policy plugin like the Auto Terms of Service and Privacy Policy WordPress plugin.
  • For a GDPR compliant privacy policy use Iubenda. They have a free service to help make very slick looking GDPR-compliant privacy policies.

Good Idea #2: Get Explicit Informed Consent

Email is most effective when it is anticipated by the recipient. So explicit informed consent is a good marketing practice even if it causes you to grow your list more slowly.

So here are some things you will want to do:

  • Enable double opt-in on your email forms. You can test this by subscribing to your own list with one of your old email addresses. You should get an email asking you to confirm your subscription.
  • Make it clear what kind of emails your visitors will get. Say “Get a free ebook and updates about future books and deals” rather than just saying “get a free ebook.”
  • Uncheck all the subscribe checkboxes. Visitors should specifically have to click “subscribe” to get your emails.

Good Idea #3: Delete Users’ Data When Asked

  • Include a one-click unsubscribe on all your marketing emails.
  • When someone contacts you asking you to delete their information from your database, do it. All of the services you use are rolling out tools to make this easy to do.
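The double opt-in flow from Good Idea #2 and the delete-on-request step from Good Idea #3, as an added Python example (not code from this post or from any mailing-list service). The HMAC-signed confirmation token, the 48-hour link expiry and the `ConsentLedger` names are assumptions made here; the point is that nothing is sent until the link is clicked, the wording the visitor agreed to is kept as proof, and deletion removes the whole record.

```python
# Added example, not the post's code: double opt-in flow plus delete-on-request.
import hmac, hashlib, secrets, time
from dataclasses import dataclass

SECRET = secrets.token_bytes(32)  # constructed per run; a real site keeps it out of source
TOKEN_TTL = 48 * 3600             # confirmation links expire after 48 hours (assumption)

@dataclass
class Subscriber:
    email: str
    consent_text: str      # exact wording shown beside the subscribe box, kept as proof
    requested_at: int
    confirmed_at: int = 0  # 0 = link not clicked yet; nothing may be sent

class ConsentLedger:
    def __init__(self):
        self._subs = {}

    def _sig(self, email, issued):
        return hmac.new(SECRET, f"{email}|{issued}".encode(), hashlib.sha256).hexdigest()

    def request(self, email, consent_text, box_prechecked, now=None):
        """Step 1: form submitted. Returns the token to put in the confirmation link."""
        if box_prechecked:  # a pre-ticked box is not express consent
            raise ValueError("subscribe box must be unchecked by default")
        issued = int(now or time.time())
        self._subs[email] = Subscriber(email, consent_text, issued)
        return f"{issued}.{self._sig(email, issued)}"

    def confirm(self, email, token, now=None):
        """Step 2: visitor clicks the link. Rejects stale, forged or unknown tokens."""
        sub = self._subs.get(email)
        try:
            issued_s, sig = token.split(".", 1)
            issued = int(issued_s)
        except ValueError:
            return False
        stale = int(now or time.time()) - issued > TOKEN_TTL
        if sub is None or sub.requested_at != issued or stale:
            return False
        if not hmac.compare_digest(sig, self._sig(email, issued)):
            return False
        sub.confirmed_at = int(now or time.time())
        return True

    def may_email(self, email):
        return email in self._subs and self._subs[email].confirmed_at > 0

    def forget(self, email):  # Good Idea #3: delete the whole record, not just flag it
        return self._subs.pop(email, None) is not None
```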

Good Idea #4: Update to the Most Recent Version of WordPress

It is always a good idea to run the most recent version of WordPress. It keeps your website fast and secure. It also helps make your website GDPR-compliant since WordPress recently added new GDPR compliance features.

Tools to Make GDPR Compliance Easier

WordPress Plugins

There are some WordPress plugins that take you through the process of making your website fully GDPR compliant.

Information Resources
