Managing the Privacy of Others
Managing the Privacy of Others is part of a larger resource for members of the writing community on personal and event safety concerns, both in-person and online. To see all the resources available, visit our Safety homepage. This section includes information on how to manage the privacy of others when you handle their personal information, including adhering to international spam laws when setting up mailing lists.
Managing the Privacy of Others
Any time you are handling the personal information of other individuals, you need to be aware of several things: compliance with applicable laws such as GDPR and CAN-SPAM; safe storage of the data; and the general consideration not to make anyone’s information public without explicit permission.
Circumstances in which you may be handling the personal information of other individuals include, but aren’t limited to:
- Collecting information for mailing lists;
- Collecting names and addresses for giveaways;
- Managing contact information and preferences via subscription services, such as newsletters or Patreon accounts;
- Receiving submissions for magazines, contests, or awards reading;
- Making contact information public for con staff, magazine/project personnel, or awards judges.
Even in situations where spam laws do not apply, it is a general best practice to consider the privacy of anyone whose personal information you are handling, to be clear about the ways you will be using or sharing that information, and to obtain explicit consent to do so. Only collect information strictly needed for a specific purpose, and consider carefully what you share with others, even within the same organization.
Here are some examples of ways you can protect the privacy of others:
Patreon: Consider making your patron list private, rather than publicly visible on your page.
Magazines/Anthologies/Contests: Only request strictly necessary identifying information on initial submissions. If you need legal names and mailing addresses at the acceptance stage, consider only requesting that information upon acceptance, rather than having this information visible to all members of the organization throughout the submission process.
Award Judges: For juried awards in which authors and publications can submit work directly to the judges, ensure that your judges are aware of exactly how their contact information may be shared. Do not share or post online (or allow other venues to publicly post) anyone’s personal email or home address without explicit permission. This consideration should also be extended to volunteers in other situations: convention staff, editors and first readers at publications, and so on.
These are only a few examples of situations in which you may be managing the privacy of others, and you should apply similar consideration to any other platform on which you are collecting information. The following sections include more specifics about your legal obligations. This is not a comprehensive list.
GDPR Compliance
The General Data Protection Regulation (GDPR) is a privacy and security law passed by the European Union (EU) that went into effect in 2018. It applies to any organization that collects data related to people in the EU, regardless of where the organization itself is located, and violations are punishable by hefty fines.
If you process data, you have to do so according to seven protection and accountability principles outlined in Article 5.1-2:
- Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
- Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
- Accuracy — You must keep personal data accurate and up to date.
- Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
- Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
- Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
There are six “lawful bases” for you to “process” (collect, store, use, etc.) people’s data. These are listed in Article 6. The first is consent, which must be obtained unambiguously and after a full explanation of what you plan to do with the data. Specifically:
- Consent must be “freely given, specific, informed and unambiguous.”
- Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”
- Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. You can’t simply change the legal basis of the processing to one of the other justifications.
- Children under 13 can only give consent with permission from their parent.
- You need to keep documentary evidence of consent.
For the average author collecting information for a mailing list, this means getting clear consent to collect only the necessary information for a specific purpose (one example: a clearly labeled newsletter sign-up form with a double opt-in*). It also means providing an easy means to unsubscribe at any time and discarding data when it is no longer needed (for example, deleting physical addresses after mailing giveaways, and only retaining contact information for a mailing list if the individuals who signed up for the giveaway gave explicit consent to also be added to your list).
Some additional considerations for managing visitors to a website include acquiring consent before using any cookies other than strictly necessary cookies, posting a privacy notice, and removing personal information when requested, including deleting blog comments.
A popular solution is to outsource data management to a third-party service that is GDPR-compliant (say, a newsletter service with clear opt-ins and automated unsubscribe links, or website builders with GDPR-compliant settings), but be aware that you are ultimately responsible for the data you manage, so you should review all of these settings carefully.
Many third-party services have already written pages to walk you through their GDPR settings and ways for you to ensure compliance. Some examples:
More Information: There is an informational site about navigating the GDPR here. It is co-funded by Project REP-791727-1 of the Horizon 2020 Framework Programme of the European Union, but it is not an official European Commission site and does not replace legal advice. The website includes compliance checklists (a general one here and a U.S.-specific one here), as well as articles on email encryption, the full text of the regulation, and more.
* A double opt-in occurs when a user signs up for an email list, and then an email is sent to the user with a link to click and confirm the subscription. The user is not officially added to the email list until after the confirmation click is completed. This two-step process ensures that the user did not sign up in error; and that a third party cannot sign someone up without their cooperation.
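The double opt-in described in the footnote, together with the unsubscribe and consent-evidence handling from the paragraph above, as an added Python example that is not part of this resource: an in-memory list (a constructed stand-in for a real database) where an address is stored only after a single-use, time-limited confirmation token is redeemed, consent is recorded with its purpose and timestamps, and an opt-out deletes the record while keeping only a suppression marker so the address is not re-added by mistake.

```python
import secrets
import time


class MailingList:
    """Double opt-in list kept in memory (constructed stand-in for a real store)."""

    def __init__(self, confirm_ttl=24 * 3600):
        self.pending = {}      # token -> (email, purpose, requested_at)
        self.confirmed = {}    # email -> consent record (documentary evidence)
        self.suppressed = {}   # email -> withdrawn_at; opted-out addresses
        self.confirm_ttl = confirm_ttl   # seconds a confirmation link stays valid

    def request_subscription(self, email, purpose, now=None):
        """Step 1: the sign-up form was submitted. Nothing is added to the list
        yet; the caller emails a link that carries the returned token."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # unguessable, single use
        self.pending[token] = (email.strip().lower(), purpose, now)
        return token

    def confirm(self, token, now=None):
        """Step 2: the link was clicked. Only a valid, unexpired, unused token
        adds the address, and consent is recorded with purpose and timestamps."""
        now = time.time() if now is None else now
        entry = self.pending.pop(token, None)   # pop makes the token single use
        if entry is None:
            return False
        email, purpose, requested_at = entry
        if now - requested_at > self.confirm_ttl:
            return False   # stale link: treat as no consent given
        self.suppressed.pop(email, None)   # a fresh confirmation is fresh consent
        self.confirmed[email] = {"purpose": purpose,
                                 "requested_at": requested_at,
                                 "confirmed_at": now}
        return True

    def unsubscribe(self, email, now=None):
        """Withdraw consent: delete the record and keep only an opt-out marker
        so the address is not re-added by mistake. Returns True if it was listed."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        was_listed = self.confirmed.pop(email, None) is not None
        self.suppressed[email] = now
        return was_listed

    def recipients(self):
        """Addresses that may be mailed: confirmed and not opted out."""
        return sorted(e for e in self.confirmed if e not in self.suppressed)
```

A real deployment would persist these three tables and send the confirmation link by email; the token, expiry and single-use checks are the parts that make the second step meaningful.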
CAN-SPAM Act
The CAN-SPAM Act is a law that was passed in the United States in 2003, setting national standards for the sending of commercial email, with financial penalties enforced by the Federal Trade Commission (FTC).
You can find the FTC’s compliance guide for businesses here. There is a large overlap with GDPR compliance, in that you must be clear about what you are sending and provide recipients an easy option to unsubscribe. The main requirements are as follows:
- Don’t use false or misleading header information. Your “From,” “To,” “Reply-To,” and routing information – including the originating domain name and email address – must be accurate and identify the person or business who initiated the message.
- Don’t use deceptive subject lines. The subject line must accurately reflect the content of the message.
- Identify the message as an ad. The law gives you a lot of leeway in how to do this, but you must disclose clearly and conspicuously that your message is an advertisement.
- Tell recipients where you’re located. Your message must include your valid physical postal address. This can be your current street address, a post office box you’ve registered with the U.S. Postal Service, or a private mailbox you’ve registered with a commercial mail receiving agency established under Postal Service regulations.
- Tell recipients how to opt out of receiving future email from you. Your message must include a clear and conspicuous explanation of how the recipient can opt out of getting email from you in the future. Craft the notice in a way that’s easy for an ordinary person to recognize, read, and understand. Creative use of type size, color, and location can improve clarity. Give a return email address or another easy Internet-based way to allow people to communicate their choice to you. You may create a menu to allow a recipient to opt out of certain types of messages, but you must include the option to stop all commercial messages from you. Make sure your spam filter doesn’t block these opt-out requests.
- Honor opt-out requests promptly. Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient’s opt-out request within 10 business days. You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request. Once people have told you they don’t want to receive more messages from you, you can’t sell or transfer their email addresses, even in the form of a mailing list. The only exception is that you may transfer the addresses to a company you’ve hired to help you comply with the CAN-SPAM Act.
- Monitor what others are doing on your behalf. The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.
https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business
On a personal information security note: pay special attention to Item #4: tell recipients where you are located. Whether you are managing your own mailing list manually, or using a third-party newsletter service, your emails must contain a physical mailing address, most commonly placed in the footer. If you are agented, you can ask your literary agency if they will let you use their address as your official place of business.
If this is not an option, and you do not have another business address available to you, you should consider setting up a P.O. Box for business purposes rather than put your home address on all of your email.
Additional Spam Laws
The GDPR and the CAN-SPAM Act are not the only laws guiding the use of email marketing. Additional laws include, but aren’t limited to:
The CASL laws in Canada: These laws also require meaningful consent when collecting email addresses, prompt response to unsubscribe requests, and maintaining do-not-call lists. You can find more information from the Canadian Radio-television and Telecommunications Commission here, including FAQs and compliance tips.
The Privacy and Electronic Communications Regulations of 2003 in the UK: The short version: “You must not send marketing emails or texts to individuals without specific consent. There is a limited exception for your own previous customers, often called the ‘soft opt-in’.” You can find more information from the Information Commissioner’s Office here, including regulations regarding other forms of marketing.
The running themes across all of these laws are clarity of use, consent to collect data, and an easy way to opt out, but it is always worth researching the laws in your own country to ensure you aren’t missing the finer points of spam law compliance.
Safe Data Storage
The GDPR requires that you handle data securely using “appropriate technical and organizational measures.” Organizational measures may include staff training, adding a data privacy policy to your employee handbook, and limiting data access to only those people in your organization who need it.
Use two-factor authentication wherever possible, especially on services where you will be managing other people’s data (Patreon, newsletter services, your email account, your website, etc.). This will significantly reduce the chances of someone gaining access to your accounts, and therefore your customer/visitor/marketing data.
Consider moving your website to HTTPS, which encrypts communications between your website and a user’s browser.