Author Topic: GDPR  (Read 2957 times)  

Offline Jonathan C. Gillespie

  • Status: Arthur Conan Doyle
  • ****
  • Posts: 995
  • Gender: Male
  • Atlanta, GA
  • Relentlessly Patient
    • View Profile
    • Fiction For Every Reader
GDPR
« on: May 14, 2018, 02:32:49 pm »
So after reading through the GDPR guidelines, I am rapidly approaching the point where I am just about ready to cease using a mailing list and stick solely to Facebook. I'm not a prominent author and my mailing list was only 500 people deep before--now about 130 after sending the re-validation campaign related to GDPR--and the new requirements are an absolute pain. I don't have my own counsel or lawyer available because I can't justify that expense for a tiny little mailing list. I've never had a publicly-stated privacy policy and I've never auto-checked signup consent boxes or anything like that, and I've always made it clear (and stuck to) not swapping newsletter subscriber info or spamming.

It's like there was no thought in this legislation for a small business or micro-business user, though.

At this point I can't see how I could make a GDPR-compliant signup form short of writing up my own policies, and why on Earth would those stick? I'm not a lawyer. Am I overthinking all of this? Are any of you just dumping your mailing lists and walking away over this legislation? I know everyone says mailing lists are the way to go, but I'm seriously debating if they're worth the headache or legal landmines now.
« Last Edit: May 14, 2018, 02:34:25 pm by Jonathan C. Gillespie »


I write worlds on paper, then destroy them.
Jonathan C. Gillespie | Official Site | Twitter | facebook | Newsletter

KBoards.com

  • Advertisement
  • ***

    Offline PermaStudent

    • Status: Arthur Conan Doyle
    • ****
    • Posts: 707
    • Gender: Female
    • Be so good they can't ignore you. --Steve Martin
      • View Profile
    Re: GDPR
    « Reply #1 on: May 14, 2018, 02:43:17 pm »
    Take a deep breath, don't panic, and read this: https://www.kboards.com/index.php/topic,263080.0.html

    And as others in that thread recommend, watching Mark Dawson's podcast on the subject is very helpful: https://selfpublishingformula.com/episode-117/

    Good luck. :)
      I write urban fantasy.  There are girls in gowns and glowy hands on my covers.

    Offline archaeoroutes

    • Status: Scheherazade
    • *****
    • Posts: 1638
    • Gender: Male
    • Somerset, England
      • View Profile
      • Alasdair Shaw
    Re: GDPR
    « Reply #2 on: May 14, 2018, 02:44:25 pm »
    There's not much to it. Pretty much everything was in legislation already.
    One issue has been scaremongering and misinformation. The need to revalidate your list was debunked by the Information Commissioner's Office. Indeed, doing so is frowned upon (I know, loads of companies are doing it).
    A big improvement is the requirement to write your privacy policy in plain English rather than lawyer speak. Here's mine: http://www.alasdairshaw.co.uk/privacy.php

    Offline Dolphin

    • Status: Scheherazade
    • *****
    • Posts: 1954
    • Gender: Male
    • Under the Sea
    • Skree'ee--eee, eeek!
      • View Profile
    Re: GDPR
    « Reply #3 on: May 14, 2018, 03:00:00 pm »
    My sense has been that requesting revalidation is a mistake. You either have permission to contact your mailing list or you don't. If you don't, then you can't contact them to ask for permission to contact them. It's more likely to condemn than protect you, and I fear many of the people who unsubscribed from your list won't even have been shielded by the GDPR in the first place.

    As noted already, the most helpful resource I've found on this is Mark Dawson's Self Publishing Formula Podcast episode on the topic. If you'll consent to sign up for their mailing list (from which you may unsubscribe at any time!), they've got a PDF handout with a model privacy policy, signup CTAs, and more. They give you both the risk-averse opinion of practicing lawyers they paid for advice, as well as their more pragmatic, risk-tolerant position.

    The bottom line is that very little of this is knowable at present. Legislative bodies pass laws, then the courts tell us what they meant, often some years later. There'll be no certainty about what things like "informed consent" mean in the context of GDPR until somebody gets taken to court for an alleged breach. The good news is that it'll almost certainly be someone like Honda Motor Company, Ltd., before it's Jonathan C. Gillespie.

    Remember that risk is always a double-edged sword. There are simple steps you can take to reduce your risk, like purging subscribers you got from dubious sources like giveaways (without asking them, I fear), but ultimately there's a non-zero risk you'll be called on the carpet. That is set against the certainty that if you voluntarily cancel your mailing list, you'll lose any benefits you might've gotten from it. That's huge. Maybe you haven't cracked the code yet, but the necessity of a mailing list has about as close to a consensus as anything in the indy author community.

    To put it in maths, on one side you've got the potential costs of a relatively arcane, untested European lawsuit, multiplied by the likelihood of such a thing ever happening. On the other side, you've got the potential benefits of growing and calling upon a mailing list for the rest of your career/life. Which dollar figure is higher?

    ETA: I should add that estimating dollar figures certainly isn't the end-all and be-all of assessing risk. If you've got a comfortable, sustainable life and don't need to improve your writing profits, minimizing risk makes a ton of sense. If you're a few thin months away from the breadlines--or writing longhand while standing in one--that's a different story.
    « Last Edit: May 14, 2018, 03:12:46 pm by Dolphin »

    Offline Used To Be BH

    • Status: Dostoevsky
    • ******
    • Posts: 3694
    • Gender: Male
      • View Profile
    Re: GDPR
    « Reply #4 on: May 14, 2018, 04:04:19 pm »
    Dolphin is right in thinking it may be a long time before the courts interpret some of these provisions.

    Mailing list providers seem to want you to revalidate, but that's probably coming from an excess of caution (or from an uncertainty about where subscribers came from if you . If you were already using mailing list best practices, you should be fine. I contacted Mailchimp, described what I had been doing, and got a thumbs up (with the caveat that the person I was dealing with wasn't a lawyer, etc., etc.

    I always stuck to the description of mailing list content that I gave people, I always used double opt-in, and I never manually added anyone--the only people on my list are people who went through the Mailchimp process.

    It's worth noting that the EU has long had a pretty strict policy about the kind of data websites can collect, yet I've never heard of a small website owner being prosecuted or sued under that statute. Have you?
    I have not consented to the new Terms of Service, which were implemented without any announcement and without the ability to accept or reject them. My continued participation on the forum is related only to addressing this issue and cannot be construed as implied consent.  9/19/2018

    Offline Neil Carstairs

    • Status: Dr. Seuss
    • *
    • Posts: 25
      • View Profile
    Re: GDPR
    « Reply #5 on: May 15, 2018, 02:41:01 am »
    Something I saw out in Internet land

    Q: Does anyone know an expert in GDPR?
    A: Yes
    Q: Can you send me their email address
    A: No


    Neil Carstairs | Facebook | Goodreads

    Offline 102069

    • Status: Dr. Seuss
    • *
    • Posts: 34
      • View Profile
    Re: GDPR
    « Reply #6 on: May 15, 2018, 04:16:02 am »
    Oh man, I just did all my GDPR stuff yesterday. Okay, so IANAL and this is what I kept in mind:

    In the immortal words of Douglas Adams, "don't panic!" 

    There's a lot of confusion about the GDPR because it's new, and it's written by a bunch of politicians who really don't understand how the internet works on a technical level, and it's pretty vague in a lot of ways. There are gonna be a lot of legal challenges before it's sorted. There's also lot of scaremongering about it, especially from people who are selling GDPR compliance solutions.

    The EU is notorious for legislation aimed at big corporations that includes tiny business under its umbrella, but with zero understanding of the impact on those businesses. (Remember the VAT changes in 2015, which were because Amazon was using Luxembourg as a tax dodge?) The maximum penalties that people are freaking out over are just that: maximum. They're designed with those multinationals in mind. The EU isn't insane and even if I'm doing something wrong and it somehow came to their attention, it's not going to fine one little self publishing guy with a mailing list four million dollars.

    This law is really about big companies (ahem Facebook) that are harvesting data and selling it on, or using it to profile and target people with certain kinds of ads, or who aren't properly securing financial information, aren't being honest with people about the data they're collecting and how it's used, and generally handling a lot of data in a creepy and irresponsible way. In terms of scale, we're plankton compared to the whales that prompted this law.

    As far as mailing lists go, the main thing is informed consent. No auto opt-in and no bait-and-switch. As in, the "subscribe to my newsletter" box shouldn't be on by default if a site visitor comments or buys something on my web site, I shouldn't tell people "sign up for a free book" and then they get my book release newsletter, people should be asked to "sign up for news about my upcoming books and get a free story as a thank you", and I should have a double confirmation set up, like an opt-in subscribe form, and then a confirmation where they have to reply or click a link. (Most setups already do this.)

    I haven't seen anything about a legal requirement to revalidate your list. Just make sure you have unsubscribe directions in the footer, and that your software is honoring those requests. (I set up a test email and subscribe, then unsubscribe, from my own list.) And maybe take the opportunity to send a newsletter about your updated privacy policy and unsubscribe directions. ;)

    As long as I'm being respectful and responsible with people's info, not collecting more than I need, and making clear how I'm using that info, I should be alright. I made sure to include my email address on the privacy page in case there are any questions I didn't answer.

    And the ICO GDPR page was a really helpful resource for me. It has lots of check boxes and bullet lists.
    « Last Edit: May 15, 2018, 05:04:45 am by frankie saxx »

    Offline TromboneAl

    • Status: Dostoevsky
    • ******
    • Posts: 3942
    • Name IRL: Al Macy
      • View Profile
    Re: GDPR
    « Reply #7 on: May 15, 2018, 11:48:24 am »
    A big improvement is the requirement to write your privacy policy in plain English rather than lawyer speak. Here's mine: http://www.alasdairshaw.co.uk/privacy.php

    That's excellent. Did you have a template that you wrote that from?

    Would you be willing to give your permission for me to copy that?

    Thanks,

    Al
     
    Al Macy | Web Site

    Offline Matt.Banks

    • Status: Lewis Carroll
    • **
    • Posts: 157
      • View Profile
    Re: GDPR
    « Reply #8 on: May 15, 2018, 12:00:24 pm »
    Greetings! Unpublished author here, what is GDPR? And why has it resulted in such a response that people are considering consulting lawyers?

    Offline munboy

    • Status: Lewis Carroll
    • **
    • Posts: 211
      • View Profile
    Re: GDPR
    « Reply #9 on: May 15, 2018, 12:59:25 pm »
    Greetings! Unpublished author here, what is GDPR? And why has it resulted in such a response that people are considering consulting lawyers?

    European law that deals with emailing lists and subscribers. Basically, they want people and companies to be 1000% clear to people that they are signing up for a mailing list....I'm not sure how it affects mailing lists retroactively.

    Offline archaeoroutes

    • Status: Scheherazade
    • *****
    • Posts: 1638
    • Gender: Male
    • Somerset, England
      • View Profile
      • Alasdair Shaw
    Re: GDPR
    « Reply #10 on: May 15, 2018, 01:08:23 pm »
    That's excellent. Did you have a template that you wrote that from?

    Would you be willing to give your permission for me to copy that?

    No template, just a mix of what seems like an honest way to do things and the guidance from ICO about what to include.
    By all means use it as the basis for yours, but be aware you may need to tweak to match how you do things.

    Offline Jonathan C. Gillespie

    • Status: Arthur Conan Doyle
    • ****
    • Posts: 995
    • Gender: Male
    • Atlanta, GA
    • Relentlessly Patient
      • View Profile
      • Fiction For Every Reader
    Re: GDPR
    « Reply #11 on: May 15, 2018, 01:24:03 pm »
    I'm not trying to freak out or anything, and I appreciate the call to step off the ledge :) For me it's just a question of balancing risk.

    I'm not going to go into major detail, because I wasn't doing anything nefarious anyway, but since the EU wants an audit trail of signups, including which methods were used and the like, I felt it made sense to re-authorize. I don't see or agree with that being an indication of guilt as this is all being done prior to the May 25th implementation of the law anyway. Further, I've seen this recommended as the approach if one needs to have a documented "paper trail" on hand; Mailerlite has an entire article about it. So in my case, at least, this had less to do with permission to contact my mailing list--because I know folks had already given it; and I've had a lifetime zero spam reports as a result--and more about being absolutely sure the consent trail was in place in case the EU came knocking.

    Quote
    The bottom line is that very little of this is knowable at present. Legislative bodies pass laws, then the courts tell us what they meant, often some years later. There'll be no certainty about what things like "informed consent" mean in the context of GDPR until somebody gets taken to court for an alleged breach. The good news is that it'll almost certainly be someone like Honda Motor Company, Ltd., before it's Jonathan C. Gillespie.

    I agree. The problem is the *cheapest* you'll get off should you actually get dinged in court is 10 million, if I'm interpreting this properly:

    https://www.gdpreu.org/compliance/fines-and-penalties/


    I write worlds on paper, then destroy them.
    Jonathan C. Gillespie | Official Site | Twitter | facebook | Newsletter

    Offline Cactus Lady

    • Status: Scheherazade
    • *****
    • Posts: 1698
    • Gender: Female
    • Arizona
      • View Profile
      • Welcome To My Worlds
    Re: GDPR
    « Reply #12 on: May 15, 2018, 01:40:23 pm »
    it's written by a bunch of politicians who really don't understand how the internet works on a technical level, and it's pretty vague in a lot of ways.

    ...

    The EU is notorious for legislation aimed at big corporations that includes tiny business under its umbrella, but with zero understanding of the impact on those businesses.

    Much truth in this.

    The EU isn't insane

    Not so sure about that :-X
    Tales of Fantasy, Heroism, and Romance
    Genres: Epic Romantic Fantasy, Fantasy-western
    http://www.kyrahalland.com

    Offline Used To Be BH

    • Status: Dostoevsky
    • ******
    • Posts: 3694
    • Gender: Male
      • View Profile
    Re: GDPR
    « Reply #13 on: May 15, 2018, 01:54:23 pm »
    I'm not trying to freak out or anything, and I appreciate the call to step off the ledge :) For me it's just a question of balancing risk.

    I'm not going to go into major detail, because I wasn't doing anything nefarious anyway, but since the EU wants an audit trail of signups, including which methods were used and the like, I felt it made sense to re-authorize. I don't see or agree with that being an indication of guilt as this is all being done prior to the May 25th implementation of the law anyway. Further, I've seen this recommended as the approach if one needs to have a documented "paper trail" on hand; Mailerlite has an entire article about it. So in my case, at least, this had less to do with permission to contact my mailing list--because I know folks had already given it; and I've had a lifetime zero spam reports as a result--and more about being absolutely sure the consent trail was in place in case the EU came knocking.

    I agree. The problem is the *cheapest* you'll get off should you actually get dinged in court is 10 million, if I'm interpreting this properly:

    https://www.gdpreu.org/compliance/fines-and-penalties/
    The language says, "up to ten million euros." So no, that isn't the lowest fine.

    In a previous thread, there was discussion of how two large corporations got dinged for doing exactly what you're suggesting--reconfirming their lists. That doesn't make sense to me, either. It seems as if it would be best practice. Apparently, someone in the EU has interpreted reconfirming to be an admission that you didn't have--or at least aren't sure you had--consent to email those people in the first place.

    Also, such a process would require you to remove anyone who didn't reconfirm--which means anyone who didn't open that particular email. Most people don't have open rates very close to 100%, which means a lot of lost subscribers.

    Mailchimp has the same kind of article as Mailerlite, but when I asked someone, I got a very different response. I think the email list providers want to cover themselves in the event subscribers have been manually added. If you didn't add any outside the normal list signup process, told people what they were signing up for, didn't have any boxes checked automatically, and used double opt-in, your list provider should have a record of that. Consent is pretty unambiguous in that kind of situation.
    I have not consented to the new Terms of Service, which were implemented without any announcement and without the ability to accept or reject them. My continued participation on the forum is related only to addressing this issue and cannot be construed as implied consent.  9/19/2018

    Stella S. Fitzsimons

    • Guest
    Re: GDPR
    « Reply #14 on: May 15, 2018, 04:13:38 pm »
    I'm not trying to freak out or anything, and I appreciate the call to step off the ledge :) For me it's just a question of balancing risk.

    I'm not going to go into major detail, because I wasn't doing anything nefarious anyway, but since the EU wants an audit trail of signups, including which methods were used and the like, I felt it made sense to re-authorize. I don't see or agree with that being an indication of guilt as this is all being done prior to the May 25th implementation of the law anyway. Further, I've seen this recommended as the approach if one needs to have a documented "paper trail" on hand; Mailerlite has an entire article about it. So in my case, at least, this had less to do with permission to contact my mailing list--because I know folks had already given it; and I've had a lifetime zero spam reports as a result--and more about being absolutely sure the consent trail was in place in case the EU came knocking.

    I agree. The problem is the *cheapest* you'll get off should you actually get dinged in court is 10 million, if I'm interpreting this properly:

    https://www.gdpreu.org/compliance/fines-and-penalties/

    Are you in the EU? How much of your list subscribers are actually in the EU? When I checked mine, I found it was less than 5%. And since I don't plan on misusing anyone's data or spamming anyone and my sign-ups have always been double opt-in, I've decided I'm not going to do a single thing.

    Offline 102069

    • Status: Dr. Seuss
    • *
    • Posts: 34
      • View Profile
    Re: GDPR
    « Reply #15 on: May 15, 2018, 11:42:40 pm »
    Not so sure about that :-X

    Haha! I would say byzantine and often myopic, but not insane. Though sometimes the results) are indistinguishable. And it does keep politicians occupied and off the streets. So there's that.

    Offline 102069

    • Status: Dr. Seuss
    • *
    • Posts: 34
      • View Profile
    Re: GDPR
    « Reply #16 on: May 16, 2018, 12:05:08 am »
    European law that deals with emailing lists and subscribers. Basically, they want people and companies to be 1000% clear to people that they are signing up for a mailing list....I'm not sure how it affects mailing lists retroactively.

    It's not just mailing lists. The GDPR is about any personal data you collect. Also the directive explicitly mentions IP addresses and cookies as online identifiers that may be used to identify natural persons when combined with other data, so if you use any tracking or analytics or software like a forum or blog commenting that collects IP addresses, you should probably disclose that, and how you use that data.

    It also requires you to handle data in a responsible way, like taking reasonable efforts to secure that data (so make sure your software security updates are applied ASAP) and notify people if there's a data breach that might have exposed their info.

    Among other things. It's a pretty hefty piece of legislation.

    This is the privacy information I wrote for my site. It will probably evolve a little bit, like I'm thinking of adding a text game which might probably use more cookies. The one linked above is pretty great too. Especially the layout, which breaks it up into bite size pieces.
    « Last Edit: May 16, 2018, 12:19:37 am by frankie saxx »

    Offline A. N. Other Author

    • Status: Arthur Conan Doyle
    • ****
    • Posts: 871
    • Gender: Male
    • Staffordshire, UK
      • View Profile
    Re: GDPR
    « Reply #17 on: May 16, 2018, 06:21:04 am »
    Lots of panic and unnecessary digital traffic flying everywhere about this.

    All my subscribers went through a double opt-in with clearly laid out details as to how their data will be used: "After signing up to this list, you will receive news about the author's work, occasional free gifts, and information about promotions in which the author is involved. Your details will never be shared with third parties, and you can unsubscribe at any time." This means it's now illegal for me to contact them about anything else.

    Pretty much everything in GDPR has been British law for years, though, so I was already compliant. It's about consent and using the data you've obtained in a way the customer is aware of. The only difference is, the EU might enforce it - predominantly against big companies obtaining data without consent (such as buying the email addresses from Facebook "like" farms).

    From everything I've gathered (from the excellent Mark Dawson podcast and elsewhere) you should only need to "revalidate" if you received a list of email addresses from someone and added them to your newsletter list without them opting-in directly. And even then, be careful - check out what happened to Honda.

    https://ico.org.uk/action-weve-taken/enforcement/honda-motor-europe-limited/

    Offline Nic

    • Status: Arthur C Clarke
    • *****
    • Posts: 2767
    • Gender: Male
      • View Profile
    Re: GDPR
    « Reply #18 on: May 16, 2018, 06:41:47 am »
    Something not mentioned here at all so far, this law applies to any kind of data.

    It has designers and photographers currently in a huge panic, because it means that you can't anymore use any shots taken in Europe which contain recognisable faces/people. You can't even use old photos, taken before this law, because people have the retroactive right to demand they be not used. And what is worse, this may even apply to portraits and stockphotos with a model release, because retroactive cancellation of the model release also is allowed. So far I haven't come across any solution for that little quirk.

    Also, this really is not just email addresses or mailing lists. It includes IP addresses when people surf onto your website or data you need to fulfill contracts.

    Offline Used To Be BH

    • Status: Dostoevsky
    • ******
    • Posts: 3694
    • Gender: Male
      • View Profile
    Re: GDPR
    « Reply #19 on: May 16, 2018, 07:07:40 am »
    Something not mentioned here at all so far, this law applies to any kind of data.

    It has designers and photographers currently in a huge panic, because it means that you can't anymore use any shots taken in Europe which contain recognisable faces/people. You can't even use old photos, taken before this law, because people have the retroactive right to demand they be not used. And what is worse, this may even apply to portraits and stockphotos with a model release, because retroactive cancellation of the model release also is allowed. So far I haven't come across any solution for that little quirk.

    Also, this really is not just email addresses or mailing lists. It includes IP addresses when people surf onto your website or data you need to fulfill contracts.
    Using images with recognizable people in them who are not model-released has really only been used in editorial contexts (for example, news reporting) before now. Even in the US, it hasn't been legal to post photos of people without model releases for commercial purposes.

    Probably, it would have been wiser not to make the law retroactive, but the model release thing doesn't worry me that much. If you're a model, how rapidly will your career come to an end if you start revoking old releases? That's one provision I think will likely get tossed in court. After all, models get paid by photographers as well as signing model releases, and many of them are under contract. Was it really the intent of GDPR to allow one party to unilaterally terminate a contract? And, if it was, wouldn't the model have to repay the photographer? Would the photographer or stock photo company have to repay the customers who bought the stock photos in good faith and are now being told they can't use them? This seems as risky for the models as it is for the stock photo end users, and, if someone really attempted to invoke that provision, it seems likely it would be in court for years and spawn a massive number of civil suits.

    It's true that some models in stock photos aren't paid--the photographer uses a relative or friend--but how many of those are EU citizens, and how many of that group will decide to revoke, given their personal relationship with the photographer?

    Data collection on websites might be more of a concern. However, many authors probably don't require signups to access the site content, and, if they do, collect only name and email. Yes, analytics plugins collect approximate location and IP address (which may or may not be personally identifiable). I'm not sure about the EU, but in the US, a lot of residential plans use dynamic IP addresses (address is assigned when the customer connects). My IP address today isn't the same as my IP address yesterday, and, unless I let an app detect my exact location, only places me in a general area. Also in the US, the people most concerned about privacy tend more and more to surf via virtual private networks, in which case the IP address has no connection to their real IP address. Is the same true in the EU? I don't know, but it's at least a possibility. 
    I have not consented to the new Terms of Service, which were implemented without any announcement and without the ability to accept or reject them. My continued participation on the forum is related only to addressing this issue and cannot be construed as implied consent.  9/19/2018

    Offline Nic

    • Status: Arthur C Clarke
    • *****
    • Posts: 2767
    • Gender: Male
      • View Profile
    Re: GDPR
    « Reply #20 on: May 16, 2018, 07:22:21 am »
    I don't think anyone writing this law checked for potential results. That's not how legislative processes work. Unfortunately. Also unfortunately it doesn't matter what one logically expects, compared to what the law says. GDPR has been expressly written with the caveat that the courts of the various European countries should define how it plays out.

    At the moment, and as a designer I talk a lot about this with colleagues, it is as I said. It is not even clear whether, for example, an American model whose stock photo is being used on an erotica cover of a book sold on European soil or to European customers, could demand a retroactive cessation of the use of her data (said photo). The law is clear however that this may not come at any cost to the person whose data this is.

    As to websites, I was talking at the level of the site server collecting the access IPs in a logfile, which is standard practice of all servers (they don't work without such processes). Already this is "gathering of data" under this law. How people surf is of no import regarding the collection of data and need to apply GDPR. And anyone who sells books off their own site, or has similar interaction with European customers, also needs to account for the gathered data.

    Yes, I do agree. This is a cluster[expletive].



    Edited.  PM me if you have any questions.  --Betsy/KB Mod
    « Last Edit: May 21, 2018, 04:41:33 pm by Betsy the Quilter »

    Offline 102069

    • Status: Dr. Seuss
    • *
    • Posts: 34
      • View Profile
    Re: GDPR
    « Reply #21 on: May 16, 2018, 07:54:46 am »
    Data collection on websites might be more of a concern. However, many authors probably don't require signups to access the site content, and, if they do, collect only name and email. Yes, analytics plugins collect approximate location and IP address (which may or may not be personally identifiable). I'm not sure about the EU, but in the US, a lot of residential plans use dynamic IP addresses (address is assigned when the customer connects). My IP address today isn't the same as my IP address yesterday, and, unless I let an app detect my exact location, only places me in a general area. Also in the US, the people most concerned about privacy tend more and more to surf via virtual private networks, in which case the IP address has no connection to their real IP address. Is the same true in the EU? I don't know, but it's at least a possibility.

    The GDPR specifically mentions IP addresses as an example of "online identifiers" because when it's put together with other data it's possible they can be used to identify a natural person. In the EU, ISPs are required to keep logs of address assignment, so even if your address changes, giving the ISP the IP address with the timestamp would identify the person using it. (ISPs only hand over that information when legally required obviously.)

    Dynamic allocation doesn't necessarily change that often, either. Your computer has a lease on an IP, and depending on how long that lease period is, and whether your client is automatically renewing the lease, you can keep the same address for a long time - months, even. There's some really boring case law about this where European courts have ruled in some cases an IP can be considered personal data; since I have no way of knowing which IPs those are, it's better to remind people that when they visit my site, that data is logged.  :)

    Mailing lists require explicit consent, but not all data collection does, but people still have a right to know that data is being collected and how it's used.

    Offline RomanceAuthor

    • Status: Lewis Carroll
    • **
    • Posts: 225
      • View Profile
    Re: GDPR
    « Reply #22 on: May 16, 2018, 09:19:40 am »
    This GDPR madness among authors is...insane. I live in the EU. I get at least 40 newsletters a week from EU-based companies. I read every single one of them. Want to know how many mentioned GDPR or asked me to "confirm" that I want to remain on their list? ZERO.
    That's right. ZERO.

    The ONLY ONES who are sending these maddening GDPR emails are AUTHORS. I've received about twelve of those!!!!! I am not sure how this manic episode started, but the author world is overreacting....

    Offline 102069

    • Status: Dr. Seuss
    • *
    • Posts: 34
      • View Profile
    Re: GDPR
    « Reply #23 on: May 16, 2018, 10:19:53 am »
    This GDPR madness among authors is...insane. I live in the EU. I get at least 40 newsletters a week from EU-based companies. I read every single one of them. Want to know how many mentioned GDPR or asked me to "confirm" that I want to remain on their list? ZERO.
    That's right. ZERO.

    The ONLY ONES who are sending these maddening GDPR emails are AUTHORS. I've received about twelve of those!!!!! I am not sure how this manic episode started, but the author world is overreacting....

    Also in the EU, also have gotten zero requests for reconfirmation. I wish a bunch of these lists would ask for reconfirmation because I never asked to be on them, I just bought something from them one time, and the unsubscribe link apparently goes to a dummy page, because it tells me I'm unsubscribed, but next week there's another mail...

    I've gotten a number of mails from companies asking me to review their new privacy & data handling policies though, and I had to confirm I was over 16 to Skype.
    « Last Edit: May 16, 2018, 11:06:11 am by frankie saxx »

    Offline Anarchist

    • Status: Arthur C Clarke
    • *****
    • Posts: 2945
    • Methodological individualist
      • View Profile
    Re: GDPR
    « Reply #24 on: May 16, 2018, 10:27:51 am »
    This GDPR madness among authors is...insane. I live in the EU. I get at least 40 newsletters a week from EU-based companies. I read every single one of them. Want to know how many mentioned GDPR or asked me to "confirm" that I want to remain on their list? ZERO.
    That's right. ZERO.

    The ONLY ONES who are sending these maddening GDPR emails are AUTHORS. I've received about twelve of those!!!!! I am not sure how this manic episode started, but the author world is overreacting....

    The indie author community thrives on rumor, speculation, and paranoia, and operates in an echo chamber.
    "Opportunity is missed by most people because it is dressed in overalls and looks like work." - Thomas Edison

    "Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat." - Sun Tzu

    KBoards.com

    • Advertisement
    • ***