The Author's Guide to GDPR and Reader Data
If you're collecting emails or selling to EU readers, GDPR applies to you. Here's what you actually need to do.

GDPR Is Not Just a European Problem
When the General Data Protection Regulation came into force in May 2018, many authors outside the European Union assumed it did not apply to them. That assumption is wrong: the regulation's reach is deliberately extraterritorial.
GDPR applies to any organisation, including an individual author, that offers goods or services to people in the European Union or monitors their behaviour online, regardless of where that organisation is based. Since Brexit the UK applies its own near-identical UK GDPR, so the same rules cover readers in the UK. If a reader in Germany subscribes to your newsletter, if a reader in France buys your eBook, if someone in the Netherlands fills in your contact form, GDPR applies to those interactions.
For independent authors selling and marketing online, this means GDPR is almost certainly relevant to your business. The good news is that compliance does not require a legal team or expensive software. It requires understanding a few core principles and applying them consistently.
What Personal Data Are Authors Typically Collecting?
Before understanding your obligations, it helps to know what counts as personal data under GDPR. The regulation defines it broadly as any information relating to an identified or identifiable living individual, whether it identifies them directly (a name) or indirectly (an IP address or a customer number). For authors, the most common types include:
- Email addresses collected via newsletter sign-ups or contact forms
- Names provided during purchases or sign-up
- Billing addresses and payment information collected at checkout
- IP addresses and browsing data collected by website analytics tools
- Purchase history associated with a specific reader account
If your author website collects any of these — and most do — you are processing personal data and GDPR applies to those interactions with EU and UK readers.
The Six Core GDPR Principles
Article 5 of the GDPR sets out seven principles. Six of them govern how personal data must be handled and are covered below. The seventh, accountability, means you must be able to show that you follow the other six; in practice that means keeping a record of what consent you obtained, when, and through which form. Understanding these will guide most of the practical decisions you need to make.
1. Lawful Basis
You must have a legal reason to collect and process each type of data. For authors, the most relevant lawful bases are:
- Consent — the reader has clearly and actively agreed to you using their data for a specific purpose (e.g. subscribing to your newsletter)
- Contract — processing is necessary to fulfil a purchase (e.g. delivering an eBook or processing payment)
- Legitimate interests — you have a genuine business reason that does not override the reader's rights
The key point: pre-ticked boxes, bundled consent, or vague statements like "by using this site you agree to receive marketing" do not constitute valid consent under GDPR.
2. Purpose Limitation
Data collected for one purpose cannot be reused for a different, incompatible purpose without a new lawful basis, which for marketing means fresh consent. If a reader gives you their email to receive a free chapter, you cannot automatically add them to your marketing newsletter without a separate, explicit opt-in.
3. Data Minimisation
Collect only the data you actually need. If you are delivering a digital download, you need an email address. You do not need a phone number, date of birth, or physical address unless there is a clear reason for it.
4. Accuracy
Keep data accurate and up to date, and correct it when a reader tells you it is wrong. Practically, this means removing bounced or invalid email addresses from your lists and updating a reader's details (for example a changed email address) on request. Unsubscribe requests are a separate obligation, covered below, but they should be honoured just as promptly.
5. Storage Limitation
Do not keep personal data longer than necessary. Define retention periods for different data types and stick to them. Purchase records may need to be kept for tax purposes, but marketing data from lapsed subscribers should be removed periodically.
6. Security
Take reasonable steps to protect the data you hold; the regulation calls this integrity and confidentiality. Using reputable, secure platforms for email marketing and eBook sales, rather than storing email lists in unencrypted spreadsheets or exporting them to a laptop, goes a long way toward meeting this requirement. Turn on two-factor authentication for those platform accounts and for the email account that can reset their passwords, since a single compromised login exposes every subscriber at once, and keep the number of people with access to a minimum. If subscriber data is lost or exposed and the incident is likely to put readers at risk, GDPR also requires you to notify your supervisory authority within 72 hours of becoming aware of it, so know in advance how you would do that.
What Authors Actually Need to Do
Write a Privacy Policy
Every author website that collects personal data needs a privacy policy. This document explains what data you collect, why you collect it, how you use it, how long you keep it, and how readers can exercise their rights. It must be written in clear, plain language — not legal boilerplate that no one reads.
Your privacy policy must be easily accessible from your website — typically linked in the footer on every page. AuthorLoft includes a customisable legal page where you can publish this.
Get Proper Newsletter Consent
Your newsletter sign-up form must make it clear what readers are signing up for and require an active opt-in (a checkbox that is not pre-ticked). The sign-up confirmation should state explicitly that the reader is agreeing to receive email marketing from you.
If you use a double opt-in process — where subscribers receive a confirmation email they must click — this provides stronger evidence of consent and is recommended for any list with EU subscribers.
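The double opt-in described above, together with the consent record the accountability principle asks for and the storage-limitation clean-up of sign-ups that never confirmed, is concrete enough to show in code. The following is an added example, not code from the original article or from AuthorLoft, and its design is an assumption: a sign-up stays pending until the reader clicks a link carrying an HMAC over (address, expiry), and only then is a subscriber created, together with a record of exactly what wording they agreed to, when, and from which form. The class and method names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Added example (not from the original article). Assumed design: a signed,
# expiring confirmation token binds the click to one address; a pending
# request becomes a subscriber only on a valid, unexpired, unused click.


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    purpose: str        # the wording the reader actually agreed to
    source: str         # which form or page the request came from
    requested_at: int   # Unix time of the form submission
    confirmed_at: int   # Unix time of the confirmation click


class NewsletterList:
    def __init__(self, key: bytes, confirm_window: int = 48 * 3600, clock=time.time):
        if len(key) < 32:
            raise ValueError("use a random key of at least 32 bytes, loaded from a secret store")
        self._key = key
        self._window = confirm_window          # how long a confirmation link stays valid
        self._clock = clock                    # injectable for tests
        self.pending: dict[str, dict] = {}               # email -> unconfirmed request
        self.subscribers: dict[str, ConsentRecord] = {}  # email -> evidence of consent
        self.suppressed: set[str] = set()                # unsubscribed; never re-imported silently

    def _now(self) -> int:
        return int(self._clock())

    def _sign(self, email: str, expires: int) -> str:
        # NUL separator so "a@x.com" + "12" cannot collide with "a@x.com1" + "2"
        msg = f"{email}\x00{expires}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def request_signup(self, email: str, purpose: str, source: str) -> str:
        """Step 1: the reader submits the form (unticked box, clear purpose).
        Nothing is subscribed yet; returns the token to put in the confirmation link."""
        email = email.strip().lower()
        expires = self._now() + self._window
        self.pending[email] = {"purpose": purpose, "source": source, "requested_at": self._now()}
        return f"{expires}.{self._sign(email, expires)}"

    def confirm(self, email: str, token: str) -> bool:
        """Step 2: the reader clicks the link. A subscriber is created only if the
        token is authentic, bound to this address, unexpired and matches an open request."""
        email = email.strip().lower()
        try:
            expires_s, sig = token.split(".", 1)
            expires = int(expires_s)
        except ValueError:
            return False                      # malformed link
        if not hmac.compare_digest(sig, self._sign(email, expires)):
            return False                      # forged, tampered, or copied from another address
        if self._now() > expires:
            return False                      # link too old; the reader must sign up again
        req = self.pending.pop(email, None)
        if req is None:
            return False                      # never requested, already used, or purged
        self.subscribers[email] = ConsentRecord(
            email, req["purpose"], req["source"], req["requested_at"], self._now()
        )
        self.suppressed.discard(email)        # a fresh explicit opt-in overrides an old unsubscribe
        return True

    def unsubscribe(self, email: str) -> None:
        """Honour the request at once and remember it so the address is not re-imported."""
        email = email.strip().lower()
        self.subscribers.pop(email, None)
        self.suppressed.add(email)

    def purge_stale_pending(self) -> int:
        """Storage limitation: drop addresses whose confirmation link expired unused."""
        cutoff = self._now() - self._window
        stale = [e for e, r in self.pending.items() if r["requested_at"] < cutoff]
        for e in stale:
            del self.pending[e]
        return len(stale)


if __name__ == "__main__":
    # Constructed walk-through; the key would come from a secret store in real use.
    nl = NewsletterList(key=secrets.token_bytes(32))
    token = nl.request_signup("reader@example.com", "monthly author newsletter", "homepage form")
    print("confirmed:", nl.confirm("reader@example.com", token))   # True
    print("replayed:", nl.confirm("reader@example.com", token))    # False: request already consumed
    print(nl.subscribers["reader@example.com"])
```

The token carries no secret of its own; the HMAC is what makes it unforgeable, and because the address is part of the signed message a link copied from one confirmation email cannot confirm a different address. The stored `ConsentRecord` is the evidence you would show a regulator or an email provider that asks how a subscriber ended up on your list.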
Make Unsubscribing Easy
Every marketing email you send must include an unsubscribe link that works immediately. Honour unsubscribe requests promptly. Do not continue sending marketing emails to anyone who has unsubscribed, even if they remain a customer.
Know Your Third-Party Tools
If you use Mailchimp, ConvertKit, or another email marketing platform, you are sharing your subscribers' data with that provider, which makes it your data processor. You need to ensure that provider is GDPR compliant (most major platforms are) and that your use of their platform is covered by a data processing agreement; Article 28 requires one, and most major platforms build it into their standard terms, but check rather than assume.
Similarly, payment processors like Stripe have their own privacy and data handling obligations. Using established, reputable platforms significantly reduces your risk exposure.
Respond to Data Subject Requests
Under GDPR, EU and UK residents have the right to request access to the data you hold about them, ask for corrections, request deletion, and object to processing. You must respond without undue delay and in any event within one month; for complex or numerous requests this can be extended by a further two months, provided you tell the person why within the first month.
For most independent authors, these requests are rare. But having a simple process in place, even just an email address readers can contact, is sufficient to meet this requirement. One check matters: confirm that the request really comes from the person the data is about (for example by replying to the subscribed address rather than to whatever address the request arrived from) before you disclose or delete anything, since handing a reader's data to an impersonator is itself a breach.
What Happens If You Ignore GDPR?
For large organisations, GDPR fines can reach €20 million or 4% of global annual turnover, whichever is higher. For individual authors, the risk is considerably lower: regulators focus enforcement action on significant violations involving large amounts of data.
However, there are real practical risks. Readers who feel their data has been misused can complain to their national data protection authority. Email providers can suspend accounts that are not compliant with consent requirements. And the reputational damage of being known as an author who mishandles reader data is not something easily recovered from.
Compliance is not just about legal risk. It is about respecting the readers who trust you with their information.
A Practical GDPR Checklist for Authors
- Write and publish a clear privacy policy on your website
- Ensure all newsletter sign-up forms use active, unambiguous opt-in
- Include an unsubscribe link in every marketing email
- Do not add people to your list without their explicit consent
- Use reputable, GDPR-compliant platforms for email marketing and payments
- Define how long you keep different types of data and clean lists periodically
- Have a way for readers to contact you with data requests
GDPR compliance for independent authors is genuinely achievable without legal expertise. It requires clear thinking about what data you collect, honest communication with your readers about how you use it, and a commitment to handling that information with care. Most authors who approach it this way find that compliance and good reader relationships are the same thing.