Safety Dispatch: Managing Newsletters

by the SFWA Safety Committee

As social media becomes increasingly fractured, more authors are turning toward newsletters as a reliable form of direct marketing. Mailing lists are an invaluable way to keep in touch with readers who actively want to hear more about your work. They can also raise questions about how to properly set one up without being reported as spam, or revealing your own private contact information to everyone who signs up.

Any time you handle other people’s personal information, you need to comply with applicable spam laws, store that data safely, and, as a general consideration, never use anyone’s information without explicit permission.

Spam Laws

Numerous laws govern the sending of commercial email, with slight variations by country. The CAN-SPAM Act set national standards for the United States in 2003, enforced by the Federal Trade Commission (FTC). The General Data Protection Regulation (GDPR) went into effect in the European Union in 2018, and applies to any organization that collects data from people in the EU, regardless of where the organization is located. Additional laws include CASL in Canada and the Privacy and Electronic Communications Regulations of 2003 in the UK.

The short version is: assume your country or any countries you do business in have some manner of spam regulation, and search them out.

Frequent themes appear in most of these laws:

  • Don’t add anyone to your mailing lists without explicit consent.
  • Be clear about how you intend to use any information you collect, and then do not use it for anything else.
  • Don’t use misleading subject headers or contact information (more on this in a minute).
  • Include simple, clear, opt-out instructions on every mailing, and honor unsubscribe requests promptly.
  • Store personal data securely, and only as long as needed for your stated purpose.

For the average author sending a newsletter, this means a clearly labeled sign-up form that only collects email addresses. It also means providing an easy means to unsubscribe at any time and discarding data when it is no longer needed. If, for example, you collect contact information for a one-time giveaway, and you wish to add everyone who signs up to your mailing list, you need them to clearly indicate consent for you to do so, often by ticking an additional box on the sign-up form. Otherwise, that information must be discarded after the giveaway.

Double opt-ins are a common tactic for keeping sign-ups perfectly clear. A double opt-in occurs when a user signs up for an email list, and then an email is sent to the user with a link to confirm the subscription. The user is not added to the email list until after the confirmation is completed. This two-step process ensures that the user didn’t sign up in error and that a third party can’t sign someone up without their cooperation.
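For anyone managing their own list, here is a minimal sketch of the double opt-in flow described above. It is an added example, not code from SFWA or any newsletter service. The secret value, the 48-hour link lifetime, and the in-memory `pending` and `subscribers` stores are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Assumption: a long random server-side secret; this value is a placeholder.
SECRET = b"replace-with-a-long-random-secret"
TOKEN_LIFETIME = 48 * 3600  # assumption: confirmation links expire after 48 hours

pending = {}         # address -> time the sign-up form was submitted
subscribers = set()  # addresses that completed the confirmation step


def _sign(email, issued_at):
    """Bind the token to one address and one sign-up time."""
    msg = f"{email}|{issued_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def request_signup(email, now=None):
    """Step 1: record a pending sign-up; return the token for the emailed link."""
    email = email.strip().lower()
    issued_at = int(now if now is not None else time.time())
    pending[email] = issued_at
    return f"{issued_at}.{_sign(email, issued_at)}"


def confirm_signup(email, token, now=None):
    """Step 2: add the address only if the emailed token checks out."""
    email = email.strip().lower()
    now = int(now if now is not None else time.time())
    issued_str, _, mac = token.partition(".")
    if not (issued_str.isascii() and issued_str.isdigit()):
        return False  # malformed token
    issued_at = int(issued_str)
    if pending.get(email) != issued_at:
        return False  # no matching pending sign-up for this address
    if not hmac.compare_digest(mac.encode(), _sign(email, issued_at).encode()):
        return False  # token was not issued by us for this address
    del pending[email]  # single use; also discards expired unconfirmed data
    if now - issued_at > TOKEN_LIFETIME:
        return False
    subscribers.add(email)
    return True


def unsubscribe(email):
    """Opt-out: remove the address immediately."""
    subscribers.discard(email.strip().lower())
```

Because the token only ever travels to the address that was entered, a third party who types in someone else's email cannot complete the second step.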

The running themes between all of these laws are clarity of sender, clarity of use, consent to collect data, and an easy opt-out. Take a look at the SFWA Safety Committee’s page on Managing the Privacy of Others for deeper dives into various GDPR and CAN-SPAM clauses, and other privacy considerations.

Protecting Your Own Contact Information

One of the requirements of the CAN-SPAM Act is to tell recipients where you are located. This means including a valid physical address in every message sent. Many third-party newsletter services, such as MailChimp or MailerLite, will automatically add this information to the footer on your emails. If you’re managing your own list, you’re expected to add this in yourself.

Luckily, this doesn’t have to be your actual home address, as long as it is a real address through which you can be contacted. If you’re agented, you can ask your literary agency if they’ll let you use their address as your official place of business. If this isn’t an option, and you don’t have another business address available to you, you can consider setting up a P.O. Box for business purposes.

Safe Data Storage

Many of these laws require you to handle personal data as securely as possible. The GDPR, for example, specifies “appropriate technical and organizational measures.” Here are some considerations for safe data handling:

  • If you have a personal assistant or social media team, be sure to limit data access only to people who genuinely need it. Do not sell or share your email lists without explicit permission.
  • If you are managing your own mailing list, and sending mass mailings in batches through your email provider, use the Bcc field in your email so that your recipients don’t receive one another’s email addresses.
  • If you are managing these lists yourself, consider storing them in password-protected files on a private device. If you are using a third-party service, use two-factor authentication wherever possible and a secure password to reduce the chances of anyone else gaining access to your accounts.

Outsourcing to a Newsletter Service

A popular solution for all of these safety concerns is to outsource data management to a third-party service that is already compliant with international spam laws (say, a newsletter service with clear opt-ins and automated unsubscribe links, and clearly detailed GDPR-compliant settings). But be aware that you are ultimately responsible for the data you manage, so you should review all of these settings carefully.

Many third-party services have already written pages to walk you through their GDPR settings and ways for you to ensure compliance. Here are some examples at MailerLite and MailChimp, but they are far from the only options.

Even in situations where spam laws do not apply, it is a general best practice to consider the privacy of anyone whose personal information you are handling, to be clear about the ways you will be using or sharing that information, and to obtain explicit consent to do so. Only collect information strictly needed for a specific purpose, and consider carefully what you share with others, even people doing work on your behalf.

And then: send away!


The SFWA Safety Committee maintains the Safety Resources on SFWA’s website at www.sfwa.org/safety. These resources contain useful information for creators maintaining an online presence and touch on safety considerations for in-person events for both attendees and event planners. We are here to help individuals and organizations navigate the speculative fiction publication industry with increased consideration for safety.