Reader Data Privacy

Authors who collect reader email addresses are responsible for protecting subscriber data. This guide explains how GDPR, CAN-SPAM, privacy policies, cookie consent, unsubscribe rights, and email platform compliance apply to indie author newsletters and author websites.

Updated on June 12, 2026 by Randall Wood


The Law You Didn't Know Applied to You

You built your newsletter list one reader at a time — signup forms, reader magnets, giveaways, backmatter CTAs. You think of it as a marketing asset, which it is. What you may not have realized is that by collecting those email addresses, you became something with a legal name: a Data Controller.

Under the European Union's General Data Protection Regulation (GDPR), any person or organization that collects and uses personal data about EU residents is a data controller — regardless of where that person or organization is located. A self-published author in Florida with readers in Germany, France, and the UK is a data controller under GDPR. The law doesn't stop at the US border.

This isn't meant to alarm you. The practical obligations for an indie author with a newsletter list are manageable, and the major email marketing platforms (including ScribeCount Email) handle the technical compliance mechanics. But understanding what's required — and what can go wrong if you don't — is essential business knowledge for anyone who collects reader email addresses.


What Is Personal Data Under GDPR?

Personal data is any information that can identify a living person. For indie authors, this includes:

  • Email addresses — the most obvious example

  • Names collected alongside email addresses on sign-up forms

  • IP addresses logged by your website when visitors interact with it

  • Location data that your website's analytics tools collect

  • Any behavioral data tied to an identifiable individual (what links they clicked, what emails they opened)

If your author website uses Google Analytics, you are collecting personal data. If you have an email list with names and email addresses, you are collecting personal data. This data collection creates legal obligations under GDPR if any of those people are EU residents.


GDPR — What It Requires of Authors

Lawful Basis for Processing

You need a legal reason to collect and use personal data. For author newsletters, the most appropriate basis is consent — the subscriber explicitly agreed to receive emails from you. Consent under GDPR has specific requirements:

  • It must be freely given — not bundled with a requirement to receive something else

  • It must be specific — the subscriber must know what they're consenting to (your newsletter, not a generic "contact list")

  • It must be informed — you must tell them what they'll receive

  • It must be unambiguous — a pre-ticked checkbox does not constitute valid consent; the subscriber must actively opt in

Reader magnet compliance: offering a free ebook in exchange for signing up to your newsletter is generally compliant IF the subscription is voluntary — the reader must be able to download the free book without being required to join your newsletter list. The two actions should be separable. A download page that requires newsletter signup as the only way to access the freebie is a grey area that GDPR enforcement has increasingly scrutinized.

The Right to Unsubscribe (and to Be Forgotten)

Every subscriber has the right to withdraw their consent at any time. This means:

  • Every email you send must include a functioning unsubscribe link

  • When someone unsubscribes, you must stop sending them emails promptly — industry standard is within 10 business days

  • Subscribers can also request that you delete all personal data you hold about them (the "right to erasure" or "right to be forgotten") — you must honor this request

  • Subscribers can request a copy of what personal data you hold about them — you must provide it

Privacy Policy

If you have an author website that collects email addresses or uses any analytics tracking (Google Analytics, Facebook Pixel, etc.), you are required by GDPR to have a privacy policy that discloses:

  • What personal data you collect

  • Why you collect it (your legal basis for processing)

  • How long you retain it

  • Who you share it with (your email platform, your analytics provider)

  • How subscribers can exercise their rights (unsubscribe, access their data, request deletion)

Your privacy policy should be linked from your website footer and from your sign-up forms. Many free privacy policy generators (Termly, iubenda, Privacy Policy Generator) can produce a GDPR-compliant policy for an author website in minutes.

Sign-Up Form Requirements

Your newsletter sign-up forms should:

  • Clearly state what the subscriber is signing up for

  • Include a link to your privacy policy

  • Not pre-tick any opt-in checkboxes

  • Allow separate consent for each type of communication, if you collect more than one
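The form requirements above, as an added example (not ScribeCount's or any platform's code): one unchecked box per communication type, a privacy policy link, and a per-subscriber consent record that can later be produced on an access request. The form definition, URL, purpose names and sample submission are constructed for illustration.

```javascript
// Constructed form definition: each purpose is a separate, unchecked opt-in box,
// and the form records which consent wording and privacy policy the subscriber saw.
const SIGNUP_FORM = {
  privacyPolicyUrl: "https://example-author.test/privacy",   // placeholder URL
  consentTextVersion: "2026-06",                              // wording shown on the form
  purposes: [
    { id: "newsletter", label: "Monthly newsletter with new releases", defaultChecked: false },
    { id: "launch_team", label: "Invitations to the ARC / launch team", defaultChecked: false },
  ],
};

// Returns a list of problems with the form definition; an empty list means it passes.
function validateFormDefinition(form) {
  const problems = [];
  if (!form.privacyPolicyUrl) problems.push("no privacy policy link");
  if (!Array.isArray(form.purposes) || form.purposes.length === 0) problems.push("no purposes defined");
  for (const p of form.purposes || []) {
    if (p.defaultChecked) problems.push(`purpose '${p.id}' is pre-ticked`);   // not valid consent under GDPR
    if (!p.label) problems.push(`purpose '${p.id}' does not say what the subscriber gets`);
  }
  return problems;
}

// Turns a submission into a consent record. Only purposes the subscriber actively
// ticked are recorded; a submission with nothing ticked is rejected rather than
// silently treated as consent to the newsletter.
function recordConsent(form, submission, now = new Date()) {
  const granted = form.purposes
    .filter((p) => submission.purposes && submission.purposes[p.id] === true)
    .map((p) => p.id);
  if (granted.length === 0) return { ok: false, reason: "no purpose opted in" };
  return {
    ok: true,
    record: {
      email: submission.email.trim().toLowerCase(),
      purposes: granted,                          // specific, per-purpose consent
      consentTextVersion: form.consentTextVersion, // what they were told they would receive
      privacyPolicyUrl: form.privacyPolicyUrl,     // which policy they were pointed to
      source: submission.source,                   // e.g. "backmatter-cta" (constructed label)
      consentedAt: now.toISOString(),              // when consent was given
    },
  };
}
```

The record is what you hand over when a subscriber asks what data you hold and how you came to hold it.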


CAN-SPAM — The US Law

CAN-SPAM (Controlling the Assault of Non-Solicited Pornography And Marketing Act, 2003) is the US federal law governing commercial email. It is significantly less strict than GDPR but still imposes requirements that US-based authors must meet:

  • Every commercial email must include an accurate physical postal address — a PO box is acceptable. Your home address is not required, but a deliverable postal address is.

  • Every commercial email must include a clear, visible mechanism to opt out of future emails

  • Opt-out requests must be honored within 10 business days

  • Subject lines must not be deceptive — you cannot disguise a promotional email as a personal message

  • The "From" name must accurately identify the sender

CAN-SPAM does not require opt-in consent — you can email people who haven't specifically asked to receive your emails, as long as you give them an easy way to opt out. However, in practice, email marketing to people who didn't opt in produces poor results and high spam complaint rates, which can damage your email deliverability.

The practical approach: follow GDPR's stricter standard for all your subscribers, regardless of where they're located. This means opt-in consent for everyone, clear disclosure of what they're signing up for, and easy unsubscribe. GDPR compliance makes you CAN-SPAM compliant, not the other way around.


Cookie Consent — Your Website

If your author website uses cookies for any purpose — Google Analytics tracking, Facebook Pixel for ad retargeting, embedded content from YouTube or social platforms — EU visitors must be able to consent to or reject those cookies before the cookies are placed.

This requires a cookie consent banner that:

  • Appears before any non-essential cookies are set

  • Clearly describes what the cookies do

  • Allows visitors to accept or reject them

  • Does not use dark patterns that make it harder to reject than to accept

Cookie consent plugins for WordPress (Complianz, GDPR Cookie Consent) and services like Cookiebot automate the technical implementation. This is a set-it-and-check-periodically task, not an ongoing operational burden.
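The decision a consent banner has to make, as an added example that is not code from the page or from any of the plugins named above: before the visitor has answered, only essential scripts may run; afterwards, each non-essential category loads only if it was accepted. The script list and the `consent=v1|analytics=1|marketing=0` cookie format are constructed conventions for illustration.

```javascript
// Constructed list of scripts a typical author site loads, tagged by consent category.
const SCRIPTS = [
  { name: "session", category: "essential" },
  { name: "google-analytics", category: "analytics" },
  { name: "facebook-pixel", category: "marketing" },
  { name: "youtube-embed", category: "marketing" },
];

// Parses the visitor's choices from a Cookie header. Returns null when no decision
// has been recorded yet (or the format is unrecognised), which must be treated as
// "nothing accepted", not as consent.
function parseConsentCookie(cookieHeader) {
  const m = /(?:^|;\s*)consent=([^;]*)/.exec(cookieHeader || "");
  if (!m) return null;
  const [version, ...pairs] = m[1].split("|");
  if (version !== "v1") return null;
  const choices = {};
  for (const pair of pairs) {
    const [category, value] = pair.split("=");
    if (category && (value === "1" || value === "0")) choices[category] = value === "1";
  }
  return choices;
}

// Returns the names of scripts allowed to load. Default is deny: essential scripts
// always run; every other category needs an explicit "accepted" choice.
function scriptsAllowed(choices, scripts = SCRIPTS) {
  return scripts
    .filter((s) => s.category === "essential" || (choices !== null && choices[s.category] === true))
    .map((s) => s.name);
}

// Builds the Set-Cookie value that stores the visitor's decision. Rejecting is
// stored just like accepting, so the banner does not reappear on every page.
function buildConsentCookie(choices, maxAgeDays = 180) {
  const body = ["v1", ...Object.entries(choices).map(([c, v]) => `${c}=${v ? "1" : "0"}`)].join("|");
  return `consent=${body}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}
```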


What Happens If You Don't Comply

GDPR enforcement is handled by national data protection authorities in each EU member state. Fines can reach €20 million or 4% of global annual revenue — whichever is higher. These maximum penalties are reserved for large organizations with systemic violations. Individual authors with small newsletter lists who make good-faith compliance errors are not typically the enforcement target.

However, the low end of GDPR risk is not zero. Authors who receive complaints from EU subscribers, who are found to be collecting data without a valid legal basis, or who fail to honor deletion requests can face regulatory attention. More practically, large email platforms including Mailchimp and ConvertKit have increased their own enforcement of GDPR compliance among their users — accounts found to be non-compliant can be terminated by the platform.

CAN-SPAM violations can result in penalties of up to $51,744 per email per recipient. Enforcement is handled by the FTC and state attorneys general.


The Practical Checklist for Author Email List Compliance

  1. Install a privacy policy on your author website. Use a generator if needed; link it from your footer and every sign-up form.

  2. Use an email marketing platform that manages technical compliance — suppression lists, unsubscribe processing, consent logs. ScribeCount Email, Mailchimp, Kit, MailerLite, and others all provide this infrastructure.

  3. Configure your sign-up forms for active opt-in — no pre-checked boxes, clear statement of what the subscriber is signing up for.

  4. If your website uses analytics or social media pixels, install a cookie consent banner.

  5. Include a physical postal address and clear unsubscribe link in every email you send.

  6. Honor unsubscribe requests promptly — your email platform should handle this automatically.

  7. If a subscriber requests deletion of their data, remove them from your list and confirm deletion within 30 days.

  8. Review your sign-up flows and privacy policy annually — the law and best practices continue to evolve.


ScribeCount Email: Built for Compliance

ScribeCount Email — the native email marketing module of the Author OS — handles the technical compliance mechanics that GDPR and CAN-SPAM impose on email lists. Consent is tracked at the subscriber level, suppression lists are maintained automatically, and every campaign includes the required unsubscribe mechanism. When a subscriber unsubscribes or requests deletion, the platform processes it without requiring manual intervention. The platform's compliance infrastructure means your obligation is primarily to understand the rules and configure your sign-up forms and privacy policy correctly — the technical enforcement runs in the background.

Conclusion

Reader data privacy law is not glamorous, and understanding it doesn't feel like the creative part of being an author. But your email list is your most durable business asset — and keeping that asset legally clean is how you ensure you can continue using it without interruption.

The compliance requirements for a typical indie author newsletter are modest: a privacy policy, compliant sign-up forms, and an email platform that handles the technical mechanics. None of it is technically complex. All of it is necessary.

Take an afternoon, work through the checklist above, and it's done. Then you can go back to writing.

  - Randall
