GDPR for little guys?

Anyone have a simple checklist for those of us selling products in the EU? Yeah, I know, it’s a little late, considering that tomorrow is the deadline.

Everything I’ve found online is a little overwhelming and it’s hard to make sense of what’s actually applicable.

I use Fastspring for all sales so I’m wondering what are still my responsibilities, seeing as though they are actually the seller of record. But still, I’m sure I’m not alone in wanting this to be as painless as possible…so I can get back to coding.



Here’s what I did:

  1. Removed the pre-selected “add me to your mailing list” checkbox from my checkout page. I may add it back later, unchecked, and with the necessary verbiage explaining the privacy implications.

  2. Activated GDPR fields and disclaimers on my mailing list signup forms. If you use Mail Chimp this is easy to do.

  3. Emailed everyone on my mailing list who had subscribed during checkout (i.e. had not given active consent), and asked them to resubscribe. The email included a link to a GDPR compliant Mail Chimp form. Watched as my mailing list shrank by 80% :wink:

  4. Added a privacy policy to my website, using Shopify’s policy generator as a starting point.

Edit: Regarding Fastspring, you may want to mention in your privacy policy that they are the third-party service who will be handling users’ personal information when they make a purchase. Check out Audio Thing’s new policy, which specifically mentions Fastspring.


My understanding was that if your mailing list consisted only of members who have expressly consented to be a part of your list already, you don’t need to ask them to resubscribe. This is only for the case in which you only send occasional emails, not the case where you use their membership for additional marketing/advertising.

Am I misunderstanding that?

Roughly, but not at all. I am not a lawyer, but if you gave the subscribers something in return, this may void the consent as well, since a customer shall not be treated differently depending on whether he/she signed up or not.
What I heard was that companies would consider all of these as not consented and therefore sent out a newsletter BEFORE the new rule came into effect, asking for new consent with no strings or incentives attached. I am afraid you cannot approach your mailing subscribers now, since technically you are no longer allowed to have that data.
But as I said, that is hearsay, IANAL.

That’s the gist of it, I think. You only need to reconfirm subscribers who joined your list in a manner that is not consistent with consent as the GDPR defines it.

In my case I only recontacted subscribers who had joined my list via a pre-selected checkbox, which is a GDPR no-no, since it is considered silent consent rather than active consent.

Ok got it, thanks guys!