GDPR: What It Means for Crowdfunders

24 May 2018 | 17 Comments

I’ve been getting a lot of mass e-mails recently asking me to confirm that I still want to subscribe to something that I already gave my consent to subscribe to. Perhaps you have too.

The emails were all about GDPR (General Data Protection Regulation). This is a new law regarding how companies collect, use, and process the personal data of EU citizens. Basically, if anyone in Europe can sign up for your e-newsletter, this applies to you.

Before I continue, I want to be abundantly clear that I am not an expert on this subject. Feel free to read and absorb the following, but do your research and do what’s best for your company.

Yesterday I endeavored to figure out what Stonemaier Games needed to be GDPR compliant. I use Mailchimp for e-newsletters, and they have a number of helpful articles, including this one.

Mailchimp has specific instructions about how to update your subscriber sign-up form so it meets GDPR guidelines. I followed those instructions, which took about 5 minutes. It’s easy.

But then it came time for me to send out a notice to existing subscribers to get GDPR-level consent. Something just felt odd about this, though. These were people who had already opted into my e-newsletter. I’ve been very careful about this. Was such a notice really necessary?

That’s when I found this article. The gist of it is that if subscribers specifically gave you consent to receive communication from you (perhaps through a sign-up form or on a Kickstarter survey where you asked if they wanted to subscribe to your e-newsletter), you’re fine.

However, if you’ve been adding people to your mailing list without their consent, you are not fine. If someone backs your Kickstarter project, that does not equal consent for you to subscribe them to your e-newsletter.

You might be thinking, “Well, just in case, I should probably contact existing subscribers to get GDPR-level consent. It can’t hurt.”

The problem is, it’s already illegal for you to be mass e-mailing people who didn’t give you their consent. So if you send those people another mass e-mail, you’re just driving a nail into the coffin. So it’s better for you to simply delete the information of any subscribers who didn’t opt in (your subscription service can help you do this).

Otherwise, though, you’re right–it doesn’t really hurt to get more consent from existing subscribers who have already provided consent. It’s probably unnecessary, but it’s not going to hurt.


That’s my perspective. Again, this is just a brief summary of the research I’ve done. If you have thoughts you’d like to share in the comments, I absolutely welcome the conversation.

Also read: Canada’s New Anti-Spam Laws and You: How Kickstarter Creators Can Avoid $10 Million in Fines

17 Comments on “GDPR: What It Means for Crowdfunders”

  1. Hi. Yes, absolutely, ALL data controllers require a privacy policy or data management policy (they can be one and the same). Email me if you want help. I have just finished helping some large (and some tiny) games companies.

    1. Sure, if someone filled out the form to be contacted about something, it’s okay to contact them. It’s not okay, however, if someone signed up to be contacted about one specific thing, but you instead subscribed them to a monthly mailing list (for example).

      1. Cool, cool. Thanks a lot. Just one last question. Because Mailchimp has their privacy policy and their terms, it’s limited. Did you think small publishers need one?

  2. Here’s my translation of some of the GDPR guidelines of the Danish (Denmark is in the EU) consumer protection agency:

    “Do I have to do anything with the permissions I have already obtained for sending marketing?

    If the permissions to receive marketing from you, which you have previously obtained, comply with the requirements of the marketing regulations, then the answer is NO – you do not need to have new permissions as a result of the data protection regulations.


    If the permissions you have obtained for sending marketing do NOT comply with the requirements of the marketing regulations you may not send an email to ask recipients to renew their permission.”

  3. Mighty Boards has consulted with a GDPR expert and a second major law firm to help us with this process. What we’ve been told is that emails gathered through Kickstarter qualify as legitimate interest and thus are fine to keep for the purposes of keeping your backers informed about your work through, for example, a newsletter, as long as you have given them the option to opt out when you’ve been mailing them. What must have been done before the 25th, though, is updating the manner in which you handle data and your terms, etc., to be GDPR compliant, informing the people on your list about this, and giving them a clear option to opt out.

    So one doesn’t necessarily have to destroy mails given through Kickstarter or through a sign up form on one’s website.

    Apologies for contradicting the main article here but some smaller creators are fairly dependent on such lists for future projects so I figured it’s worth noting what our lawyers have told us.

    A small note: GDPR is obviously not only about mailing lists but a more holistic manner in which a company handles data and communicates that process to its clients. In Malta at least you are required to get a full GDPR audit from an authorised law firm to make sure you are aligned with the new laws and the mailing list aspect is just a small part of that.

    1. Thanks for sharing! I appreciate that perspective…though, honestly, I’m wary of it. Previous anti-spam laws (like the Canadian law I link to in the article) are pretty clear that you can’t subscribe people to an e-newsletter without their permission, even if it’s easy for them to opt-out.

  4. Thanks for providing an explanation on why these are hitting my inbox. What bugs me is that not everyone makes the opting in easy. Some are a simple click and I am done. Others are asking me to provide all of my contact info again. If it was one or two, no big deal. When I have way more than that, I start to question if it’s worth my time.

  5. If anybody wants to know more, this is what I have been living and breathing as a job for years. Happy to chat and help! Many people and organisations are assuming consent is the only legal basis to process data, but this is not true. Legitimate Interests, which still allows people to ‘object’, is actually more likely to be a better approach for many.

    Happy to chat!

    Jamey, I also have been working with White Wizard Games to get them updated, happy to help you if you need help too.

    1. Thanks John! That was a really interesting quote from the Guardian article I mentioned: “Consent is only one ground. The others are contract, legal obligation, vital interests, public interest and legitimate interests.”

  6. I deal with GDPR in my day job as I help companies set up SAP solutions for managing customers and for marketing. I’m amazed at how many companies have left it too late to send out these emails – basically GDPR comes into force on 25/05 and it’s 24/05 today, so you need to get those emails out today.

    As you rightly say though Jamey, the principle is that you shouldn’t be contacting anybody or holding/processing their data without their explicit consent. If they have signed up already and given that consent, then you’re fine.

  7. Awesome, thanks for this Jamey. I just started a newsletter of my own so I was wondering what this all meant!

    Man, after doing some further reading on this, I feel sorry for folks who’ve been adding people to email lists without their consent. Well, not too sorry. It is pretty bogus.


© 2020 Stonemaier Games