
Newsletter Compliance & Management Guide

Current Setup Issues & Solutions

1. Email Storage & Management

Current Issue: The frontend JavaScript sends emails directly to provider APIs, but we need:

Solution: Implement a server-side handler or use a compliant email service.

ConvertKit handles GDPR compliance automatically:

# In _config.yml
newsletter_provider: convertkit
newsletter_form_id: YOUR_CONVERTKIT_FORM_ID
# Never put the API secret in _config.yml (it is committed and published with the site);
# read it from an environment variable on the server side instead.
newsletter_api_secret:

Setup Steps:

  1. Create ConvertKit account
  2. Create a form for “blog.status.health”
  3. Configure form settings:
    • Enable double opt-in
    • Set up email notifications to newsletter@status.health
    • Configure GDPR fields
  4. Add webhook for notifications

Option 2: Custom Server Handler (More Control)

Create a serverless function (Vercel, Netlify Functions, or AWS Lambda):

// api/newsletter-subscribe.js
// Assumes a sendNotification() helper that wraps the chosen email provider's API.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function isValidEmail(email) {
  // Length cap follows the SMTP address limit; the regex only catches obvious junk,
  // the double opt-in email is what actually proves the address works.
  return typeof email === 'string' && email.length <= 254 && EMAIL_RE.test(email);
}

export default async function handler(req, res) {
  if (req.method !== 'POST') {
    return res.status(405).json({ error: 'Method not allowed' });
  }
  const { email, consent } = req.body ?? {};

  // 1. Validate email and require the explicit consent the GDPR checkbox provides
  if (!isValidEmail(email)) {
    return res.status(400).json({ error: 'Invalid email' });
  }
  if (consent !== true) {
    return res.status(400).json({ error: 'Consent is required' });
  }

  // 2. Check for existing subscription
  // 3. Store in database with consent timestamp
  // 4. Send double opt-in email
  // 5. Notify newsletter@status.health
  await sendNotification({
    to: 'newsletter@status.health',
    subject: 'New Newsletter Signup',
    body: `New signup: ${email} at ${new Date().toISOString()}`
  });

  // 6. Return success
  return res.status(200).json({ success: true });
}

GDPR Compliance Checklist

Required Elements:

  1. Explicit Consent
    • ✅ Already have “Subscribe” button (active consent)
    • ❌ Need consent checkbox for GDPR
  2. Privacy Policy Link
    • ❌ Need to add link near signup form
  3. Data Collection Transparency
    • ❌ Need to specify what data is collected and how it’s used
  4. Double Opt-in
    • ❌ Currently missing - essential for compliance
  5. Easy Unsubscribe
    • ❌ Need unsubscribe link in all emails
  6. Data Portability
    • ❌ Need process for users to request their data
  7. Right to Deletion
    • ❌ Need process for users to request deletion

Updated Newsletter Form

Here’s the compliant version to implement:

<!-- _includes/newsletter-signup.html -->
<form class="newsletter-form" id="newsletter-form-footer" data-provider="substack">
  <div class="form-group">
    <input 
      type="email" 
      name="email" 
      class="form-input" 
      placeholder="Enter your email" 
      required
      aria-label="Email address"
    >
    <button type="submit" class="btn btn-rainbow">
      Subscribe
    </button>
  </div>
  
  <!-- GDPR Consent: the checkbox is required, so the browser blocks submission without it -->
  <div class="form-consent">
    <label>
      <input type="checkbox" name="consent" required>
      <span>I agree to receive newsletters and accept the <a href="https://status.health/privacy" target="_blank" rel="noopener noreferrer">Privacy Policy</a></span>
    </label>
  </div>
  
  <div class="form-message" role="status" aria-live="polite"></div>
  <p class="form-privacy">
    We respect your privacy. Unsubscribe anytime. 
    <a href="https://status.health/privacy" target="_blank" rel="noopener noreferrer">Privacy Policy</a>
  </p>
</form>
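The form above relies on the browser's `required` attribute, but the JavaScript that submits it also has to change: the first issue on this page is that the frontend posts straight to provider APIs. The following is an added example, not the page's own script, of a submit handler that posts to the site's own endpoint (assumed to be `/api/newsletter`, the path the test script later on this page uses) and refuses to send anything unless the consent box is ticked. `buildSubscribePayload` and `submitSubscription` are names chosen here; `submitSubscription` takes the `fetch` implementation as a parameter so the logic can be exercised outside a browser.

```javascript
// Added example, not the page's code: client-side submission for the consent form.
// Assumes the server endpoint /api/newsletter from the page's test script.
const CLIENT_EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Pure function: returns either { error } or { payload } for the POST body.
function buildSubscribePayload({ email, consent, source = 'blog-footer' }) {
  const trimmed = (email || '').trim();
  if (!CLIENT_EMAIL_RE.test(trimmed)) return { error: 'Please enter a valid email address.' };
  // Consent is checked client-side for UX; the server must check it again.
  if (!consent) return { error: 'Please accept the Privacy Policy to subscribe.' };
  return { payload: { email: trimmed, consent: true, source } };
}

// Posts only to our own endpoint; the provider API key never reaches the browser.
async function submitSubscription(form, fetchImpl = fetch) {
  const result = buildSubscribePayload({
    email: form.elements.email.value,
    consent: form.elements.consent.checked,
  });
  if (result.error) return { ok: false, message: result.error };

  const response = await fetchImpl('/api/newsletter', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(result.payload),
  });
  const data = await response.json().catch(() => ({}));
  return response.ok && data.success
    ? { ok: true, message: 'Check your inbox to confirm your subscription.' }
    : { ok: false, message: data.error || 'Something went wrong. Please try again.' };
}

// Wire the handler to the form when running in a browser (skipped under Node).
if (typeof document !== 'undefined') {
  const form = document.getElementById('newsletter-form-footer');
  if (form) {
    form.addEventListener('submit', async (event) => {
      event.preventDefault();
      const status = form.querySelector('.form-message'); // role="status", aria-live="polite"
      status.textContent = 'Submitting...';
      const result = await submitSubscription(form);
      status.textContent = result.message;
    });
  }
}
```

The response message is written into the existing `.form-message` element, whose `aria-live="polite"` attribute makes screen readers announce it.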

Server-Side Email Notification

Create a GitHub Action to notify on signups:

# .github/workflows/newsletter-notification.yml
name: Newsletter Notification

on:
  repository_dispatch:
    types: [newsletter_signup]

jobs:
  notify:
    runs-on: ubuntu-latest
    steps:
      - name: Send Email Notification
        uses: dawidd6/action-send-mail@v3
        with:
          server_address: smtp.gmail.com
          server_port: 465
          # SMTP_USER and SMTP_PASS are repository secrets (same names as the .env variables)
          username: ${{ secrets.SMTP_USER }}
          password: ${{ secrets.SMTP_PASS }}
          subject: New Newsletter Signup - blog.status.health
          to: newsletter@status.health
          from: Blog Notifications
          # client_payload.email is what the dispatch curl command sends; timestamp and
          # total_subscribers are assumed keys the dispatching code has to include as well
          body: |
            New newsletter signup received:

            Email: ${{ github.event.client_payload.email }}
            Time: ${{ github.event.client_payload.timestamp }}
            Source: blog.status.health

            Total subscribers: ${{ github.event.client_payload.total_subscribers }}

Testing Newsletter Signup

1. Create Test Script

// test-newsletter.js (run with Node 18+, which ships a global fetch)
// BASE_URL points at the dev server; the curl commands on this page use localhost:4000.
const BASE_URL = process.env.BASE_URL || 'http://localhost:4000';

async function testNewsletterSignup() {
  // Plus-addressing makes every run unique without creating new mailboxes
  const testEmail = 'test+' + Date.now() + '@status.health';
  
  const response = await fetch(`${BASE_URL}/api/newsletter`, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({
      email: testEmail,
      consent: true,
      source: 'blog-test'
    })
  });
  
  const data = await response.json();
  console.log('Test signup response:', response.status, data);
  if (!response.ok || !data.success) {
    throw new Error('Newsletter signup test failed');
  }
}

testNewsletterSignup().catch((err) => {
  console.error(err);
  process.exit(1);
});

2. Manual Testing Checklist

For Immediate Setup:

  1. ConvertKit (Best for creators)
    • Built-in GDPR compliance
    • Visual automation builder
    • Good API
    • $29/month for 1,000 subscribers
  2. Mailchimp (Most popular)
    • GDPR tools included
    • Good analytics
    • Free up to 500 subscribers
  3. SendGrid (Developer-friendly)
    • API-first approach
    • GDPR compliant
    • Email notifications easy to set up
    • 100 emails/day free

Quick Implementation Plan

Phase 1: Immediate (No backend required)

  1. Sign up for ConvertKit/Mailchimp
  2. Create form with double opt-in
  3. Configure to notify newsletter@status.health
  4. Update _config.yml with form ID
  5. Add GDPR consent checkbox to forms

Phase 2: Enhanced (With backend)

  1. Set up Vercel/Netlify Functions
  2. Create API endpoint for subscriptions
  3. Implement double opt-in flow
  4. Store consent records
  5. Add unsubscribe handling

Phase 3: Full Compliance

  1. Create privacy dashboard
  2. Implement data export
  3. Add deletion requests
  4. Regular consent renewal
  5. Audit trail

Environment Variables Needed

# .env (don't commit!)
NEWSLETTER_API_KEY=your_provider_api_key
NOTIFICATION_EMAIL=newsletter@status.health
SMTP_HOST=smtp.sendgrid.net
SMTP_USER=apikey
SMTP_PASS=your_sendgrid_api_key

Testing Commands

# Test form submission
curl -X POST http://localhost:4000/api/newsletter \
  -H "Content-Type: application/json" \
  -d '{"email":"test@example.com","consent":true}'

# Test notification
curl -X POST https://api.github.com/repos/YOUR_REPO/dispatches \
  -H "Authorization: token YOUR_GITHUB_TOKEN" \
  -H "Accept: application/vnd.github.everest-preview+json" \
  -d '{"event_type":"newsletter_signup","client_payload":{"email":"test@example.com"}}'

Regional Compliance Requirements

  1. GDPR (EU):
    • Explicit consent required
    • Double opt-in recommended
    • Right to access/delete data
    • Data breach notification
  2. CAN-SPAM (US):
    • Include physical address
    • Clear unsubscribe method
    • Honor opt-outs within 10 days
    • No misleading headers
  3. CASL (Canada):
    • Express consent required
    • Clear identification
    • Unsubscribe mechanism

Next Steps

  1. Choose email provider (ConvertKit recommended)
  2. Update forms with GDPR consent
  3. Configure notifications to newsletter@status.health
  4. Test the flow end-to-end
  5. Document the process for team

Would you like me to implement any of these solutions?