If you run a YouTube channel, podcast, blog, or newsletter, you're collecting personal data — probably more than you realise. EU subscribers to your newsletter, viewers of your videos, supporters on Patreon, listeners on Spotify, customers who bought your merch: all of these relationships involve personal data, and GDPR applies to all of them if any of those people are based in the European Union.
The good news is that content creators are not in the same position as large enterprises. Your obligations are proportionate to your scale. But "proportionate" does not mean "optional." Here's a practical breakdown of every data touchpoint in a typical creator business and what you actually need to do.
What Personal Data Content Creators Actually Collect
Most creators are surprised by how many data streams they're managing simultaneously.
Newsletter Subscribers
Email lists are the most obvious source of personal data for creators. Every subscriber has given you their name (or display name) and email address at minimum. If you use tags, automations, or lead magnets, you may also hold data about their interests, what content they engaged with, when they joined, and which emails they opened.
This data sits in a platform — ConvertKit, Beehiiv, Substack, Mailchimp — and you are the data controller for it. The platform is your data processor, acting on your instructions.
YouTube Viewer Data
YouTube Analytics gives you aggregate data — watch time, demographics, impressions, click-through rates — but you don't receive individual viewer data. You don't know that "Jane Smith from Berlin" watched your video. YouTube (Google) is the data controller for that individual data, and you receive only anonymised, aggregated reporting.
What this means practically: you're not responsible under GDPR for viewer analytics data that YouTube holds. But if you use YouTube's community posts, run polls, or collect emails from your channel description links, you take on controller responsibilities for that data.
Podcast Listener Analytics
Spotify for Podcasters, Apple Podcasts Connect, and similar platforms work similarly to YouTube. You receive aggregate listener data but not identifiable individual data. The platforms control the personal data of individual listeners.
If you use a podcast host like Buzzsprout, Captivate, or RSS.com, your podcast host may share IP-level data or more granular download analytics. Review your podcast host's privacy policy and data processing agreement to understand what personal data they process on your behalf.
Patreon and Membership Platform Data
Patreon is different from YouTube and Spotify: you do receive identifiable personal data. Patreon shares supporter names, email addresses, pledge tiers, and payment history with you as a creator. This makes you a joint data controller with Patreon for that supporter data.
What you can do with Patreon data is governed by your agreement with Patreon and by GDPR. You can use it to fulfil membership obligations, but you cannot freely use it for unrelated marketing without a separate lawful basis. The same applies to Memberful, Ghost memberships, Buy Me a Coffee, and Ko-fi.
Merchandise Customer Data
If you sell merchandise through Shopify, Gumroad, or a similar platform, you're collecting full purchase data: name, email, shipping address, order history, and payment details. For merchandise sales, the lawful basis for processing is contract. Shopify and Gumroad act as data processors and both offer Data Processing Agreements (DPAs) that you should sign.
Sponsorship Contact Data
Brand emails, manager contacts, PR outreach — this is personal data too. If you hold contact information for individuals at brands or agencies, you're processing personal data. The lawful basis here is typically legitimate interest. Keep your sponsorship contacts clean and delete contacts you no longer have a reason to hold.
Fan DMs and Messages
DMs on Instagram and Twitter/X, Discord messages, and emails from fans are all personal data. Do not share or screenshot DMs publicly without consent, delete messages you no longer need if someone requests it, and be aware that a fan can submit a DSAR asking what data you hold on them, including DM content.
Lawful Basis: What Applies to Creators
- Newsletter marketing — Consent
- Merchandise order fulfilment — Contract
- Paid memberships (Patreon, etc.) — Contract
- Digital product delivery — Contract
- Sponsorship outreach — Legitimate interest
- Aggregate platform analytics — Not applicable (anonymised data is not personal data)
Consent must be freely given, specific, informed, and unambiguous. A pre-ticked checkbox or "by joining my list you agree" does not cut it.
Email Platforms: You Are the Controller, They Are the Processor
ConvertKit, Beehiiv, Substack, Mailchimp, and other email platforms all process personal data on your behalf. This makes them data processors under GDPR, and you need a formal Data Processing Agreement (DPA) in place with each one.
However, there's a wrinkle with Substack: Substack operates as a co-controller for subscriber data rather than a pure processor. Substack collects and uses subscriber data for its own platform purposes — recommending publications, running network features. If you want full control over your subscriber data, self-hosted email platforms or pure ESPs give you cleaner data ownership.
What to check for each platform:
- Do they have a signed DPA or Standard Contractual Clauses (SCCs) for EU data transfers?
- Where are subscriber email addresses stored?
- Can you export your full subscriber list, including consent timestamps?
Selling Merchandise: Shopify and Gumroad
Shopify is GDPR-compliant and provides a DPA under Standard Contractual Clauses for EU data transfers. Gumroad similarly acts as a processor for creator storefronts — review their current DPA.
Your privacy policy needs to disclose what customer data you collect at checkout, how long you retain order data, which third parties receive customer data, and how customers can request data deletion.
Responding to DSARs When You Only Have Basic Analytics
A DSAR (Data Subject Access Request) is a request from an individual to know what personal data you hold about them.
What you likely hold and can provide:
- Email address and signup date (from your email platform)
- Subscription tier and payment history (from Patreon or membership platform)
- Purchase history and shipping address (from your store)
- Any direct email correspondence
What you do not hold:
- Individual YouTube viewer data (YouTube holds this, not you)
- Individual podcast listener data (your podcast host or the directories hold this)
- Aggregate analytics data (not personal data)
When responding: verify the requester's identity, respond within 30 days, provide all personal data you actually hold, and direct them to platforms that hold additional data.
Using Audience Testimonials and Fan Content
If you feature testimonials in your content or website, you're publishing personal data. Get explicit written consent before publishing testimonials, be specific about where and how they will appear, and be willing to remove them on request. Social media screenshots are grey territory — get consent rather than assuming public posts are freely shareable.
Compliance Checklist for Content Creators
Email List
- Clear, unambiguous opt-in form (no pre-ticked boxes)
- DPA signed with your email platform
- Subscribers can unsubscribe and request deletion
- Welcome email confirms what they signed up for
Membership Platforms
- Privacy policy covers Patreon/membership data
- Process for deleting supporter data on request
Merchandise
- DPA in place with Shopify, Gumroad, or your storefront provider
- Privacy policy covers checkout data and shipping provider data sharing
- Order data retention period defined
Analytics
- You understand the distinction between aggregate platform analytics and first-party data
- First-party analytics tools noted in your privacy policy
Website
- Privacy policy published and up to date
- Cookie consent in place if you use tracking cookies or analytics
- Contact form has a clear privacy notice
DSARs
- You know where all personal data you hold is stored
- Process for responding within 30 days
- You can export subscriber, customer, and member data on request
Where to Start
The most common gap for creators is the privacy policy and cookie situation on their website. Your site is almost certainly collecting personal data through analytics or third-party scripts — and you may not know exactly what.
The fastest way to find out: run a free Custodia scan. It identifies every tracker, cookie, and third-party service your site is loading in 60 seconds — no signup required.
Privacy compliance does not require a legal team or enterprise software. For most creators, it means getting your email opt-in right, signing a couple of DPAs, and having an honest privacy policy. Get those three things in place and you're ahead of 90% of independent creators.
This article provides general guidance on GDPR obligations for content creators. It does not constitute legal advice. Consult a qualified data protection advisor for advice tailored to your situation.