If you're an independent musician, band manager, music teacher, or run a small music business, you almost certainly collect personal data — even if you've never thought of it that way. Fan mailing lists, ticket buyer details, student contact information, session musician contracts, sync licensing correspondence — it all counts under GDPR.
This guide cuts through the legal jargon and gives you a practical framework for handling that data compliantly, without needing a lawyer or enterprise compliance software.
What Data Do Musicians and Music Businesses Actually Collect?
Let's start with the obvious question: what counts as personal data in the music world?
Fan and audience data:
- Email addresses collected via mailing list sign-ups (Mailchimp, ConvertKit, Substack)
- Names, emails, and billing details from ticket purchases
- Social media usernames from DMs and follower interactions
- Survey or competition entry data
Teaching and education data:
- Student names, contact details, and those of their parents or guardians (if minors)
- Lesson scheduling information
- Payment and invoicing records
- Notes on learning progress, ability, or special educational needs
Session and live performance data:
- Session musician contracts (including bank details for payment)
- Performer names and contact details
- Licensing and sync deal correspondence
Streaming and sync licensing:
- Distributor account data (DistroKid, TuneCore, CD Baby)
- Publisher, label, and sync agent contact details
- PRO (PRS, ASCAP, BMI) registration data
All of this is personal data. GDPR applies to any information that can identify a living individual — and it applies to you if any of those individuals are based in the UK or EU.
Lawful Basis: Why You're Allowed to Process Each Type of Data
GDPR requires you to identify a lawful basis before processing personal data. There are six to choose from, but most music businesses will primarily use three:
Consent — for fan marketing
When someone signs up to your mailing list, buys your merch, or enters a competition, they're trusting you with their data. If you want to send them marketing emails — newsletters, tour announcements, new release alerts — you need their freely given, specific, informed, and unambiguous consent.
That means:
- A clear checkbox at sign-up that the person ticks themselves (never pre-ticked)
- Plain language explaining what they're signing up for
- The ability to withdraw consent at any time (an unsubscribe link in every email)
You cannot add someone to your mailing list just because they bought a ticket or followed you on social media. That's not consent under GDPR.
Contract — for students and session musicians
If you teach music or hire session musicians, you're entering into a contractual relationship. Processing data that is necessary to fulfil that contract — scheduling lessons, paying session fees, managing bookings — is lawful under the contract basis. You don't need separate consent for this.
Legitimate interest — with caution
Some music businesses try to use legitimate interest as a catch-all basis for marketing to existing fans or past ticket buyers. This is possible, but requires a documented balancing test. For most small music businesses, it's simpler and safer to stick with consent for marketing activities.
Special Category Data: Music Teaching and Learning Needs
If you teach music — especially to children — you may collect information that qualifies as special category data under GDPR Article 9. This includes:
- Health conditions that affect a student's ability to participate (hearing difficulties, dyspraxia, ADHD)
- Learning disabilities or neurodivergent diagnoses
- Mental health information shared in a pastoral context
Special category data carries much higher obligations. On top of your normal lawful basis (one of the standard six), you also need to meet one of the Article 9 conditions, typically explicit consent or a substantial public interest condition.
In practice:
- Only collect health or learning need information where it's genuinely necessary for teaching
- Store it securely and separately from general student records
- Ensure only the teacher who needs it can access it
- Have a clear retention policy — don't keep it indefinitely
Ticketing Platforms: Eventbrite, DICE, and Ticketmaster as Data Processors
When fans buy tickets through a third-party platform, those platforms become data processors acting on your behalf. Under GDPR, you may still be a data controller for some of that data.
What this means practically:
- Read the platform's terms carefully regarding data ownership
- If you receive buyer data (e.g. a CSV export), you become a data controller for that data
- You cannot automatically add ticket buyers to your mailing list without separate marketing consent
- Your privacy policy should disclose which ticketing platforms you use
Check whether you have a Data Processing Agreement (DPA) in place with the platforms you use for ticketing.
Mailchimp, ConvertKit, and PECR Compliance for Fan Newsletters
Email marketing for musicians sits at the intersection of GDPR and PECR (Privacy and Electronic Communications Regulations).
PECR rules for email marketing:
- You must have prior consent to send marketing emails to individuals
- That consent must meet GDPR standards: specific, informed, freely given
- Every marketing email must include an easy, free unsubscribe mechanism
- You must honour unsubscribe requests promptly
When using Mailchimp or ConvertKit:
- Both platforms act as data processors — you need to accept their DPA
- Keep a record of when and how subscribers consented
- Don't import contacts without verifying they've consented to email marketing from you specifically
- Enable double opt-in — it creates a clear audit trail of consent
Social Media DMs: A Data Handling Grey Area
When you screenshot a DM, copy contact details into a spreadsheet, or save someone's message to act on later, you become a controller of that data.
Practical guidance:
- Don't save or transfer DM contents outside the platform unless necessary
- Only use contact details from DMs for the purpose they were given
- Don't add DM contacts to your marketing list without explicit consent
Recording Session Contracts and Data Handling
Session musician contracts necessarily involve personal data: names, addresses, bank details for payment, agent contact information.
Key GDPR considerations:
- The lawful basis is contract
- Bank details are sensitive — store them securely and don't retain them longer than necessary (typically 6 years for UK tax records)
- If you share session musician data with a label or studio, document that data sharing arrangement
- Include a brief data protection clause in your contracts
Music Licensing and Sync Data
Sync licensing involves B2B correspondence where GDPR applies more lightly, but:
- GDPR still applies to personal data of individuals, even in a B2B context
- Keep licensing correspondence and contact records organised and secure
- If you use a CRM, ensure it has a DPA in place
- Retain contract records for your standard business retention period, then delete
Compliance Checklist for Musicians and Music Businesses
Mailing list and fan marketing:
- [ ] Sign-up forms include a clear consent statement (not pre-ticked)
- [ ] You use double opt-in or can evidence when/how each subscriber consented
- [ ] Every marketing email includes an unsubscribe link
- [ ] You have a DPA in place with your email marketing platform
- [ ] Ticket buyer data is not added to your list without separate marketing consent
Teaching practice:
- [ ] Student contact forms explain how their data will be used
- [ ] Health and learning need information is stored securely
- [ ] Parental consent is obtained for under-18 students
- [ ] You have a clear retention policy
Session and contract work:
- [ ] Contracts include a brief data protection clause
- [ ] Bank details are stored securely and deleted after the retention period
- [ ] Data sharing with labels/publishers/studios is documented
Website:
- [ ] You have a privacy policy covering all data processing activities
- [ ] Your cookie consent banner obtains valid consent before loading analytics
- [ ] Third-party services are listed in your privacy policy
General:
- [ ] You know where all your personal data lives
- [ ] You have a DSAR response process (30 days)
- [ ] You know how to report a data breach to the ICO within 72 hours
Take the Next Step: Scan Your Website
Your website is often the first place personal data is collected — and the most overlooked. Run a free privacy scan at app.custodia-privacy.com/scan to see exactly what your website is collecting, which third parties it shares data with, and whether your cookie consent banner meets UK GDPR and PECR standards. No sign-up required — results in under 60 seconds.
This post provides general information about GDPR and PECR obligations for musicians and music businesses. It does not constitute legal advice. Consult a qualified data protection solicitor or registered DPO for advice tailored to your situation.