Disclaimer. I’m no lawyer or by any means the end-all source for what’s legal and right for you. These are just my thoughts on the GDPR situation based on what I’ve read and understood up to this point. This is not legal advice. Proceed at your own comfort level.

I’m sure by now you’ve heard or seen the effects of GDPR. Several months ago I started getting notifications from Google about GDPR and how data is managed. I didn’t think much of it until just about all of my other online affiliations sent me messages about privacy, consent, and protecting my data because of some new laws going into effect over in the European Union.

I finally opened one of those emails up and quickly found out this wasn’t something I should be ignoring. In fact, it impacted me in multiple ways. As an independent artist, this new law impacts you too!

So here’s the scoop…

What is GDPR?

GDPR stands for General Data Protection Regulation. It is a new regulation created by the EU. In layman’s terms, that means there are some laws in place governing how you handle and process the contact information and other data you collect and manage in your mailing list and from people visiting your website.

Who does GDPR pertain to?

Technically, GDPR only impacts those who serve or engage in business with residents of the European Union (EU). For example, people living in countries such as Austria, Italy, Germany, Ireland, UK, Greece, Hungary, etc. In total, there are 28 member countries of the EU. As a musician, you may not think you make contact with people living in these countries. But more than likely you do make contact with them on a daily basis, if you run an established website for your music.

If someone living in the EU comes to your site, these rules apply to you even if you’re not living in the EU. If you use a program such as Google Analytics to find out who’s coming to your site, use pixels for social media advertising purposes, use a program like Mailchimp to send newsletters, or even run ads on a blog, GDPR pertains to you.

What are these GDPR rules?

According to the official GDPR website, you have to get explicit consent from people to collect and use their personal data and you have to post on your website how you will be using their data, who will have access to it, for what purposes, and for how long. These rules are enforceable as of May 2018. So if you haven’t done anything to comply, you’ll need to catch up.

How to comply with GDPR rules?

At the very minimum, you should consider creating a Privacy Policy and a Terms of Service Agreement and posting them on your website. These agreements should thoroughly answer the following questions:

  • Who you are
  • What personal data you collect
  • Why you collect the data
  • Where the collected data is being stored
  • How long the data is stored for
  • For what purpose you are using the data
  • How the data is secured

If you’re using any third-party services that deal with ads or track visitors who come to your website, such as Google Ads or Facebook Pixels, you should think about posting a cookie policy as well. These services use cookies to collect information about your website visitors, such as browser history, recent internet activity, and similar information.

If you’re collecting names and email addresses on your website, you’ll need to be absolutely clear about the fact that you’re adding them to your mailing list and you will be reaching out to them often. Some sign-up forms have GDPR specific language in them to help you get and prove consent. I use MailerLite and they have created opt-ins specifically for GDPR compliance that can be used with sign-up forms. I’m pretty sure other mailing list providers are doing the same thing. Here’s a round-up of popular mailing list providers with links to how they are helping their customers comply with GDPR:

MailChimp
MailerLite
Constant Contact
Aweber
ConvertKit
GetResponse

*Don’t see your mailing list provider on this list? Let me know in the comments section and I’ll add it.

You’ll need to say who you’re using to store names and email addresses and give a link to the third party’s privacy policy and opt-out options. You also need to give people a way to unsubscribe, opt out of it all, or ask how you received their data in the first place.

Another thing to do is to get consent from those currently on your mailing list. Some people are going as far as making everyone on their list rejoin. If you’re at all squeamish about whether or not you have proper consent, this might be a measure for you. However, this measure will do a good job of clearing out your mailing list almost completely. Other people are sending a basic email stating that they’ve updated their privacy policies along with a link to see it and then providing an unsubscribe link in case they want to opt out. Whichever route you decide to take, make sure it’s in compliance with the GDPR law and that it communicates clearly to your list subscribers. Here are some really cool examples of emails you can send to re-engage your subscribers and get consent at the same time.

To sum this all up, here’s what you need to do to adhere to the GDPR rules.

  1. Create a Privacy Policy and post it to your website. You can use any of these free templates.
  2. Create a Terms of Service and post it to your website. You can use any of these free Terms & Conditions templates.
  3. Create a Cookie Policy and post it to your website. You can use any of these free cookie policy templates.
  4. Make sure your Privacy Policy, Terms of Service, and Cookie Policy are all easy to find on your website.
  5. Update all sign-up forms to include GDPR-friendly language. (e.g., By signing up for free tunes, I agree to be added to __________’s mailing list and receive weekly newsletters in my inbox.)
  6. Send out an email to your current mailing list subscribers letting them know that you’ve added a privacy policy, cookie policy, and terms and conditions to your site, with a link for them to review them. You should also allow them a way to opt out of receiving any further communications from you by including an unsubscribe link and/or a re-subscribe link.

Another thought about GDPR is that a lot of us musicians collect email addresses with pen and paper at our shows. Once I get them into my mailing list database, I toss the sheet of paper in the trash. So there are a lot of people on my mailing list that I really can’t prove I received consent from. So sending out a re-permission campaign is high on my priority list. It might be a good idea to save those papers from now on. I’m going to start scanning them in and saving them to my Google Drive.

What happens if I don’t comply?

You might get fined an obscene amount of money. If they get you, they might charge you anywhere from 2-4% of worldwide revenue from the previous year. Not your own individual revenue, but how much revenue the world made the year prior. I’ll give you the link to go look it up for yourself, but I’m here to tell you, it’s a good heap of dough.

In conclusion, you should do everything you possibly can to cooperate with these new rules. In the end it will be better for you and your subscribers in that you’ll avoid hefty fines and you’ll be able to reconnect with your fans in the process.

What are you doing to comply with GDPR? Did I miss anything? Anything else you think should be added to this discussion? Have you sent a re-permission campaign to your subscribers yet? What was the result?  Please share in the comments section!?! We can all learn from each other!

Some of the links in this post are “affiliate links.” This means if you click on the link and purchase the item, I will receive an affiliate commission (with no additional cost to you). Regardless, I only recommend products or services I use personally and believe will add value to my readers.

A GDPR Guide for Musicians in Plain English via @thecraftymusician