What You Need to Know About GDPR


I recently attended a seminar by the U.S. Commercial Service on the upcoming General Data Protection Regulation (GDPR). This new regulation is the most comprehensive online privacy policy to date, and even though it pertains to the European Union, it can significantly affect you and your music business.

As CEO of an online marketing firm that focuses on the music industry, this issue hits home to all of my clients, and NAMM membership in general. In short, the GDPR takes full effect on May 25, 2018, and if email marketing or e-commerce is part of your business or business plan, you need to be well-informed about this comprehensive set of regulations. We live in an interconnected world, and although your business may be locally focused, this law could affect you!

Here’s a recap of what I learned at the seminar. Note: This article is not intended as legal advice. For more information on the GDPR, visit eugdpr.org.

What You Want to Know
There are some very specific actions that you’ll want to take to safeguard your music business. You have an email list that you market to. If anyone on that list resides in the EU, you must have explicit permission to send them email marketing. Further, if your website tracks users through cookies or other tracking methods, again, you need to have permission from users in the EU to gather that data from them.

The penalties are potentially severe, and without going into excessive detail, if you’re a small or medium-sized business, you could be fined “up to 10 million euros or 2 percent of the worldwide annual revenue of the prior financial year, whichever is higher.” The fines for larger businesses can be double that figure.

Action Plan
To protect yourself and your business, here are steps to get started, based on what I discovered at the session. (Again, this is not intended as legal advice. Visit eugdpr.org for more information.)

• Create a privacy policy that conforms to the GDPR guidelines, and post it prominently on your website. I recommend a clear link to the policy in the footer of each page.

• Use an opt-in form that requires email signups to agree to your Privacy Policy and website practices. This form cannot be pre-checked! The visitor will have to check the box indicating acceptance of your privacy policy.

• Keep records that prove your email subscribers have opted in to your policy. If there’s ever a complaint, it will be your obligation to prove you have done your due diligence.

• Create a cookie consent notice on your website.

• Make sure your existing email list is updated and that subscribers have opted in. This is a challenging one, and there may be ways to segment your list to figure out who’s based in the United States depending on your email provider. You may wish to create a special offer in conjunction with a request for subscribers to re-opt in. There’s definitely the danger that you could lose a big portion of your list if this isn’t done optimally.

“Any Website That Targets EU Consumers”
This was a shocker for me. The law as written requires these compliance measures for “any website that targets EU consumers.” I made the assumption that this detail would exempt the great majority of U.S.-based music business from much of the regulation. I was wrong.

If you sell anything to a customer in the EU, you are considered to be “targeting EU consumers.” So, that $29 software download that you sold to a student in Orlando or even the set of strings you sold from your store could turn out to be “targeting the EU” when that student or customer returns home to France, and you send her a marketing email.

Help Is Available
The U.S. Digital Service has not forgotten you. There’s a framework that you can follow and a mechanism to comply with the regulations. The service is called Privacy Shield, and if you choose to self-certify, you will pay a reasonable fee and be guided through the process. When you are approved, the policy you have put in place should, in fact, be a shield from compliance issues.

I personally believe that any business whose sales are in the millions should seriously consider the Privacy Shield framework. Like any new law or regulation, there could be unintended consequences for non-compliance. So, I would highly recommend staying current with news as the policy takes effect.

Peter Malick is the CEO of Inbound AV, an online marketing firm focused on the music industry.

Additional resources:
• Privacy Shield Framework

• NAMM GDPR Resource Page