Resources
/
Email Marketing for Music PR
/
GDPR compliance for music mailing lists Checklist

Checklist

GDPR compliance for music mailing lists Checklist

GDPR compliance for music mailing lists

Last reviewed 12 March 2026

By TAP Editorial Team

GDPR compliance for artist mailing lists isn't optional — it's a legal requirement that protects both your artist's reputation and your subscribers' rights. UK music PR teams building fan databases must understand consent mechanisms, data storage, and unsubscribe obligations, or risk significant fines and loss of fan trust.

0 of 38 completed0%

Consent and List Building

Obtain explicit opt-in consent before adding anyone to the list
Critical
Under GDPR, pre-ticked boxes and silent consent don't count. Users must actively agree to receive emails. Use single or double opt-in mechanisms, with clear language stating what they're consenting to (e.g., 'promotional emails about new music releases'). Document the date, method, and exact consent given for each subscriber.
Use double opt-in for high-value subscriber segments
Double opt-in—where subscribers confirm consent via email after initial signup—provides stronger legal protection and reduces complaints. It's particularly important for VIP fan lists, presale groups, and venue-specific databases where you're building long-term engagement relationships.
Make consent granular, not bundled
Critical
Avoid forcing fans to accept all communications to access one benefit. Separate consent for 'new music announcements', 'tour dates', 'merchandise promotions', and 'fan community news' so subscribers control what they receive. This improves engagement and reduces unsubscribe rates.
Capture consent language and timestamp during signup
Critical
Store exactly what text the subscriber saw when they consented. If your signup form said 'I want exclusive access to new releases', that's the scope of your consent. This record becomes critical if GDPR complaints arise.
Distinguish between list-building channels
Consent collected at a live gig (via signup sheet or QR code) is different from consent from a website signup form or social media promotion. Record the source for each subscriber, as context matters if disputes arise about how consent was obtained.
Never inherit lists from previous PR or management teams without re-consent
Critical
Just because an old PR team had a mailing list doesn't mean those subscribers consented under current GDPR standards. You must re-engage the list with fresh consent or delete it. This is a common compliance trap.
Verify the artist or label actually owns the subscriber relationship
If fans signed up to a festival, venue, or playlist curated brand rather than the artist directly, you don't automatically have consent to email them as the artist. Clarify data ownership before claiming a list as yours.

Data Handling and Storage

Use a GDPR-compliant email platform with clear data processing agreements
Critical
Your email service provider (Mailchimp, ConvertKit, Braze, Substack, etc.) must have signed a Data Processing Agreement (DPA) in place. This legally confirms they're handling subscriber data on your behalf and meeting GDPR obligations. Check their GDPR documentation before importing any list.
Keep subscriber data current and delete inactive records regularly
GDPR requires data to be kept only as long as necessary. If someone hasn't engaged with email for 12-18 months, they should be either re-engaged or deleted. Set an automated purge schedule to prevent storing abandoned data indefinitely.
Encrypt subscriber data during transmission and storage
Critical
Whether you're uploading lists to your email platform, storing them locally, or sharing with collaborators, use SSL/TLS encryption. Never email a CSV of subscriber details unencrypted or store plaintext lists on shared drives.
Limit access to subscriber data to essential team members only
Critical
Not every collaborator needs the full mailing list. Only the PR lead and email manager should have access. Anyone else involved (designers, social media team) should work with templates or anonymised analytics instead.
Maintain a data inventory documenting what subscriber information you hold
Record what data fields you've collected for each subscriber (name, email, location, purchase history, etc.). GDPR requires you to know and justify what personal data you're processing. This inventory becomes crucial if a subject access request arrives.
Never share or sell subscriber data to third parties without explicit new consent
Critical
If you consent to share fan data with a merchandise partner, ticket vendor, or streaming service, you must tell subscribers upfront and get separate consent for that share. Bundling third-party sharing into general signup consent doesn't meet GDPR standards.
Have a data breach response plan in place
If you believe subscriber data has been compromised, you have 72 hours to report it to the ICO (Information Commissioner's Office). Prepare a documented process now so you're not scrambling if it happens. Include internal notification and subscriber communication steps.

Unsubscribe and Data Rights

Include a clear, functional unsubscribe link in every email
Critical
This is both a GDPR requirement and an email marketing law requirement under PECR (Privacy and Electronic Communications Regulations, the UK equivalent of CAN-SPAM). The unsubscribe link must work immediately—never require password entry, account login, or manual confirmation.
Process unsubscribe requests within a reasonable timeframe
Critical
Remove unsubscribed addresses from your main list within a few hours, definitely within 24 hours. Continuing to email someone after they've unsubscribed creates legal liability and damages the artist's reputation.
Honour preference centre requests (newsletter vs promotional emails)
If your email platform allows subscribers to manage preferences (e.g., 'receive tour dates only'), respect those settings. Don't send the 'tour dates only' subscriber merchandise promotions. Preference centres reduce unsubscribes and improve overall engagement.
Provide a simple way to request their data or delete their profile
Critical
Include a 'contact us' link or privacy email address in every newsletter footer. Subscribers have the right to request all data you hold about them (subject access request) or ask for deletion. Respond to these requests within 30 days—it's a legal obligation.
Clean your list of hard bounces and complainers immediately
If an email permanently bounces (hard bounce), remove it within a few days. If someone marks your email as spam, remove them from future sends. Continuing to email dead addresses or spam-flagged subscribers harms your sender reputation and IP.
Never use old data formats as an excuse to not honour unsubscribe requests
Critical
If you've migrated from an old email platform and someone unsubscribed years ago, that unsubscribe still stands. You don't get to re-engage them just because you have 'new systems now'. Document historical unsubscribes or exclude them from imports.
Maintain suppression lists for all unsubscribed and opted-out addresses
Keep a separate, permanent suppression list of anyone who's ever unsubscribed, hard-bounced, or complained. Check against it before every send to ensure you're not accidentally re-adding removed addresses.
Implement list segmentation to respect subscriber consent boundaries
Critical
If someone consented to 'tour dates' but not 'merchandise promotions', never put them in the same send group. Use dynamic segmentation in your email platform to ensure each send only goes to people who consented to that type of content.

Privacy Policy and Transparency

Publish a clear, accessible privacy policy on the artist's website
Critical
The policy must explain what data you collect, why, how long you keep it, and who can access it. Use plain language—don't hide behind jargon. Include a specific section on email marketing (what consent means, how to unsubscribe, etc.). Link to it from every signup form.
Update privacy policy whenever you change data practices
If you start collecting postal addresses for physical merchandise, add a new consent form and update your policy. If you change email platforms or add a third-party analytics tool, update the policy. Don't let privacy documentation drift from reality.
Make unsubscribe and data deletion information prominent and easy to find
Critical
Don't bury unsubscribe links in tiny grey text. Make them visible in email footers and on your website privacy page. Some PR teams intentionally hide this information—that's a serious compliance risk.
Document your lawful basis for email marketing clearly
Under GDPR, consent is the most common lawful basis for marketing emails. Document why you believe you have consent for each subscriber segment. If someone has a previous relationship with the artist (e.g., bought a ticket), you might use 'legitimate interest'—but be explicit about it.
Create a transparency statement about AI or data analytics used in personalisation
If you use email platform features that profile subscriber behaviour (open rates, click patterns, engagement scoring), tell subscribers how this data is used. If you plan to use generative AI for personalised email content, this needs explicit disclosure.

Email Sending Rules and Frequency

Never send marketing emails before 8 AM or after 9 PM unless subscriber-initiated
This isn't strictly GDPR, but it's required under PECR. Unsolicited marketing emails to personal numbers have quiet hours. Most email platforms let you schedule sends to respect timezone and time-of-day rules, so use them.
Include sender identification (artist name or label name) in the 'From' field
Critical
Emails must clearly identify who's sending them. Don't use vague subject lines like 'A message for you'—use 'Wombat Records' or '[Artist Name] Newsletter'. This builds trust and meets PECR requirements.
Avoid deceptive subject lines designed purely to trick opens
Subject lines like 'Re: Your ticket purchase' or 'Urgent: Action required' can mislead subscribers if the email is actually promotional. Subject lines should accurately reflect content. This reduces complaints and unsubscribes.
Monitor complaint rates and act on spam feedback
If subscribers mark emails as spam, your email platform reports this. Track your complaint rate (aim for under 0.1%). High complaint rates damage your domain reputation and can get you blacklisted. If complaints spike, review content and frequency.
Space promotional sends appropriately—don't overwhelm the list
Music PR campaigns are campaign-focused, but sending multiple promotional emails per week trains subscribers to unsubscribe. Mix promotional emails with content-focused ones (behind-the-scenes, story posts, etc.). Most artist lists thrive at 1-2 promotional sends per week maximum.
Include physical mailing address for label or artist entity in email footer
Critical
Under PECR, commercial emails must include a valid postal address (not PO box alone for companies). Include your label or artist's registered address in the footer. This is straightforward if you have a legitimate business, but easy to miss.

International and Cross-Border Considerations

Understand GDPR applies to any EU/UK subscribers, regardless of your location
Critical
If your artist has UK or EU fans and you email them, GDPR applies. You can't opt out by being based elsewhere. UK GDPR (post-Brexit) applies separately to UK data, but the rules are nearly identical.
Be cautious about transferring data internationally without legal frameworks
Critical
If your email platform or analytics provider is US-based, confirm they have Standard Contractual Clauses (SCCs) or other legal safeguards to handle EU/UK data. Transfers without these safeguards are illegal post-Schrems II ruling.
Consider country-specific laws for fans in other markets
While GDPR is the baseline for Europe, Canada (CASL), Australia (SPAM Act), and the US (CAN-SPAM) all have different email marketing rules. If the artist has significant international fan bases, review those rules separately—they can be stricter than GDPR.
Don't assume GDPR opt-out rules apply globally
Some markets require opt-in (like Canada); others require opt-out (like the US). Your email platform should let you manage different regions with different rules. Never assume one unsubscribe setting works everywhere.
Maintain separate consent records for different jurisdictions
If a subscriber is in both the UK and EU, or moved between territories, document consent separately for each jurisdiction they're associated with. This prevents compliance gaps if regulations diverge in future.

GDPR compliance isn't about restricting artist growth—it's about building a legitimate, owned fan relationship that survives regulatory scrutiny. Teams that prioritise consent and transparency build more engaged lists and avoid the reputational damage of ICO fines.

Pro tips

1. Before launching any email campaign, ask yourself: 'Do I have documented, explicit consent for this subscriber to receive this type of email?' If the answer is anything less than 'definitely yes', don't send. A 10-second pause now prevents a months-long ICO investigation later.

2. Use your email platform's audit trail features to log consent. Mailchimp, ConvertKit, and similar tools let you export subscriber join dates and consent method. This record is your legal shield—use it.

3. Segment your list by consent type from day one. Don't build a single 'all fans' list and hope GDPR compliance follows. Create separate segments for 'newsletter subscribers', 'presale access', 'merchandise buyers'—each with its own consent basis. This flexibility saves you when campaigns change.

4. Review your privacy policy annually, not just when something breaks. GDPR compliance isn't a one-time checkbox; it's ongoing. As your email strategy evolves (new platforms, new data fields, new partners), your policy must evolve too.

5. Request a Data Processing Agreement (DPA) from your email platform in writing. Don't assume it exists just because you use their service. Many platforms keep DPAs in their account settings or require a specific request. Having it signed and dated is non-negotiable.

Frequently asked questions

Can we email old fans from the artist's previous label or PR team without re-confirming consent?

No—consent doesn't transfer between organisations. You need fresh, documented consent from each subscriber under your current campaigns. Many PR teams treat inherited lists as usable, but GDPR requires you either re-engage with explicit new consent or delete them. It's a common trap that leads to compliance complaints.

What happens if someone unsubscribes but then attends a live event and signs up again—can we treat them as a new subscriber?

Technically yes, but be careful. Their previous unsubscribe is still valid, and re-adding them without clear new consent can look like circumventing their original request. Best practice: treat the live event signup as fresh consent, but note in your system that they previously unsubscribed. This shows good faith if questions arise.

Is a GDPR privacy policy required, or is a simple 'we don't sell your data' statement enough?

A full privacy policy is essential—not optional. It must explain what data you collect, why, how long you keep it, and how subscribers can access or delete their data. A casual statement doesn't meet GDPR standards. Your policy should be linked from every signup form and accessible from your website footer.

How long can we keep inactive subscriber data in our email list?

GDPR doesn't specify a hard limit, but data should only be kept as long as necessary. Most PR teams purge unengaged subscribers after 12–18 months of inactivity. Before deletion, consider a re-engagement campaign asking if they want to stay on the list—this respects their agency and can revive dormant fans.

If a fan buys a ticket via Ticketmaster, can we automatically email them as the artist without fresh consent?

No—Ticketmaster holds the ticket buyer's consent, not you. You'd need Ticketmaster's consent to contact their database, or you must get the fan's consent separately. Some platforms offer opt-in during ticket purchase that flows to the artist, but you can't assume. Always clarify data ownership and consent source before claiming a list.

From the field

Proof points

Time to first WARM play after pitch: 1-3 weeks for 6 Music, same week for community (Across recent campaigns)
Named contact reply rate vs studio@: 5x higher (Liberty Music PR campaign data, 2024-2026)
Best UK send window: Tue/Wed 09:00-10:00 UK (Across 60+ campaigns)
When spreadsheet workflow stops scaling: Around contact 500 + 3 active campaigns (Observed at Liberty + freelance practice)

What actually happened

Roam Belle, UK community + specialist radio: 96 plays, accelerated through weeks two and three then declined. Lesson: kill the follow-up wave at week five. (2025)

Email is the spine of music PR and most agencies treat it like a marketing channel. It isn't. A pitch is a one-to-one note that happens to go to forty people. Send window matters: Tue/Wed 09:00-10:00 UK is consistently best, Monday afternoons and Friday after lunch are dead. Studio inboxes get nothing. Named contacts get five times the reply rate of a generic alias. Everything else is decoration.

Chris Schofield, Radio plugger, Liberty Music PR

Related resources

Artist newsletter strategy for PR support: A Practical Guide

guide

Email marketing analytics for music PR: A Practical Guide