Progress or Impediment? Global Privacy Law’s Impact on the Data-Driven Music Industry

By: Michaela Cappucci

Cappucci Blog

The commercial use of personal data—accumulated via digital streams, online searches and applications that capture an individual’s musical tastes and listening habits—drives the way music is commoditized, consumed and promoted. This data is used by (1) record labels to determine which artists to sign and which to drop, (2) music streaming services to deliver content to listeners, and (3) concert promoters to route artists’ concert tours.

Music is also a vital component of social media platforms, as research displays that nine out of 10 social media users engage in a music related activity on their apps. Evidently, controlling and exploiting personal music data is valuable; however, trends in global privacy law relating to personal data protection and personal privacy rights threaten to reduce widespread accessibility to this resource.

In May 2018, the global privacy law landscape began to change with the European Union’s (EU) enactment of the General Data Protection Regulation (GDPR)—the most stringent privacy law in the world. The GDPR offers a comprehensive approach to personal data protection that applies to any organization in the world which collects data related to EU citizens. The regulation permits users to find out how their data has been shared, and to prevent it from being sold. Further, to ensure compliance with the regulation, fines for violating the GDPR can be astronomically high.

Taking heed of the GDPR, in early 2020, California passed the California Consumer Privacy Act (CCPA). The statute secures new personal privacy rights for California consumers such as the right to know about the information businesses collect, which includes how it is used and shared. Specifically, the statute grants Californians the ability to request the deletion of personal information, to opt out of sharing data with third parties, and to not be discriminated against based on any exercise of these rights. The CCPA applies to any business using data from California consumers, and while the penalties for violations of the law are smaller than those imposed by the GDPR, they can still be expensive. After the CCPA was passed, multiple states, such as Colorado and Virginia, proposed similar legislation to protect the personal data and privacy rights of their consumers. This suggests that robust personal data governance may become the norm in the United States—or, at least, that state legislatures are moving in that direction.

The music industry cares about the impact of the GDPR and the CCPA because this affects music companies’ ability to swiftly collect personal music data on consumers residing in these locations. For instance, if streaming data reveals that a particular artist is not connecting with fans located in the EU, then a record label may adjust its marketing campaign strategy for promoting the artist’s music. The EU is a vibrant music market, and the access to—and usage of—personal data helps to maintain this. Californian consumer data is equally valuable because the state is “synonymous with the music industry”— meaning that the rich music history and thriving music culture make the state a critical aspect of the global music economy.

Some view these regulations as an important step in protecting global privacy rights and promoting transparency. Others see them as a detrimental barrier to data-dependent growth in music. Regardless, music-based businesses have incurred significant compliance costs in order to update procedures, policies and websites in accordance with these new laws. Leading companies in the music industry, like Spotify (a streaming service), Live Nation Entertainment (a concert promotion firm and ticketing company), and Universal Music Group (a major record label), have clearly explained to consumers how to exercise their rights under the CCPA. The unanswered question remains: Why is it necessary for these businesses to “sell” personal data to create the best possible music experience for fans?

Data provides stakeholders in major music companies with a comprehensive overview of an artist’s radio airplay, streaming playlist adds and positions, social media engagement, and geolocated listener demographics. Data allows artists to strategically build their fan base, and music industry executives to predict the next breakthrough act. The GDPR and the CCPA’s stance on privacy law impacts every aspect of this process. On the one hand, consumers may be indifferent to the new laws and continue to permit music companies to collect their personal music data. On the other hand, if consumers on a mass scale choose to exercise their new rights by either deleting or opting out of sharing their personal data, the process of developing and sustaining meaningful music experiences could be significantly hindered.

Timing is everything for success in the world of music, as the industry is constantly making personal data-driven changes to fuel our society’s demand for immediacy. For example, consumers expect Spotify to recommend tunes that perfectly fit their music taste or appreciate when an Instagram ad informs them when their favorite artist goes on tour. These targeted suggestions are not a coincidence; rather, music companies need to quickly gather and use data to curate these interactions. Since the music industry looks to both the EU and California for guidance, these locations’ stances on privacy law are of the utmost importance. While evolutions in privacy law are significant, imposing hurdles on data collection and distribution in the music industry also restricts the pace at which companies can innovate and deliver the music content listeners have come to crave.

Michaela Cappucci is a second-year law student at Wake Forest University School of Law. She holds a Bachelor of Science in Industrial and Labor Relations from Cornell University with two minors in Law & Society and Anthropology. Michaela intends to pursue a career as an entertainment attorney in the music industry.