The GDPR and Your Art Business

by guest blogger Mckenna Hallett

What you need to know to comply with new online privacy laws.

By now, everyone has likely seen the activity by so many large (and not so large) companies that are announcing new privacy policies or asking you to opt in to stay on an email list. This barrage of emails and new pop-ups on websites announcing changes is the result of the new GDPR law, which took effect on May 25, 2018.

This is a quick look at some of the top questions. Of course, it is not to be considered the final word. Everyone needs to pay attention, and you should hire legal help if you have any specific concerns.

Now, let’s try to get to some of the meat and potatoes of this issue.

Q: What is the GDPR?

GDPR stands for General Data Protection Regulation (Regulation (EU) 2016/679) and, at its most basic, it specifies how “Personal Data” must be lawfully processed. The intention is to give people residing in the EU more control over how their data is collected, used, protected, or otherwise handled.

The GDPR replaces a somewhat looser set of directives adopted by the European Union nations in 1994. The most alarming change is the level of fines; businesses can see multi-million or even billion dollar fines levied. In response, US-based companies have spent in excess of eight billion dollars to achieve the necessary compliance since the regulation was adopted in 2016.

Q: I am a very small business located in the United States. Do I need to comply?

Forbes Magazine is blunt: “Any company processing, storing or using [personal] data related to an EU citizen will be subject to citations and accompanying fines for noncompliance — even if it’s just one customer.”

While there is some debate as to your liability if you are not directly “targeting” your marketing to entities in the EU, one thing is clear as mud – you might be liable. This is direct from the regulations: you are liable if you are “a company established outside the EU offering goods/services (paid or for free) or monitoring the behaviour of individuals in the EU.”

Monitoring certainly includes tracking visitors with cookies, which all sites do. Facebook pixels and Google Analytics are central tools of monitoring, too.

But, here’s the thing: even if you are not “targeting” your marketing to residents in the EU when they land on your site, don’t you want them to feel like you care about their privacy? Don’t you want to get everyone’s full-throated and enthusiastic consent when they sign up for your emails?

Whether or not you are liable – the parsing of words will probably go on for months – the GDPR is considered a “living document”, and tests over time (lawsuits being one form of testing) will continue to clarify its meaning.

With all that in mind, many large (and financially vulnerable) US-based businesses are actually blocking access from EU-based IP addresses, concerned that if someone lands on their website from an IP address located in the EU they might be liable. They aren’t willing to test the theory, despite the high cost of blocking IP addresses. Keep in mind that such blocking is also imperfect: IP geolocation databases are inexact, and a visitor using a VPN may appear to be somewhere else entirely.

But liability aside, there is a good argument to be made for compliance for appearance’s sake alone.

The Sore Thumb Principle

With so many of the main players in the US adhering to the regulations, those who are not playing by the new rules will begin to look less trustworthy. In other words, if you appear less transparent and don’t use the standards that are increasingly in use by the rest of the internet, you may look like you are not properly handling personal data. You may risk standing out like a sore thumb.

There is no reason to panic though; the “deadline” was last week, after all. However, you should try to move your website and online marketing towards more transparency. Being trustworthy is your strongest online marketing strategy.

Worldwide Adoption Seems Inevitable

Beyond keeping up appearances, there is another reason to comply: it is widely expected that most other nations will simply adopt the principles behind the GDPR.

In fact, an initiative seeking to establish new consumer privacy rights and expand liability for consumer data breaches is on the ballot in California’s November 2018 election. And just like the GDPR, it aims to give consumers more control over how their data is used and would apply to every company, anywhere, that uses data from Californian residents. If that passes, that’s a game changer.

You might be tempted to raise your fist in the air and curse “regulations”. However, I’m sure most of you agree that this is good news! Don’t we all want to know how our personal data is used? Wouldn’t it be great if there were a universal law that required data breaches (especially breaches that may have included our banking information and/or our Social Security number) to be reported within 72 hours?

Equifax, a consumer credit reporting agency, had their data banks breached over a three-month period. They didn’t alert the public for another two months! 145.5 million consumers had data stolen, including Social Security numbers, dates of birth and, in some cases, driver’s license numbers.

(Okay. Now you can shake your fist and curse.)

Q: I am getting re-permission emails from some lists I am on. Do I need to get fresh opt-ins from everyone on my email list, too?

Maybe yes, maybe no. Or maybe just for some of your lists. If you have been complying with the CAN-SPAM Act (US anti-spam law) along with CASL (Canadian anti-spam law), those two laws already align closely with the GDPR’s requirements for email marketing. If you don’t have a clue what those laws require, let’s review what “consent” means and specifically what is required for consent when gathering personal data in the GDPR era – and potentially in other countries beyond the EU, US, and Canada.

Consent, Transparency, and Legitimate Interest

Consent is the key to compliance and “unambiguous” permission must be obtained. The GDPR wants every EU resident to be on your list with solid permissions in place. Of course, you want that for everyone on your list, right?

With that said, it’s very unlikely that most of you will need to get fresh opt-ins. If you are using a properly configured email service provider, like Constant Contact, you were already in 100% compliance with US and Canadian spam laws. Constant Contact began addressing the additional GDPR requirements months ago. (I cannot vouch for other systems, although I have seen some new “compliance” activities in emails coming from MailChimp recently.)

Whatever email service provider you use, you still have responsibility.

Consent is measured by “active” opt-in actions by a subscriber, with full transparency on your part as to exactly what they can expect after giving you their personal data. Did you upload a bunch of email addresses into your account and claim to have permission when the pop-up asked you to confirm the addresses were opted in? That is not within the spirit of the consent requirement.

In other words, you need to be clear about your intentions. They must actively give you permission and know exactly what they are permitting you to do.

Examples of what might not qualify include most third-party templates for a “lead magnet” or “squeeze page”, and even third-party pop-ups used to collect email subscribers. Most of these templates lack vital criteria, like clearly stating what you will do with the data and that you are adding the person to a list.

Further, they must actively agree to be added to the list. No pre-ticked boxes! And there must be a privacy policy available for them to read before they hit that submit button. That’s the law in the US and Canada already.

A best practice to fix any weakness in how you gather addresses is to include a statement that outlines what subscribers can expect. Here’s my sign-up statement:

Ready to Learn More About Marketing? I post a new blog every other week. I recently added podcasts to the mix. I also send out special announcements from time to time, too. I don’t send out massive amounts of stuff, but you can instantly unsubscribe anytime. Most people stick around for years. ;’)

In other words, be transparent. Being transparent has always been the gold standard. Tricking someone into giving you their email address by suggesting they will get a free e-book or calendar, but not telling them they will also be automatically added to your list is, and has always been, a bad idea. Now, it’s a fineable offense if that person lives in the EU.

However, if you have some people on your list for whom you don’t have clear and verifiable permission, there is still something in the GDPR called “Legitimate Interest”. Beyond your “properly configured” online sign-up, most of you reading this have grown your email lists very organically. You got those addresses directly at in-person events or from purchasers online.

When someone makes a purchase and begins getting your “purchase-related” marketing emails, that is a “legitimate interest”. And as long as you include your full physical address, easy-to-find unsubscribe link, and a link to your privacy policy (traditionally in the footer of your emails), you are good to go.

Q: How seriously should I take this whole thing? Are they really going to come after me?

All of this must be tempered by common sense. We can assume that you are at very low risk of having someone file a complaint, right? The fact of the matter is that you are not running some scam operation. You and your collectors and admirers have a loving and respectful relationship, and the only way someone gets into the spotlight of these regulations, the CAN-SPAM Act, or CASL is through a complaint.

Just don’t underestimate the Sore Thumb Principle.

Final thoughts

One thing is for sure: email marketing is still your greatest marketing asset. It’s far more effective at gaining trust and building sales than social media sites.

So it’s worth your time to get the cosmetics right. Be seen as a responsible, caring, and transparent marketer of your fabulous art. Being trustworthy is your strongest online marketing strategy.


Mckenna Hallett, of, is a frequent guest blogger, motivational speaker, and selling coach. She is called a “Marketing Therapist” by her followers for her insightful and human approach to marketing. She is the author of the “E’s of Selling Art System” – a guidebook and flashcards to help with those face-to-face selling opportunities.
