PrivacyJun 16, 2026 · 2 min read

Does the Fan Data Audit run into data-protection law? Quite the opposite.

The question comes up in almost every conversation. The honest answer: an artist's biggest data-protection risk isn't working with data — it's not working with it.

Gabriel Lupi
Gabriel Lupi
Ex-Amazon Music and Deezer
A crowd under a protective dome of light — privacy as protection
Editorial illustration generated with AI support

In a recent briefing I heard the question that always shows up: “This is a dream of an operation. I'm just left with one doubt — doesn't it run into the data-protection law?” It's the right question. And the answer starts with an uncomfortable truth: today, for most artists and festivals, fan data lives scattered across spreadsheets on each team member's laptop, in loose exports and WhatsApp threads. No access control, no records, no one accountable. That is the real risk — and it already exists, with or without a consultant.

Who actually owns it

Brazil's LGPD organizes responsibility by roles, and that changes the whole conversation. The artist, manager or festival is the Controller: the one who decides what the data is for and who the fans are. Whoever helps process that data — in this case, me — is the Processor: working on the client's behalf, under instructions, under contract. You don't lose control; on the contrary, it becomes clearer than ever, because it gets written down.

How the data is actually handled

Instead of spreadsheets floating around, access is read-only and encrypted — we never edit the client's platforms. Personal identifiers (email, phone) are pseudonymized: each fan becomes a code, and the identity is stored separately and protected. The cross-matching across sources — streaming, ticketing, social, merch — happens on those codes, not on the raw data. And when the work ends, the data is returned or deleted. No extra footprint.

Compliance isn't a blocker — it's the method

The irony is that the work, beyond activating the audience, does the first step of any compliance program: mapping where the data lives. By organizing, protecting and documenting it, it lowers the client's exposure rather than raising it. The question “doesn't this run into the law?” comes from a legitimate fear — that handling data is dangerous. It's the opposite: what's dangerous is not handling it.

If a fan asked your artist today to see or delete their own data — would you know where it is and be able to respond on time? If the answer hesitates, the risk is already there. And that is exactly what this fixes.

Sources — Brazil's LGPD (Law no. 13,709/2018); guidance from the National Data Protection Authority (ANPD).

Gabriel Lupi
Gabriel Lupi led content at Amazon Music and Deezer, and co-founded Agência 14. For a long time he thought those were two different careers — they're not: both are about invisible systems for visible moments. It's that method, now applied to fan data. This text is informational and not legal advice.

This piece was produced with the support of artificial intelligence and reviewed by Gabriel Lupi, with a critical, human eye.

The next step

Fan data, compliant from the start.

From audit to activation — under contract, read-only, pseudonymized. Shall we talk?