Fan Data, Consent, and the Law: What Every Artist Team Needs to Know

A sourced breakdown of GDPR, the ePrivacy Directive, and US privacy law as they apply to fan tracking, redirect links, and audience data.

Why This Matters for Artist Teams

Every time you share a link, promote a show, or run an ad campaign targeting fans in Europe, two pieces of EU law come into play: the General Data Protection Regulation (GDPR) and the ePrivacy Directive. Together, they set out exactly what you are and are not allowed to do when tracking who clicks your links, fires your pixels, or lands on your pages.

This is not abstract legal theory. Fines for non-compliance reach up to 4% of global annual turnover under GDPR. France's CNIL issued over €139 million in cookie-related fines between December 2022 and December 2024. These are not rare edge cases.

For most artist teams, the practical question is simple: when you use a tool like Fan Capture to identify who clicks your links, what are you legally required to do? This article gives you a sourced answer, linking directly to the EDPB (edpb.europa.eu), CNIL (cnil.fr), the ICO (ico.org.uk), and the California AG (oag.ca.gov).


Part 1: The EU Framework - Two Laws, One Standard

Most people have heard of GDPR. Fewer know that a second law specifically governs cookies, pixels, and device-level tracking: the ePrivacy Directive (Directive 2002/58/EC).

GDPR

GDPR governs how personal data is collected, stored, and processed. Cookies that track individual user behaviour qualify as personal data. GDPR Article 6 sets out six lawful bases for processing, two of which are commonly misunderstood: Consent (Art. 6(1)(a)) and Legitimate Interest (Art. 6(1)(f)).

ePrivacy Directive (Article 5(3))

The ePrivacy Directive applies specifically to the storage of or gaining access to information already stored on a user's device. Cookies, tracking pixels, tracking links, browser fingerprinting, and unique identifiers all fall within its scope.

The rule under Article 5(3) is binary: either the user consents, or the storage or access is strictly necessary for a service the user explicitly requested. There is no legitimate interest exemption here. GDPR's six legal bases do not override this.


Part 2: Why Legitimate Interest Does Not Work

The EDPB published Guidelines 1/2024 on Article 6(1)(f) GDPR in October 2024. They clarify that even where a legitimate interest could theoretically be argued under GDPR, it does not override the ePrivacy Directive's consent requirement for device-level tracking. The EDPB's Cookie Banner Taskforce states directly: legitimate interest "is not a ground for data processing based on Article 5(3) of the ePrivacy Directive so it should not be included in the cookie banner."

In practice: you cannot claim "we have a legitimate interest in knowing who clicks our ticket links" to justify setting cookies without consent. A banner that defaults to data collection unless the fan objects is not valid consent. Making it harder to decline than to accept is a dark pattern regulators are actively fining.


Part 3: Tracking Links and Pixels Are Explicitly in Scope

The EDPB confirmed in Guidelines 2/2023 (finalised October 2024) that Article 5(3) applies beyond traditional cookies to: tracking links, tracking pixels, browser fingerprinting, local processing, and unique identifiers. The EDPB Chair stated: "These guidelines discuss solutions, such as tracking links and pixels, local processing, and unique identifiers, to ensure that the consent obligations set out by the article are not circumvented."

Fan identification and ad audience building do not qualify for the strict necessity exemption. Counting views server-side only (no device storage) is different and does not require consent.


Part 4: What Valid Consent Requires

GDPR Article 4(11) defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes." Article 7 adds that withdrawal must be as easy as giving consent. For fan tracking, valid consent requires all of the following: prior (cookies blocked until accept), active and affirmative (scrolling does not count), specific and granular (per category, not bundled), informed (clear language before consent), freely given (no penalty for refusing), and withdrawable (as easy to revoke as to give).


Part 5: EU vs US - Opposite Defaults

In Europe, tracking requires a yes. You cannot set a cookie or identify a device until the user has actively opted in. The default is no tracking.

In the US, tracking is the default. There is no federal privacy law equivalent to GDPR. The dominant framework is opt-out: data is collected unless the user acts to stop it.

The US Landscape

California's CCPA (amended by CPRA) gives California residents the right to opt out of the sale or sharing of their personal data, the right to know what is collected, and the right to delete it. It is opt-out by default.

Other states have followed with their own laws: Virginia (VCDPA), Colorado (CPA), Connecticut, Texas, and others. Colorado required businesses to recognise the Global Privacy Control (GPC) as a binding opt-out signal from July 1, 2024. California, Colorado, and Connecticut jointly investigated GPC non-compliance in September 2025.

For artist teams: if you have US fans, you are generally permitted to track through standard redirect and pixel setups, as long as you provide a clear privacy policy, an opt-out mechanism, and do not sell data without disclosure.

Global Distribution

Most artist link distribution is not geo-targeted. A link in an Instagram bio or newsletter goes to everyone. You cannot guarantee your audience is entirely outside the EU. The safe global default is Full consent mode. A fan in Texas seeing a consent banner loses nothing. A fan in Germany clicking a link with no banner is a legal exposure.

What Your Privacy Policy Needs to Cover

Both EU and US law require transparency about what you collect. For an artist team using Fan Capture, your privacy policy should cover: what data is collected when fans click a link (device identifier, IP address, timestamp, destination), whether cookies are set and for what purpose, whether third-party pixels (Meta, TikTok, Google) fire and what data they receive, how long data is retained, how fans can request deletion or opt out, and who is the data controller.

In the EU, this policy must be linked in your consent flow before the fan accepts. For Fan Capture's Full consent mode, this is the Cookie Policy URL you provide when setting up the link. In the US, it needs to be accessible and accurate but does not need to be presented pre-click.


Part 6: Compliant vs Not Compliant

Scenario | EU Compliant? | Why
--- | --- | ---
Cookie set after explicit Accept | Yes | Valid prior consent obtained
Cookie set silently, no banner | No | No consent. Violates ePrivacy Art. 5(3)
Banner shown while cookie fires simultaneously | No | Prior consent required. Simultaneous is not prior.
Legitimate interest claimed in cookie banner | No | EDPB: not valid under ePrivacy Art. 5(3)
Minimal Accept/Deny, cookie only after Accept | Partial | Consent mechanism exists but may lack granularity
Full consent flow: granular, equal prominence, policy linked | Yes | Meets GDPR Art. 4(11) and ePrivacy Art. 5(3)
Meta or Google pixel fires before consent | No | Third-party pixels subject to same rules
Pixel fires only after Accept, consent logged | Yes | Prior consent, documented, purpose-specific
Views counted server-side only, no device storage | Yes | No device access. ePrivacy Art. 5(3) does not apply.
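The consent requirements from Part 4 and the compliant rows above (cookies and pixels fire only after an explicit Accept, per category, with the decision logged and withdrawal as easy as acceptance) as a small consent gate. This is an added example, not Fan Capture's or AndR's code; the category names, the "user_click" source tag and the in-memory log are assumptions made for the illustration.

```javascript
// Constructed consent gate: nothing device-level (cookie setters, ad pixels)
// runs until a prior, affirmative, per-category choice has been recorded.
const CATEGORIES = ["analytics", "marketing"]; // assumed category set

function createConsentGate(now = () => Date.now()) {
  const pending = Object.fromEntries(CATEGORIES.map((c) => [c, []]));
  const log = []; // every decision and withdrawal, timestamped (documented consent)
  let choices = null; // null = no decision yet, so nothing may fire (default is no tracking)

  function release(category) {
    pending[category].splice(0).forEach((loader) => loader());
  }

  return {
    // Register a cookie-setting or pixel loader. It never runs at registration
    // time; it runs only once its category has been accepted by the user.
    register(category, loader) {
      if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
      pending[category].push(loader);
      if (choices && choices[category]) release(category);
    },
    // Record a decision. Only an explicit banner click counts; scrolling,
    // timeouts or continued browsing are rejected as a consent source.
    decide(accepted, source) {
      if (source !== "user_click") throw new Error("consent must be an affirmative act, got: " + source);
      // A category not explicitly set to true is treated as refused (no bundling).
      choices = Object.fromEntries(CATEGORIES.map((c) => [c, accepted[c] === true]));
      log.push({ at: now(), source, choices: { ...choices } });
      CATEGORIES.filter((c) => choices[c]).forEach(release);
      return { ...choices };
    },
    // Withdrawal is a single call, as easy as accepting (GDPR Art. 7). Loaders
    // that already ran cannot be un-run, so the caller must also clear their cookies.
    withdraw() {
      choices = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
      log.push({ at: now(), source: "withdraw", choices: { ...choices } });
    },
    status() { return choices ? { ...choices } : null; },
    history() { return log.slice(); },
  };
}
```

Wire each pixel's initialiser through register() instead of loading it from the page head, so that the "banner shown while pixel fires simultaneously" case cannot occur by construction.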


Part 7: Fan Capture Consent Modes Against EU Law

Off

No banner, no cookies set by AndR. Views counted server-side, which does not require consent. However, any linked ad pixels will fire. Third-party pixels require consent in the EU. Off mode with linked pixels for EU audiences is non-compliant.

Light

A minimal Accept/Deny banner is shown, and cookies are set only after Accept. The mode is framed as legitimate interest, which is technically incorrect under EU law. If the implementation blocks all cookies until explicit acceptance and offers an equally prominent Deny, many regulators would treat this as closer to valid consent in practice. But it lacks granularity, and the legitimate-interest framing creates legal risk, particularly in France and Germany. For European audiences, Light mode is not recommended.

Full

Fans must explicitly accept before any cookies are set. Linked to a Cookie Policy. Nothing collected without active opt-in. This aligns with GDPR Art. 4(11), Art. 7, and ePrivacy Art. 5(3). This is the compliant choice for any artist with European fans.

To set up Full consent mode, see Setting Up Fan Capture Links.


Part 8: Enforcement

  • Amazon: 35 million euros (CNIL, December 2020) for placing advertising cookies without prior consent.

  • Google: 150 million euros total (CNIL, December 2021) for not allowing users to refuse cookies as easily as accepting them.

  • Facebook: 60 million euros (CNIL, December 2021) for the same dark pattern.

  • Microsoft: 60 million euros (CNIL, December 2022) for depositing cookies without consent on bing.com.

  • Google: 325 million euros total (CNIL, September 2025) for ads in Gmail without consent and invalid cookie consent during account creation.

  • Dutch DPA: 50 organisations warned (April 2025) for misleading cookie banners. The DPA monitors 10,000 Dutch websites annually and plans to warn 500 per year.

  • ICO (UK): concerns communicated to 134 of the top 200 UK websites (January 2025).


Summary

  • Two EU laws apply: GDPR and the ePrivacy Directive. Both must be satisfied.

  • Legitimate interest is not a valid basis for cookie-based tracking under ePrivacy, per the EDPB's own published guidelines.

  • Consent must be prior, active, specific, informed, freely given, and withdrawable.

  • Tracking links and pixels are explicitly within ePrivacy Art. 5(3) scope, not just traditional cookies.

  • Views (server-side) require no consent. Identified fans (device-level) do.

  • The US default is opt-out, not opt-in. No prior consent required before a cookie fires.

  • Global link distribution means EU rules apply to your EU fans regardless of where you are based. Full consent mode is the safest global default.

  • Enforcement is active and growing across France, the Netherlands, and the UK.

This article is informational and does not constitute legal advice. For specific questions, consult a qualified data protection lawyer or your DPO.


Sources

  • EDPB Guidelines 2/2023 on Technical Scope of Art. 5(3) ePrivacy Directive - confirms tracking links, pixels, and unique identifiers are within scope. edpb.europa.eu

  • EDPB Guidelines 1/2024 on Art. 6(1)(f) GDPR - confirms legitimate interest is not valid under ePrivacy Art. 5(3). edpb.europa.eu

  • EDPB News: Clarity on tracking techniques covered by ePrivacy Directive - press release on finalisation of Guidelines 2/2023. edpb.europa.eu

  • CNIL - Amazon 35 million euros fine (December 2020) - cookies deposited without prior consent. cnil.fr

  • CNIL - Google and Facebook fines (December 2021) - refusal of cookies made more difficult than acceptance. cnil.fr

  • CNIL - Microsoft 60 million euros fine (December 2022) - cookies deposited without consent on bing.com. cnil.fr

  • CNIL - Google 325 million euros fine (September 2025) - ads in Gmail without consent and invalid cookie consent during account creation. cnil.fr

  • ICO - Cookie compliance action on top 1,000 UK websites (January 2025). ico.org.uk

  • California Consumer Privacy Act (CCPA) - California Attorney General. oag.ca.gov
