Data protection guide event organisers

Hosting a public event in the coming months? You might want to pay attention to the event’s privacy practices. What personal information do you gather from attendees and how will you use it? Will there be photography? How long can you keep attendees’ information? 

Event-goers might be uncomfortable at the prospect of their information ending up in new places, like company mailing lists. If you’re responsible for a networking mix or a big-name concert coming to town, pay attention. Here’s the low-down on what to expect and how to handle privacy at events.

In this article, we’ll cover a few privacy best practices for your next event:

  • Location legal requirements 
  • Establish purpose and collect only what you need 
  • Include a privacy notice when collecting information 
  • Individual participation: get active consent before you use that data
  • Issues with photographs 
  • Photography in public vs. private events
  • Facial recognition at events
  • What about CCTV monitoring?
  • Data safeguards
  • When to get rid of attendee information
  • What if I de-identify the data?
  • Using a third-party management app or service
  • Can attendees enjoy the event without using a third-party app?

Location legal requirements 

Where is the event going to be? 

Holding this year’s annual conference in Japan, for instance, might be a popular move, but pay attention to the Act for the Protection of Personal Information. Depending on the event’s country, state, or province, different regulations may apply. In Canada, paid events may be subject to the Personal Information Protection and Electronic Documents Act. Most recently in the United States is the California Consumer Privacy Act. The law only applies when there are data processing of over 50,000 customers however, so small or local events may not be required to comply. On the other hand, popular events like the San Diego Comic Convention, are known to attract over 135,000 attendees. How many individuals are you expecting?  

If expecting an international audience, things may become a bit more complicated. For example, visitors from the European Union will no longer have GDPR protections if visiting an event on American soil. According to HIPAA Journal

“GDPR requires the personal data of an individual residing in an EU country to be subject to certain safeguards and their data rights and freedoms must be protected. When an individual leaves an EU country and travels to a non-EU country, they are no longer protected by GDPR.”

Yet as email vendor Dispatch points out, there are times when the GDPR applies to US citizens, such as when a US resident visits France. 

Event organizers should also be aware of privacy regulations during online processing. If events are promoted to European markets and allow for online booking, the GDPR will apply to any personal information collected while the resident is booking from home.  

Establish purpose and collect only what you need 

When future attendees sign up for an event, what information do you ask from them? One surefire way to be privacy-conscious is to reduce the data attendees hand over. This will lower your risk by having less information in your custody. Privacy-conscious attendees will also appreciate it if you avoid intrusive questions and data gathering.

Weigh what information is essential for the event against what info might be nice to have but is not necessary. Demographic information, for example, can be valuable for later analysis, but is it necessary for attendance? Is there a reason you need both a guest’s email and phone number, or would one be enough?  Other things to consider include:

  • What value might there be for the attendee to provide their information?
  • Are there restrictions that require information for attendee verification? An indoor venue that requires booked seatings, for example, is different than an anything-goes meetup at a public park.
  • Do you need to verify age? Not all events are family-friendly, but before collecting full birthdates to confirm ages, consider using the year of birth alone.
  • Are there other restrictions for guests, such as tickets limitations for residents of specific areas, or members of an organization? Prepare to explain why you need specific details if asking.  

Include a privacy notice when collecting information 

Tell attendees what your plans are for their information. Privacy notices provide information on what you collect and why, and how you intend to handle their personal data. Questions you should answer in your privacy notice include:

  • What information is collected?
  • How will the information be used? 
  • Who will see it? Will the information be shared with any third parties for other uses?
  • How long will personal data be retained? 
  • Will it be aggregated or anonymized? 
  • How will it be secured?
  • Can attendees access and/or update their information?
  • Are you using any third parties for information processing?
  • Who do they contact if they have questions or concerns?

The goal is to be open and transparent with attendees. Your privacy notice should be easy for prospective attendees to read and easy to access. Provide your attendees the opportunity to read the notice before handing over information. Add privacy notice links in online signup forms and on websites providing event details. Potential guests should always have the option to understand what happens to their information before they sign up. Be aware that additional information in your privacy notice may be required depending on the law.

If you need aid crafting the notice, plenty of options are available online. Useful resources include:

Individual participation: get active consent before you use that data

If the attendee agrees to the terms of the privacy notice, then get informed, opt-in consent before collecting or using personal information. 

One best practice is to provide attendees options about information sharing. Do you want to place their contact details in a mailing list? Would you like to analyze demographic data for future improvements? Present a choice that allows attendees to decide whether to share their information for additional purposes.

While it might be tempting to get consent with a pre-checked box during registration, don’t. Instead, when obtaining consent to use personal information, checkboxes should be blank, or set to  ‘no’ by default. Under some legislation, the consent may not be valid otherwise. 

If the personal information includes an email address, the Canadian Anti-Spam Legislation requires opt-in before use of contact information. According to The Canadian Radio-television and Telecommunications Commission, “You cannot use a pre-checked box to request consent from a consumer as it assumes consent.” The GDPR takes this further. Article 25 requires compliance using data protection by design and by default. 

Issues with photographs 

Will there be photography at your event? Do you have plans for any official photos? Are you expecting or encouraging guests to take their own pictures? Could the images be shared on social media? Event privacy and photography is an area that can be difficult to navigate. Prior to the rise of smartphones, taking pictures at an event meant planning ahead of time. Participants would need to remember to bring a camera, and later would share developed photos with a select few. Now, most of your attendees will have a powerful camera on-hand, that can share pictures worldwide instantly. 

Yet not everyone at the event may be fine appearing in public pictures. Parents of young children for example, may be uncomfortable with their child’s face appearing in social media highlights. Writing for HuffingtonPost, Caitlin McCormack writes parents have safety concerns with their children in pictures, particularly images shared online. Other times, employees may face reprimands for photos taken at events that conflict with professional reputations. Writing on Why social media can be a minefield for teachers, Geoff Bartlett recalls cases of educators facing disciplinary action for social media photographs that include them drinking alcohol. If running an event, when do you need to step in and how?

Photography in public vs. private events

When considering photography restrictions, consider the venue and type of event. When might guests expect frequent photography in the area? The location makes a difference. For example, consider Filming and Photography on University Property by the University of Calgary.  The policy states that it “is not generally an unreasonable invasion of privacy to take photos of people attending or participating in a university-related public event such as a graduation ceremony, sporting event, or cultural program.”  

But there’s a distinction in UoC’s stance between public and private events. At private events, the University requires informing attendees of the presence of photography. Announce the presence of photography, and be ready to assist individuals with questions. “Signage should be used and a verbal announcement can also be made to reinforce the message.”  In other words, be clear what attendees should expect, and if they are uncomfortable allow them to decide not to go. 

Taking the university’s policy as a guideline, include information on photography within the event’s privacy notice when attendees sign up. Smaller notices, or a sign on photography limits when attendees arrive is also a good reminder.  Avoid a full wall of legal text: simple is better. Consider a no-camera sign if not allowing photography, or a statement if photographers will be present. For events on sensitive topics or where minors are present, consider a reminder. 

You may not be able to police all actions, but most will respect requests if asked. Above all, if individuals request to be kept out of pictures or social media afterward, honor their wishes. 

If taking photos where children are present, ask their parent or guardian first. If you frequently hold events where children will be photographed, The Resource Centre, a website that assists with community events, recommends getting consent in writing. “Parents/guardians can sign this to say that they give permission for their child to be photographed/filmed, and for the images to be used in certain ways.”

Facial recognition at events

Will facial recognition be making an appearance at your event? Certainly, some software developers hope so. Some startups are trying to break into event planning by using facial recognition tools. The idea is to provide personalized experiences for attendees, track real-time engagement, or enforce security. Some event management software companies, including ExpoLogic, now allow facial recognition check-in. Zenus Biometrics is another hopeful player, advertising “superhuman event analytics.”

However, facial recognition makes guests weary, and for good reason. New stories on potential abuse of the technology are cropping up each month. Most recently, Kashmir Hill and the New York Times exposed Clearview AI, a startup already in use by over 600 law enforcement agencies. According to Isaac Carey with Skift, privacy is a major hurdle for event organizers who want to incorporate face recognition.

“As facial recognition becomes more common, privacy concerns are rising.” 

What about CCTV monitoring?

CCTV monitoring offers slightly different concerns than general photography. On one hand, closed-circuit images hold limitations on where images are viewable. On the other hand, CCTV technology is synonymous with video surveillance for a reason. According to Richard Perkins with Nice, CCTV plays a vital role in police investigations. 

If the images can identify individuals, they qualify as a form of personal information and privacy must be taken into account. How will you let guests know that CCTV cameras are in action? If the event venue includes CCTV monitoring, do you know how attendees can exercise privacy rights? Bloggers for TinsleyNET Admin advise doing a little homework.

 “You’ll need a way to supply CCTV footage to a user if they submit a request for information, or if a legal requirement exists that requests the information. Can you easily retrieve and supply the requested information?”

You’ll also want to confirm how the images will be put to use, and how long the information will be held. Consider the 2006 Winter Olympic and Paralympic Games, which saw 900 CCTV cameras deployed at Olympic venues. According to a report by the Office of the Privacy Commissioner of Canada, the event fell under the jurisdiction of the Privacy Act, requiring the ISU to create guidelines for  the “collection, use, disclosure, retention and disposal of video images.” If CCTV monitoring will be in effect, review privacy compliance with the venue, or ask if they can connect you with the monitoring suppliers. 

Data safeguards

Once you have attendees’ personal information in your possession, it will be up to you to protect it. When storing the information on a home PC or your organization’s network, be sure to do a security check. What safeguards do you have in place? Safeguards will depend very much on what information you’ll be asking for, how you’ll collect it, and where it will be retained.

  • If processing and storing the data yourself, don’t skip on system security updates or anti-malware, and be sure to encrypt the data. Encryption is a particularly valuable safeguard for privacy, as a code that hides information. You can implement encryption tools in two areas. First, consider encrypting information in transit, such as when capturing data via online forms. To do this, you’ll need to get a valid SSL certificate for your website so it uses HTTPS. Second, store the data in an encrypted format when at rest; when not in active use.  For more details on encryption types, see Josh Lake’s Common Encryption Types, Protocols and Algorithms Explained.
  • Using a third-party for data processing? Companies including Convention Data Services offer to do a lot of the heavy lifting for you, but that means trusting their security. Do your homework: does the service offer any insight into their own practices, such as encryption and keeping data behind a firewall. Is there any promotional information you can access, or someone you can speak to? A good third-party won’t be able to inform you of all the details, such as software, they use for protection, but they should be able to provide a solid list of safeguards. If the third-party skips basic protection measures, find someone else: in the event of a data breach, regardless of where the data is stored, you may be responsible.
  • If hosting a paid event, will you accept credit cards or be cash-only? Credit cards are popular. According to Rick Maughan with the New York Post, only one in four Americans carries cash. Overseas the outlook is similar, according to Amelia Hill in The Guardian. This means you’ll want to consider taking electronic payment, but if so there’s a hitch:  higher security should be top of mind. Nothing says ‘theft’ like credit card processing with no protection. If your event is on the smaller side, your best bet is to skip the risk and use third-party providers. Companies including PayPal, Stripe, Chase and Square handle credit card processing for their clients. These services often charge a fee, but it’s nothing compared to the costs of setting up your own process for taking payments, or as Square emphasizes, the heavy fines if the data is breached.
  • If your event includes a website, what security is in place to protect visitors? You’ll need to protect a few things, including anything submitted by attendees. Joyce Tammany of SiteLock offers a solid introduction to web security, including the types of attacks you’ll need to be on guard against, and the types of tools to lock things down. 
  • Do you have others helping you organize the event? No matter where attendees provide their information or where it is retained, put limits on access. Personal information should always be on a need to know basis. Unless one of your team needs the information to process as part of the event, keep personal data out of reach. Limiting access can be done by limited user accounts, database restrictions, or locking physical media when not in use. 

If new to security controls and need assistance, consider online guides including Small business guide to data protection, How small businesses improve cybersecurity without breaking the bank, or The Small Business Guide to Network Security Essentials.

When to get rid of attendee information

All good times must come to an end, and so should your data holdings. Best practices state only hold personal information so long as it serves its original purpose. For events, this means once the date is over you’ll need to destroy the personal information you hold. Erasing data you’ve taken the time to curate might appear harsh, but in reality an important protection measure. 

First, if complying with PIPEDA, the GDPR, or other privacy laws, the law may limit data retention. “Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” In the case of the GDPR, attendees will have the right to erasure of personal information, unless the information is required to comply with other legal obligations.    

The practice is also a safeguard, protecting past attendees and your own reputation in the event of a breach. As Bob Violino writes for CSO Online, “A key part of any information security strategy is disposing of data once it’s no longer needed. Failure to do so can lead to serious breaches of data protection and privacy policies, compliance problems, and added costs.”

Some laws might require you to provide attendees with contact information for the data controller–the person in charge of storing and securing user data. Guest must be able to contact this person for requesting updates to or erasure of their data.  

What if I de-identify the data?

If you feel the data may still hold valuable insights even after the event is over, consider de-identification. This will remove names, email addresses, phone numbers, and physical addresses that could identify an individual, but leaves other non-identifying information about attendees. Aggregate, pseudonymous, and anonymous data offer safer storage of personal information. 

Be aware, however, they are not exempt from privacy concerns. If planning to keep de-identified information after the event, inform attendees in your notice. For more information, see Understanding aggregate, de-identified and anonymous data.

Using a third-party management app or service

Are you planning to use third-party applications when organizing your event? You certainly have options. Eventbright and Meetup are popular for boosting event awareness, and for handling signups. Other apps like Whova provide enhancements for the event itself, such as opening up networking opportunities or participating in discussions. A blog by VenturePact lists 17 mobile event apps for conferences, offering everything from mobile guides to real-time updates. 

Before you start new accounts and planning app integration however, pay attention to how these third parties will be using your attendee data. Applications like Eventbright make it easier for guests to sign up, but the company also keeps “personal information provided by you and the people registering for your events,“ writes Seth Shoultes with EventEspresso. “Eventbrite also markets to your customers after purchasing tickets. So ultimately, your client data is out of your control.” Other competing products offer similar terms. Ticket Tailor, for example, includes the ability to  “carry out retargeting advertising” as part of fulfilling the company’s legitimate interest. 

Find out what personal information the app collects and processes from attendees. Does it have internal privacy settings that individuals can adjust? Are there any privacy options you have control over, such as Whova’s options for collecting consent? If your event must comply with privacy regulations, is the app also compatible? The GDPR places the responsibility of confirming processor compliance with the controller, who may be the organizer of the event. Above all, whether you’re using Google Analytics on the event website to track visitors, or a full event application suite to support visitors, let guests know they’re in use. TermsFeed strongly advises communicating the existence and data processing of apps and third parties within the privacy notice.

“Even if you don’t collect personal information from users, but you have a third party that stores the clients’ details to process billings information, you should clearly communicate this.”

Can attendees enjoy the event without using a third-party app?

While online tools for event organizing are commonplace, not every guest will have access or be comfortable using them. Facebook, for example, has released Facebook Local, an app made for browsing events in the area. Users can’t buy tickets in-app, but Casey Newton with The Verge reports the app’s development is “a strong suggestion that’s coming soon”. If it does, this will likely raise questions and concerns on requiring Facebook accounts to attend. 

When deciding to use a third-party app, consider guest options. Will your guests need to create an account with the application to attend your event, or are other sign-up options available? If using a third-party application to collect payments, will there be other options such as a selection of more than one payment processor, or accepting cash at the door?  Apps like CrowdCompass enhance events with features like making it easier to engage in event discussions, but will there be opportunities for participation without it? Will they be comfortable trusting both you and the third party with their personal information?  Provide details on why apps are in use, and allow guests to make a selection based on their own privacy preferences.