With GDPR (EU’s new data privacy regulation) in place starting May of 2018, and even companies like Facebook and Google not getting out fine-free, it’s clear that all event marketers will have to be hyper-conscious moving forward with every event they host and every piece of guest data they capture.
However, with any new regulation comes a lot of uncertainty and a lot of questions. How does GDPR affect badge scanning? How does it affect sponsorships and sharing lists? How do you track opt-outs when you have to comply with “the right to be forgotten”?
To help you navigate this new-to-all-of-us GDPR era, we’ve gathered the most common GDPR questions we’ve received from our customers.
For a more in-depth look into how GDPR affects event marketers, download our free guide, The Uncomplicated Guide to GDPR and Event Marketing.
Legal Disclaimer: One Clipboard, Inc. d/b/a Splash provides this blog post for informational purposes only and not as legal advice. Splash cannot determine whether or not the European Union’s General Data Protection Regulation (“GDPR”) applies to you or your organization, and following the compliance steps contained in this blog post does not guarantee compliance with the GDPR. Splash is not a law firm, and the information in this blog post is not a substitute for the advice of an attorney.
1. Do I need to obtain consent if I’m sending emails that are simply transactional (e.g., invoices and confirmations) and not promotional?
You do not need consent to send invoices and other transactional emails to your customers, if they are directly related to the service/product they opted in for.
A permission pass is a one-time double opt-in email campaign. It’s sent to all the contacts in your database who haven’t officially confirmed their subscriptions.
GDPR doesn’t only apply to contacts added after May 25 — it applies to all existing EU contacts in your database. If the contacts in your database have already appropriately given you consent — and you have history and records of all consent — you do not need to obtain consent again.
If you have not received consent that’s compliant with GDPR, you will have to collect consent again.
3. If I’m a sponsor or partner of an event and receive a list of leads, do I have to get everyone on my list to opt in or can I add them to my database and market to them immediately?
First things first: For the event host to be compliant, they must be upfront about data usage and obtain consent for any partners who will be receiving their data (with a checkbox on the registration form). Those EU attendees have to proactively agree that they want to receive emails from sponsors or partners. Also, make sure to check with the host to verify they have obtained consent.
But you’re still responsible for your own database (on the off-chance the host does not comply).
You must follow up with an email to the list of leads explaining the purpose and usage of their data simply and clearly. (You don’t necessarily need to ask them to opt in, but it's never a bad thing to double-check and provide a clear and easy opt-out.)
4. Does GDPR apply to EU residents who go to an event outside the EU? For example, if someone from France goes to an event in San Francisco, do I still have to add consent captures on all of our registration forms?
GDPR defines personal data as any information related to an individual or “data subject” in the EU that can be used to directly or indirectly identify the individual. So if your attendee resides in the EU, but their data is processed and stored outside the EU, you still need to obtain consent. To be safe, you should proactively obtain consent on all your registration forms.
In retargeting, cookies or device IDs are still considered “personal data” under GDPR. To gain consent, you should include language in your privacy policy that outlines the use of personal data for retargeting purposes and/or include a site banner that indicates the site collects cookies.
6. If badges are scanned at an event, is this implied consent or does the booth exhibitor need to obtain consent via email?
You don’t necessarily have to obtain consent for direct marketing purposes like badge scans or business card exchanges, but it's a good practice to tell the person how you'll be using their information (sales follow-up, add to mailing list, etc.). Under Legitimate Interest, you can contact prospects, but you must provide the person with notice that you have their data, and explain the purpose and usage of their data (within the first 30 days of reaching out).
7. If we delete someone in our database at their request, it’s difficult to track who has actually opted out. How do you suggest managing this?
If they ask to be deleted, they are invoking their right to be forgotten. Therefore, some companies are choosing to anonymize the person’s personal data instead of deleting it. This means that any data that can be tied back to that individual needs to be masked so no one can tie the data back to the specific individual.
Of course, if you anonymize the person it will still be difficult to track who asked to be deleted — but you can at least retain the measurable data you want to keep intact. And the person’s identity will not technically “exist” in your database if you were ever to be audited.
8. Is there explicit guidance on whether it needs to be opt-in (check to give your consent) or opt-out (check if you don't want to give consent)?
Consent needs to be opt-in. You shouldn’t have a consent box pre-checked; the person should have to check the box to opt in.
When individuals request their personal data to be erased, controllers should be transparent with them about what will happen to the backups.
10. What are the implications of contacting someone by accident when they already opted out? Any tips to avoid this?
We all make mistakes. Though it is unlikely that accidental non-compliance would result in the maximum fine, the best way to avoid penalties is to be proactive and vigilant with regard to compliance.
Brett Boskoff is the Co-Founder and CTO of Splash, the leading event marketing platform. Brett leads the engineering and product teams at Splash and is committed to growing, building, and innovating the platform. In his spare time, he enjoys kicking rocks down the sidewalk and tending to his ant farm.