Providing Your Attendee List as a Sponsorship Offering is Against the Law
I have spent 20+ years working in federal privacy legislation. And despite having a new love and passion here in the events industry I can't seem to get away from my privacy background. It is ingrained in me and when I see a privacy violation it jumps out at me.
When working with a new client and reviewing their sponsorship prospectus I noticed that the attendee list was one of the sponsorship offerings. An attendee list as a sponsorship offering is against the law. I reviewed their registration form and there was no advisory for attendees that their information was going to be shared. And there was no opt out check box.
When I raised the issue with the client she said that no other planner had ever mentioned this as an issue before so why is it an issue now. I explained that this was not new and it was because of my background that I noticed it right away and that by "selling" the attendee list they were violating privacy laws. Thankfully at this point registration had only just begun and we were able to add an opt-in box.
Selling your attendee list as part of your sponsorship package is illegal
I can hear it now, "But our sponsors want that list!". I understand but unfortunately selling your attendees' information to your sponsors is against the law. My background is in the federal legislation here in Canada but the same rules apply provincially. And if you are reading this in another country there is a good chance that your privacy legislation has the same requirements for protection of personal information.
What the legislation generally says is that no one's personal information should be shared without their knowledge. Essentially, a person should have the right to choose who gets access to their personal information.
Remove your event planner hat for a moment and think about this as a member of the general public. If you were attending an event in your neighbourhood, a trade show for example, and following the show you were suddenly bombarded with email marketing from 10 of the companies that were there, how would you feel? You don't remember talking to them at the show so how did they get your email? You didn't give them permission to spam you with their hottest trends and deals? Then suddenly your phone rings, and it's one them. How did they get your number?
This is what happens when we sell our attendee lists to our sponsors. They are paying you to get access to the direct contact information for everyone who attended the event. Once you share it with them, there is really nothing you can do to stop them from using it how they wish. You have made the personal information of your attendees public.
10 Privacy Principles
Canada's newest legislation provides us with the following 10 principles that we must follow when dealing with personal information. These principles can be used as a guide pretty much anywhere in the world.
- Accountability - someone within your organization must be responsible for the management of personal information
- Identifying Purposes - when gathering personal information you must tell the individuals why you are collecting their personal information
- Consent - you must have the individual's consent to gather their personal information
- Limiting Collection - you can only collect the personal information that is required to do what you need to do with it (I will address this some more below)
- Limiting Use, Disclosure, and Retention - once you have collected the information you can only use it for exactly what you said you would use it for, you can only disclose it to who you said you would disclose it to and you must destroy it when and how you said you would when you collected the information (yes, this means you must be telling them all of this when you collect their information)
- Accuracy - it is your responsibility to make sure that the information you have about them is accurate
- Safeguards - you must provide the appropriate safeguards to protect their personal information
- Openness - you must be open and transparent about how you collect personal information, for what purpose and how you safeguard and dispose of their personal information
- Individual Access - should anyone want access to the personal information you hold about them you must provide it to them
- Challenging Compliance - if any individual is not happy with how you collected their information, shared it or that you denied them access to their personal information, they can submit a complaint with the Privacy Commissioner's office (in Canada)
Although most of these principles are self explanatory I want to review a couple of them in more detail.
Consent - The law says that you must have consent to collect personal information. What this means is that you can only collect an individual's personal information if you have their permission to do so. Permission can be given with a simple check mark or by requiring a signature. (There is lots more to this but I don't want to bog you down with details here. If you have more questions about this please feel free to reach out)
Limiting Collection - This is a big one. You are only allowed to collect the personal information you NEED in order to complete the purpose. Someone is buying tickets to your event. They will receive the tickets immediately via email once they make their online payment. Do you NEED to have their mailing address to complete that transaction? Nope. You need their name and their email address. When creating your registration page be sure to assess each line to make sure that it is information that you actually NEED.
Want and nice to have are very different from need.
Challenging Compliance - Legislation can be very intimidating...and dry... But you have to remember that this is the law. Taking the time to put systems and processes in place now is much less time consuming and stressful then trying to explain to an investigator from the Commissioner's office why you didn't do it in the first place. The legislation has been around long enough now that "but I didn't know" is not really working as an excuse anymore.
Now, I know that providing that list of attendees is key to securing some of your big sponsors. I get it. There is a way to do that and be in compliance with the law; have an opt-in check box on your registration form. On your registration form include a description of why you would like to share their information and with who. Be honest and straight up. And make sure the language you use is clear and concise. No tricking people into agreeing.
Sample text
Here is an example of some verbiage you can use on your form. Feel free to use it for your forms.
I agree to my name and email address [insert what information is being shared, remember to only share exactly what is necessary] being shared with the Platinum and Premium Sponsors [change this to reflect which sponsors, even better if you can include the exact name of the companies] of the [insert name of the event] taking place on [insert event dates]. I understand that my information is being shared so that the above named sponsors can contact me following the event to promote their business and services [if this information is being shared in advance of the event be sure to specify that and adjust the text to match the purpose].
You can certainly offer an opt-out option, instead of the opt-in. However I do believe that it is a bit of a less honest way of getting what you want. Asking people to opt-in will certainly reduce the number of people on the list but those people will be on the list because they really do want to be contacted. Encouraging your sponsors to see the reduced list as a more direct sales line should be easy. No sense wasting time on people who don't want to talk to them anyway.
Seth Godin, This is Marketing
Seth Godin talks about permission marketing in his book This is Marketing. This marketing concept is right in line with the legislation. And if you think about it, it's just common sense and good business practice. Here are a couple of quotes from this section of the book that I love and I hope resonate with you and help to make this privacy concept make sense to you.
"Real permission is different from presumed or legalistic permission. Just because you somehow get my email address doesn't mean you have permission to use it. Just because I don't complain doesn't mean you have permission. Just because it's in the fine print of your privacy policy doesn't mean it's permission either."
"Permission doesn't have to be formal, but it must be obvious. My friend has permission to call me if he needs to borrow five dollars, but the person you meet at a trade show has no such ability to pitch you his entire resume, even though he paid to get in."
"In order to get permission, you make a promise. You say, "I will do x, y, and z; I hope you will give me permission by listening." And then - this is the hard part - that's all you do. you don't assume you can do more. You don't sell the list or rent the list or demand more attention. You can promise a newsletter and talk to me for years, you can promise a daily RSS feed and talk to me every three minutes, you can promise a sales pitch every day (the way internet retailer Woot does). But the promise is the promise until both sides agree to change it. you don't assume that just because you're running for President or coming to the end of the quarter or launching a new product that you have the right to break the deal. You don't."
If you are getting ready to launch your sponsorship program be sure that you have reviewed your offerings and are making sure that any information you have agreed to share, specifically personal information, is being done legally. And really, it is just common sense and good business practice.
I know this is a heavy topic but it's essential. If you need more information and would like to chat about this in more detail please don't hesitate to contact me. I am also happy to provide consulting services on the potential privacy weaknesses at your event. Let's make sure you are meeting the requirements of the law.