Who Really Controls High-Value Attendee Data From Events?

Skift Take

Event tech providers take different approaches to how they collect and manage attendee data. Now, there is growing concern among organizers about how this data management may impact them down the road. Here’s what you need to know.

You know the debate around data is heating up when you receive PR emails from one platform bashing a competitor’s data management policy. Doug Emslie, CEO of Tarsus Group, even describes providers who retain user data as “barbarians at the gate.”

Providers that retain personal user data beyond the events that brought the users on the platform make the case that it helps them deliver a better user experience and richer insights. Some of the advantages promised by platforms who take this approach include the following:

1. A smoother sign-on for all events

2. More personalized recommendations and matchmaking (and better AI implementations in general)

3. Streamlined access to on-demand content across a user’s event history

4. More robust networking

But while personal data collected across multiple events (and even event brands) can be used to provide a better experience, it has also raised a lot of concern around the risk to planners. Some even speculate about the potential exploitation of user data down the road.

The sheer market value of user data means that the stakes are high. As Hugh Jones, CEO of Reed Exhibitions, put it in UFI’s organizer-led panel discussion on data, “How we handle that data as an industry will determine fundamentally the long-term viability of any data-driven growth we may come to rely upon.”

In an effort to clarify the issues and the arguments, here is a breakdown of some of the concerns that came up in an UFI-hosted debate earlier this year.


Event Data 101: The Terms You Need to Know Before We Dive In


In UFI’s initial attempt to address the Data Debate over the summer, Mark Brewster of Explori explained that attendee data generally falls into two categories of interest to event organizers:

1. Identity or personal data, which includes the individual’s name, email, company, and additional demographic information that could identify them

2. Behavioral or usage data, which includes what the participant actually does at the event — “what they click on, who they meet, what sessions they attend, how long they stay, what connections they build,” etc.

Issues of privacy and security primarily involve the first data category, and there is a long precedent of event organizers collecting it through registration systems that process the data for them.


This relationship usefully demonstrates two key roles in data management defined within GDPR legislation: data controllers and data processors.

According to an official European Union info page, the data controller determines why and how personal data is to be processed. Controllers can be any entity — individual, company, etc. — collecting data for whatever reason.

In the scenario above, event organizers are data controllers because they are both setting the purpose and selecting the method of data collection. That is, they’re collecting it for the purpose of registration by way of whatever platform they’ve chosen.

The data processor is the entity that processes the data on the controller’s behalf. In the scenario above, the tech provider is the processor.

The contract between the controller (typically the event organizer) and the processor (typically the tech provider) defines the latter’s duty towards the former. It governs decisions about, for example, what happens to the personal data a tech platform collects on your behalf after your event (that is, “once the contract has been terminated”).

This is in some sense left up to the two parties to decide, but it’s important to note that a data processor cannot use the data for anything outside of what both the controllers and the users themselves agreed to.


Where Things Get a Little Complicated

Tech platforms like Grip and ExpoPlatform say the normal way of things is for event organizers to be the sole controllers, and tech providers to be obedient processors without a vested interest in the personal data themselves. Tanya Pinchuk, the CEO of ExpoPlatform, has cemented this position in her company’s “data manifesto,” which gives exclusive control to event organizers and explicitly states that personal user data will be deleted at the end of an event’s contract.

Where’s the controversy?

What has event professionals concerned is that some event tech providers are essentially doing double-duty as both processors and controllers. In effect, they are entering into agreements directly with attendees when they sign into the platform for an event.

“I was stopped in my tracks [at] the belief that the [tech platforms] co-owned our data. […] It was a wake up call. There should be no doubt. This is Amazon going into the bookstores. This is Facebook coming after the media companies 10 years ago. We should be very clear here. The barbarians are at the gate.”

– Doug Emslie, Group CEO, Tarsus Group

By forming direct relationships and entering into user agreements with the attendees, platforms are able to retain their data beyond the duration of the event, or indeed even if the event organizer chooses to go with another platform in the future.

For example, event organizers cannot delete personal user data without first securing permission from the users themselves on platforms like Swapcard. While some take this as a sign that event organizers have handed too much control over to the platforms, Swapcard CEO Baptiste Boulard argues that it actually gives that control to attendees.

It’s worth noting that as one of the industry’s strongest competitors, Swapcard has been the primary target of these criticisms, but they are by no means the only event tech platform that retains personal user data and creates user accounts. In fact, some of the CEOs we spoke with who seemed to take a principled objection to personal data retention admitted that they wouldn’t rule it out if it became a competitive necessity.


Event organizers watching the debate may have felt alarmed by assertions of data “ownership,” but some of the controversy may be rooted in a poor choice of words.

In the UFI debate, Pinchuk’s criticism targeted a data management model “where the vendor owns and controls the data.” In contrast, her company’s “data manifesto” guarantees that event organizers are “the only controller and owner of the data.”

But the concept of ownership is a bit of a red herring. As Charlie McCurdy, president and CEO of Informa Markets, pointed out in UFI’s follow-up organizer panel, the only person who owns an attendee’s data is the attendee. Neither the event organizer nor the tech provider can own the data. Both are merely “custodians and stewards” of it.

“So let’s be clear: The customers own their data. They’re giving us consent to use the data. That’s unequivocal, that’s the law, that’s the practice, and that’s the appropriate behavior. Given that we’re receiving consent, we are stewards and custodians of this data, and it’s our duty first of all to keep it secure, and secondly, to use it only appropriately for the benefit of the customers and the marketplace that they’re active in.”

– Charlie McCurdy, President and CEO, Informa Markets

This is the crux of Boulard’s argument for Swapcard’s policy of entering data usage agreements directly with attendees, which allows them to protect their own data on a platform where they have invested in building connections with other attendees and content libraries. As such, the event organizer cannot request to have the data deleted themselves precisely because it’s not their data to remove, but per GDPR compliance, Swapcard will delete the user’s data on their request or automatically if they haven’t accessed their account in 3 years.


A Closer Look at the Arguments Against Shared Data

While there are some legitimate arguments for event organizers retaining total control, not all the arguments were created equal. Here are some of the main themes that emerged.

Shared Control Is a Reputational Liability for the Organizer

The first issue fundamentally rests on transparency. If more than one entity is contracting to collect personal data for their own purposes, they become joint controllers. While joint controllers must communicate their respective GDPR-related responsibilities to anyone whose personal data they collect, most people don’t read the fine print and don’t really realize what they’re consenting to. 

Rather, they blow through the consent forms and mash the checkboxes as they go through the various layers of an event’s tech stack, all the while believing they are entering into agreements exclusively with the event brand.

“When [customers] sign up to attend any show, [they] go through multiple third party partners that we work with. They always assume that they are really signing up to the organizer in any shape or form.”

– Lisa Hannant, Group Managing Director, Clarion Events

Therefore, any misuse of the data or failure to protect it is primarily a reputational liability for the organizer.

One solution would be to make it even clearer that users are signing up for platform-specific accounts, but in practice, the multi-partner nature of an event’s tech stack is often downplayed in the interest of a seamless onboarding. That’s why almost all platforms offer “white labelling”  as an add-on — a feature that traditionally appeals most to enterprise corporate clients. Those organizers presumably pay a premium precisely to minimize the friction and confusion of signing into third-party software.

There Is an Increased Risk of Leaks and Breaches

Of course, an event organizer’s liability is proportional to the actual risk of data leaks or breaches on the event tech platform in the first place. Given the unprecedented reliance on tech platforms, the stakes are at an all-time high.

“We are one data breach away from a disaster for our industry,” says Emslie.

One argument against having attendee data live on a platform long-term (rather than deleting it after every event) is that if a breach does ever occur, all the attendee data from all the events that have ever been hosted on it will be compromised. This has already led to increased due diligence on the part of event organizers when selecting platforms.

“A question that appears on every security questionnaire or section in an RFP is, can you explain how your data is being organized?” says Pierre Metrailler, CEO of SpotMe, adding that providers largely commit to the data architecture they lay down when first developing their product because of the cost of switching. “[They] would do a great service to their customers if they were honest about that.”

SpotMe is one platform that retains some user data for the purpose of facilitating easier logins and better access to on-demand content from previously attended events. Metrailler explains that his platform’s structural security is enabled through the segregation of its databases; the more segregated it is, the more secure it is.

“Designing your data architecture to be highly segregated is a pain to do, but it’s also much safer from a data delineation perspective,” says Metrailler, adding that providers with highly segregated data can still offer aggregated insights, but will have to work a little harder.

“Though it keeps everything more secure and isolated,” adds Carl Williams, CTO of MeetingPlay, “it makes some things like reporting across events more difficult.” If the databases are siloed per event, for example, determining how many attendees an organizer has engaged throughout the whole year requires “pulling the summary reports for each of those events and then aggregating that together.”

Aggregated insights, at least across a particular organizer’s portfolio, is a key feature of almost every platform — whether it operates as a joint controller or not. The concern that platforms like Swapcard represent a higher risk of breaches because they retain user data may be splitting hairs; most platforms keep personal user data at the organizer’s behest for the sake of community building anyway.

Platforms Don’t Actually Need Personal Information to Achieve the Benefits

Some form of data aggregation is necessary for any platform that claims to use AI effectively. When EventMB asked Aventri CEO Jim Sharpe how platforms build robust AI infrastructure, he explained that while a single event brand likely doesn’t produce enough data to power real artificial intelligence, the aggregated data of all the events on a platform would.

But Pinchuk of ExpoPlatform says you don’t actually need personal data to enable these benefits. Rather, platforms can still provide valuable insights and recommendations based purely on anonymized usage data.

Aventri’s recommendation engines, for example, operate on anonymous data. “When people with various attributes decline a connection, our AI recommendation engine learns to weigh those factors less without knowing any personal information about the person that turned it down,” says Sharpe.

Whether the user would benefit from the same level of personalization is unclear (read: unlikely) when data is anonymized in this way, but at least there seems to be some room for event organizers to negotiate the trade-off between forfeiting control of personal attendee data and gaining the benefits of aggregating user data across the platform.

And to make sure their clients are fully on board with the arrangement, some platforms like SpotMe offer this optionality a la carte:

“We actually market the analytics engine as a separate product, so that it’s super clear that the organizer actually opts into that data aggregation at the customer level. You cannot pretend you didn’t want to have it — you paid for it.”

– Pierre Metrailler, CEO, SpotMe

Creating Community Shouldn’t Enable Competitors

When it comes to generating richer insights and training a platform’s AI, you may be able to avoid collecting personal information, but this becomes much less practical for platforms that want to help organizers to build communities — and that’s where things are going, says Boulard.

“[Organizers] used to delete the data because there was no value between events. But virtual events have changed this by allowing organizers to keep the relationship with the audience. [Now organizers] can run monthly events and ongoing engagement within a community, so they don’t want to delete that data.”

– Baptiste Boulard, CEO, Swapcard

Attendee profiles must remain active to maintain engagement and build on your audience’s connections from event to event. The cumulative networking advantage is a powerful argument to return to the same event year after year. “The value of communities comes from the network effect,” says Boulard, “and you can’t build that if you delete your attendees after every event.”

But Groot challenges the need to have personal attendee data shared across event brands given what he calls “the threat of substitution” within the platform. The idea is broadly that the event landscape is becoming much more competitive, and that organizers shouldn’t participate in anything that levels the playing field with the competition.

For Groot, platforms that don’t silo attendee data by client could pose the greatest disadvantage to big industry players with large audiences.

“If you are Informa, and you’re the biggest organizer in the world, [you] are subsidizing the growth of all other event organizers that are smaller than you because you’re putting all your millions of participants onto a platform that all the others get to benefit from.”

– Tim Groot, CEO, Grip 

The most straightforward case of this is with event marketplaces like EventBrite and Hopin, which market, recommend, or connect users with competing events they haven’t yet registered for. As we covered in an earlier post, this kind of cross-marketing potential is mostly attractive to smaller event brands who could use the boost in reach. Large event brands, however, stand to lose exclusive access to their hard-won audiences.

But Boulard makes a distinction between audience acquisition and audience retention. It’s this distinction that separates platforms like Swapcard and SpotMe from platforms like EventBrite and Hopin. The former avoids alienating enterprise clients by preventing users from browsing events that they haven’t already signed up for. An attendee on Swapcard has already been won by the event organizer’s own marketing.

So if a platform just makes it easy to move between events that a user has already registered for, what’s the harm?

For Groot, a platform that allows data to be aggregated across event brands doesn’t have to be an event marketplace to confer a competitive advantage to other organizers. A platform that creates a user account that remembers the user’s login has reduced the friction for every event hosted on it going forward. Smoothing over the login process by bringing thousands of people on the platform is another way that large events make life easier for smaller events who follow in their wake, says Groot.

But this also seems like a competitive advantage that would be unlikely to have much impact on the acquisition of new customers. Normally, when people register for an event, they expect to have to log into it. Arriving on a platform that smooths out this process is a nice experiential perk, but by the time attendees encounter it, they would likely already have registered.

Many clients would probably be willing to accept what likely amounts to a minor boost to smaller competitors in exchange for the improvements to user experience. Moreover, Bouldard says there could be practical consequences for users when organizers remove their accounts on a virtual event platform without their permission. For example, an attendee who made 50 contacts in an event may lose out if an event organizer deletes their account before they have a chance to nurture those connections.

Event Platforms Might Become Audience Gatekeepers

These competitive advantages give platforms a commercial benefit by serving as a reason for more event organizers to choose them. Platform-controlled data collection also allows providers to amass a large, consistent user base, making them more attractive to investors. But for Groot and Pinchuk, this new precedent speaks to a much more fundamental concern: the shift in power from organizers to platforms.

Under normal circumstances, GDPR compliance makes it pretty tough for processors (tech platforms) to use data for anything other than the purposes explicitly indicated by the controller (event organizer). However, when tech companies themselves assume the role of controller, the organizer’s purposes and interests no longer define the appropriate use of their attendees’ data.

Effectively, the event’s attendees become the platform’s users.

The trouble, according to Pinchuk and Groot, is that once platforms have that data, they may be tempted to deviate from their standard business models in a way that abuses the user’s trust or disadvantages event organizers.

“There is a risk the technology platform will change the nature of their business and become the event networking platform, where all organizers are just renting a space,” says Pinchuk. “Organizers buy now, but pay forever with their data.”

Groot also sees the rapid valuation of platforms like Hopin as a testament to the existence of a slippery slope. In a similar vein to Doug Emslie of Tarsus, Groot likens the shift in power dynamic to the situation with “the media industry” and its impact on content producers.

“There is no value in content anymore. All the value sits with the Facebooks, the Twitters, the Googles. They’re the ones with huge valuations, and it’s because there is no longer a direct relationship between the reader and the publisher. There is a very similar trend where platforms are trying to establish themselves as a kind of gateway between the event participants and the event organizers. Establishing [the platform as a] co-controller and giving up your ownership enables this sort of end game.”

– Tim Groot, CEO, Grip

Event organizers may feel nervous about the prospect of feeding a database they can’t control, but platforms like Swapcard cannot just use the data for whatever they want. They are governed by the purposes explicitly set out in their contracts with event organizers and in their individual user agreements with attendees. “We always have an open discussion regarding data [with our clients], and we are bound by these agreements,” says Boulard.

Moreover, while some might criticize platforms for trying to achieve a better valuation through growing their user base, Boulard points out that venture capital fundraising somewhat cements the nature of the business:

“Running an event and being a platform is very different. [Organizing events] is not my core business. I have VCs behind me; we cannot change [our business model] unless it’s fully in the consent of everyone. […] If we disrupt [our clients], we lose all our revenue, and so that’s definitely the opposite of what we want.”

– Baptiste Boulard, CEO, Swapcard

Groot agrees that it’s very unlikely a venture capitalist will show up and overhaul a tech platform’s raison d’etre, but he nevertheless holds that “as an organizer, anything other than complete ownership is a devaluation of the relationship that you have with the customer.”


To meet new engagement requirements and survive the increasingly competitive landscape, Groot believes that many event brands will ultimately have to consider a subscription or membership model. Retaining exclusive control of their attendee data is central to that strategy: “Allowing a platform to become a co-controller of that data [undermines] one of the most fundamental assets [organizers can] leverage into a sustainable competitive advantage.”


Protect Yourself at the Contract Level

“We have a covenant of trust with our customers to handle and look after their data properly,” said Emslie, but even industry heavy-hitters like Tarsus Group don’t always have firm expectations for their data formalized in their contracts with providers.

At a certain point, the evolution of event tech will set new standards for the user experience, and all providers will have to adapt in order to compete in delivering what users want. Attendees, or ‘users’ from the platform’s perspective, are the ultimate stakeholders.

But in the meantime, your contract is what will govern your provider’s duties to you and your attendee data. “The only genuine way to prove that the data will not be used in any other way [is] to have this written in our agreement,” says Pinchuk.

“Awareness is critical,” adds Tim Groot, CEO of Grip. “And I think that organizers need to invest in independent advice from data consultants in order to really understand what the different positions are.” Event organizers need to have a full understanding of the differences between each approach, “and it needs to be written into the contracts and clearly communicated with clients.”



Whether you’re trying to respect the greater user journey on the tech platform you’ve chosen, or you’re just trying to build a community around your own event, odds are that your provider is retaining your attendee data on the platform. The real issue is around control, and whether the platform’s intention for that data is to your disadvantage.

Platforms that double as processors and controllers do enter into data management agreements with your attendees directly, but they’re generally pretty transparent about what they will use the data for. They have to be for the sake of their contracts. Not only are they firmly bound by those terms, says Boulard, but it wouldn’t be in their own best interest to alienate their sources of revenue or their investors.

And while there is some concern that event platforms might go rogue empowered by your data, the risk of it impacting your business on an ongoing basis can be managed through your contracts. At the end of the day, you have a right to know what is happening with your data, but also a duty to do your due diligence and familiarise yourselves with your contracts. Make your expectations clear and make sure your contract describes terms that don’t leave room for an outcome you’re not comfortable with. If your platform is entering into agreements directly with your attendees, ask to see those user agreements.

And finally, if you don’t feel comfortable or qualified to assess the risks at hand, there are plenty of providers who vocally differentiate themselves precisely on the grounds that they give you total control. Just keep in mind that if there is a business case to switch their data management approach, they may very well convert. It’s important to check your contracts every time you enter into them.