Event Compliance Guide: GDPR, SOC 2, PCI, Accessibility, and Fundraising Rules for Event Organizers
Learn why GDPR, SOC 2 Type II and other regulations matter for your event and what they mean for your organization.

Event compliance is a legal matter, but you can’t ignore the trust factor either.
When someone registers for a race, buys a ticket, donates to a campaign, joins a fundraising team, signs a waiver, purchases merchandise, or volunteers, they are giving the organizer more than a transaction. They are giving personal information, payment details, communication preferences, and sometimes sensitive context about their health, accessibility needs, family, employer, or charitable giving.
The goal of this article is to provide education on some of the most relevant compliance and regulatory matters event organizers need to care about; it does not constitute legal advice. Event organizers should work with qualified counsel or compliance professionals to understand their specific obligations, but this serves as a starting point for understanding the very basics.
Why event organizers should care about compliance
Events capture a massive volume of sensitive data, including names, birth dates, payment details, and accessibility needs, in very short time windows. Risk is inherent in any data collection process, but not all risk is the same. In fact, it’s significantly increased when your participant or attendee data is scattered across disconnected tools for registration, donations, and waivers.
Outsourcing software does not remove your responsibility as an organizer. A strong platform can support compliant operations, but organizers still need to make sound decisions about what they collect, why they collect it, who can access it, how long they keep it, and how they communicate with participants, donors, volunteers, and supporters. haku enables you to manage your data safely and securely. You can learn more in our privacy policy and trust center.
GDPR and international privacy laws
The General Data Protection Regulation (GDPR) is the premier global standard for privacy, applying to personal data processing within the European Union and extending to international organizations that monitor or provide goods and services to EU residents. A core concept for event organizers is the distinction between the data controller, who determines the "why" and "how" of processing, and the data processor, who handles the data on the controller's behalf.
In practice, event organizers act as controllers by deciding what data to collect on registration, donation, or ticketing forms. Technology providers then function as processors by handling that data according to the organizer's instructions, though platforms may also act as controllers for their own security or product analytics purposes. GDPR compliance is crucial for endurance events attracting international athletes or marketing in the UK/EU, and for nonprofits with international volunteers, sponsors, or donors.
Questions for organizers to consider:
- What specific personal data is being gathered, and what is its purpose?
- Is every piece of information truly necessary, or is it collected out of habit from legacy forms?
- Do privacy notices provide a transparent explanation of how donor, volunteer, and participant data is managed?
- Are there mechanisms for individuals to access, amend, remove, or object to the use of their data?
- Have vendors clarified their roles as controllers, processors, or both?
- Are marketing tools, pixels, and cookies configured correctly for every region served?
Organizers in the United States should note the significant transatlantic differences in regulation. The GDPR and UK GDPR often impose more rigorous structural requirements than many US state laws. Relying solely on a US-focused privacy strategy may be insufficient for events involving participants or marketing activities in the EU or UK.
haku’s privacy policy states that haku complies with the EU-U.S. Data Privacy Framework regarding the collection, use, and retention of personal information transferred from the European Union to the United States.
CCPA, CPRA, and US state privacy laws
In comparison to Europe, U.S. privacy regulation is increasingly state-driven. Beyond California's CCPA and CPRA, numerous states have established laws based on revenue, data volume, and consumer location.
For organizers, these laws apply wherever participants or donors reside, regardless of the event's physical location. A single race or fundraiser can trigger obligations across multiple jurisdictions simultaneously. Because requirements differ by state, organizers must not assume that a uniform approach to privacy will always work.
Key inquiries for event organizers:
- Are we aware of the geographical distribution of our supporters, donors, and participants?
- Is there an established protocol for addressing requests regarding data privacy?
- Does our current platform provide the necessary tools to delete, export, correct, or access personal information as mandated?
- Is the retention period for various data classifications clearly defined and understood?
- Have we identified the sub-processors and vendors who might be handling event-related data?
haku's platform is designed to help organizers manage varied data privacy obligations across multiple US states or internationally by providing the tools to address individual data rights requests (access, deletion, correction, etc.) and by vetting all sub-processors. Learn more in haku's Privacy Policy.
SOC 2 Type II
SOC 2 is an audit and reporting framework, not a law, designed to assess controls at service organizations. In particular, technology providers that store, process, or transmit customer information can be audited against the SOC 2 framework. For event organizers, SOC 2 Type II is relevant because it covers the critical operations your platform facilitates, such as registration, fundraising, logistics, and financial oversight.
It is crucial to distinguish between Type I and Type II reports: Type I assesses control design at a specific moment, while Type II measures both the design and the operational effectiveness of those controls over a set period. Type II means that not only does a company have a plan, but that they successfully follow it over the course of their evaluation period.
These reports are organized around the Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy), with the professional standards maintained by the AICPA's SOC Suite of Services.
Key considerations for organizers evaluating vendors:
- Is a SOC 2 Type II report available from the vendor?
- Which specific Trust Services Criteria were assessed?
- What was the duration of the review period?
- Which firm conducted the examination?
- Is the report accessible for customer review under an NDA?
- How are internal processes like incident response, access management, and vendor risk handled?
On April 30, 2026, haku confirmed the completion of its SOC 2 Type II audit, scrutinizing controls related to Privacy and Security Trust Services Criteria.
This achievement is significant for nonprofit and endurance organizers, as event technology often serves as the hub for donor, participant, and payment data. While the report does not grant automatic compliance to the organizer, it offers a robust framework for performing thorough vendor due diligence.
PCI and payment security
Financial transactions are central to most events, spanning registrations, donations, and merchandise sales. To safeguard this sensitive data, organizers must adhere to standards established by the PCI Security Standards Council.
Using a third-party processor does not eliminate an organizer's responsibility. It is essential to understand how payment data is handled, who has access to financial reports, and how disputes or refunds are managed.
Consider these key questions for your organization:
- Who is the payment processor?
- Does the platform store card data or use a dedicated provider?
- How are refunds, chargebacks, and reconciliations managed?
- Which team members can access financial reports?
- Are workflows consistent across registrations, donations, and merchandise?
- Can finance teams reconcile transactions without unnecessary data exports?
As outlined in haku’s privacy policy, organizers determine the payment methods and data collected from participants, while haku collects necessary financial information from organizers to facilitate secure payments and tax compliance.
Accessibility, ADA, and WCAG
Accessibility is a fundamental requirement that ensures everyone can participate in an event. It encompasses both digital experiences, such as registration forms, donation pages, and checkout flows, and physical environments, including venue access, route planning, and signage. To support inclusive participation, organizers should align digital content with WCAG 2.2 standards and ensure physical locations comply with ADA requirements.
Organizations like Level Access also help to make digital touchpoints for endurance events more accessible for people with disabilities.
Organizer questions to ask:
- Can someone register, donate, buy a ticket, or complete checkout using assistive technology?
- Are forms, buttons, labels, contrast, error states, and keyboard navigation accessible?
- Are PDFs, maps, packet pickup instructions, and race day guides usable for people with disabilities?
- Do we provide a clear way to request accommodations?
- Do staff and volunteers know how to handle accessibility requests respectfully?
- Do our vendors test against WCAG or other recognized accessibility standards?
CAN-SPAM, TCPA, consent, and event communications
Event communication is diverse, ranging from operational messages like registration confirmations and results to marketing and fundraising appeals. Organizers must manage this mix while complying with federal regulations.
The CAN-SPAM Act governs commercial email, establishing rules for sender identification and granting recipients the right to opt out of commercial messages. Detailed compliance guidance is available from the Federal Trade Commission.
For SMS and calls, TCPA rules apply, emphasizing that the burden of proof is on the sender to demonstrate that applicable consent was obtained, as outlined in the Federal Register on TCPA rules.
Charitable solicitation and fundraising rules
Nonprofits likely already know about the charitable solicitation and fundraising rules they need to follow, but these impact endurance events as well. For example, endurance events involving charity bibs or peer-to-peer fundraising campaigns can trigger state-specific registration and reporting obligations.
The IRS recommends checking state requirements before soliciting, as many jurisdictions require formal registration. Additionally, state laws often impose specific rules for activity involving paid solicitors and fundraising counsel.
Be sure to ask yourself:
- Are we registered for charitable solicitation where required?
- Do donation pages include necessary disclosures?
- Are donor receipts and tax language accurate?
- Have paid solicitors, partners, or peer-to-peer activities been reviewed for compliance?
- Are auctions, raffles, and games of chance reviewed separately?
HIPAA and health-related information
HIPAA is often misunderstood in the event space; it is a US health regulation that primarily applies to covered entities and business associates regarding the electronic exchange, privacy, and security of health information.
Organizers should exercise caution with health details like medical conditions or emergency contacts, adhering to the principle of data minimization to collect only what is necessary for safe operations.
How haku helps organizers run better events in a compliant way
By consolidating your events operations into one platform, haku helps you eliminate the risks of scattered data and disconnected systems. This unified approach enables stronger workflows and cleaner data governance, ensuring a more trusted experience for every participant and donor.
Organizers gain peace of mind through haku's transparent framework for managing individual data rights and secure processing. Further building this foundation of trust, our SOC 2 Type II Announcement confirms that haku maintains the highest standards for security and privacy, giving organizers a robust basis for their vendor due diligence.
Final takeaway
People do not sign up for a race, buy a gala ticket, or donate to a campaign because they are excited about compliance. But compliance does shape whether they can trust the experience.
Strong compliance practices help organizers protect data, respect preferences, process payments safely, support accessibility, manage fundraising obligations, and keep teams aligned during high-pressure moments.
For endurance events and nonprofits, that trust is part of the event itself.
Ready to run more connected, trusted, and compliant event experiences? Request a demo to see how haku can help.
