US California Privacy Protection Agency fines GoFan $1.1m for selling high-school students' data
Ticketing services in California must provide a lawful opt-out from the sale of personal information, including when access to an event depends on completing an in-app purchase flow. “Agree-to-proceed” consent screens without an opt-out are treated as noncompliant in this context.
Change
US California Privacy Protection Agency fined GoFan $1.1m after finding the ticketing service forced users to click a mandatory "agree" button that blocked opt-outs and sold high-school students' personal data to advertisers.
Why it matters
Companies that collect personal information from captive audiences in California must now provide clear, lawful opt-out routes and truthful, annually updated privacy notices. Enforcement creates a compliance constraint: consent gates that prevent opt-outs or produce false privacy statements are subject to penalties.
Implications
- — Online ticketing platforms' product and legal teams must remove mandatory consent gates and implement at least two distinct opt-out mechanisms for California residents or face enforcement fines by the California Privacy Protection Agency.
- — Privacy compliance teams at companies that collect or sell Californians' personal data must annually update privacy policies to accurately disclose data-sales practices and enable deletion and opt-out rights or risk regulatory penalties.
Unlock the decision layer.
Know what's at risk and what to do next.
- Implications: What this forces you to change — operations, exposure, or compliance.
- Who is affected: Which roles, contracts, and obligations are exposed.
- What to watch: Binding deadlines and enforcement dates.
- Real-time alerts: Delivered the moment a binding change is published.
- Ask AI: Ask what this means for your specific role.
No credit card · 14-day trial · Active in seconds
Unlock the decision layer