California's CPPA fines GoFan $1.1m for selling high-school students' data
Change
California's CPPA fined ticketing company GoFan $1.1 million on 27 February for requiring students to click a mandatory "agree" button that collected and sold personal information from users signing up for school events and for falsely stating its website did not sell data.
Why it matters
The CPPA's order enforces requirements that companies provide lawful opt-outs and accurate privacy disclosures, tightening compliance obligations for services used in captive-audience settings such as schools. Vendors that rely on single-button consent or outdated privacy notices now face heightened enforcement risk and must change data-collection and disclosure practices to remain lawful.
Implications
- • Ticketing platform operators serving K–12 schools must implement at least two distinct opt-out mechanisms for the sale of personal data and stop relying on mandatory single-button consent flows.
- • Online ticketing vendors must update and publish privacy policies annually and explicitly disclose whether they sell personal information.
Unlock the decision layer.
See what the change means — implications, exposure, timing — and ask AI about any brief instantly.
- Implications: What actually changes downstream.
- Who is affected: Which teams or operators are exposed.
- What to watch: Deadlines, triggers, and next moves.
- Real-time alerts: Know the moment a change is published.
- Ask AI: Clarify any brief instantly, in context.
14-day free trial. Full access. No credit card required.
Start free trial
Source
Topics