US California Privacy Protection Agency fines GoFan $1.1m for selling students' data

The Guardian
Change
US California Privacy Protection Agency fined GoFan $1.1m for collecting and selling personal information from high-school students who were required to click an 'agree' button with no opt-out when signing up for school events.
US California Privacy Protection Agency fines GoFan $1.1m for selling students' data
Why it matters
The order blocks the use of forced-consent purchase flows for captive school audiences and requires firms operating in California to provide functioning opt-out mechanisms for data sales. It also establishes that inaccurate or outdated privacy policies that conceal data-selling practices can trigger enforcement and statutory deletion obligations under state law.
Implications
  • Online ticketing platform operators serving California users must implement at least two functioning opt-out methods for the sale of personal data.
  • Operators that use captive purchase flows must redesign checkout processes so users can obtain tickets without consenting to data sales.

Unlock the decision layer.

See what the change means — implications, exposure, timing — and ask AI about any brief instantly.

  • Implications: What actually changes downstream.
  • Who is affected: Which teams or operators are exposed.
  • What to watch: Deadlines, triggers, and next moves.
  • Ask AI: Clarify any brief instantly, in context.

14-day free trial. Full access. No credit card required.

Start free trial
Source

The Guardian

Topics

Regulatory Actions Compliance Data Privacy

Stay updated

Don’t check for changes.
Get them as they happen.

Get real-time alerts for executed changes, a daily briefing of what matters, and a weekly summary to stay on top — without having to check constantly.

Start free trial

14-day free trial. Full access. No credit card required.