Attendee Data Shared With Event Organizers

What it is

When you sign up for an event on Eventbrite, your name, email, and registration details are sent directly to the person or company running that event, and they can use your data under their own privacy rules, not Eventbrite's.

Why it matters (compliance & governance perspective)

Your personal information leaves Eventbrite's control and goes to a third party whose privacy practices you may not have reviewed, potentially exposing your data to uses you did not anticipate.

Consumer impact (what this means for users)

Attendees' registration data including names, email addresses, and ticket information is transferred to event organizers who operate under their own privacy policies, meaning Eventbrite's protections do not govern what organizers do with that data after receipt.

What you can do

Institutional analysis (Compliance & governance intelligence)

1. REGULATORY LANDSCAPE: This provision implicates GDPR Articles 13 and 14 regarding transparency obligations when data is shared with third-party controllers, and CCPA/CPRA disclosure requirements for third-party data sharing. Where organizers qualify as independent data controllers under GDPR, Eventbrite's obligations shift to ensuring transparent disclosure rather than controlling downstream use, but the adequacy of that disclosure may be assessed by EU supervisory authorities. The FTC may evaluate whether the disclosure is sufficiently prominent to avoid being characterized as deceptive under Section 5 of the FTC Act. 2. GOVERNANCE EXPOSURE: High. The transfer of attendee personal data to event organizers as independent controllers is one of the most significant data governance risks in this policy. The organizers may span an enormous range of entities with widely varying data practices, and Eventbrite's policy explicitly disclaims responsibility for organizer data use, creating a structural gap in data protection continuity that compliance teams and privacy-sensitive consumers may find material. 3. JURISDICTION FLAGS: EU and UK users face heightened exposure because GDPR requires that data subjects be informed of the identity of joint or independent controllers receiving their data, and the policy's general reference to 'event organizers' without specific identification may not satisfy Article 13 requirements in all cases. California residents have the right to know the categories of third parties with whom their data is shared, which this policy addresses at a category level but without identifying specific organizers. 4. CONTRACT AND VENDOR IMPLICATIONS: Organizations procuring Eventbrite for corporate events should assess whether their employees' registration data being shared with Eventbrite and potentially with co-organizing third parties creates obligations under their own internal data handling policies or vendor agreements. Eventbrite's terms with organizers regarding data use are not publicly disclosed in this policy, creating a due diligence gap. 5. COMPLIANCE CONSIDERATIONS: Legal teams should evaluate whether the consent or notice provided to attendees at the point of registration is sufficient to satisfy transparency requirements under GDPR and CCPA, and whether a layered or just-in-time notice referencing the organizer's privacy policy is implemented. Data mapping exercises should account for the organizer transfer pathway as a separate data flow with its own legal basis and disclosure obligations.

Applicable agencies

Provision details

Other risks in this policy

• Behavioral Advertising and Data Sale Opt-Out high
• Broad Personal Data Collection Scope medium
• Children's Privacy Restriction medium
• International Data Transfers medium
• User Privacy Rights (Access, Deletion, Portability, Correction) medium
• Data Retention low