A website that allows users to create, promote and sell tickets to events has apologised to users for a clause in its terms of service that allowed it to attend, film and use the footage for its own purposes.
Eventbrite hosts more than 2m events a year, ranging from small free gatherings of friends to large paid-for conferences.
Buried near the bottom of the website’s 10,000-word merchant agreement was a section titled “Permissions you grant us to film and record your events”. It gave Eventbrite wide-ranging powers to use private events for its own purposes, including in adverts for the site.
The terms and conditions also allowed the company to film behind the scenes as an event was being set up or packed away, and required event hosts to obtain, at their own expense, all the “permissions, clearances and licenses” required to allow Eventbrite to do what it wanted, and left the question of whether it had to even credit performers or hosts “in its discretion”.
The clause, which affected the British version of the site as well as the American, was added to the merchant agreement at the beginning of April, but it took until Friday for user Barney Dellar to bring the rights grab to wider attention.
Eventbrite apologised for the clause on Sunday night, and removed it from its site. A spokeswoman told the Guardian: “Earlier this month we made an update to our terms of service and merchant agreement that would allow us the option to work with individual organisers to secure video and photos at their events for marketing and promotional purposes.
“We’ve heard some concerns from our customers and agree that the language of the terms went broader than necessary given our intention of the clause.
“We have not recorded any footage at events since this clause was added, and upon further review, have removed it entirely from both our terms of service and merchant agreement. We sincerely apologise for any concern this caused.”
Many companies are rushing out large updates to their terms of service in the runup to 25 May, the enforcement date for Europe’s general data protection regulation (GDPR), which strengthens individuals’ data protection rights.
In the last week, Facebook, Tumblr, and Airbnb have all notified users of their new terms of service.
Q&A What is GDPR?
The European Union's new stronger, unified data protection laws, the General Data Protection Regulation (GDPR), will come into force on 25 May 2018, after more than six years in the making.
GDPR will replace the current patchwork of national data protection laws, give data regulators greater powers to fine, make it easier for companies with a "one-stop-shop" for operating across the whole of the EU, and create a new pan-European data regulator called the European Data Protection Board.
The new laws govern the processing and storage of EU citizens' data, both that given to and observed by companies about people, whether or not the company has operations in the EU. They state that data protection should be both by design and default in any operation.
GDPR will refine and enshrine the "right to be forgotten" laws as the "right to erasure", and give EU citizens the right to data portability, meaning they can take data from one organisation and give it to another. It will also bolster the requirement for explicit and informed consent before data is processed, and ensure that it can be withdrawn at any time.
To ensure companies comply, GDPR also gives data regulators the power to fine up to €20m or 4% of annual global turnover, which is several orders of magnitude larger than previous possible fines. Data breaches must be reported within 72 hours to a data regulator, and affected individuals must be notified unless the data stolen is unreadable, ie strongly encrypted.