Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
from Adam EchelmanCalMatters
This story was originally published by CalMatters. Sign up for their newsletters.
Before they could attend school football games or school plays, high school students in California had to provide their personal information to ticketing platform GoFan, which then sold that data to advertisers, state privacy regulators said. Parent company PlayOn, which contracts with roughly 1,400 California schools, repeatedly violated the state’s privacy law in 2023 and 2024, according to January disciplinary order submitted by the state agency for the protection of personal data.
California’s privacy protection agency, sometimes known as CalPrivacy, announced the order Tuesday, saying it fined PlayOn $1.1 million for failing to give students and families a way to opt out of data collection.
PlayOn offers a suite of online products that coordinate ticket and merchandise sales for schools and youth sports organizations, along with other services such as fundraising and streaming. Its subsidiaries include GoFan, MaxPreps and NFHS Network, which are used by school districts stretching from Los Angeles and San Diego to Modoc, Mono and Sierra counties, the warrant said. The company’s annual gross revenue is over $26 million.
When users tried to access tickets for school events through one of PlayOn’s platforms, GoFan, a pop-up appeared that prompted the ticket holder to agree to the company’s privacy policy, which allows the sale of personal data. There was no way to say no, the order read: the pop-up blocked the screen so it was impossible to access the ticket without agreeing to the company’s terms.
“Students trying to get to prom or a high school football game shouldn’t leave their privacy rights at the door,” said Michael Mako, CalPrivacy’s chief of enforcement, in press release on Tuesday. “You couldn’t attend these events without showing your ticket, and you couldn’t show your ticket without being tracked for advertising. California privacy law doesn’t work that way. Businesses need to ensure they offer legal ways for Californians to opt out, especially with a captive audience.”
PlayOn “admits no liability for any violation” of state law, according to the disciplinary order, which effectively functions as a settlement agreement. The order also noted that the company significantly changed its privacy policy in December 2024, allowing users to opt out of data collection, bringing the company into compliance with state law. Those data privacy issues have since been “fully resolved,” James Dickinson, the company’s senior vice president of marketing, said in an email.
The fine is the first time the state privacy agency has prosecuted a company for violating the rights of students and schools, according to the press release. The agency was created in 2020 when voters endorsed it statewide offer calls for stronger enforcement of data privacy laws.
Exceptions to California Privacy Law
California has some of the strictest data privacy laws in the country, including a landmark 2018 law that requires large for-profit companies to provide consumers with a relatively easy way to opt out of data collection or delete their data.
However, enforcing the law can prove difficult. last year, a CalMatters investigation found that more than 30 companies make it difficult for customers to exercise their privacy rights. While the companies technically complied with the law, which requires them to provide customers with a way to delete their information, they used special code to hide that information from Google search results.
The 2018 law also has a number of exemptions, including for nonprofits and companies that buy, sell or share data from fewer than 100,000 California residents or households.
The state privacy agency is responsible for enforcing the law. Over the past 12 months, the agency has identified violations by the menswear company Todd Snyderthe merchant of goods for the rural areas Tractor Supply Co. and the car manufacturer Hondaeach of which carries fines ranging from $345,000 to $1.35 million. In January, the state said in press release that it fined Datamasters, a data broker, for selling the names, addresses, phone numbers and email addresses of “millions of people with Alzheimer’s disease, drug addiction, bladder incontinence and other health problems for targeted advertising.” The broker also traded data on people’s perceived race, political views and banking activity.
California has additional protections regarding the collection and sale of student data, but those laws do not necessarily include apps and services used outside the classroom, even when that technology is a de facto requirement for participation in school sports or extracurricular activities. MP Dawn AddisDemocrat from San Luis Obispo, introduced a bill this year that would expand the number of tech companies that must comply with California’s education privacy rules, but the laws could still leave out many popular student services. CalMatters reports last month.
PlayOn did not respond to questions about compliance with the California school privacy law. PlayOn privacy policy says it does not collect personal information from “minors under 16 without proper consent” but makes no mention of students aged 16 or 17.
California law prohibits companies from selling any data on K-12 students, regardless of their age.
This article was originally published on CalMatters and is republished under Creative Commons Attribution-NonCommercial-No Derivatives license.