Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
IN SUMMARY:
The state Privacy Protection Agency fined PlayOn $1.1 million for violating state law. The company that runs the GoFan ticketing service requires students and parents to share their details to access tickets for high school events.
This article is also available in English. Read it here.
Before they could attend football games or school plays, high school students in California had to provide their personal information to ticketing platform GoFan, which then sold that data to advertisers, state privacy regulators said. Parent company PlayOn, which contracts with about 1,400 California schools, repeatedly violated the state’s privacy law in 2023 and 2024, according to disciplinary order filed in January by the state agency for personal data protection.
The California Privacy Protection Agency, sometimes known as CalPrivacy, announced the order on Tuesday, saying it was fining PlayOn $1.1 million for failing to give students and families a way to opt out of having their data collected.
PlayOn offers a wide range of online products that coordinate ticket and merchandise sales for schools and youth sports organizations, as well as other services such as fundraising and live streaming. Its affiliates include GoFan, MaxPreps and NFHS Network, used by school districts spanning from Los Angeles and San Diego to Modoc, Mono and Sierra counties, according to the order. The company’s annual gross revenue exceeds $26 million.
When users attempted to access tickets for school events through GoFan, one of PlayOn’s platforms, window or popup window which asks the ticket holder to accept the company’s privacy policy that allows the sale of personal data. The order stated that there was no way to refuse: the window covered the screen and thus did not allow access to the entrance without accepting the company’s terms.
“Students trying to get to a high school prom or football game should not have to give up their right to privacy,” said Michael Mako, chief compliance officer at CalPrivacy, in press release on Tuesday . “You couldn’t attend these events without showing your ticket, and you couldn’t show your ticket without being tracked for advertising purposes. That’s not how California privacy law works. Companies need to make sure they offer Californians legal options to opt out, especially with captive audiences.”
PlayOn “admits no liability for any violation” of state law, according to the disciplinary order, which effectively functions as a settlement agreement. The order also notes that the company significantly changed its privacy policy in December 2024, allowing users to opt out of data collection, bringing it into line with state laws. Those data privacy issues have since been “fully resolved,” James Dickinson, the company’s senior vice president of marketing, said in an email.
The fine marks the first time the state privacy agency has taken legal action against a company for violating the rights of students and schools, according to the news release. The agency was created in 2020 when voters approved it state proposal who called for stricter enforcement of data privacy laws.
Exceptions to California Privacy Law
California has some of the strictest data privacy laws in the country, including a landmark law passed in 2018 that requires large for-profit companies to provide consumers with a relatively easy way to opt out of data collection or delete their data.
However, enforcing the law can be complicated. last year, a CalMatters investigation found that more than 30 companies make it difficult for customers to exercise their privacy rights. Although these companies technically complied with the law that requires them to offer their customers a way to delete their information, they used special code to hide that information from Google search results.
The 2018 law also has a number of exemptions, including for nonprofits and companies that buy, sell or share data on fewer than 100,000 California residents or households.
The state privacy agency is responsible for enforcing the law. Over the past 12 months, the agency has identified violations by the menswear company Todd Snyder a retailer of country goods Tractor Supply Co. and the car manufacturer Honda each of which resulted in fines ranging from $345,000 to $1.35 million. In January, the state announced in press release which fined Datamasters, a data broker, for selling the names, addresses, phone numbers and email addresses of “millions of people with Alzheimer’s, drug addiction, urinary incontinence and other health problems for targeted advertising.” The broker also shared data on people’s perceived race, political views and banking activity.
California has additional protections regarding the collection and sale of student data, but these laws do not necessarily include apps and services used outside the classroom, even when such technology is a de facto requirement for participation in school sports or extracurricular activities. The deputy Dawn Addis D-San Luis Obispo, introduced a bill this year that would expand the number of tech companies that must comply with California’s education privacy rules. However, the laws can still exclude many popular student services, as reported by CalMatters last month.
PlayOn did not respond to questions about compliance with the California school privacy law. The Privacy Policy PlayOn states that it does not collect personal information from children under the age of 16 without proper consent, but does not mention students aged 16 or 17.
California law prohibits companies from selling the data of all students from preschool through high school, regardless of age.