To attend prom or a football game, California students first had to surrender their data

By Adam Echelman, CalMatters

Before they could attend school football games or school plays, high school students across California had to give their personal information over to a ticketing platform, GoFan, which then sold that data to advertisers, state privacy regulators said. The parent company PlayOn, which has contracted with roughly 1,400 California schools, repeatedly violated state privacy law in 2023 and 2024, according to a January disciplinary order filed by the state’s privacy protection agency.

The California Privacy Protection Agency, sometimes known as CalPrivacy, announced the order Tuesday, saying it is fining PlayOn $1.1 million for failing to give students and families a way to opt out of their data collection.

PlayOn offers a slew of online products that coordinate ticket and merchandise sales for schools and youth sports organizations, along with other services, such as fundraising and streaming. Its subsidiaries include GoFan, MaxPreps, and NFHS Network, which are used by school districts stretching from Los Angeles and San Diego to Modoc, Mono, and Sierra counties, the order says. The company’s annual gross revenue is over $26 million.

When users tried to access tickets for school events through one of PlayOn’s platforms, GoFan, a pop-up appeared, prompting the ticket-holder to agree to the company’s privacy policy, which allowed the sale of personal data. There was no way to say no, the order said: The pop-up obscured the screen so that it was impossible to access the ticket without agreeing to the company’s terms.

“Students trying to go to prom or a high school football game shouldn’t have to leave their privacy rights at the door,” said Michael Macko, CalPrivacy’s head of enforcement, in a press release Tuesday. “You couldn’t attend these events without showing your ticket, and you couldn’t show your ticket without being tracked for advertising. California’s privacy law does not work that way. Businesses must ensure they offer lawful ways for Californians to opt-out, particularly with captive audiences.”

PlayOn “does not admit liability for any violation” of state law, according to the disciplinary order, which effectively functions as a settlement agreement. The order also notes that the company significantly changed its privacy policy in December 2024, allowing users to opt out of data collection, bringing the company into compliance with the state law. These data privacy matters have been “fully resolved” since then, said James Dickinson, the company’s senior vice president of marketing, in an email.

The fine is the first time that the state privacy agency has gone after a company for violating the rights of students and schools, according to the press release. The agency formed in 2020 when voters backed a statewide proposition calling for increased enforcement of data privacy laws.

Exceptions to California’s privacy law

California has some of the strongest data privacy laws in the country, including a landmark 2018 law that requires large for-profit companies to give users a relatively easy way to opt out of data collection or delete their data.

Enforcing the law can prove tricky though. Last year, a CalMatters investigation found that more than 30 companies made it difficult for customers to exercise their privacy rights. While the companies were technically abiding by the law, which requires them to give customers a way to delete their information, they used special code to hide that information from Google search results.

The 2018 law also has a number of exceptions, including for non-profit organizations and for companies that buy, sell or share data from less than 100,000 California residents or households.

The state privacy agency is responsible for enforcing the law. In the past 12 months, the agency has found violations by the menswear company Todd Snyder, the rural supply retailer Tractor Supply Co. and the automaker Honda, each resulting in fines ranging from $345,000 to $1.35 million. In January, the state said in a press release that it fined Datamasters, a data broker, for selling the names, addresses, phone numbers, and email addresses of “millions of people with Alzheimer’s disease, drug addiction, bladder incontinence, and other health conditions for targeted advertising.” The broker also traded data on individuals’ perceived race, political views and banking activity.

California has additional protections regarding the collection and sale of students’ data, but those laws do not necessarily include apps and services used outside of the classroom, even when that technology is a de facto requirement for participation in school sports or extracurriculars. Assemblymember Dawn Addis, a San Luis Obispo Democrat, introduced a bill this year that would expand the number of tech companies who need to abide by California education privacy rules, but the laws could still leave out many popular student services, CalMatters reported last month.

PlayOn did not respond to questions about its compliance with California school privacy law. The PlayOn privacy policy says it doesn’t collect personal information from “minors under the age of 16 without proper consent” but it doesn’t mention anything about students who are age 16 or 17.

California law prohibits companies from selling all K-12 students’ data, regardless of their age.