Parents and students shouldn't have to trade their personal data just to watch a high school football game. That is the message California regulators sent this week by fining PlayOn, the parent company of the popular ticketing platform GoFan, 1.1 million for violating state privacy laws.
What Happened
The California Privacy Protection Agency (CPPA) announced the settlement following an investigation into how PlayOn collected and sold user data. According to the agency, the company forced families into a corner: share your personal information with advertisers or forfeit your ability to buy tickets.
When users tried to purchase tickets for school events through GoFan, they encountered a pop-up demanding they agree to the company's privacy policy. This policy allowed PlayOn to sell user data to third parties. Crucially, there was no option to say "no". The pop-up blocked the entire screen, making it impossible to access the tickets without clicking "agree."
Michael Macko, the CPPA's head of enforcement, criticized the practice of targeting a "captive audience." He noted that students could not attend their own proms or games without submitting to tracking. While PlayOn did not admit liability, the company updated its privacy practices in December 2024 to allow users to opt out of data collection.
The Bigger Picture
This enforcement action highlights a growing "gray area" in student privacy. While California has strict laws like the Student Online Personal Information Protection Act to protect data within the classroom, third-party vendors used for extracurriculars often operate under different rules. PlayOn, which also owns MaxPreps and the NFHS Network, contracts with roughly 1,400 California schools and generates over $26 million in annual revenue.
The fine is significant because it enforces the rights of minors. State law prohibits selling the data of children under 16 without affirmative consent, or "opting in." For children under 13, data sales are banned entirely. Regulators found that PlayOn failed to check users' ages effectively or provide a clear way to opt out, instead directing users to complex third-party tools.
This case also underscores the pervasive nature of tracking in educational technology. Research indicates that 96% of apps used in schools share information with third parties, often creating detailed profiles of students that follow them long after they graduate.
What This Means for Families
For parents, this settlement is a reminder that school-required apps are not always safe from commercial tracking. Just because a school mandates an app for tickets, yearbooks, or lunch money does not mean the vendor puts student privacy first. The data collected—often including location and device information—is frequently sold to advertisers unless families actively intervene.
What You Can Do
- Check the Privacy Policy: Before using a new school app, look for a "Do Not Sell My Personal Information" link. If you don't see one, the app may be non-compliant.
- Use Opt-Out Tools: Services like the Global Privacy Control (GPC) allow you to set a browser preference that automatically signals websites not to sell your data.
- Ask Your School: Contact your school administration to ask how they vet third-party vendors. Ensure they are choosing partners that respect student privacy rights by default.