California regulators fined the parent company of a popular school ticketing app $1.1 million for violating student privacy. The platform forced students to accept data tracking to access tickets for school events, highlighting the growing privacy risks hidden in everyday educational software.
What Happened
As we previously reported, the California Privacy Protection Agency (CPPA) issued a $1.1 million fine against PlayOn Sports, the company operating the GoFan digital ticketing platform. Around 1,400 California schools use GoFan for athletic events, dances, and theater productions.
According to the CPPA's stipulated order, the app required users to click "agree" to tracking technologies before they could view or present their digital tickets. PlayOn then used this personal information for targeted advertising. CPPA Enforcement Director Michael Macko noted that students should not have to surrender their data simply to attend a football game or prom.
PlayOn Sports is a massive player in high school athletics. Beyond ticketing, the company provides platforms for streaming, fundraising, and merchandise sales. Regulators found that the company routinely ignored opt-out preference signals—automated browser settings that tell websites not to track users. By forcing the tracking agreement as a strict barrier to entry for mobile tickets, the app left families with no realistic alternative if they wanted to watch their children compete or perform.
The Bigger Picture
The California Consumer Privacy Act (CCPA) explicitly prohibits the sale or sharing of personal information for minors aged 13 to 15 without prior opt-in consent. Despite these rules, companies often design interfaces that bypass or obscure these protections. PlayOn failed to provide a direct opt-out mechanism, instead linking users to confusing third-party advertising groups.
This is a systemic issue across education technology. According to a recent CalMatters investigation, many software vendors continue to exploit legal loopholes to package and sell student data. Lawmakers are currently pushing new legislation, such as Assembly Bill 1159%201159), to close these gaps and give families more power to sue companies that mishandle student information.
Furthermore, regulatory expectations are getting stricter. New CCPA rules that took effect in early 2026 now require businesses to actively demonstrate they have processed opt-out requests, rather than just passively receiving them.
What This Means for Families
This enforcement action exposes a "pay-to-play" privacy model that puts parents and students in a difficult position. When a school mandates a specific app for essential activities, families feel they have no choice but to accept the terms of service. The PlayOn case proves that just because a school endorses a vendor does not mean the vendor has safe or legal data practices.
This settlement establishes a crucial precedent: digital access to education-adjacent activities cannot be held hostage in exchange for consumer data. When a school district contracts with a third-party vendor to manage operations, that vendor becomes an extension of the school environment. Forcing students to navigate complex, third-party opt-out websites places an unfair burden on minors trying to protect their own digital footprints, undermining the trust between schools and families.
What You Can Do
- Check default settings: When downloading a school-mandated app, look for a "minor" or "student" profile option. These should restrict data sharing by default.
- Demand direct opt-outs: Companies must offer a direct, easily accessible way to opt out of data sharing within their own app or website. Do not settle for links to external advertising networks.
- Question school vendors: Ask your school board or administration how they vet third-party platforms like ticketing, fundraising, and streaming services to ensure they maintain strict compliance with the CCPA.