California Privacy Agency Slaps Tech Company with $1.1 Million Fine for Student Data Violations
The California Privacy Protection Agency (CPPA) has levied a substantial $1.1 million penalty against technology firm GoFan for systematically collecting and selling personal data from high school students across the state. The enforcement action stems from violations of the California Privacy Protection Act during the 2023-24 period, marking one of the most significant student privacy cases in recent memory.
Forced Consent and No Opt-Out Options
GoFan, a ticketing business owned by media company PlayOn that streams high school sports, required students to accept extensive data collection terms before they could purchase tickets for school events. The software presented users with a mandatory white "agree" button that had to be clicked to proceed with ticket purchases for football games, school plays, senior prom, and other activities. Critically, the interface provided no alternative option for users to opt out of having their personal information collected and sold to advertisers.
"Students trying to go to prom or a high school football game shouldn't have to leave their privacy rights at the door," declared Michael Macko, CalPrivacy's head of enforcement, in an official press release. "You couldn't attend these events without showing your ticket, and you couldn't show your ticket without being tracked for advertising. California's privacy law does not work that way."
Multiple Legal Violations Uncovered
The CPPA's investigation revealed several serious breaches of California privacy regulations. State law explicitly requires companies to offer at least two distinct methods for consumers to opt out of having their personal information sold. Additionally, California residents possess the legal right to demand that companies delete their personal data upon request, protections that GoFan failed to implement properly.
Further compounding the violations, GoFan's privacy policy contained false statements claiming the company did not sell users' personal information. The policy also failed to undergo required annual updates and neglected to inform users about their legal right to opt out of commercial data collection practices.
Widespread Impact Across California Schools
The scale of the privacy violations is particularly concerning given GoFan's extensive reach within California's educational system. According to the CPPA order, PlayOn has sold more than 30 million tickets to high school events nationwide and maintains contracts with approximately 1,400 schools throughout California alone.
The CPPA initiated its investigation into PlayOn in 2024 after receiving multiple consumer complaints. During the course of the inquiry, the agency discovered that PlayOn had begun revising its privacy policies before becoming aware of the official investigation.
Company Response and Resolution
In a formal statement addressing the enforcement action, PlayOn emphasized its commitment to student privacy. "PlayOn takes the privacy and safety of the students and school communities we serve very seriously," the company stated. "The CPPA's recent inquiry was focused on certain aspects of PlayOn's privacy practices prior to December 2024, and those matters have since been fully resolved."
The company noted that it cooperated fully with the CPPA throughout the review process and implemented additional measures to address the agency's concerns about data protection practices.
This landmark enforcement action underscores California's increasingly aggressive approach to protecting consumer privacy, particularly for vulnerable populations like high school students who may not fully understand the implications of data collection practices when accessing essential school activities and events.
