CPPA Fines PlayOn Sports $1.1 Million Over Student Data Privacy Violations

Student data has become one of the most sensitive categories of personal information in the digital ecosystem. A recent enforcement action by the California Privacy Protection Agency (CPPA) highlights just how seriously regulators are taking the protection of minors’ data.

The regulator fined PlayOn Sports $1.1 million for violating privacy rules related to student data through its ticketing platform GoFan ticketing platform, widely used by schools across the United States.

The case serves as a reminder that forced consent, unclear privacy disclosures, and improper opt-out mechanisms can lead to significant regulatory action.

What Happened

PlayOn Sports operates GoFan, a digital platform used by schools to sell tickets for sporting events, dances, theatre shows, and other school activities.

According to the CPPA, the platform collected personal data using tracking technologies that enabled targeted advertising. However, users, including students and parents, were not given a meaningful option to opt out of this tracking.

Instead, users had to consent to tracking to access their tickets or use the platform.

Regulators determined that this practice violated California privacy law, which requires companies to provide users with a clear, accessible way to opt out of tracking or data sharing.

Another issue raised by the regulator was the lack of transparency. The company did not clearly explain how personal data was being collected, processed, or shared. As a result, many students and parents may not have fully understood how their information was being used.

Why the Case Matters

The GoFan platform is widely used in the education ecosystem. In California alone, approximately 1,400 schools rely on the system, and it serves as the official ticketing platform for the state’s high school sports governing body.

This widespread adoption meant that a large number of students and families were potentially affected by the company’s data practices.

For regulators, this raised concerns not only about consent and transparency, but also about how companies handle personal data belonging to minors.

California privacy law imposes stricter requirements when it comes to children’s data:

• Personal data of children under 13 cannot be sold or shared

• Users under 16 must provide affirmative consent before their data can be used for certain purposes

Because the platform operates in the education sector, regulators considered these protections especially important.

Why is student data considered sensitive? 

Student data often involves minors, and privacy laws impose stricter protections to prevent misuse, profiling, or unauthorised sharing of children’s personal information.

What the Company Must Do Now

As part of the enforcement action, PlayOn Sports has agreed to update its privacy practices.

The company must now:

• Provide clearer disclosures explaining how personal data is collected and used

• Implement proper opt-out mechanisms for tracking and data sharing

• Conduct risk assessments related to its data practices

• Strengthen compliance with privacy rules governing children’s and students' data

These changes aim to ensure that users, especially minors and their families, have greater transparency and control over their personal information.

Key Privacy Lessons for Organisations

This case highlights several important lessons for organisations that collect or process personal data.

1. Student Data Requires Stronger Protections

Data belonging to students and minors is considered highly sensitive, and organisations must apply stronger safeguards when collecting or processing it.

2. Opt-Out Must Be Simple and Direct

Privacy laws require companies to provide clear and accessible opt-out mechanisms. Redirecting users to external industry programs may not meet regulatory requirements.

3. Forced Consent Is Not Valid Consent

If users must agree to tracking or data sharing just to access a service, regulators may treat this as invalid consent.

4. Transparency Is a Legal Requirement

Organisations must clearly explain what data is collected, why it is collected, and how it is used or shared so users can make informed decisions.

5. Privacy Enforcement Is Increasing

The $1.1 million fine signals that regulators are actively monitoring how companies manage personal data and are willing to impose penalties when organisations fall short.

Final Thoughts

The enforcement action against PlayOn Sports reflects a growing global focus on accountability in data privacy, particularly when it comes to children’s and students' data.

For organisations operating digital platforms in education, e-commerce, or any environment involving minors, the message is clear:

Privacy-by-design, transparent data practices, and meaningful user consent are no longer optional; they are regulatory expectations.