Picture this: Your teenager wants to go to the big football game or prom, but there’s a catch. Before they can even buy a ticket, a pop-up demands they hand over their personal data to a company called GoFan. No opt-out button. No way around it. Just agree or don’t go. That’s exactly what was happening across California, and regulators are not having it.

The California Privacy Protection Agency just fined PlayOn, the parent company of GoFan, $1.1 million for forcing students and families to surrender their data in exchange for attending school events. The company operates ticketing services used by roughly 1,400 California schools, making this a massive breach of student privacy that affected thousands of young people.

Here’s how the scheme worked: When students tried to access tickets through GoFan, an inescapable pop-up would appear forcing them to agree to PlayOn’s privacy policy, which explicitly allowed the company to sell their personal information to advertisers. The screen was completely blocked. You literally couldn’t get your ticket without hitting “agree”. Michael Macko, the head of enforcement at CalPrivacy, put it perfectly: “Students trying to go to prom or a high school football game shouldn’t have to leave their privacy rights at the door”.

What makes this especially infuriating is that PlayOn’s violations happened in 2023 and 2024, meaning thousands of teens had their data harvested without meaningful consent. The company’s annual gross revenue tops $26 million, so this wasn’t some mom-and-pop operation, it was a major player with serious resources that chose profit over privacy.

The $1.1 million fine represents the first time California’s privacy agency has gone after a company specifically for violating student privacy rights. While PlayOn claims it “does not admit liability,” the company did change its privacy policy in December 2024 to finally allow users to opt out of data collection. Basically, they got caught and scrambled to comply.

But here’s the thing: PlayOn’s current privacy policy still has some sketchy language. It says the company doesn’t collect data from minors under 16 without consent, but says nothing about 16 and 17-year-olds. Meanwhile, California law prohibits selling data from all K-12 students regardless of age.

The bigger picture is that California has some of the strongest data privacy laws in the nation, but enforcement remains complicated. The state has been cracking down on companies like Honda, Tractor Supply Co., and data brokers selling health information to advertisers. Yet many tech companies used in schools operate in gray areas, technically not required to follow education privacy rules if they’re used outside the classroom, even when attendance is basically mandatory.

Your kids deserve better. They shouldn’t have to choose between their privacy and participating in school activities.