California Privacy Agency Settles $1.1 Million Case Against PlayOn Sports
This week, the California Privacy Protection Agency (CalPrivacy) announced a significant settlement of $1.1 million with PlayOn Sports, known for its digital ticketing platform, GoFan. This settlement marks the agency’s second-largest enforcement action in its history, highlighting the ongoing challenges surrounding privacy compliance.
Background of the Case
PlayOn Sports’ business model revolves around partnering with high schools to offer ticketing services for sporting events. The settlement results from allegations that the company violated California’s privacy regulations by requiring students and parents to accept tracking technologies as a condition for acquiring digital tickets. The company failed to provide adequate options to opt out of the sale or sharing of personal information, raising red flags regarding the handling of sensitive data, particularly that of minors.
According to CalPrivacy, PlayOn did not fully update its opt-out options or notice compliance during the initial two years following updates under the California Privacy Rights Act.
A Costly Advertising Campaign
One of the striking allegations in the stipulated order is that PlayOn conducted only one advertising campaign during the investigated time frame. Despite this limited marketing effort, the use of specific tracking technologies on its digital platforms constituted the “Sale and Sharing of Personal Information” under the California Consumer Privacy Act (CCPA). As a result, the company’s alleged failure to refine its opt-out mechanisms in a timely manner led to multiple charges.
In essence, PlayOn’s single marketing campaign could be viewed as a costly endeavor, culminating in a $1.1 million penalty—a stark reminder of the financial implications of non-compliance.
The Critical Need for Timely Risk Assessments
An essential lesson from the PlayOn settlement is the importance of timeliness in privacy compliance. The agreement highlights the new requirements under California’s risk assessment regulations, which came into effect on January 1st. Although these requirements were not obligatory during the investigation period, PlayOn has agreed to adopt them moving forward.
California mandates annual summaries of risk assessments to be submitted to CalPrivacy, with the first submission due by April 2028. This proactive approach distinguishes California from other states like Colorado, where assessments must only be available upon request by the attorney general.
Key Requirements for Risk Assessments
Under California’s regulations, a formal risk assessment is required whenever there is a “significant risk” to consumer privacy, particularly when personal information is sold or shared, when sensitive data is processed, or when automated decision-making technologies are employed. Risk assessments should document:
- The specific purposes for data processing.
- The minimum necessary data to achieve those purposes.
- A formal evaluation of risks against potential benefits.
California’s guidelines are notably strict compared to other states, as they require annual updates or immediate updates within 45 days following any material change in risk profiles.
Board of Directors Review Requirement
Another noteworthy aspect of the PlayOn settlement is the explicit requirement for the company’s Board of Directors to review future risk assessments. While previous regulations implied oversight from a chief privacy officer or legal lead, the PlayOn case mandates board sign-off to ensure systemic compliance. The assessments must also document the names of board members involved in the review process.
Organizations may benefit from voluntarily incorporating board approval into their privacy risk assessment procedures. This measure could bolster privacy governance and accountability, averting future compliance issues.
Conclusion
The $1.1 million settlement between PlayOn Sports and the California Privacy Protection Agency serves as a crucial reminder of the evolving landscape of privacy regulations. The significance of timely compliance, proactive risk assessments, and board approval will undoubtedly shape the future of data governance. As regulatory oversight increases, organizations must adapt their privacy practices to avoid costly penalties and ensure the responsible handling of personal information.
