California Schools Demand Data for Events
California students are now being required to surrender personal data to attend school events like prom and football games, creating a new privacy flashpoint. The practice is raising questions about the scope of data collection and the nature of consent, particularly for minors in an educational setting.
The ticketing platform GoFan, owned by PlayOn, was recently fined $1.1 million by the California Privacy Protection Agency for selling student data to advertisers. The company, which has contracts with approximately 1,400 California schools, required students to agree to have their personal data collected and sold to access tickets for school events like football games and prom.
This enforcement action highlights the complexities of student data privacy laws. California law prohibits companies from selling the data of any K-12 student. However, existing regulations don't always cover apps and services used for extracurricular activities outside the classroom. The GoFan case is the California Privacy Protection Agency's first enforcement action related to student and school privacy violations. Regulators noted that students were a "captive audience," unable to attend events without agreeing to the data collection, which made the practice particularly problematic.
This incident occurs as new legislation aims to strengthen student privacy. Assembly Bill 1159, introduced in February 2025, would prohibit the use of student information from educational services for training AI systems, unless for explicit educational purposes. Additionally, Assemblymember Dawn Addis has introduced a bill to expand the scope of tech companies that must comply with California's education privacy regulations.
For consumer health apps, which often fall outside the direct scope of HIPAA, this case underscores the importance of transparent data practices. While HIPAA protects health information held by healthcare providers, most consumer apps are governed by broader consumer privacy laws like the California Consumer Privacy Act (CCPA). The growing digital health market, projected to reach over $50 billion by 2030, is increasingly leveraging AI and data from wearable devices to offer personalized health insights. This makes user trust and clear consent for data use critical for user acquisition and retention, especially as consumers become more aware of how their data is being used.
For founders in the health tech space, particularly those focused on AI and personal data, understanding the nuances of privacy regulations is crucial. Early-stage digital health startups are attracting significant venture capital, with a focus on AI-driven solutions. However, navigating the complex web of state and federal privacy laws, including the CCPA and the FTC's Health Breach Notification Rule, is essential for long-term success.
The longevity and biohacking communities, which rely heavily on personal health data and predictive AI models, also face scrutiny regarding data privacy and the accuracy of their algorithms. As these fields grow, establishing clear governance and consent frameworks for the use of sensitive health information will be paramount to building and maintaining user trust.