Data‑privacy fights: PlayON, LinkedIn, Maine

A high school student in California could buy a ticket to prom or a football game on GoFan and, according to state regulators, get pushed into ad tracking before they could even use the ticket. On March 3, the California Privacy Protection Agency said PlayOn Sports will pay a $1.1 million fine and change its practices after a settlement over those flows. (privacy.ca.gov) PlayOn is not a niche app. DLA Piper notes that PlayOn runs GoFan, MaxPreps, and the National Federation of State High School Associations Network, says it has sold more than 30 million tickets nationwide, and says about 1,400 California schools use its services. (privacymatters.dlapiper.com) California says the company used cookies, pixels, and other tracking tools for targeted advertising, but did not give Californians a proper way to say no on its own sites. Regulators also said PlayOn sent people to industry opt-out pages instead of building a working opt-out itself and failed to honor Global Privacy Control browser signals. (privacy.ca.gov) (privacymatters.dlapiper.com) The unusual part is where this happened. The agency called this its first decision involving students and California schools, which turns a cookie-banner case into a school-data case because the service sat in the middle of dances, games, and school events that families had to use. (privacy.ca.gov) (privacymatters.dlapiper.com) At the same time, LinkedIn is facing a very different privacy fight. A report published on April 3 alleged that LinkedIn’s website loads hidden JavaScript that checks visitors’ browsers for installed Chrome extensions and gathers device data that can help build a fingerprint. (bleepingcomputer.com) (osano.com) BleepingComputer said it independently verified that LinkedIn’s script checked for 6,236 browser extensions by trying to load files tied to each extension’s unique identifier. The same report said the script also collected details like screen resolution, language settings, time zone, memory, and battery information. (bleepingcomputer.com) That turned into lawsuits fast. Cybernews reported on April 10 that two proposed class actions were filed in the United States District Court for the Northern District of California, and it also reported that LinkedIn said the claims are “plain wrong” and tied the scanning to detecting scraping and terms-of-service violations. (cybernews.com) The Maine piece is not an enforcement action but a rules fight. Maine’s LD 1822, called the Maine Online Data Privacy Act, would cover companies doing business in Maine that handle data for at least 35,000 consumers, or 10,000 consumers if more than 20% of revenue comes from selling personal data. (verrill-law.com) The bill goes further than many state laws on sensitive data. Bill trackers and legal summaries say LD 1822 would ban the sale of sensitive data, bar targeted advertising or sale of minors’ data, and make violations enforceable by the Maine Attorney General under the state’s Unfair Trade Practices Act. (trackbill.com) (verrill-law.com) And the bill is still moving, not finished. Maine’s official bill pages and legislative trackers show the House failed an enactment vote on April 2, the Senate passed enactment on April 6, and the measure was then sent down for concurrence, which means the text and timing were still changing as of this week. (mainelegislature.org) (legiscan.com) Put those three fights together and you get the new privacy map in one glance. California is fining companies over ad-tech choices in school settings, plaintiffs are testing whether browser fingerprinting on a major platform crosses the line, and Maine is trying to write stricter limits on what data can be collected, sold, and used in the first place. (privacy.ca.gov) (cybernews.com) (verrill-law.com)