.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.webp?width=1220&height=1090&name=Osano-guarantee-seal%20(1).webp)
Hello all, and happy Thursday!
CalPrivacy has notched another of its many firsts in US data privacy enforcement–this time, with the first enforcement action involving the privacy of students and California schools.
PlayOn Sports, the company associated with the GoFan ticketing platform used by many high schools, was hit with a $1.1 million fine by CalPrivacy for CCPA violations. Here’s why:
- PlayOn Sports forced users, including high school students, to agree to tracking for targeted advertising before they could access digital event tickets.
- They also didn’t provide an opt-out mechanism, ignored opt-out preference signals (e.g., the GPC), and failed to get affirmative opt-in consent for teens aged 13–15.
Given that this is the first CCPA enforcement involving Californian students and schools, what should businesses learn from this action?
I think there’s a mistaken belief out there that US privacy law is all opt-out consent, all the time. (If you’re not familiar with the difference between opt-in and opt-out consent, our blog provides an overview.) Not so–in California, for example, opt-in consent is required when collecting the data of consumers aged 13 to 15, and parents must opt in for data collection for under-13-year-olds. Coupled with CIPA risk in California, we recommend defaulting to an opt-in standard of consent across the board when collecting data from Californians.
Interestingly, PlayOn also directed students to opt out via third parties (the Network Advertising Initiative and the Digital Advertising Alliance). The CPPA ruled this was not compliant; businesses must provide their own direct method for consumers to opt out.
Best,
Arlo
New from Osano
Blog: DPDPA Rules: How India’s Privacy Law Will Be Put into Practice
Indian regulators have now implemented the rules that will operationalize India’s flagship data privacy law, the DPDPA. What are they, what do you need to do to stay compliant, and starting when? Find out in our blog.
In Case You Missed It…
Product Launch: Introducing Osano Compliance Check: Automated Proof of Website Privacy Compliance
Privacy compliance doesn’t fail in theory; it fails in practice. Websites change constantly, regulations evolve, and enforcement is accelerating. Even teams with strong privacy programs can struggle to keep up with what their sites are actually doing in real-world conditions. That’s why we built Osano Compliance Check: an automated, recurring website scanner that verifies real-world privacy compliance.
Top Privacy Stories of the Week
Youth Sports Media Company to Pay $1.10 Million CCPA Fine Over Privacy Violations
The California Privacy Protection Agency (CPPA) has issued a decision requiring PlayOn Sports to pay a $1.10 million fine and change its practices following a settlement reached by CalPrivacy’s Enforcement Division. The enforcement action is the first to address privacy violations involving students and California schools.
Meta's AI Display Glasses Reportedly Share Intimate Videos with Human Moderators
Users of Meta's AI smart glasses in Europe may be unknowingly sharing intimate video and sensitive financial information with moderators outside of the bloc, according to a report from Sweden's Svenska Dagbladet released last week. Employees in Kenya doing AI "annotation" told the journalists that they've seen people nude, using the toilet, and engaging in sexual activity, along with credit card numbers and other sensitive information.
A New App Alerts You if Someone Nearby Is Wearing Smart Glasses
Smart glasses often look indistinguishable from regular eyewear, meaning you might be recorded without knowing it. But now there is an app that can detect and alert you when someone nearby is wearing smart glasses, or potentially other always-recording tech. The Android app, aptly named Nearby Glasses, constantly scans for nearby signals that emit from Bluetooth-enabled tech, such as wearable devices made by Meta (and Oakley) and Snap.
Europe Pressed to Slow Digital Age-Verification Push Amid Privacy Fears
Hundreds of academics urged governments to halt plans for mandatory age checks on social media, rather than accelerating deployment without assessing the risks. The warning arrives as several European states consider restrictions on children’s access to online platforms and as companies promote verification tools such as live selfies or uploads of government-issued IDs.
US Supreme Court Blocks California Privacy Protections for Transgender Students
The US Supreme Court blocked a series of California laws that can limit the sharing of information with parents about the gender identity of transgender public school students without ​the child's permission. The justices in a 6-3 decision granted an emergency request by the challengers to reinstate a ‌judge's ruling that the privacy and anti-discrimination measures at issue undermined their religious and parental rights under the U.S. Constitution's First and 14th Amendments, while litigation continues.
Like what you see in the Privacy Insider newsletter?
There's more to explore:
🎙️The Privacy Insider Podcast
We go deeper into additional privacy topics with incredible guests monthly. Available on Spotify or Apple.
📱 The Osano Subreddit
Join our official subreddit to stay up to date on the latest news, analysis, guidance, and content from Osano!
đź“– The Privacy Insider: How to Embrace Data Privacy and Join the Next Wave of Trusted Brands
The book inspired by this newsletter: Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start building a privacy program from the ground up. More details here.
If you’re interested in working at Osano, check out our Careers page!
