CalPrivacy’s $1.1 Million PlayOn Sports Fine: What Every Business Needs to Know About Tracking Technologies, Opt-Outs, and the New Era of Risk Assessments

On February 27, 2026, the Board of the California Privacy Protection Agency (CalPrivacy) adopted a Stipulated Final Order against 2080 Media, Inc. d/b/a PlayOn Sports, the leading digital ticketing and media platform for high school sports and activities, requiring the company to pay a $1.1 million administrative fine and implement sweeping compliance reforms. CalPrivacy’s announcement describes this as the agency’s first enforcement decision to address privacy violations involving students and California schools, and its second-largest fine to date.

The case centers on PlayOn’s GoFan platform, which thousands of California schools use to sell digital tickets to high school sporting events, prom, homecoming, and theater performances. CalPrivacy found that PlayOn used tracking technologies to collect personal information and then allegedly forced users, including students and parents, to click “Agree” before they could access their already-purchased tickets, without giving them any meaningful ability to decline. The company also failed to recognize opt-out preference signals like the Global Privacy Control (GPC) and maintained a deficient, outdated privacy policy.

The settlement carries lessons far beyond the high school sports world. For any business within scope that operates websites or apps, uses cookies and pixels, or engages in targeted advertising, the PlayOn order is a clear signal: California’s CCPA/CPRA enforcement machine is active, systematic, and increasingly focused on the mechanics of opt-out compliance, not just the words in a privacy policy.

Who Is PlayOn Sports?

PlayOn Sports is an Atlanta-based media and technology company that describes itself as the leading provider of high school sports and events. As the parent company of GoFan, MaxPreps, and the NFHS Network, PlayOn offers schools an all-in-one platform for ticketing, streaming, fundraising, concessions, merchandise, and website management. The company operates in all 50 states and has sold over 30 million tickets to high school events nationwide.

In California specifically, approximately 1,400 schools, both public and private, have contracted with PlayOn for its services. GoFan serves as the official ticketing platform for the California Interscholastic Federation (CIF), the governing body for high school sports in the state. This reach means that tens of thousands of California students, parents, faculty, and community members interacted with PlayOn’s digital properties on a regular basis.

The GoFan platform is often the only way to purchase or redeem tickets for school events. This captive-audience dynamic, where users effectively had no alternative, became a central theme in CalPrivacy’s enforcement narrative.

The Investigation and What CalPrivacy Found

In 2024, CalPrivacy’s Enforcement Division opened an investigation into PlayOn’s privacy practices and received a consumer complaint alleging that PlayOn was not allowing consumers to opt out of the sale and sharing of their personal information through tracking technologies. The relevant investigation period ran from January 1, 2023 through December 31, 2024.

In December 2024, before hearing directly from the Enforcement Division, PlayOn proactively overhauled its website, privacy policy, and notice banners. It updated its site to recognize opt-out preference signals and revised its notice banner to offer both “accept” and “reject” options. CalPrivacy credited these remediation efforts in the final order, but the prior violations remained actionable. PlayOn also cooperated fully with investigators throughout, producing documents, answering questions, and engaging candidly about its practices.

The Stipulated Final Order identified three primary categories of violations.

Violation 1: Coercive Consent — The “Agree-Only” Banner

During the relevant period, PlayOn deployed first- and third-party cookies, persistent trackers, and similar tracking technologies, including Meta Pixel, on its digital properties to collect personal information for advertising purposes. This activity qualified as the “sale” and “sharing” of personal information under the CCPA, triggering a legal obligation to give consumers a meaningful opt-out.

Instead, PlayOn’s notice banners presented users with only one choice: “Agree.” There was no way to close the banner without clicking it. On mobile devices, the consent banner physically covered the portion of the screen where users would redeem their tickets, meaning consumers were forced to consent to tracking just to use a ticket they had already purchased.

“Students trying to go to prom or a high school football game shouldn’t have to leave their privacy rights at the door. You couldn’t attend these events without showing your ticket, and you couldn’t show your ticket without being tracked for advertising. California’s privacy law does not work that way.” — Michael Macko, CalPrivacy Head of Enforcement

PlayOn’s only other opt-out methods, a toll-free phone number and an email address, were technically disconnected from the actual data flows created by tracking technologies. A user who called or emailed could not, as a practical matter, stop PlayOn’s website from firing those trackers. PlayOn’s privacy policy also improperly instructed users to opt out through third-party industry bodies, namely the Network Advertising Initiative (NAI) and the Digital Advertising Alliance (DAA), rather than offering its own mechanism. CalPrivacy found this insufficient.

These practices violated Civil Code § 1798.135(a)(1) each time PlayOn collected and then sold or shared personal information through tracking technologies without an effective opt-out. PlayOn also violated Civil Code § 1798.120(d) each time it continued selling or sharing personal information after receiving a consumer’s opt-out request via phone or email.

For a deeper look at how tracking technologies create legal liability, see our guide to pixel litigation under the CCPA, CIPA, and VPPA.

Violation 2: Failure to Recognize Opt-Out Preference Signals (GPC)

Under the CCPA and its implementing regulations, businesses must recognize and honor Opt-out Preference Signals, most prominently the Global Privacy Control (GPC), a browser-level setting that signals a user’s “do not sell or share” preference across every website they visit without requiring individual opt-out clicks on each one.

Throughout the relevant period, PlayOn failed entirely to configure its digital properties to detect or honor GPC signals. Every time a California consumer with GPC enabled visited a PlayOn website, their opt-out preference was silently ignored, and their personal information was sold and shared anyway.

This finding continues a pattern CalPrivacy has emphasized across all of its enforcement actions: GPC compliance is not optional, not a nice-to-have, and not satisfiable through workarounds. Every covered business operating a website in California must honor this signal.

Violation 3: Deficient and Outdated Privacy Notices

The CCPA requires businesses to maintain a comprehensive, accurate, and current privacy policy, updated at least once every twelve months. PlayOn’s privacy policy had not been updated since July 2022 before it was revised in February 2024, an 18-month lapse. During that period, the policy was also substantively deficient:

• It falsely claimed that PlayOn did not sell consumers’ personal information, when in fact its use of tracking technologies constituted “sharing” under the CCPA.
• It failed to inform consumers of their right to opt out of the sharing of their personal information.
• It did not explain how to exercise opt-out rights, including through the use of an opt-out preference signal.
• PlayOn’s “Your Privacy Choices” link directed users to the deficient opt-out mechanisms described above, rather than the full required information.

As a result, PlayOn sold or shared personal information collected during periods when it lacked an adequate Notice of Right to Opt-out of Sale/Sharing, a violation of Cal. Code Regs., tit. 11, § 7013(h). Privacy policies are not background compliance documents; they are live, enforceable instruments. For a detailed analysis of why annual privacy policy updates have become an enforcement priority, see our prior article on this subject.

The Settlement: $1.1 Million Fine and What Else PlayOn Must Do

The Fine

PlayOn must pay $1.1 million to CalPrivacy within 30 days of the Board’s decision. This makes the PlayOn action CalPrivacy’s second-largest fine to date, trailing only the Tractor Supply settlement of $1.35 million and exceeding the Honda settlement of $632,500 and the Todd Snyder fine of $345,178. There are also other enforcement actions via the California Attorney General, such as against Disney. (CalPrivacy and the California Attorney General hold concurrent authority to enforce the CCPA, and both have been active.)

Despite running only one targeted advertising campaign during the entire two-year investigation period, PlayOn’s use of tracking technologies on its digital properties was sufficient to trigger full CCPA sale/sharing obligations. As IAPP’s Cobun Zweifel-Keegan observed, that single ad campaign ended up costing $1.1 million in fines through this enforcement action.

Compliance Requirements

Beyond the fine, the order mandates a comprehensive set of operational changes, most of which must be completed within 180 days:

• Recognize and honor opt-out preference signals (GPC) and maintain fully functional opt-out mechanisms for all sale/sharing through tracking technologies
• Post a compliant “Do Not Sell or Share My Personal Information” or “Your Privacy Choices” link that actually allows consumers to exercise their rights
• Conduct quarterly scans of digital properties to maintain a current, full inventory of all tracking technologies in use
• Maintain CCPA-compliant contracts with all third parties that receive or have access to personal information through tracking technologies
• Update privacy notices and disclosures to be easy to read and understandable for the intended audience, with a specific callout that notices on platforms serving high school events must be comprehensible to that age group
• Conduct a full review of privacy policies, notices, consent management platforms, and privacy rights mechanisms within 90 days
• Annually post consumer rights request metrics on its website for at least three years

Risk Assessments — With Board of Directors Sign-Off

Perhaps the most notable and forward-looking requirement in the settlement is the risk assessment mandate. California’s new risk assessment regulations took effect January 1, 2026, requiring businesses that sell or share personal information to conduct formal privacy risk assessments. PlayOn was not investigated for violations of these rules; they did not exist during the relevant period, but CalPrivacy has made compliance with them a condition of this settlement.

PlayOn must complete an initial risk assessment within one year covering its GoFan and NFHS Network services, and must update those assessments before any “material change” in data processing activity for three years thereafter. The risk assessments must specifically evaluate whether users are being coerced into consenting to sale or sharing of their personal information in order to participate in events, a direct reference to the ticket-gating problem at the heart of this case.

Most significantly, PlayOn’s risk assessments must be reviewed by its Board of Directors, and the assessments must document the date of review and the names of Board members who participated. As Holland & Knight noted in their analysis of the case, risk assessments are now required for any new selling or sharing, and regulators are increasingly expecting periodic website scans alongside them. The IAPP has characterized this Board-level review requirement as a model worth considering proactively, noting that, while a company would rather avoid it, “CalPrivacy makes clear through this enforcement action that swift and thorough compliance is essential.”

Why Students? The Children’s Privacy Dimension

CalPrivacy has been explicit: this is the first enforcement action to address privacy violations involving students and California schools. The agency stated that “students are a uniquely vulnerable population whose data should be used to enhance their own learning, not to fuel advertising and commercial surveillance,” and warned that targeted advertising systems “can subject students to profiling that can follow them for years, expose them to manipulative or harmful content, and develop sensitive inferences about their lives.”

The CCPA already provides heightened protections for minors: businesses cannot sell or share the personal information of consumers aged 13 to 15 without their affirmative opt-in consent, and cannot do so for children under 13 without parental consent. The PlayOn order specifically requires PlayOn to comply with these provisions going forward.

DLA Piper’s privacy team observed that the settlement reflects “a central principle of children’s privacy enforcement: companies cannot rely on formal characterizations of their services while ignoring the realities of use.” In other words, if students and families are your actual user base, regardless of whether you formally market to children, you need to design your privacy architecture with that reality in mind.

The PlayOn order places the company alongside prior enforcement actions against platforms used by minors, including Epic Games, Microsoft Xbox, Google/YouTube, and Disney, though most of those were COPPA actions at the federal level. CalPrivacy’s action signals that state-level regulators are now applying consumer privacy frameworks with an explicitly child-protective lens.

For more on the expanding legal framework around youth data, see our piece on how under-18 is the new under-13 and our COPPA compliance page.

CalPrivacy’s Enforcement Pattern: This Is Not a One-Off

The PlayOn action fits within a deliberate and expanding enforcement posture. CalPrivacy has now completed four public CCPA enforcement actions, and the underlying themes are remarkably consistent:

• Tractor Supply Co. ($1.35M) — cookie banner failures and inadequate opt-out implementation
• Honda ($632,500) — deficient privacy notices and opt-out mechanisms
• Todd Snyder ($345,178) — opt-out compliance and vendor management failures
• PlayOn Sports ($1.1M) — coercive consent, GPC failure, deficient notices, and captive-audience tracking

Each action has reinforced the same core message: CalPrivacy scrutinizes cookie banners and opt-out mechanisms directly, tests them in practice, and assesses end-to-end functionality, not just whether disclosures appear somewhere in a privacy policy.

As Venable’s team noted in their analysis of the PlayOn settlement, CalPrivacy is “looking for proof opt-outs are happening, not just looking for compliant language written in a policy.” The agency has also demonstrated its willingness to investigate beyond the initial complaint as PlayOn was cited for three separate categories of violations, each carrying independent penalties.

Fisher Phillips similarly highlighted that once CalPrivacy initiates an investigation, regulators “are empowered to assess the organization’s CCPA compliance beyond the scope of the initial allegation.” If officials uncover multiple violations, penalties increase correspondingly.

California has also launched the Consortium of Privacy Regulators, a bipartisan coalition coordinating enforcement efforts across states. Federal oversight of privacy may be uncertain, but state-level enforcement is accelerating, not retreating.

Key Compliance Lessons for Businesses

1. Tracking Technologies Trigger Sale/Sharing Obligations — Even Without Active Ad Campaigns

PlayOn ran just one targeted advertising campaign during the entire two-year investigation period. CalPrivacy found that its use of tracking technologies still constituted the sale and sharing of personal information under the CCPA. The mere presence of third-party cookies, pixels, or analytics SDKs on your website can create full opt-out obligations, even if you don’t consider yourself an advertising-driven company. See our guide to targeted advertising compliance.

2. Offloading Opt-Outs to Third Parties Is Not Acceptable

Directing consumers to opt out through the NAI or DAA was explicitly found to be insufficient. As Fisher Phillips summarized this lesson: “If your organization is sophisticated enough to gather the information, it is sophisticated enough to develop its own means by which users can disenroll.” Your consent management platform must actually stop data flows, not just link to someone else’s opt-out form.

3. GPC Compliance Is Mandatory, Not Optional

The Global Privacy Control must be recognized and honored in California. If your website or app does not detect and respond to browser-level opt-out signals, you are not compliant, regardless of what your privacy policy says. Our GPC and Universal Opt-Out Mechanism compliance page walks through how to implement this correctly.

4. Consent Obtained Through Coercive Design Is Not Valid Consent

An “Agree-only” banner that blocks access to services consumers have already paid for is not consent, it is coercion. CalPrivacy’s risk assessment mandate specifically requires PlayOn to evaluate whether users are being forced to consent to tracking in order to access events. Dark patterns in consent interfaces are now an enforcement priority, not just a UX design concern.

5. Know Your Audience — and Design Privacy for Them

If your platform is used by or foreseeably accessible to minors, your privacy design must reflect that reality. Notice language must be age-appropriate, opt-out mechanisms must be functional and accessible, and data practices involving users under 16 must comply with CCPA’s heightened requirements. CalPrivacy will look past your marketing labels to assess who is actually using your service.

6. Privacy Policies Must Be Current and Accurate

An 18-month-old privacy policy that falsely states you don’t “sell or share” personal information, while your website is firing Meta Pixel, is a multi-violation time bomb. Annual updates are legally required under the CCPA, and the content must be accurate as to your actual data practices, including all sale and sharing activity driven by tracking technologies.

7. Risk Assessments Are Now Enforceable — Including Board Oversight

California’s privacy risk assessment requirements are in effect as of January 1, 2026. The PlayOn order shows that CalPrivacy views these assessments as substantive compliance tools and is willing to impose enhanced obligations, including Board-level review, on companies that have demonstrated prior compliance failures. Businesses that sell or share personal information should not wait for enforcement to prompt this exercise.

Conclusion

The PlayOn enforcement is more than a cautionary tale about cookie banners. It reflects a maturing regulatory apparatus that is testing compliance in practice, expanding the scope of investigations beyond the initial complaint, and now embedding forward-looking obligations, like Board-level risk assessments, directly into settlement terms. The concurrent enforcement authority of CalPrivacy and the California Attorney General means businesses face scrutiny from two active regulators, each with its own investigative priorities and enforcement pipelines. For businesses that collect personal information through tracking technologies, serve audiences that include minors, or have not regularly revisited their opt-out infrastructure, the message from California is clear: the window for quiet non-compliance has closed.

---