California Privacy Protection Agency issues $1.10 million fine against youth sports media platform over CCPA opt-out and consumer notice failures
8 min read
On March 3, 2026, the California Privacy Protection Agency (CPPA or "Agency") Board issued a decision requiring PlayOn Sports to pay a $1.10 million fine and change its practices following a settlement reached by the Agency's Enforcement Division. The Stipulated Final Order resolves allegations that PlayOn’s digital properties collected personal information using tracking technologies to provide advertisements, with PlayOn subsequently selling and sharing that personal information with advertising, social media, and analytics partners — without providing consumers with an effective and compliant opt out mechanism.
This action underscores the Agency's intensifying focus on the technical adequacy of opt-out mechanisms, the recognition of browser-based opt-out preference signals, and — for the first time — the privacy rights of students and other users of school-facing digital platforms. Additionally, the obligations imposed under this enforcement action introduces mandatory privacy risk assessments tied to PlayOn's services that are separate and distinct from similar requirements under amendments to the CCPA that became effective this year. Notably, the CPPA's action here confirms that even a single instance of non-compliance — PlayOn ran only one targeted advertising campaign on its ticketing platform during the relevant period — can give rise to regulatory liability and directing consumers to opt out with third-party networks rather than providing a first-party opt-out mechanism does not satisfy CCPA requirements.
Background
PlayOn Sports, operating as the parent company of GoFan, MaxPreps, and the NFHS Network, is a media and technology company that provides schools and other youth sports organizations an all-in-one platform for ticketing, streaming, fundraising, concessions, merchandise sales, and website management. PlayOn has a particularly significant presence in California, having contracted with approximately 1,400 schools across nearly every county in the state.
Key Violations and Findings
The CPPA identified several significant violations:
1. Failure to Provide an Effective Method to Opt Out of Sale/Sharing — Including Through Third-Party Referrals
During the relevant time period (January 1, 2023 through December 31, 2024), PlayOn's digital properties collected personal information using first- and third-party cookies, persistent trackers, and similar tracking technologies for advertising purposes, with PlayOn subsequently selling and sharing this personal information with advertising, social media, and analytics partners.
A key focus of the CPPA's findings was PlayOn's approach to opt-out compliance. Rather than providing its own compliant opt-out mechanism, PlayOn's privacy policy directed consumers to opt out directly with third parties via the Network Advertising Initiative (NAI) and the Digital Advertising Alliance (DAA). The CPPA found that this approach does not meet CCPA requirements. Businesses must provide consumers with a direct and effective method to opt out of the sale and sharing of their personal information — relying on industry self-regulatory programs or redirecting consumers to third-party opt-out tools is not a sufficient substitute.
Additionally, PlayOn's notice banners required consumers to click "Agree" to the use of tracking technologies and provided no other way to close the banner without doing so. On mobile devices, the banner covered the portion of the screen needed to redeem tickets, meaning consumers were effectively forced to click "Agree" in order to use the service. PlayOn's only other opt-out methods — a toll-free phone number and email address — did not address the sale and sharing of personal information through tracking technologies, leaving consumers who used those channels without an effective means of opting out.
2. Selling of Personal Information through a Single Targeted Advertising Campaign
PlayOn ran only one targeted advertising campaign on its ticketing platform during the relevant period. Nevertheless, the CPPA found that PlayOn's use of certain tracking technologies on its digital properties constituted the sale and sharing of personal information under the CCPA. The CCPA does not require a pattern of conduct or a sustained advertising program — one campaign, combined with inadequate opt-out mechanisms, is enough to give rise to liability. This finding has significant implications for businesses that treat advertising compliance as an ongoing program rather than a per-campaign obligation.
3. Failure to Recognize and Honor Opt-Out Preference Signals
Consumers can submit a request to opt out of sale/sharing by configuring their web browsers to transmit During the relevant time period, PlayOn failed to configure its digital properties to recognize and honor consumers' requests submitted via an opt-out preference signal (such as Global Privacy Control), in direct violation of the CCPA.
4. Deficient Notices to Consumers
Before revising its privacy policy in February 2024, PlayOn's policy had not been updated since July 2022. That policy failed to inform consumers of their right to opt out of the sharing of their personal information and falsely claimed that PlayOn did not sell consumers' personal information. PlayOn also failed to inform consumers how to exercise their right to opt out of sale/sharing, including through the use of an opt-out preference signal. PlayOn's "Your Privacy Choices" link similarly failed to include all the information required in a Notice of Right to Opt-Out of Sale/Sharing.
Settlement Terms
1. Mandatory Risk Assessments Under New 2026 Regulations
A particularly notable feature of this settlement is the imposition of formal risk assessment obligations tied to the CPPA's newly effective 2026 regulations. Beginning January 1, 2026, the selling or sharing of personal information, among other things, requires a business to conduct a privacy risk assessment. PlayOn must conduct such an assessment within one year of the effective date of the Board's decision, and for a period of three years following its completion, must update its risk assessments before any material change in the processing of users' personal information. PlayOn's risk assessments must be reviewed by its Board of Directors, with the assessment documenting the date of review and the names of the individuals who reviewed it.
Critically, in identifying negative impacts to consumers' privacy, PlayOn's risk assessments must consider whether it is coercing or compelling consumers into allowing the processing of their personal information — for example, whether users are required to consent to the selling or sharing of their personal information in order to participate in certain events. This requirement — specifically flagging coerced consent as a risk factor — is a novel and consequential regulatory requirement that extends well beyond standard privacy compliance programs.
2. Audience-Appropriate Notices
The order requires PlayOn to evaluate the notices and disclosures on its digital properties to ensure that the language used is easy to read and understandable to consumers who use its services, taking into consideration the age of the intended audience — with the explicit requirement that notices on services selling tickets to high school events must be easy to read and understandable to attendees of those events. This age-appropriate disclosure requirement foreshadows a broader regulatory direction toward consumer-context-specific notice standards.
Key Takeaways and Recommendations
In light of this enforcement action, businesses subject to the CCPA — particularly those operating digital ticketing platforms, event management services, media platforms, or any service used by minors — should consider the following steps:
1. Do Not Rely on Third-Party Opt-Out Programs as a Substitute for First-Party Compliance. The CPPA has made clear that directing consumers to opt out via the NAI, DAA, or similar industry self-regulatory programs does not satisfy CCPA opt-out requirements. Businesses must implement their own direct, functional opt-out mechanism that prevents the sale and sharing of personal information through tracking technologies on their digital properties.
2. Treat Every Advertising Campaign as a Potential Compliance Trigger. PlayOn ran only one targeted advertising campaign during the relevant period, yet this was sufficient to create CCPA liability for the sale and sharing of personal information through associated tracking technologies. Businesses should apply full CCPA opt-out compliance protocols to every campaign — regardless of scale, frequency, or duration — and should not assume that limited or one-time advertising activity falls below the regulatory threshold.
3. Audit Opt-Out Mechanisms End-to-End. Simply providing a "Do Not Sell or Share My Personal Information" or "Your Privacy Choices" link is not sufficient. Businesses must verify that submitting an opt-out request through any available method — webform, phone, email, or in-app toggle — prevents the sale and sharing of personal information across all tracking technologies, including third-party pixels and cookies. The technical back-end must match the front-end promise.
4. Implement and Honor Opt-Out Preference Signals Immediately. Browser-based opt-out signals — such as Global Privacy Control — must be detected and honored in a frictionless manner across all digital properties. Failure to configure digital properties to recognize these signals constitutes a direct CCPA violation.
5. Eliminate Consent Barriers and "Agree-Only" Banners. Businesses should audit their cookie banners and consent interfaces to ensure consumers are presented with a genuine and equally prominent choice to reject tracking, and that consent is never conditioned on access to a core service or feature.
6. Conduct Quarterly Tracking Technology Inventories. Scan digital properties at least quarterly to maintain a full and current inventory of tracking technologies as was required by the order. All businesses subject to the CCPA should adopt this practice — knowing which tracking technologies are active on a platform is a prerequisite to providing any lawful opt-out mechanism.
7. Update and Maintain CCPA-Compliant Privacy Policies Annually. Businesses should implement a mandatory annual review cycle and verify that privacy policies accurately reflect all current data practices and opt-out mechanisms. Businesses serving mixed or younger audiences should review the readability and accessibility of all consumer-facing notices and adapt them to the comprehension level of the intended users.
8. Review Third-Party Contracts for CCPA Compliance. Maintain CCPA-compliant contracts with all third parties that receive or have access to personal information through tracking technologies. Businesses should audit all service provider and third-party contracts to confirm they contain the contractual provisions required under the CCPA.
9. Prepare for Mandatory Privacy Risk Assessments. Businesses that have not yet begun the risk assessment process under the CPPA's 2026 regulations should do so promptly and in advance of statutory effective dates. Risk assessments must now evaluate whether the business is coercing or compelling consumers into consenting to the processing of their personal information.
10. Strengthen Protections for Minor Users. Any business with actual or constructive knowledge that its platform is accessed by minors must audit its data collection, sharing, and advertising practices against the CCPA's heightened standards — which extend to individuals under 16 and require affirmative opt-in consent for the sale or sharing of their personal information.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2026 White & Case LLP
