The California Privacy Protection Agency last month formally adopted a stipulated final order fining PlayOn Sports $1,100,000 for a series ofCCPA violations that, according to the agency, left thousands of students, parents, and other event attendees with no practical way to refuse the collection and sharing of their personal data. The board's decision, signed by Chair Jennifer M. Urban, became effective immediately on February 27, 2026. It is the first CCPA enforcement action that the agency has taken specifically addressing privacy practices involving students and California schools.

PlayOn Sports - formally 2080 Media, Inc., a Delaware corporation headquartered at 2990 Brandywine Road, Suite 300, Atlanta, Georgia - operates several well-known platforms in the high school sports market. These include GoFan, a digital ticketing service; MaxPreps, a sports statistics and recruiting platform; and the NFHS Network, a livestreaming service for high school athletics. According to the stipulated final order, the company "describes itself as the leading media and technology company in high school sports and other events." It operates in all 50 states, is the official ticketing partner for 80% of all state athletic associations, and has sold over 30 million tickets to high school events nationwide. GoFan is also the official ticketing platform for the California Interscholastic Federation, the governing body for high school sports in California responsible for state and regional championships.

California alone accounts for approximately 1,400 schools - both public and private - that have contracted with PlayOn for ticketing, fundraising, and other services. The company has contracted with schools across nearly every county in the state, from densely populated Los Angeles, San Diego, and Orange Counties to more rural areas such as Modoc, Mono, and Sierra Counties. That reach means the enforcement action touches a large and geographically dispersed population, many of them minors.

The core of the agency's complaint relates to how PlayOn deployed tracking technologies on its digital properties during the relevant period of January 1, 2023 through December 31, 2024. According to the final order, PlayOn's platforms collected personal information using "first- and third-party cookies, persistent trackers, and similar Tracking Technologies (e.g., MetaPixel) for the purpose of providing advertisements, among other things." PlayOn then sold and shared that personal information with advertising, social media, and analytics partners.

What made the situation particularly coercive, according to regulators, was how this consent was obtained. PlayOn's notice banners on both desktop and mobile sites contained a single button: "Agree." There was no equivalent button to decline or close the banner without clicking "Agree." On mobile devices, this problem was compounded by the layout of the GoFan ticketing interface. The notice banner covered the portion of the screen that displayed the user's ticket redemption option - specifically the "View my ticket" button. In effect, consumers arriving at a high school wrestling match or a homecoming dance were forced to click "Agree" to tracking before they could display their ticket at the gate. There was no alternative.

The GoFan platform supports multiple payment methods at the point of purchase, including credit and debit cards, Apple Pay, and Google Pay. Once purchased, the phone serves as the ticket. Sometimes, according to the order, digital redemption via GoFan is the only ticketing method available for a given event. That technical design - combined with the blocking consent banner on mobile - created what regulators characterized as a situation where users "were forced to first click 'Agree' on the notice banner in order to use their ticket."

What the CCPA requires - and where PlayOn fell short

The California Consumer Privacy Act gives consumers explicit rights to direct businesses not to sell or share their personal information. Businesses that sell or share personal data must offer at least two methods for submitting opt-out requests. One of those methods must be an opt-out preference signal - a browser-level signal that broadcasts a "do not sell or share" preference across every website a user visits, without requiring individual action on each site. California's AB 3048, which mandated browser-level opt-out settings, had been advancing through the legislature precisely to make these signals more accessible to ordinary users.

During the relevant time period, according to the order, PlayOn's only methods for consumers to request an opt-out were a toll-free phone number and an email address. These mechanisms addressed only direct requests from individuals - they did not turn off the data flow from tracking technologies deployed on the websites themselves. A consumer could call the phone number and ask to opt out, but the MetaPixel and other trackers embedded in the GoFan webpage would continue operating regardless. The order states that PlayOn "failed to configure its Digital Properties to recognize and honor Consumers' Requests to opt-out of Sale/Sharing using an Opt-out Preference Signal" throughout the relevant period.

Instead of providing its own opt-out mechanism for tracking-based data sharing, PlayOn directed consumers to opt out directly with third parties through the Network Advertising Initiative (NAI) and the Digital Advertising Alliance (DAA). This approach violated the company's legal responsibility to provide its own method for consumers to exercise their rights, according to the agency's findings.

The privacy policy failures extended further. Before PlayOn revised its privacy policy in February 2024, the policy had not been updated since July 2022 - a violation of the CCPA's requirement to update policies at least once every twelve months. That outdated policy also incorrectly claimed that PlayOn did not sell consumers' personal information and failed to explain consumers' right to opt out of sharing. It did not explain how an opt-out preference signal would be processed or how consumers could use one. The "Your Privacy Choices" link on the site similarly failed to include the required information and directed users to the deficient phone and email opt-out methods described above.

Tom Kemp, Executive Director of the California Privacy Protection Agency, said in connection with the decision: "We are committed to making it as easy as possible for all Californians - from high school students to older adults, and everyone in between - to make the choice of whether they want to be tracked or not." The statement underscores the agency's concern with the population affected. According to a LinkedIn post published by the agency's enforcement team, the board's decision represents the first enforcement action the California Privacy Protection Agency has taken to address privacy violations involving students and California schools.

That framing matters for the marketing and advertising community. The enforcement order specifically notes that notices and disclosures on platforms serving high school event attendees "must be easy to read and understandable to attendees of those events" - language that implicitly acknowledges that the audience likely includes minors. The final order additionally requires PlayOn to comply with California's privacy law provisions prohibiting the selling or sharing of personal information of consumers who are at least 13 and under 16 years old without their affirmative opt-in consent. Students in this age bracket receive heightened protections under the CCPA, and the order makes clear that PlayOn's practices did not adequately account for those protections.

The enforcement action follows a broader pattern of California regulators targeting companies that create friction for consumers exercising privacy rights. The Disney settlement for $2.75 million announced on February 12, 2026 addressed similar failures in opt-out implementation across Disney+ and Hulu. The Healthline settlement for $1.55 million in July 2025 penalized the continuing transmission of user data to advertisers even after users had activated opt-outs. And the $1.4 million Jam City settlement in November 2025 penalized a mobile gaming company for failing to provide any opt-out mechanism across 21 applications, including for minors aged 13 to 16.

The investigation timeline and PlayOn's response

The Enforcement Division opened its investigation into PlayOn's privacy practices in 2024. At some point during the investigation, it received a complaint from a consumer alleging that PlayOn did not allow consumers to opt out of the selling and sharing of personal information through tracking technologies. What followed, according to the order, was notable for how quickly PlayOn acted once it became aware of the problem.

In December 2024 - before hearing from the Enforcement Division - PlayOn made substantial changes to its website, privacy policy, and notice banners. The updated website was configured to recognize and process an opt-out preference signal. The notice banner was revised to present consumers with two clearly labeled choices - "accept" and "reject" - regarding the use of tracking technologies. The privacy policy was substantially rewritten to reflect the company's obligations under the CCPA.

The Enforcement Division acknowledged this voluntary remediation explicitly in the final order: "The Agency recognizes and credits PlayOn's remediation efforts. PlayOn has substantially revised its practices and has committed substantial financial and other resources to remediating the shortcomings identified in this Stipulated Final Order, even before PlayOn learned about the Agency's investigation." This credit did not, however, prevent the imposition of a significant fine. The $1,100,000 penalty must be paid to the California Privacy Protection Agency no later than 30 days after the effective date of the board's decision.

The stipulated final order was signed by Lesley Wainwright, Chief Legal Officer of 2080 Media, Inc., on January 16, 2026. The Enforcement Division signed on the same date, with Deputy Director Michael S. Macko, Senior Privacy Counsel Lisa B. Kim, and attorney Alex D. Berger representing the complainant. The case was handled by Enforcement Division attorneys Lisa Boyoung Kim and Alex Berger, with investigative assistance from research technologist Primal Wijesekera.

What the order requires going forward

Beyond the financial penalty, the stipulated final order imposes a detailed set of ongoing obligations on PlayOn. The company must conduct quarterly scans of its digital properties to maintain a current inventory of all tracking technologies deployed. It must maintain contracts with all third parties that receive access to personal information through those tracking technologies - contracts that must satisfy specific requirements under California Code of Regulations, title 11, section 7053.

Starting January 1, 2026, the company is required to conduct risk assessments under newly effective CCPA regulations. These assessments must cover all processing activities that meet the thresholds set out in Code of Regulations, title 11, section 7150(b), including the sale or sharing of personal information. The assessments must be reviewed by PlayOn's Board of Directors, who must be identified by name and date in the documentation. The order is explicit that PlayOn's risk assessments "shall consider whether it is coercing or compelling Consumers into allowing the processing of their Personal Information" - a direct reference to the ticket-blocking consent banner design that characterized the earlier violations.

Risk assessments under the order must be updated before any material change in processing that creates new negative impacts, increases the likelihood of previously identified harms, or diminishes the effectiveness of existing safeguards. They must be completed within one year of the effective date of the board's decision for current processing activities, and updated at least every three years thereafter, as required by the CCPA.

PlayOn must also post annual privacy metrics on its website for three years, as required by Code of Regulations, title 11, section 7102. The notices and disclosures on its digital properties must be rewritten to be easy to read and understandable to the actual audiences using those services - a requirement that, in the context of a ticketing platform for high school events, implies readability for teenagers. All process and system changes must be implemented within 180 days of the board's decision.

Why this matters for the ad tech community

For marketing professionals, this enforcement action illustrates several technical compliance requirements that have practical implications for how platforms deploy advertising technology. The order confirms that the use of tracking pixels - including Meta's pixel - on a website constitutes the sale or sharing of personal information under the CCPA, even if the company runs minimal paid campaigns. PlayOn ran only one targeted advertising campaign during the entire relevant period, yet the agency found that the mere deployment of such technologies on its properties triggered full CCPA opt-out obligations.

This interpretation has direct implications for publishers and platform operators who use advertising technology for measurement, analytics, or retargeting purposes while believing their exposure is limited because their advertising activity is modest. The CCPA's definition of "sale" and "sharing" is broad enough to capture many standard programmatic advertising practices.

The updated CCPA requirements that took effect January 1, 2026 expand these obligations further, adding new contractual requirements for data transfers and extending sensitive information protections. The PlayOn case offers a concrete example of what deficient practices looked like under the pre-2026 framework - and the order's prospective requirements show what adequate compliance under the current framework entails. The California data broker enforcement action from December 2025 and the series of CCPA settlements by the state Attorney General collectively signal that California regulators across multiple agencies are coordinating enforcement pressure on different segments of the data ecosystem simultaneously.

The involvement of students as a protected class introduces an additional dimension. The BeReal dark pattern complaint filed with French regulators in December 2024 raised similar concerns about consent mechanisms that made it practically impossible to decline tracking - though in that case the enforcement mechanism was GDPR rather than CCPA. The PlayOn case demonstrates that identical design patterns - presenting a single "Agree" button with no alternative - are treated as violations of consent requirements under California law. Companies operating event ticketing, mobile access control, or similar services where the product itself is blocked pending consent should treat the PlayOn order as a significant precedent.

Timeline

Summary

Who: 2080 Media, Inc., doing business as PlayOn Sports (parent company of GoFan, MaxPreps, and the NFHS Network), headquartered in Atlanta, Georgia. The California Privacy Protection Agency Enforcement Division, represented by Deputy Director Michael S. Macko, Senior Privacy Counsel Lisa B. Kim, and attorney Alex D. Berger, brought the action. The board of the California Privacy Protection Agency, chaired by Jennifer M. Urban, issued the final decision.

What: The California Privacy Protection Agency issued a $1,100,000 administrative fine and detailed compliance order against PlayOn Sports for multiple CCPA violations: failing to offer effective opt-out mechanisms for the sale and sharing of personal information through tracking technologies; failing to recognize and honor opt-out preference signals; deploying notice banners that blocked ticket redemption on mobile devices unless users clicked "Agree"; and maintaining an outdated privacy policy that did not inform consumers of their opt-out rights. The order additionally imposes ongoing obligations including quarterly tracking technology audits, annual privacy metrics disclosures for three years, and annual risk assessments reviewed by PlayOn's Board of Directors.

When: The violations occurred between January 1, 2023 and December 31, 2024. The Enforcement Division opened its investigation in 2024. The stipulated final order was signed on January 16, 2026. The board adopted it as its official decision on February 27, 2026, and it became effective immediately.

Where: The case involved PlayOn's digital properties accessible to California consumers, including www.playonsports.com, www.gofan.co, and www.nfhsnetwork.com and their respective mobile applications. PlayOn operates across all 50 U.S. states and has contracted with approximately 1,400 California schools. The proceeding was administered before the California Privacy Protection Agency in Sacramento, California.

Why: PlayOn's tracking technologies - including third-party cookies, persistent trackers, and MetaPixel - collected and shared consumer personal information for advertising purposes without providing consumers a meaningful way to decline. The absence of opt-out preference signal support, the blocking consent banner design, and the failure to maintain a current and accurate privacy policy collectively deprived California consumers, including students, of rights granted under the CCPA. The case is the first enforcement action by the California Privacy Protection Agency specifically addressing privacy violations involving students and California schools.

Share this article
The link has been copied!