CalPrivacy Fines PlayOn Sports $1.1M for CCPA Opt-Out and Notice Violations
Highlights
- The California Privacy Protection Agency (CalPrivacy) fined digital ticketing platform PlayOn Sports $1.1 million for failure to offer consumers appropriate mechanisms to opt out of sale and sharing of personal information through tracking technologies in violations of the California Consumer Privacy Act (CCPA).
- The Stipulated Final Order emphasized that phone and email opt-out methods alone are insufficient when a business uses digital tracking technologies. It also noted that directing consumers to third-party opt-out tools such as the Network Advertising Initiative and Digital Advertising Alliance does not satisfy legal obligations.
- This is CalPrivacy's fourth CCPA enforcement action overall. PlayOn was fined despite recognition that it had already begun significant remediation efforts before learning about the agency's investigation.
The California Privacy Protection Agency (CalPrivacy) adopted a Stipulated Final Order (the Order) against 2080 Media Inc., d/b/a PlayOn Sports, on February 27, 2026, addressing allegations that the digital ticketing platform for high school events failed to provide an adequate mechanism for consumers to opt out of disclosures through online tracking technologies in violation of the California Consumer Privacy Act (CCPA).
Background
PlayOn Sports is a media and technology company headquartered in Atlanta that operates digital platforms serving high school sports and events in all 50 states and has sold more than 30 million tickets to high school events nationwide. Its subsidiaries – GoFan, MaxPreps and NFHS Network – provide ticketing, streaming, fundraising and other services to schools and youth sports organizations. PlayOn's GoFan ticketing platform is used by approximately 1,400 schools in California and is the official ticketing partner for the California Interscholastic Federation.
The CPPA's Enforcement Division opened its investigation into PlayOn in 2024 and also received a consumer complaint alleging that PlayOn failed to provide individuals with the ability to opt out of disclosures of their personal information through tracking technologies.
Identified Violations of Law
The Order identifies the following alleged violations occurring between January 1, 2023, and December 31, 2024.
Failure to Provide an Effective Opt-Out Method
PlayOn's digital properties collected personal information using first- and third-party cookies, persistent trackers and similar tracking technologies (such as MetaPixel) for advertising purposes. This activity constituted "sale" and "sharing" of personal information under the CCPA.
PlayOn's only identified methods for submitting requests to opt out of sale or sharing were through a toll-free phone number and email address, but a request submitted through these methods could not, technically, result in changes to the disclosure of personal information through website tracking technologies. Additionally, PlayOn's privacy policy instructed consumers to opt out directly with third parties via the Network Advertising Initiative (NAI) and Digital Advertising Alliance (DAA), which did not satisfy the company's own obligations under the CCPA.
Compounding the problem, PlayOn Sports deployed cookie banners, but these banners presented website users with only one option: to "Agree" to the use of tracking technologies. On mobile devices, the notice banner covered the portion of the screen that allowed consumers to use or redeem their tickets, effectively forcing consumers to click "Agree" in order to access the tickets they had already purchased.
Failure to Honor Opt-Out Preference Signals
PlayOn Sports failed to configure its digital properties to recognize and honor consumers' requests to opt out of sale or sharing submitted through an Opt-Out Preference Signal (such as Global Privacy Control).
Privacy Notice Deficiencies
Before revising its privacy policy in February 2024, PlayOn Sports' policy had not been updated since July 2022 – exceeding the required annual update. The policy failed to inform consumers of their right to opt out of the sharing of personal information, incorrectly claimed PlayOn did not sell consumers' personal information and did not explain how to exercise opt-out rights, including through the use of Opt-Out Preference Signals. PlayOn's "Your Privacy Choices" link similarly failed to include all information required in a Notice of Right to Opt Out of Sale/Sharing. PlayOn, therefore, sold or shared personal information collected during the period it did not have an adequate Notice of Right to Opt Out of Sale/Sharing.
Consequences for PlayOn
PlayOn Sports is required to pay an administrative fine of $1.1 million. It is also required to adopt compliant methods for giving "full effect" to consumer requests to opt out of "sale" and "sharing." In addition, PlayOn Sports agreed to the following remedial measures, among others:
- conducting quarterly scans of digital properties to maintain a full and current inventory of tracking technologies
- conducting risk assessments regarding the "sale" or "sharing" of personal information, reviewed by its board of directors; the risk assessments must specifically address whether consumers are required to consent to the selling or sharing of their personal information in order to participate in certain events
- posting metrics about the number of consumer rights requests received and complied with annually for at least three years; these metrics are otherwise required from companies that collect personal information for commercial purposes from more than 10 million California residents
- maintaining CCPA-compliant contracts with all third parties that receive or have access to personal information through tracking technologies on its digital properties
Implications
The Order once again highlights the need for all businesses subject to the CCPA to review their privacy notices and implement controls around website tracking technologies – not just Big Tech or the largest industry players. These controls are publicly visible and easily tested by CalPrivacy and other regulators. The Order also demonstrates the agency's expectation that compliance should include periodic website scans to identify and document tracking technologies, as well as risk assessments evaluating their use. Risk assessments have been required under CalPrivacy regulations since January 1, 2026, for any new "selling" or "sharing," and regulators are increasingly likely to expect them from companies that deploy tracking technologies on digital properties.
For more information or questions about how this may impact your business, please contact a member of Holland & Knight's Data Strategy, Security & Privacy Team.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.