Youth Sports Media Company to Pay $1.10 Million Fine in CPPA Enforcement Action

Youth Sports Media Company to Pay $1.10 Million Fine in CPPA Enforcement Action

Blog WilmerHale Privacy and Cybersecurity Law

On March 3, 2026, the California Privacy Protection Agency (CPPA) announced a $1.1 million fine against PlayOn Sports, a youth sports media and technology company that operates the GoFan digital ticketing platform. The CPPA alleged violations of the California Consumer Privacy Act (CCPA) related to PlayOn Sports’ use of online tracking technologies and targeted advertising practices affecting students, parents and school communities throughout California. This marked the first CCPA enforcement action specifically addressing privacy violations involving students and schools.

This latest enforcement action emphasizes themes from previous CCPA settlements as well as highlights future risk areas for companies. Like previous enforcement actions, this settlement focused on an entity’s use of advertising trackers without complying with the CPRA’s opt-out requirements, including alleged failures to honor opt-out preference signals. However, the CPPA also took the position in this enforcement action that an entity is responsible for providing its own opt-outs to consumers related to targeted advertising activities and cannot solely rely on industry-approved opt-out tools as a means of complying with the law. The enforcement action further emphasized the potential compliance issues associated with requiring consumers to “Agree” to tracking technologies as a means of accessing a company’s underlying products and services. Companies should evaluate their data protection practices in light of this enforcement action, especially if they rely on industry opt-outs as a means of complying with the CPRA and/or potentially condition their services on consumers’ acceptance of the use of advertising trackers.

In addition to paying the $1.1 million monetary penalty, PlayOn Sports must implement remedial measures, including the deployment of company‑operated opt‑out mechanisms, recognition of opt‑out preference signals, revisions to privacy notices and consent banners, and the adoption of internal compliance measures designed to ensure ongoing adherence to the CCPA.

In this post, we identify key takeaways from the CPPA’s enforcement action against PlayOn Sports. To stay up to date on California privacy law developments, please subscribe to our Privacy and Cybersecurity Law Blog.

KEY TAKEAWAYS

Student Data Receives Heightened Regulatory Scrutiny

The CPPA’s press release emphasized that students constitute a uniquely vulnerable population whose personal information warrants heightened protection. The agency highlighted specific risks associated with profiling students for targeted advertising, including the creation of long‑term behavioral inferences and exposure to manipulative or harmful content. Although the CCPA is not a student‑specific privacy statute, this decision demonstrates the CPPA’s willingness to apply the law aggressively where data practices disproportionately affect what the agency deems to be a vulnerable population, including students. Companies whose products or services are widely used by students or schools should expect continued scrutiny of their data‑sharing and advertising practices.

Consumers’ Opt‑Out Preference Signals Must Be Honored

Another notable aspect of the order is the CPPA’s emphasis on opt‑out preference signals. The agency found that PlayOn Sports failed to recognize and process consumers’ opt‑out signals, despite CCPA requirements mandating such recognition. This aspect of the decision underscores that technical or implementation failures, particularly those involving automated consumer rights signals, can serve as an independent basis for enforcement even where other opt‑out options appear to be available. Businesses subject to the CCPA should ensure that their digital properties are capable of detecting and honoring opt‑out preference signals consistently across platforms and devices.

Businesses Are Expected to Provide Their Own Opt-Out Mechanisms

The CPPA’s order makes clear that businesses cannot satisfy their CCPA opt‑out obligations by directing consumers to third‑party, industry‑run tools such as those offered by the Network Advertising Initiative or the Digital Advertising Alliance. The CPPA found that PlayOn Sports’ practice of referring users to external opt‑out mechanisms, rather than providing effective, company‑operated functionality, did not meet statutory requirements. The decision underscores that businesses that sell or share personal information for targeted advertising remain directly responsible for offering meaningful and accessible opt‑out controls on their own digital properties, including site‑level mechanisms and recognition of opt‑out preference signals. In other words, reliance on industry frameworks alone does not relieve companies of their independent compliance obligations under the CCPA.

Targeted Advertising Remains a Core Enforcement Priority

Consistent with broader enforcement trends, the CPPA’s action against PlayOn Sports focused on the company’s use of tracking technologies to disclose personal information for targeted advertising purposes. The agency concluded that PlayOn Sports’ deployment of cookies and similar tracking tools resulted in the “sharing” of personal information under the CCPA, thereby triggering statutory obligations related to consumer choice and transparency. The order reinforces that targeted advertising practices, particularly when implemented through ubiquitous tracking technologies, remain a central area of regulatory scrutiny under California privacy law.

Consent Models That Condition Access on Tracking Are Under Heightened Scrutiny

The CPPA also focused on consent models that condition access to paid or essential digital services on acceptance of advertising‑related tracking. As described in the order, PlayOn Sports’ mobile interface required users to click “Agree” to tracking technologies before redeeming digital tickets they had already purchased. The agency concluded that this design eliminated meaningful consumer choice and conflicted with the CCPA’s opt‑out framework, which is intended to allow consumers to exercise their rights without being forced to accept tracking. The decision signals that interface designs presenting consumers with a take‑it‑or‑leave‑it choice between access and privacy present significant compliance risk.

Authors

Related Solutions

Critical industry insight and formidable strength across key practices.
We help companies protect data, comply with evolving regulations, and respond to investigations and litigation.
Guiding leaders in all industries through the evolving legal landscape in sports and gaming, offering strategic solutions to clients’ most sophisticated and novel challenges.

More from this series

Explore the Full Series

Notice

Unless you are an existing client, before communicating with WilmerHale by e-mail (or otherwise), please read the Disclaimer referenced by this link. (The Disclaimer is also accessible from the opening of this website). As noted therein, until you have received from us a written statement that we represent you in a particular manner (an "engagement letter") you should not send to us any confidential information about any such matter. After we have undertaken representation of you concerning a matter, you will be our client, and we may thereafter exchange confidential information freely.

Thank you for your interest in WilmerHale.

I Accept Cancel