CalPrivacy’s $1.1M PlayOn Sports fine: “Agree-to-enter” personal data sharing

California’s privacy regulator (CalPrivacy) isn’t messing around. Any company operating in California needs to know that “agree-only” consent banners and broken opt-out signals are now a seven-figure problem in any UX where users can’t participate unless they surrender privacy.
What you need to know (TL;DR)
- Company involved: 2080 Media, Inc., a Delaware-based company doing business as PlayOn Sports (brands include GoFan, MaxPreps, and the NFHS Network).
- Outcome: $1,100,000 administrative fine and mandatory privacy practice changes.
- Primary reasons for the decision: Users on PlayOn Sports websites were effectively forced to click “Agree” to personal data sharing to use tickets and access services. Privacy-mandated opt-out methods and opt-out preference signals were not properly honored.
- Why it matters: As CalPrivacy says, “Students are a uniquely vulnerable population whose data should be used to enhance their own learning, not to fuel advertising and commercial surveillance.” Companies cannot force anyone, especially vulnerable users, to relinquish privacy in “must-access” experiences such as ticketing, portals, and essential services.
Facts of the CalPrivacy fine and timeline
- Announcement date: March 3, 2026. The decision is dated February 27, 2026.
- Case: ENF24-S-PL-24
- Relevant period: January 1, 2023, to December 31, 2024.
- How this started: In 2024, CalPrivacy’s Enforcement Division opened an investigation into the privacy and data practices of PlayOn Sports after receiving a consumer complaint alleging that PlayOn “did not allow consumers to opt-out of the selling and sharing of personal information through tracking technologies.”
- Pre-investigation remediation: Before learning of the investigation, PlayOn changed banners and updated its systems to recognize and process opt-out preference signals in December 2024.
- Scale in California: More than 1,400 schools contract with PlayOn for activities including attending games, streaming them online, and looking up statistics about teams and players. GoFan is also the California Interscholastic Federation’s (CIF’s) official ticketing platform.
Nationwide, PlayOn Sports’ various brands are used in “9,000 U.S. high schools and streaming over half a million events annually,” according to a November 2025 press release.
What happened
The California Privacy Protection Agency Board issued a decision requiring PlayOn Sports to pay a $1.10 million fine and change its practices. This is also the first CalPrivacy Board decision framed around privacy violations involving students and California schools.
Schools use GoFan for tickets to sports, theater, homecoming, and prom. Because attendees for these events must get tickets from GoFan, regulators noted they are a “captive audience” being coerced to give up their privacy rights.
According to the decision, PlayOn used tracking technologies to collect personal information (PI) and deliver targeted ads. Users were allegedly forced to click “Agree” to personal data sharing without sufficient opt-out paths.
CCPA violation summary: PlayOn Sports
- An “agree-only” consent banner without a clear and working opt-out path is a CCPA violation when personal data is shared with advertisers
- Ticket redemption UX was allegedly blocked unless users clicked “Agree.”
- Opt-out mechanisms were ineffective for online personal data sharing. Users were directed to phone or email, and in some cases pushed to external Network Advertising Initiative (NAI) and Digital Advertising Alliance (DAA) mechanisms, instead of being given a simple opt-out mechanism within the PlayOn Sports website or app.
- Opt-out preference signals (OOPS/GPC-style) were not recognized or honored during the relevant period.
- PlayOn Sports’s websites also violated the CCPA’s prohibition on selling or sharing personal information of consumers who are at least 13 and less than 16 years old without their affirmative opt-in consent.
CCPA violations summary
A) Coercive banner design
CCPA regulations are clear on this point. Any consent mechanism tied to access to services needs to provide a real choice. An organization cannot gate core access behind agreement to tracking.
Violations described in the decision
A key UX banner required users to click “Agree” to access tickets they had already bought and needed to redeem at the door.
For users needing to access core services, there was no other way to proceed without agreeing to tracking.
On mobile, the banner covered the “use/redeem” ticket area, forcing users to click “Agree” to access purchased tickets.
Required compliant approach
- Add a clear reject option, and enforce it technically. There cannot be advertising pixels firing before the user makes a choice.
- Test mobile redemption flows specifically, especially where overlays and webviews can break intended privacy controls.
B) Broken opt-out methods for tracker-based sale/sharing
CCPA expectations are also clear here. Businesses that sell or share personal data must provide at least two methods to opt out. For online services, that includes an opt-out preference signal (OOPS) and another compliant method.
Violations described in the decision
Only toll-free phone and email were offered, and those methods did not effectively address online personal data sharing.
PlayOn’s privacy policy also directed users to opt out through the NAI (Network Advertising Initiative) or the DAA (Digital Advertising Alliance), rather than through a business-controlled opt-out for relevant third-party tracking technologies.
Required compliant approach
The “Do Not Sell/Share” control must actually govern the tracking layer, including tag managers, pixels, and SDKs, not just collect requests.
C) Opt-out preference signals were not honored
CCPA is also direct on this. If a consumer sends an opt-out preference signal, the business must recognize and effectuate it.
Violations described in the decision
PlayOn failed to configure its digital properties to recognize and honor OOPS during the relevant period.
Required compliant approach
Organizations need to treat OOPS as a release gate.
This needs to be verified with regression tests, continuous monitoring, and evidence such as network logs.
D) Weak privacy notices and policy-to-practice drift
CCPA requires a privacy policy to be updated at least every 12 months and to explain opt-out rights, including how OOPS will be processed.
Violations described in the decision
The privacy policy had not been updated within the required cadence and did not accurately reflect the data flows on websites and apps, including claims around selling or sharing and the processing of opt-out rights.
Required compliant approach
- Continuous privacy auditing to check data flows against policies
- Disclosures and actual data processing must match and comply with CCPA
What PlayOn needs to do to stay CCPA compliant
- Pay $1,100,000 within 30 days of the decision date, which was February 27, 2026
- Scan digital properties at least quarterly to maintain a current inventory of tracking technologies and verify that they are compliant
- Maintain compliant contracts with third parties that receive or access personal data
- Configure properties to recognize and fully effectuate opt-outs submitted through OOPS and other required methods
- Within 90 days, review the privacy policy, notices, CMP, and rights mechanisms for compliance
- Conduct risk assessments within one year and update them before material changes. These assessments must include a coercion and compulsion analysis and board-level review.
- Comply with California’s rule prohibiting the selling or sharing of personal data of consumers aged 13 to 15 without affirmative opt-in consent.
With all of that in mind, request a free Privado AI audit of your website to confirm whether you have similar age-related consent, data-sharing, or tracking-control gaps.
What to audit this week: Practical test plan for privacy and engineering teams
Below is a practical checklist you can use to pressure test your opt-in and opt-out workflows.
Step 1: Map your data flows first
Do a data inventory and policy review:
- Confirm your data inventory is durable and reflects the latest release, not a one-time spreadsheet
- Verify your privacy policy was updated within the last 12 months
- Check that the policy explains how opt-out preference signals (OOPS/GPC) are processed
- Flag any policy claims of “no selling/sharing” and validate those claims against live behavior later in the audit
Step 2: Test your consent action matrix
Run all four states and capture evidence for each, including cookies set, network requests, and third-party recipients:
- No action: What fires before any consent interaction?
- Reject all: Does rejection actually suppress pixels, cookies, and requests?
- Accept all: Use this as the baseline to compare against reject
- OOPS/GPC signal on: Does the site acknowledge the signal and suppress sharing?
Step 3: Replicate the entire captive-audience journey end to end
- Browse event → buy ticket → open ticket on mobile → redeem at door
- At each step, confirm that no consent banner blocks a core action unless “Agree” is clicked
- Ensure users have a way to opt out of data sharing before personal data is shared with advertising third parties
- Capture network requests at each stage and confirm reject and OOPS suppress third-party sharing throughout the full journey, not just on the homepage
Step 4: Verify “Do Not Sell/Share” is a technical control
- Confirm opt-out is enforced at the technical layer. If it is just a mailbox that does not govern the tracking layer, it is not a control
- Validate whether opt-outs on websites, apps, and other channels actually opt users out of sharing at the account level, including across devices where relevant
- Cross-reference this against policy claims from Step 1. Do pixels still fire despite a “no selling/sharing” claim?
Step 5: Verify OOPS/GPC readiness
- Confirm that your websites indicate that GPC is honored
- Validate that sharing is actually suppressed when the signal is present
- Keep evidence showing that signal detection and downstream suppression are working as intended
Step 6: Operationalize and document everything
- Export evidence artifacts such as network logs, HAR files, and third-party recipient mapping
- Schedule scans monthly, if not weekly, rather than relying on ad hoc checks, and tie them to release cycles so your tracking inventory stays current
- Because websites change constantly with new trackers and data flows, non-compliant third parties and data processing should be flagged immediately before they affect large numbers of users
- Use evidence for internal sign-off, remediation tracking, and vendor conversations
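The consent action matrix from Steps 2, 5 and 6, as an added example that is not from the decision or from any vendor tool: it takes one HAR capture per consent state and lists the non-essential third parties contacted in states where sharing must be suppressed. The host names, the `FIRST_PARTY` and `ESSENTIAL` lists, and the sample captures are constructed assumptions; real captures would be exported from browser developer tools.

```python
from urllib.parse import urlsplit

# Assumptions for this example: hosts the audited business controls, and
# third parties classified as strictly necessary (here, a payment processor).
FIRST_PARTY = {"tickets.example.test"}
ESSENTIAL = {"pay.example.net"}
MUST_SUPPRESS = ("no_action", "reject_all", "gpc_on")

def third_parties(capture):
    """Non-essential third-party hosts requested in one HAR capture."""
    seen = {urlsplit(e["request"]["url"]).hostname for e in capture["log"]["entries"]}
    return seen - FIRST_PARTY - ESSENTIAL

def gpc_sent(capture):
    """True if any first-party request carried the Sec-GPC: 1 header."""
    for e in capture["log"]["entries"]:
        if urlsplit(e["request"]["url"]).hostname in FIRST_PARTY:
            hdrs = {h["name"].lower(): h["value"] for h in e["request"]["headers"]}
            if hdrs.get("sec-gpc") == "1":
                return True
    return False

def audit(captures):
    """Map each failing state to evidence: the third parties it contacted."""
    findings = {}
    for state in MUST_SUPPRESS:
        leaked = sorted(third_parties(captures[state]))
        if leaked:
            findings[state] = leaked
    # Guard the test setup itself: an empty baseline or a capture taken
    # without the signal would make a clean result meaningless.
    if not third_parties(captures["accept_all"]):
        findings["accept_all_invalid"] = ["baseline shows no third parties"]
    if not gpc_sent(captures["gpc_on"]):
        findings["gpc_on_invalid"] = ["capture did not send Sec-GPC: 1"]
    return findings

def make_har(urls, gpc=False):
    """Build a minimal constructed HAR with only the fields used above."""
    headers = [{"name": "Sec-GPC", "value": "1"}] if gpc else []
    return {"log": {"entries": [{"request": {"url": u, "headers": headers}} for u in urls]}}

SITE = "https://tickets.example.test/redeem"
PAY = "https://pay.example.net/v1/session"
AD = "https://ads.example.org/pixel.gif"
# Constructed sample: the ad pixel fires before any choice and ignores GPC.
SAMPLE = {"accept_all": make_har([SITE, PAY, AD]), "no_action": make_har([SITE, AD]),
          "reject_all": make_har([SITE, PAY]), "gpc_on": make_har([SITE, PAY, AD], gpc=True)}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running the same comparison at each stage of the Step 3 journey (browse, buy, open on mobile, redeem) gives per-stage evidence rather than a homepage-only result.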
How can Privado AI help?
Privado AI produces an evidence-based view of whether your consent and opt-out journeys actually work the way your policy says they do and meet CCPA requirements.
Web Auditor continuously monitors website data flows and verifies that manual and GPC opt-outs actually suppress pixels, cookies, and network requests from advertising third parties. All compliance risks are flagged in real time with evidence for exactly what needs to be fixed. App Auditor extends the same governance to mobile apps.
Privado AI also helps teams produce exportable evidence, including:
- Inventory of third parties receiving personal data
- Inventory of data elements shared by consent action
- Inventory of cookies used by purpose and consent action
- A list of all applicable privacy compliance checks run



