[co-author: Melda Gurakar]
On March 3, 2026, the California Privacy Protection Agency (CPPA) introduced a $1.1 million positive towards PlayOn Sports, a youth sports activities media and know-how firm that operates the GoFan digital ticketing platform. The CPPA alleged violations of the California Consumer Privacy Act (CCPA) associated to PlayOn Sports’ use of on-line monitoring applied sciences and focused promoting practices affecting college students, dad and mom and college communities all through California. This marked the primary CCPA enforcement motion particularly addressing privateness violations involving college students and faculties.
This newest enforcement motion emphasizes themes from earlier CCPA settlements in addition to highlights future danger areas for firms. Like earlier enforcement actions, this settlement centered on an entity’s use of promoting trackers with out complying with the CPRA’s opt-out necessities, together with alleged failures to honor opt-out choice alerts. However, the CPPA additionally took the place in this enforcement motion that an entity is accountable for offering its personal opt-outs to customers associated to focused promoting actions and can’t solely depend on industry-approved opt-out instruments as a method of complying with the legislation. The enforcement motion additional emphasised the potential compliance points related to requiring customers to “Agree” to monitoring applied sciences as a method of accessing an organization’s underlying services. Companies ought to consider their knowledge safety practices in mild of this enforcement motion, particularly in the event that they depend on {industry} opt-outs as a method of complying with the CPRA and/or doubtlessly situation their providers on customers’ acceptance of using promoting trackers.
In addition to paying the $1.1 million financial penalty, PlayOn Sports should implement remedial measures, together with the deployment of firm‑operated choose‑out mechanisms, recognition of choose‑out choice alerts, revisions to privateness notices and consent banners, and the adoption of inner compliance measures designed to guarantee ongoing adherence to the CCPA.
In this put up, we determine key takeaways from the CPPA’s enforcement motion towards PlayOn Sports.
KEY TAKEAWAYS
Student Data Receives Heightened Regulatory Scrutiny
The CPPA’s press launch emphasised that college students represent a uniquely weak inhabitants whose private data warrants heightened safety. The company highlighted particular dangers related to profiling college students for focused promoting, together with the creation of lengthy‑time period behavioral inferences and publicity to manipulative or dangerous content material. Although the CCPA just isn’t a pupil‑particular privateness statute, this resolution demonstrates the CPPA’s willingness to apply the legislation aggressively the place knowledge practices disproportionately have an effect on what the company deems to be a weak inhabitants, together with college students. Companies whose services or products are extensively utilized by college students or faculties ought to count on continued scrutiny of their knowledge‑sharing and promoting practices.
Consumers’ Opt‑Out Preference Signals Must Be Honored
Another notable side of the order is the CPPA’s emphasis on choose‑out choice alerts. The company discovered that PlayOn Sports failed to acknowledge and course of customers’ choose‑out alerts, regardless of CCPA necessities mandating such recognition. This side of the choice underscores that technical or implementation failures, notably these involving automated client rights alerts, can function an unbiased foundation for enforcement even the place different choose‑out choices seem to be accessible. Businesses topic to the CCPA ought to be sure that their digital properties are able to detecting and honoring choose‑out choice alerts persistently throughout platforms and gadgets.
Businesses Are Expected to Provide Their Own Opt-Out Mechanisms
The CPPA’s order makes clear that companies can not fulfill their CCPA choose‑out obligations by directing customers to third‑get together, {industry}‑run instruments comparable to these provided by the Network Advertising Initiative or the Digital Advertising Alliance. The CPPA discovered that PlayOn Sports’ follow of referring customers to exterior choose‑out mechanisms, relatively than offering efficient, firm‑operated performance, didn’t meet statutory necessities. The resolution underscores that companies that promote or share private data for focused promoting stay instantly accountable for providing significant and accessible choose‑out controls on their very own digital properties, together with web site‑stage mechanisms and recognition of choose‑out choice alerts. In different phrases, reliance on {industry} frameworks alone doesn’t relieve firms of their unbiased compliance obligations underneath the CCPA.
Targeted Advertising Remains a Core Enforcement Priority
Consistent with broader enforcement developments, the CPPA’s motion towards PlayOn Sports centered on the corporate’s use of monitoring applied sciences to disclose private data for focused promoting functions. The company concluded that PlayOn Sports’ deployment of cookies and related monitoring instruments resulted in the “sharing” of private data underneath the CCPA, thereby triggering statutory obligations associated to client selection and transparency. The order reinforces that focused promoting practices, notably when carried out by means of ubiquitous monitoring applied sciences, stay a central space of regulatory scrutiny underneath California privateness legislation.
Consent Models That Condition Access on Tracking Are Under Heightened Scrutiny
The CPPA additionally centered on consent fashions that situation entry to paid or important digital providers on acceptance of promoting‑associated monitoring. As described in the order, PlayOn Sports’ cellular interface required customers to click on “Agree” to monitoring applied sciences earlier than redeeming digital tickets they’d already bought. The company concluded that this design eradicated significant client selection and conflicted with the CCPA’s choose‑out framework, which is meant to enable customers to train their rights with out being compelled to settle for monitoring. The resolution alerts that interface designs presenting customers with a take‑it‑or‑go away‑it selection between entry and privateness current vital compliance danger.