California's privacy regulator continues to target businesses that rely on tracking technologies and use personal information. This week the California Privacy Protection Agency (CalPrivacy) announced a $1.1 million settlement with 2080 Media, Inc. d/b/a PlayOn Sports, the agency's first public action of 2026 that alleges student privacy violations. While the student privacy aspects of the case are novel, the underlying allegations continue the trend of CalPrivacy's focus on cookie banners and opt-out tools.
Alleged CCPA Violations: Cookies Banners, Notices, and Opt-Out Compliance
PlayOn provides its GoFan platform to schools, which use it for high school sports-related activities, including ticket sales, live streaming, and sharing athlete statistics. The GoFan platform is licensed to schools and is the official ticketing platform of California's governing body for high school sports.
According to CalPrivacy, PlayOn used tracking technologies (e.g., cookies/pixels) to collect personal information and engage in the sale of that information through "tracking technologies" on its digital properties. In addition, PlayOn allegedly required users to click "agree" to cookie use before they could use digital tickets or access sites, allegedly without providing a sufficient opt-out path or required disclosures about consumer rights.
The Agreement:
The order outlines alleged compliance concerns that many companies with adtech integrations and California Consumer Privacy Act (CCPA) programs may recognize.
- Inadequate opt-out methods for sale/sharing. CalPrivacy alleged PlayOn did not provide an effective way to opt out of sale/sharing tied to tracking technologies (e.g., allegedly relying on an email and a toll-free number method that do not practically stop online tracking technologies was deemed insufficient)
- Failure to recognize and honor opt-out preference signals (e.g., GPC-like signals). CalPrivacy alleged PlayOn did not configure its website/apps to recognize and honor opt-out preference signals during the relevant period
- Deficient notices and "Your Privacy Choices" implementation. CalPrivacy alleged PlayOn’s privacy policy and opt-out notice mechanisms fell short, particularly around explaining how opt-out preference signals are processed and providing a compliant "Your Privacy Choices" pathway for consumers to opt out of sales/sharing of personal information
Notably, CalPrivacy continues to look at cookie banners. The PlayOn order called attention to the "Agree" banner and the inability to reject cookies but did not use the term "dark pattern" or point to the lack of "equal or symmetrical choice." CalPrivacy instead discussed the alleged lack of end-to-end opt-out functionality and notice deficiencies.
The Fixes:
The order requires a set of operational controls that go beyond simply “adding a link” or adding new disclosure language:
- Quarterly tracker scans and inventory. PlayOn must scan its digital properties at least quarterly to maintain a full and current inventory of tracking technologies
- Opt-out implementation (including preference signals). PlayOn must give full effect to opt-out requests submitted via opt-out preference signals and other required methods
- Contracts. PlayOn must maintain compliant contracts with third parties that receive or access personal information obtained via tracking technologies
- Risk assessments. The Order points directly to California's risk assessment framework that applies to selling/sharing, requiring assessments for at least 3 years and afterward, as required by the CCPA
- Plain-language notices. The Order requires notices/disclosures to be easy to read and understandable, considering the age of the intended audience, with updates to be made within 90 days. The Order specifically called out platforms targeting a high school audience needing to have disclosures for that age group
Practical CCPA Compliance Takeaways for Your Business
The PlayOn settlement reinforces a few themes that California regulators keep returning to:
- Know what's happening on your digital properties. Failure to account for what partners you work with, how their services impact legal requirements, and how you are meeting your compliance requirements (even for one-time tests) can create liability
- Clear, complete, and consistent privacy notices. If you sell/share personal information, including digital advertising, make your disclosures clear and easy to read (e.g., your banner, policy, and links), so consumers can understand what's happening and how to exercise rights
- Opt-out methods must work. Implement opt-outs so they stop all sale/sharing activity you manage. CalPrivacy is looking for proof opt-outs are happening, not just looking for compliant language written in a policy
- Honor opt-out preference signals (including GPC-like signals) end to end. California regulators continue to emphasize that opt-out preference signals are not optional and that incomplete implementations can be viewed as failures to effectuate opt-outs
If you have questions about these enforcement trends and related developments, please reach out to Venable's Privacy and Data Security Group for assistance.