Enforcement | March 29, 2026 | 9 min read

CalPrivacy Fines PlayOn Sports $1.1M: 5 CCPA Compliance Lessons From the Student Privacy Case

What Happened

On March 3, 2026, the California Privacy Protection Agency (CalPrivacy) announced a $1.10 million fine against 2080 Media, Inc., doing business as PlayOn Sports, for violations of the California Consumer Privacy Act (CCPA). This marks CalPrivacy's first enforcement action specifically addressing privacy violations involving students and schools.

PlayOn operates GoFan, a digital ticketing platform used by approximately 1,400 California schools for sporting events, concerts, and other school activities. The enforcement action found that PlayOn used tracking technologies to serve targeted advertisements to ticketholders — including students — without providing a legally compliant opt-out mechanism.

The Violations in Detail

Forced tracking consent

PlayOn required users to click "agree" to tracking before they could access or present their digital tickets. Since students needed their tickets to enter school events, this created a coercive dynamic where declining tracking meant being unable to use tickets they had already purchased.

Inadequate opt-out mechanism

Rather than building its own opt-out mechanism, PlayOn directed users to third-party advertising industry tools (Digital Advertising Alliance and Network Advertising Initiative opt-out pages). CalPrivacy determined this was insufficient — the CCPA requires businesses to provide their own, easily accessible opt-out mechanism.

Student data used for targeted advertising

PlayOn collected personal information from student ticketholders and used it for targeted advertising purposes. Under the CCPA, the sale or sharing of personal information of consumers under age 16 requires prior opt-in consent — not merely the absence of an opt-out.

Failure to honor opt-out preference signals

PlayOn did not recognize or honor browser-based opt-out preference signals such as Global Privacy Control (GPC). California law requires businesses to treat GPC signals as valid consumer requests to opt out of data sale and sharing. Our GPC Compliance Checker can help you assess your obligations.

CalPrivacy Enforcement Is Escalating

The PlayOn Sports case is part of an unmistakable pattern of escalating enforcement by California privacy regulators. Here is how recent actions compare:

| Company | Fine | Date | Key Violation |
|---|---|---|---|
| Tractor Supply Company | $1.35M | Sep 2025 | Failure to honor opt-out; privacy notice deficiencies |
| Jam City | $1.4M | Nov 2025 | No opt-out in 20 of 21 apps; selling minor data without consent |
| Disney (streaming) | $2.75M | Feb 2026 | Opt-out not honored across linked streaming services |
| Ford Motor Company | $375K | Mar 2026 | Email verification barrier for opt-out requests |
| PlayOn Sports | $1.1M | Mar 2026 | Student tracking without opt-out; forced consent |

The trend is clear: CalPrivacy is issuing larger fines, moving faster, and targeting a wider range of industries. For the complete list of enforcement actions, visit our Penalties & Fines Tracker.

5 Compliance Lessons for Every Business

Lesson 1: You must provide your own opt-out mechanism

Directing consumers to third-party industry opt-out tools (like the DAA AdChoices page or NAI Consumer Opt Out) does not satisfy the CCPA. Your business must provide its own accessible, functional opt-out mechanism on your website or in your app. This can be a "Do Not Sell or Share My Personal Information" link, a preference center, or another mechanism — but it must be yours and it must work.

Lesson 2: Minor and student data demands extra care

If your platform serves minors aged 13 to 15, the CCPA requires affirmative opt-in consent before you can sell or share their personal information. For children under 13, parental consent is required. The PlayOn case shows that platforms used by schools cannot treat student data the same as adult consumer data. If your business might collect data from minors, review our COPPA Compliance Guide alongside your CCPA obligations.

Lesson 3: "Agree to tracking" is not valid consent for data sale

Bundling tracking consent into a condition of service use — especially when consumers have no real alternative — does not constitute valid consent under the CCPA. CalPrivacy explicitly flagged that requiring users to agree to tracking before accessing purchased tickets was coercive. If your service conditions access on tracking acceptance, restructure your consent flows immediately.

Lesson 4: Opt-out preference signals must be honored

Global Privacy Control (GPC) and other opt-out preference signals are not optional in California. The CCPA and CPRA regulations require businesses to treat these signals as valid consumer opt-out requests. If your website does not detect and honor GPC, you are non-compliant. This requirement also exists in Colorado, Connecticut, Montana, and Delaware.

Lesson 5: B2B2C platforms cannot hide behind institutional contracts

PlayOn's relationship was primarily with schools (B2B), but the end users — students and parents — are consumers with CCPA rights. CalPrivacy's enforcement makes clear that platforms serving consumers through institutional intermediaries still bear direct CCPA obligations to those consumers. SaaS companies, EdTech platforms, and other B2B2C businesses take note: your institutional client's contract does not shield you from consumer privacy law.

What Your Business Should Do Now

  1. Audit your opt-out mechanism. Verify it works, is easily accessible, and processes requests within 15 business days. Do not rely solely on third-party opt-out tools.
  2. Implement GPC detection. If your website has not already implemented Global Privacy Control signal detection and honoring, do it now. Check your compliance with our GPC Compliance Checker.
  3. Review age-gating procedures. If any of your users might be under 16, implement an age verification or estimation process and obtain opt-in consent before selling or sharing their data.
  4. Decouple tracking from service access. Never condition access to a purchased service or product on accepting tracking. Offer a tracking-free experience as the default.
  5. Use our Privacy Law Calculator to determine which state privacy laws apply to your business — CalPrivacy's enforcement approach is now being mirrored by other state regulators.
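Steps 2 through 4 above, as an added sketch (not code from PlayOn, CalPrivacy, or PrivacyLawMap): a server-side decision that honors the `Sec-GPC: 1` request header, requires opt-in before sharing data of users under 16, and keeps ticket delivery independent of the tracking decision. The function names and user-record fields are hypothetical; letting a GPC signal override everything else and refusing to share when age is unknown are conservative assumptions.

```javascript
"use strict";
// Added example; all function and field names are hypothetical.

// Browsers with Global Privacy Control enabled send "Sec-GPC: 1".
// Header names are assumed lowercased, as Node's http module delivers them.
function hasGpcSignal(headers) {
  return String(headers["sec-gpc"] ?? "").trim() === "1";
}

// Decide whether this user's personal information may be sold or shared.
//   user.age             number, or null/undefined when unknown
//   user.optedOut        opt-out recorded via the business's own mechanism
//   user.optInConsent    affirmative opt-in from a user aged 13 to 15
//   user.parentalConsent parental consent for a child under 13
function maySellOrShare(headers, user) {
  // Assumption: a GPC signal or a stored opt-out always wins.
  if (hasGpcSignal(headers)) return { allowed: false, reason: "gpc-signal" };
  if (user.optedOut) return { allowed: false, reason: "opted-out" };
  // Assumption: unknown age cannot be cleared for sharing.
  if (user.age == null) return { allowed: false, reason: "age-unknown" };
  if (user.age < 13) {
    return user.parentalConsent === true
      ? { allowed: true, reason: "parental-consent" }
      : { allowed: false, reason: "no-parental-consent" };
  }
  if (user.age < 16) {
    return user.optInConsent === true
      ? { allowed: true, reason: "minor-opt-in" }
      : { allowed: false, reason: "minor-no-opt-in" };
  }
  return { allowed: true, reason: "no-opt-out" };
}

// The ticket is always returned; only the ad-tracking flag varies.
function buildTicketResponse(headers, user, ticket) {
  const decision = maySellOrShare(headers, user);
  return { ticket, loadAdTrackers: decision.allowed, reason: decision.reason };
}

// Constructed sample: a 15-year-old who never opted in, no GPC header.
const sample = buildTicketResponse({}, { age: 15 }, { id: "TICKET-EXAMPLE" });
console.log(sample);
```

The response always carries the ticket, so declining tracking never blocks entry; only `loadAdTrackers` changes.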

Frequently Asked Questions

Can CalPrivacy fine any business or only large companies?

CalPrivacy can investigate and fine any business subject to the CCPA, regardless of size. The CCPA applies to for-profit businesses that operate in California and meet any one of three thresholds: annual gross revenue over $25 million, buying/selling personal information of 100,000+ consumers, or deriving 50% or more of annual revenue from selling personal information. Use our Privacy Law Calculator to check.

What is the maximum CCPA fine per violation?

The CCPA allows penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation. When multiplied across thousands of consumers, these per-violation penalties can add up to millions — as the PlayOn, Disney, and Tractor Supply cases demonstrate. Our penalties and fines guide covers the full picture.

Does this ruling affect EdTech companies?

Yes. While the PlayOn case specifically involved a ticketing platform, the principles apply broadly to any technology company that serves students or schools. EdTech companies that collect student data and use it for advertising or share it with third parties face similar enforcement risk. This is compounded by the updated COPPA Rule (enforcement deadline April 22, 2026) which adds federal requirements on top of state law.

Is the CCPA the only law CalPrivacy enforces?

CalPrivacy's primary jurisdiction is the CCPA/CPRA and the California Delete Act (SB 362). However, the California Attorney General also has authority to enforce these laws and has been active in doing so — the $2.75 million Disney settlement was an AG action, not CalPrivacy. For businesses subject to the Delete Act, see our California Delete Act compliance guide.

Last updated: March 29, 2026.

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.