March 27, 2026

Lessons From CalPrivacy PlayOn Order

LinkedIn Facebook X Send Embed

CalPrivacy is continuing its focus on digital tracking. In its settlement with PlayOn Sports, there are several hints about CalPrivacy’s concerns. Beyond the $1.1 million civil penalty, the settlement provides many lessons.

PlayOn is a popular digital ticketing platform for high schools and teen sports. Used primarily for sporting events, PlayOn also provides a ticketing platform for other school events, like dances and musicals. The platform provides all-in-one services, so schools can also stream, fundraise, offer concessions, or sell merchandise.

The investigation began after a customer complaint. According to CalPrivacy, from January 1, 2023 to December 31, 2024 PlayOn used tracking tools that sold personal information to third parties, without giving consumers the ability to opt-out. Specifically, CalPrivacy stated that during that time frame, the company ran one targeted advertising campaign, through which tracking tools were used that resulted in the sale of personal information.

Before CalPrivacy contacted PlayOn, the company changed its privacy policy and opt-out processes. As CalPrivacy pointed out in the settlement, originally, while the company had a cookie notice banner, it did not have parity of choice between opting in and out. While there was an “Agree” option, there was no “Reject” option. It modified the banner to provide both an “accept” and “reject” option. That banner, CalPrivacy noted, had previously also been above the purchase link, meaning that someone would have to agree in order to get to the purchase link. Additionally, according to CalPrivacy, the privacy policy posted during the time frame in question had not been updated since 2022, and stated that the company did not sell personal information and did not explain how to opt-out. CalPrivacy raised other concerns, including the failure to recognize GPC signals, all of which the company had revised by the end of the time frame in question.

CalPrivacy’s concerns were thus limited to the narrow time frame. Nevertheless, emphasizing that this is its first decision that addresses “ privacy violations involving students and California schools,” it imposed a significant fine along with having the company agree to several measures. These included scanning digital properties at least quarterly and ensuring that if the company sells personal information, and having a link on its websites and apps that lets people properly opt out. Also, as part of CCPA-required risk assessments, considering whether consumers could be viewed as being “coerced” into providing personal information. The risk assessments also need to list the names of board members who reviewed the assessments, and the dates of their review.

Putting it into Practice: This order is a reminder that CalPrivacy is looking closely at passive tracking and sharing. Be thoughtful about whether you have digital advertising campaigns that involve data sales. If so, are your opt-out processes working as they should? Could portions of your flow be subject to allegations that they are coercive? This decision reflects a broader trend, as we have previously written about.

Send Print Report

Related Posts

• Should CCPA Set a Cookie Banner Standard in Private Cases?

Latest Posts

• EAD/TPS Work Authorization: What Employers Need to Know
• Lessons From CalPrivacy PlayOn Order
• Executive Order Directs Agencies to Revisit Mortgage Rules
• South Dakota Enacts Licensing Framework for Virtual Currency Kiosks See more »

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
Attorney Advertising.

©
Sheppard, Mullin, Richter & Hampton LLP
2026

Written by:

Sheppard, Mullin, Richter & Hampton LLP Contact + Follow Kathryn Smith + Follow Liisa Thomas + Follow

PUBLISH YOUR CONTENT ON JD SUPRA

• ✔ Increased readership
• ✔ Actionable analytics
• ✔ Ongoing writing guidance Join more than 70,000 authors publishing their insights on JD Supra

Start Publishing »

Published In:

California Consumer Privacy Act (CCPA) + Follow California Privacy Protection Agency (CPPA) + Follow Cookies + Follow Educational Institutions + Follow Enforcement Actions + Follow Event Tickets + Follow Opt-Outs + Follow Personal Information + Follow State Privacy Laws + Follow Targeted Digital Advertising + Follow Web Tracking + Follow Communications & Media + Follow Consumer Protection + Follow Education + Follow Privacy + Follow Science, Computers & Technology + Follow more

Sheppard, Mullin, Richter & Hampton LLP on:

Solve with 2Captcha

Solve with 2Captcha