On March 3, 2026, the California Privacy Protection Agency (CalPrivacy) announced a settlement with PlayOn Sports (formerly 2080 Media, Inc.), imposing a $1.1 million administrative fine and sweeping compliance obligations. Reached in January, the settlement marks a significant escalation in state privacy enforcement and is the first CalPrivacy action to address privacy violations involving students and California schools. The enforcement is particularly notable because it targets a platform whose services are inherently associated with children, students, and families.
The PlayOn matter underscores how state regulators are increasingly scrutinizing privacy practices in environments where minors are not incidental users, but the core audience. Viewed alongside prior federal and state enforcement actions, the case offers important lessons about consent design, tracking technologies, and the growing convergence between children’s privacy principles and broader consumer‑privacy regimes.
The PlayOn Case: What Happened
PlayOn Sports operates digital ticketing and media platforms for high school athletics and activities, including GoFan, MaxPreps, and the NFHS Network. The company describes itself as the leading media and technology provider in high school sports and reports having sold more than 30 million tickets nationwide. In California alone, approximately 1,400 schools contract with PlayOn, and the company serves as the official ticketing partner for 80% of state athletic associations, including the California Interscholastic Federation (CIF).
Following an investigation covering the period from January 1, 2023, through December 31, 2024, CalPrivacy identified multiple violations of the California Consumer Privacy Act (CCPA).
Key Findings
Failure to Honor Opt‑Out Requests
PlayOn deployed first‑ and third‑party cookies, persistent identifiers, and similar tracking technologies to collect personal information for advertising purposes, and sold or shared that data with advertising, social media, and analytics partners. Yet its opt‑out mechanisms—a toll‑free phone number and an email address—were functionally disconnected from the actual data flows created by tracking technologies. CalPrivacy further faulted PlayOn for directing consumers to opt out through industry self‑regulatory programs (such as the Network Advertising Initiative and Digital Advertising Alliance) instead of providing its own compliant opt‑out mechanism.
Failure to Recognize Global Privacy Controls
PlayOn did not configure its digital properties to recognize or honor Global Privacy Control (GPC) signals, which allow consumers to broadcast a universal “do not sell or share” preference across websites.
Deficient Privacy Notices
Until February 2024, PlayOn’s privacy policy had not been updated since July 2022. During that period, the policy incorrectly stated that the company did not sell personal information and failed to disclose consumers’ right to opt out of sharing.
Coercive Consent Practices
Most notably, PlayOn’s cookie banners required users to click “Agree” to accept tracking technologies, with no option to decline or dismiss the banner. On mobile devices, the banner obscured the portion of the screen needed to access or redeem purchased tickets, effectively forcing users to consent in order to use services they had already paid for.
Settlement Obligations
Beyond the monetary penalty, the settlement requires PlayOn to implement robust compliance measures, including:
- Ongoing privacy risk assessments reviewed by its Board of Directors
- User notices that are “easy to read and understandable,” explicitly accounting for the age of the intended audience
- Annual public reporting of consumer privacy‑request metrics
Why Children’s Privacy Matters Here
The PlayOn enforcement is particularly significant because of who uses the service. High school sporting events, performances, and activities are attended primarily by students and their families. As CalPrivacy emphasized, privacy notices and disclosures on services selling tickets to high school events must be understandable to those attendees.
This focus on the intended and actual audience reflects a central principle of children’s privacy enforcement: companies cannot rely on formal characterizations of their services while ignoring the realities of use. Like COPPA before it, the CCPA provides heightened protections for minors, including restrictions on selling or sharing personal information of consumers under 16 without affirmative consent—and parental consent for children under 13.
Comparison to Prior Enforcement Involving Children
While PlayOn was enforced under state law, it fits squarely within a broader enforcement tradition historically dominated by the FTC’s application of COPPA. Comparing PlayOn to earlier cases reveals both continuity and evolution.
| Company |
Year |
Penalty |
Primary Violations |
Key Context |
| PlayOn Sports |
2026 |
$1.1M |
CCPA: opt‑out failures, no GPC recognition, deficient notices, coercive consent |
High school ticketing platform |
| TikTok / ByteDance |
2024– |
Pending |
COPPA: collecting children’s data without parental consent |
Social media platform |
| Disney |
2025 |
$10M |
COPPA: mislabeling child‑directed content |
Child‑directed media |
| Tilting Point (SpongeBob) |
2024 |
$500K |
COPPA & CCPA: children’s data collection |
Mobile game |
| Epic Games (Fortnite) |
2022 |
$520M |
COPPA: default settings, parental controls; dark patterns |
Child‑heavy gaming |
| Microsoft (Xbox) |
2023 |
$20M |
COPPA: account creation data; retention of children’s data |
Gaming platform |
| Google / YouTube |
2019 |
$170M |
COPPA: behavioral advertising |
Child‑directed channels |
| Musical.ly |
2019 |
$5.7M |
COPPA: under‑13 data collection |
Social media |
| Playdom |
2011 |
$3M |
COPPA: virtual worlds |
Children’s platforms |
Common Enforcement Themes
Several patterns recur across these cases:
Knowledge of the Audience
Regulators consistently emphasize what companies knew—or should have known—about their users. In Musical.ly, the FTC highlighted internal awareness of under‑13 users. In YouTube, enforcement turned on hosting large volumes of child‑directed content. In PlayOn, the nature of the service itself made the presence of minors self‑evident.
Tracking and Advertising Technologies
Many cases involve the use of persistent identifiers for advertising. PlayOn’s use of Meta Pixel mirrors earlier enforcement involving Yelp, TinyCo, LAI Systems, Retro Dreamer, and Google/YouTube.
Inadequate or Illusory Consent
From Hershey’s unverified parental‑consent forms to PlayOn’s forced “Agree” banners, regulators have repeatedly rejected consent mechanisms that are nominal rather than meaningful.
Dark Patterns and Manipulative Design
Design choices that steer users toward privacy‑intrusive outcomes increasingly attract scrutiny. PlayOn’s banner that blocked ticket redemption unless users consented to tracking exemplifies the type of coercive design regulators now openly condemn.
Evolution of Enforcement
Children’s privacy enforcement has evolved in scope and sophistication:
- Early COPPA Cases (2001–2003): Focused on basic notice and consent failures, with modest penalties.
- Mobile App Era (2011–2016): Addressed persistent identifiers and third‑party SDKs in mobile environments.
- Platform‑Scale Enforcement (2019–present): Produced record penalties against global platforms.
- State‑Level Expansion: The PlayOn case illustrates how states—particularly California—are now independently enforcing children‑adjacent privacy protections with increasing rigor.
Lessons for Businesses
The PlayOn case reinforces several critical lessons:
- Know Your Audience. If children or families are a foreseeable user base, privacy design must reflect that reality.
- Implement Real Opt‑Outs. Opt‑out mechanisms must actually stop data flows, including those driven by tracking technologies.
- Avoid Coercive Design. Consent must be freely given, not extracted through obstructive interfaces.
- Keep Privacy Policies Current. Outdated or inaccurate disclosures remain a core enforcement trigger.
- Take Risk Assessments Seriously. The CCPA’s emerging risk‑assessment framework is now an enforcement tool, not a theoretical exercise.
Looking Ahead
The PlayOn enforcement signals that children’s privacy is no longer confined to COPPA. State regulators are now applying consumer privacy laws with a children‑centric lens, particularly where services are intertwined with schools, youth activities, or family life.
For companies operating in education, gaming, media, events, or social platforms, the message is unmistakable: privacy compliance follows actual use, not marketing labels. Regulators will look past formal categorizations to assess who is really using a service—and whether their privacy has been respected.
[View source.]
