If you want a clean, modern example of what the CPPA is actually enforcing under CCPA, read the PlayOn Sports order.
On March 3, 2026, CalPrivacy (the CPPA’s public-facing name) announced a $1.10 million fine and a list of mandatory changes tied to PlayOn’s GoFan platform. If you have ever shipped a “click agree to continue” pop-up, buried an opt-out behind an industry website, or ignored opt-out preference signals, this one is uncomfortably relevant.
The headline is not “student privacy” (although that matters). The headline is: forced consent and pretend opt-outs are now expensive in California.
What PlayOn (allegedly) did wrong
Based on the CPPA’s press release and the Board’s decision, PlayOn used tracking technologies for targeted advertising and pushed users into agreeing before they could use digital tickets or view sites. The key facts regulators highlighted:
- “Agree” wall. A pop-up prompted users to accept the privacy policy and blocked the screen so you could not proceed without clicking. That is the definition of coercive choice architecture.
- No real opt-out method. PlayOn allegedly directed Californians to opt out via the Network Advertising Initiative (NAI) and Digital Advertising Alliance (DAA) instead of providing its own CCPA-required opt-out method.
- Ignored opt-out preference signals. The CPPA called out failure to recognize preference signals, which is what they say when a business ignores signals like Global Privacy Control.
- Insufficient notice. Their disclosures were not good enough. This is the boring part that still gets people fined.
That is a pretty standard enforcement recipe now. It is the same theme we keep seeing: the CPPA does not care that a link exists somewhere. They care whether a normal person can exercise their rights without getting bullied, tricked, or routed to a third party.
The part most businesses are missing: “captive audiences”
This case is going to get cited for one phrase from the agency: captive audiences.
Think about what made this situation feel different. GoFan was used to access tickets for school events. You show the ticket at the door. You cannot show the ticket unless you go through the platform. And you cannot go through the platform unless you agree to being tracked for ads (according to the order summary).
That is not “choice.” That is a paywall, but the currency is personal data.
Now take that idea and look at your business:
- Is your login flow blocked by “accept marketing cookies”?
- Is checkout blocked until the customer agrees to “sharing for personalized offers”?
- Do you route users to an ad industry opt-out page and call it compliance?
If any of those are true, you are running the same playbook. You just have a different audience.
Why “use the DAA/NAI opt-out” is not a defense
A lot of companies still treat opt-out like a scavenger hunt. They put a “Do Not Sell or Share” link in the footer, and when you click it you get:
- a paragraph of legalese
- a link to a third-party industry program
- maybe a cookie manager that only covers one tag vendor
That is not what the CPPA is asking for. In the PlayOn press release, the agency explicitly says directing users to NAI and DAA violates the business’s responsibility to provide its own opt-out method.
Translation: your compliance can’t be outsourced to a trade group website.
Preference signals: stop treating GPC like “nice to have”
The CPPA also called out failure to recognize opt-out preference signals. That is regulator-speak for “we tested your site with an opt-out signal and nothing happened.”
Here’s the practical standard you should hold yourself to in 2026:
If a browser sends an opt-out preference signal, your systems should treat it like a valid opt-out request. Not a suggestion. Not something you ignore unless the user also fills out a form. A real opt-out.
If your marketing team is worried that honoring GPC will “hurt ad performance,” good. That is the point. The law is designed to give consumers a way to opt out of certain tracking, even when it costs you money.
Minors and opt-in: do not get cute
The PlayOn order also highlights a separate, easily missed landmine: selling or sharing personal information of consumers at least 13 and less than 16 years old requires affirmative opt-in consent.
If your product touches teens, you need to know your age gating story and you need to know where ad tech is firing. “We don’t target teens” is not a control. It is a marketing claim.
What the CPPA made PlayOn do (and why you should care)
The fine is the headline, but the operational requirements are the real pain:
- Risk assessments. The CPPA made this explicit. Expect more orders to include this, especially now that risk assessments are a formal 2026 requirement for common processing activities.
- Disclosures that are easy to read and understand. If your notice reads like your outside counsel wrote it for another lawyer, rewrite it.
- Proper opt-out methods. First-party, functional, and not buried.
This is what enforcement looks like now: fines plus forced remediation plus a paper trail that makes the next audit easier for the government.
Do this on your site this week (seriously, this week)
If you run a consumer website or app and you have any advertising or analytics tags, here is the practical checklist. This is not a “privacy program” fantasy. It is a list your developer can execute.
1) Find and kill the “agree wall” pattern
Open your site in a fresh browser profile. Clear cookies. Use an incognito window. Now answer one question: can a user reach your content or complete a core task without clicking “accept”?
If the answer is no, fix it. Make “Reject non-essential” as prominent as “Accept all.” And do not block tickets, PDFs, account access, or checkout behind ad tracking consent.
2) Make your opt-out first-party and specific
Your “Do Not Sell or Share My Personal Information” link should lead to a page where the user can opt out on your site, in one step, without account creation. No detours to NAI/DAA. No “please disable cookies in your browser” nonsense.
If you share data for cross-context behavioral advertising, say that plainly. If you don’t, say that and be ready to defend it with your tag inventory.
3) Test preference signals like a hostile regulator
Turn on Global Privacy Control in a browser and hit your site. Watch what loads. If your ad tags still fire, you are exposed. If your consent banner still asks the user to opt out manually, you are exposed.
Document the behavior. Fix it. Retest. Keep the evidence. This is exactly the kind of artifact that makes a future audit less painful.
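As an added example (not PlayOn's or the CPPA's code), the sketch below shows one way to treat the signal described under "Preference signals" as a real opt-out and to run the step 3 test against the hosts seen in a captured page load. The tag inventory, hostnames and function names are hypothetical; `Sec-GPC: 1` is the request header a browser sends when Global Privacy Control is on.

```javascript
// Added example. TAG_INVENTORY, hostnames and function names are hypothetical.
const TAG_INVENTORY = [ // constructed sample inventory
  { id: "session", host: "www.example.test", purpose: "essential" },
  { id: "analytics", host: "stats.example.test", purpose: "first_party_analytics" },
  { id: "adpixel", host: "ads.example.test", purpose: "cross_context_ads" },
  { id: "retarget", host: "rtb.example.test", purpose: "cross_context_ads" },
];

// Header names are case-insensitive; only the exact value "1" means GPC is on.
function hasGpc(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "sec-gpc");
  return key !== undefined && String(headers[key]).trim() === "1";
}

// Decide which tags may load for this request.
function decideTags(headers, user = {}) {
  const gpc = hasGpc(headers);
  // GPC counts as an opt-out on its own, with no form or extra click required.
  const optedOut = gpc || user.optedOut === true;
  // Under 16, sharing needs a recorded opt-in (the page covers ages 13 to 15;
  // this sketch folds younger users into the same flag).
  const under16 = typeof user.age === "number" && user.age < 16;
  const shareAllowed = !optedOut && (!under16 || user.optedIn === true);
  const tags = TAG_INVENTORY
    .filter((t) => t.purpose !== "cross_context_ads" || shareAllowed)
    .map((t) => t.id);
  // Never ask a user who is already opted out (by GPC or by request) to opt out again.
  return { gpc, shareAllowed, showOptOutPrompt: !optedOut, tags };
}

// Step 3 test: given hosts observed in a capture, list inventory tags that
// fired even though the decision above says they must not.
function auditCapture(headers, user, observedHosts) {
  const allowed = new Set(decideTags(headers, user).tags);
  return TAG_INVENTORY
    .filter((t) => observedHosts.includes(t.host) && !allowed.has(t.id))
    .map((t) => t.id);
}
```

A non-empty result from `auditCapture` is the finding to document, fix and retest; an empty result is the evidence to keep.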
My take: the CPPA is done debating “dark patterns”
PlayOn is not a household name. That is part of what makes this case important.
It tells you the CPPA is willing to go after companies that:
- operate in a narrow niche
- use common ad tech stacks
- depend on “default accept” UX to keep the tracking running
If you are still treating privacy UX as a marketing experiment, stop. In California, it is now an enforcement trigger.
Source: CalPrivacy press release (March 3, 2026) and the PlayOn Sports Order of Decision linked there.