“Students trying to go to prom or a high school football game shouldn’t have to leave their privacy rights at the door.” — Michael Macko, Head of Enforcement, CalPrivacy
The California Privacy Protection Agency (CalPrivacy) Board issued a landmark decision requiring PlayOn Sports — the parent company behind GoFan, MaxPreps, and NFHS Network — to pay a $1.10 million fine and fundamentally overhaul its data practices. It is the first enforcement action by the Board specifically targeting student data and California schools.
Imagine a high school student who just wants to buy a ticket to cheer on their team at the Friday night game. They pull up the GoFan app, tap to check out — and without realizing it, they’ve agreed to have their personal data sold to advertisers. They had no meaningful choice. The digital ticket and the data collection were bundled together. Go to prom, get tracked. Watch the varsity game, get profiled.
That was the reality for millions of students across the United States — until California’s privacy regulator stepped in.

The PlayOn Sports Case: What Actually Happened
PlayOn Sports occupies a dominant position in the youth sports ecosystem. Its GoFan platform is the official ticketing system for the California Interscholastic Federation — the governing body for high school sports statewide — and approximately 1,400 California schools contract with PlayOn to sell digital tickets to sporting events, theater performances, homecoming dances, and proms. Its MaxPreps subsidiary tracks high school team statistics, and the NFHS Network streams games online. With annual gross revenues exceeding $26 million, PlayOn is a significant player in the education technology space.

The core violation was deceptively simple. When users accessed GoFan to purchase a ticket, a pop-up appeared asking them to agree to PlayOn’s privacy policy. Buried in that policy was consent for the sale of their personal data. Crucially, PlayOn failed to offer its own compliant opt-out mechanism. Instead, the company directed users who wanted to opt out to third-party industry organizations — the Network Advertising Initiative and the Digital Advertising Alliance — which CalPrivacy determined did not fulfill PlayOn’s legal obligations under the California Consumer Privacy Act (CCPA).
The enforcement decision described students as a “uniquely vulnerable population” and warned that targeted advertising systems can subject young people to profiling that follows them for years. The CCPA also includes heightened protections for consumers between 13 and 16 years old, requiring businesses to obtain affirmative opt-in consent — rather than merely offering an opt-out — before selling or sharing their data. PlayOn was found to be in violation of these provisions as well.
What the Order Requires
Beyond the $1.10 million financial penalty, the CalPrivacy Board’s order requires PlayOn Sports to:
- Conduct privacy risk assessments
- Provide clear and easy-to-read privacy disclosures
- Implement proper, working opt-out mechanisms directly on its platform
- Comply with the CCPA’s affirmative opt-in requirement for teen users aged 13–16
PlayOn did not formally admit liability — standard in regulatory settlements — and did update its privacy policy in December 2024 to allow users to opt out. The fine and remediation order still stand as a record of the prior violations.
CalPrivacy’s Enforcement Surge: A Pattern Takes Shape
The PlayOn Sports decision did not emerge in isolation. It is the latest in a rapidly accelerating series of enforcement actions from CalPrivacy and the California Attorney General’s office. Here’s a look at the major CCPA fines of recent years:
$1.55 Million — Healthline Media LLC (2025)
The second-largest CCPA fine to date, behind Disney's $2.75 million fine, issued by the California AG. The health information website allowed third-party trackers to collect sensitive data about users’ article interactions — including what health topics they were researching — without proper disclosure or consent.
$1.35 Million — Tractor Supply Company (2025)
CalPrivacy’s largest fine at the time of issuance, and the first CCPA fine targeting HR and employment data. Violations included a broken opt-out mechanism, failure to inform job applicants of their privacy rights, and missing service provider contracts.
$1.20 Million — Sephora (2022)
The landmark early CCPA enforcement action. Sephora failed to disclose data sales and ignored opt-out requests submitted through the Global Privacy Control (GPC) browser signal. The company also failed to fix violations within the 30-day cure period regulators provided.
$632,500 — American Honda Motor Co. (2025)
The connected vehicle manufacturer was investigated for requiring excessive personal information to process privacy requests, and for using “asymmetrical” privacy tools from a provider named OneTrust that made opting out harder than opting in.
$530,000 — Sling TV (2025)
The streaming service’s opt-out mechanisms were found to be “confusing and hard to find.” Clicking “Do Not Sell or Share My Personal Information” led users to a generic cookie preferences center rather than a proper opt-out flow.
$345,178 — Todd Snyder, Inc. (2025)
The menswear brand’s privacy portal was misconfigured for 40 days, failing to process any opt-out requests. The company also demanded excessive ID documentation from users trying to exercise their data rights.
$1.10 Million — PlayOn Sports / GoFan (2026)
First enforcement action involving student data. Directed students to third-party opt-out tools instead of providing a compliant mechanism; violated teen data opt-in requirements.
Children and Students: The Federal Picture
California has been the most aggressive state actor, but federal regulators have been raising the stakes on children’s data specifically. The past four years have seen some of the most consequential enforcement actions in the history of the Children’s Online Privacy Protection Act (COPPA).
December 2022 — Epic Games / Fortnite — $275 Million (COPPA)
The FTC reached a historic settlement with the maker of Fortnite for collecting personal data from children without parental consent and using dark patterns to trick users into unwanted purchases. The COPPA portion — $275 million — was the largest children’s privacy penalty in history at the time.
July 2023 — Amazon (Alexa) — $25 Million (COPPA)
Amazon was fined for retaining children’s voice recordings and location data indefinitely, even when parents requested deletion. The case highlighted the risks of always-on voice assistant devices in homes with children.
August 2023 — Edmodo — Banned from Ed Tech (COPPA)
The educational platform, once used in thousands of classrooms, was banned from operating in the ed tech sector entirely after the FTC found it illegally collected children’s data for advertising. The ban — not just a fine — underscored regulators’ willingness to impose structural remedies.
August 2024 (Lawsuit Filed) — TikTok / ByteDance (COPPA)
The DOJ, acting on an FTC referral, sued TikTok and ByteDance for what the FTC called “flagrant” COPPA violations: knowingly allowing millions of children under 13 to create accounts, collecting their data without parental consent, and failing to honor deletion requests. TikTok had already paid a $5.7 million COPPA settlement in 2019. Civil penalties in the new case could exceed $51,744 per violation per day.
January 2025 — Updated COPPA Rule (Effective June 2025)
The FTC finalized significant updates to COPPA, including requiring separate verifiable parental consent before disclosing children’s data to third parties for targeted advertising, expanding the definition of “personal information” to include biometric data, and implementing stricter data retention limits.
Opt-Out Failures, Dark Patterns, and Why It Matters
Across every enforcement action described above, a common thread runs through the violations: companies made it easy — sometimes unavoidable — to surrender privacy, while making it difficult, confusing, or technically broken to protect it. Regulators have given this problem a name: dark patterns.
Under the CCPA, dark patterns are design choices that impair or interfere with consumers’ ability to make genuine privacy decisions. The Honda case illustrates this sharply — Honda’s privacy management tool was found to be “asymmetrical,” meaning the opt-out mechanism was less prominent and harder to use than the mechanism for accepting data collection. Even where a business technically offers both choices, presenting them inequitably can itself be a violation.
The Sling TV settlement tells a similar story. When users clicked “Do Not Sell or Share My Personal Information” — a link explicitly required by California law — they were funneled into a generic cookie preferences center that did not actually process their opt-out request. The label promised privacy; the design delivered friction.
For PlayOn Sports, the dark pattern was architectural: students couldn’t attend prom or a football game without a digital ticket; they couldn’t buy one without agreeing to the privacy policy; and that policy consented to data sales with no genuine opt-out path through PlayOn itself. Captive audiences deserve heightened protection, not heightened exploitation.
Global Privacy Control: The Legal “Off Switch” Businesses Must Respect
One of the most technically significant developments in privacy compliance is the rise of the Global Privacy Control (GPC) — and the legal obligation to honor it.
GPC is a browser-based signal, available in Firefox, Brave, DuckDuckGo, and via browser extensions, that automatically communicates a user’s preference to opt out of the sale and sharing of their personal data to every website they visit.
Under the CCPA as amended by the California Privacy Rights Act (CPRA), businesses are required to treat a GPC signal as a legally valid opt-out request. The California Attorney General’s 2022 enforcement action against Sephora made this crystal clear: Sephora’s failure to honor GPC signals was cited as a central violation, contributing to its $1.2 million fine.
How Far Has GPC Reached?
As of mid-2025, ten U.S. states require businesses to honor universal opt-out signals: California, Colorado, Connecticut, Delaware, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas. California, Colorado, and Connecticut have announced a joint investigative sweep specifically targeting companies that fail to honor GPC.
New California regulations effective January 1, 2026 now require businesses to actively confirm when a GPC request has been processed — displaying something like “Opt-Out Request Honored” — making the obligation visible and auditable.
Over 40 million consumers now use browsers and tools that send GPC signals automatically.
What Businesses Must Do
For businesses, the practical implications are significant. Detecting and honoring GPC signals requires:
- Technical infrastructure to read HTTP headers on incoming requests
- Propagating opt-out preferences across advertising systems, analytics platforms, and downstream data processors
- Extending GPC opt-outs to any known consumer profile associated with that user — not just the specific browser or device
- Displaying visible confirmation that the opt-out has been honored
- Ensuring manual opt-out links and GPC produce equivalent outcomes
- Regularly auditing consent management platforms to confirm they are functional
Directing users to insufficient third-party tools, as PlayOn did, or silently ignoring GPC signals, as Sephora did, is now one of the clearest paths to regulatory action.
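The checklist above as server-side request handling, in an added example that is not code from PlayOn, CalPrivacy, or any consent-management vendor: it reads the `Sec-GPC` request header, records the opt-out on the consumer profile through the same path as the manual link, notifies downstream systems, and applies the opt-in rule for teens. `Profile`, `decide`, the sink callbacks, and treating age 16 as inclusive are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Optional

OPT_IN_MAX_AGE = 16   # assumption: "aged 13-16" treated as inclusive of 16

@dataclass
class Profile:
    """Hypothetical consumer record; all field names are assumptions."""
    account_id: str
    age: Optional[int] = None
    opted_out: bool = False
    opted_in: bool = False                      # affirmative teen opt-in
    opt_out_sources: set = field(default_factory=set)

def gpc_enabled(headers: dict) -> bool:
    """True when the request carries the GPC header `Sec-GPC: 1`."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":           # header names are case-insensitive
            return value.strip() == "1"
    return False

def record_opt_out(profile: Profile, source: str, sinks: list) -> None:
    """One code path for GPC and the manual link, so both give the same outcome."""
    profile.opted_out = True                    # stored on the profile, not the browser
    profile.opt_out_sources.add(source)
    for notify in sinks:                        # ad, analytics, processor hooks
        notify(profile.account_id)

def decide(headers: dict, profile: Profile, sinks: list) -> dict:
    """Decide whether this consumer's data may be sold or shared."""
    def result(allowed, reason, banner=None):
        return {"sale_allowed": allowed, "reason": reason, "banner": banner}
    if gpc_enabled(headers) and "gpc" not in profile.opt_out_sources:
        record_opt_out(profile, "gpc", sinks)
    if profile.opted_out:
        return result(False, "opt_out", "Opt-Out Request Honored")
    if profile.age is not None and profile.age < 13:
        return result(False, "under_13_blocked")   # parental consent not modelled
    if profile.age is not None and profile.age <= OPT_IN_MAX_AGE and not profile.opted_in:
        return result(False, "opt_in_required")
    return result(True, "no_objection")

if __name__ == "__main__":
    # Constructed sample: adult account, first request carries GPC, second does not.
    sent = []
    adult = Profile("acct-1", age=34)
    print(decide({"Sec-GPC": "1"}, adult, [sent.append]))
    print(decide({}, adult, [sent.append]), sent)
```

Because the opt-out is stored on the profile, the second request is still refused even though it arrives without the header, which is the "known consumer profile" requirement in the list.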
What the PlayOn Case Signals for Every Business
The PlayOn Sports enforcement action sends several messages beyond the $1.10 million penalty itself.
Student data is squarely in scope. Educational and quasi-educational technology platforms — ticketing services, sports analytics, streaming services used by schools — are subject to CCPA. The decision’s framing of students as a “uniquely vulnerable population” suggests regulators will apply heightened scrutiny anywhere users cannot opt out of a service without also opting out of a core life experience.
Third-party opt-out tools don’t satisfy your own obligations. Directing users to industry self-regulatory programs (NAI, DAA) or generic cookie managers does not fulfill a business’s CCPA compliance requirements. Businesses must operate their own compliant opt-out mechanisms and ensure they work.
The era of the buried opt-out link is over. As CalPrivacy’s executive director Tom Kemp put it: “We are committed to making it as easy as possible for all Californians — from high school students to older adults — to make the choice of whether they want to be tracked or not.” CalPrivacy and federal regulators are now actively testing opt-out flows, checking whether GPC signals are honored, and reviewing whether teen data protections are actually implemented. The architecture of your privacy choices is now subject to the same scrutiny as your contracts and your code.