California fined PlayOn Sports $1.1M for forcing users to accept tracking cookies with no opt-out, ignoring Global Privacy Control signals, and serving targeted ads to students. The fix for all three violations: a consent management platform that blocks scripts by default, honors opt-out signals automatically, and provides genuine consent choices. This is the first CPPA enforcement involving schools – and a preview of where enforcement is heading nationwide.
The California Privacy Protection Agency (CPPA) just issued a landmark decision requiring PlayOn Sports to pay $1.10 million in fines and overhaul its data practices. The violations? Forced cookie consent, ignored opt-out signals, and targeted ads served to students – all things a properly configured consent management platform would have prevented.
This is the first CPPA enforcement action involving students and schools, and it sets a clear precedent: consent management isn't optional, and doing it wrong is expensive.
What PlayOn Sports got wrong
PlayOn Sports operates GoFan, the official digital ticketing platform for the California Interscholastic Federation. Roughly 1,400 California schools use it for event tickets, game streaming, and player stats. Here's what the CPPA found:
Forced consent with no real opt-out
Users had to click "agree" to tracking technologies before they could use their tickets or access PlayOn's websites. There was no meaningful way to decline. This is the textbook definition of a dark pattern in consent – presenting the illusion of choice while removing the actual choice.
Failure to honor opt-out preference signals
California law requires businesses to recognize signals like Global Privacy Control (GPC). PlayOn didn't. Instead, they told users to opt out through third-party organizations like the Network Advertising Initiative and the Digital Advertising Alliance – shifting the burden onto consumers, which violates CCPA/CPRA regulations.
Targeted advertising to students
PlayOn used tracking technologies to collect personal information and deliver targeted ads to ticketholders, including students. The CPPA noted that students are "a uniquely vulnerable population whose data should be used to enhance their own learning, not to fuel advertising and commercial surveillance."
Why this matters beyond California
This isn't just a California problem. The enforcement trends are accelerating across the US:
- Alabama just passed HB351, a consumer privacy bill requiring recognition of opt-out preference signals, effective May 2027
- Disney was recently fined by CalPrivacy for failing to honor opt-out signals across Disney+, Hulu, and ESPN+
- Morgan Lewis's 2026 enforcement report confirms regulators are now testing whether privacy programs actually work at scale – not just whether policies exist on paper
- 20 US states now have comprehensive privacy laws on the books, with more advancing every session
The pattern is consistent: regulators are moving from "do you have a privacy policy?" to "does your consent mechanism actually work?" The bar is rising, and surface-level compliance isn't cutting it anymore.
The three violations every website should audit today
PlayOn's fine wasn't for some obscure technical violation. It was for three things that are shockingly common across the web:
1. Cookie walls that force consent
If users can't access your site without accepting cookies, that's a cookie wall. Under GDPR, cookie walls are explicitly prohibited. Under CCPA, they violate opt-out requirements. The fix is straightforward: your consent banner must offer a genuine "reject" or "decline" option, and the site must function regardless of the user's choice.
2. Ignoring GPC and opt-out signals
Global Privacy Control is supported in Firefox, Brave, and DuckDuckGo, and is available as a browser extension for Chrome and Edge. When a user sends a GPC signal, your site must treat it as a valid opt-out request – automatically. Telling users to visit a third-party website to opt out is exactly what got PlayOn fined.
3. Tracking scripts that fire before consent
This is the most common technical violation we see: analytics tags, advertising pixels, and third-party scripts that load and execute before a user has made a consent choice. Your consent mechanism needs to actually block scripts until consent is granted – not just show a banner while everything fires in the background.
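One way to audit violations 2 and 3 on your own site is to record a browser session as a HAR file and check which tracker requests started before the banner choice, and which advertising requests went out while the browser was sending `Sec-GPC: 1`. The script below is an added example, not code from the CPPA decision or from any CMP vendor; the tracker host list, the category names and the sample capture are constructed for illustration.

```javascript
// Added example. Host names, categories and the HAR sample are constructed.
const TRACKER_HOSTS = {
  'pixel.analytics-vendor.test': 'analytics',
  'sync.ad-vendor.test': 'advertising',
};

function trackerCategory(hostname) {
  for (const [host, category] of Object.entries(TRACKER_HOSTS)) {
    if (hostname === host || hostname.endsWith('.' + host)) return category;
  }
  return null; // not a known tracker
}

// True when the request carried the Global Privacy Control header.
function sentGpc(request) {
  return (request.headers || []).some(
    (h) => h.name.toLowerCase() === 'sec-gpc' && h.value.trim() === '1');
}

// consentTime: ISO timestamp of the visitor's banner choice, or null if none was made.
function auditHar(har, consentTime) {
  const consentAt = consentTime ? Date.parse(consentTime) : Infinity;
  const findings = [];
  for (const { startedDateTime, request } of har.log.entries) {
    const { hostname } = new URL(request.url);
    const category = trackerCategory(hostname);
    if (!category) continue;
    if (Date.parse(startedDateTime) < consentAt) {
      findings.push({ hostname, category, reason: 'fired-before-consent' });
    } else if (category === 'advertising' && sentGpc(request)) {
      findings.push({ hostname, category, reason: 'fired-despite-gpc' });
    }
  }
  return findings;
}

// Constructed capture: every request carries Sec-GPC: 1; banner choice at 10:00:05Z.
const gpcHeader = [{ name: 'Sec-GPC', value: '1' }];
const entry = (time, url) => ({ startedDateTime: time, request: { url, headers: gpcHeader } });
const SAMPLE_HAR = { log: { entries: [
  entry('2025-01-01T10:00:00.000Z', 'https://tickets.shop.test/event/42'),
  entry('2025-01-01T10:00:00.400Z', 'https://pixel.analytics-vendor.test/collect'),
  entry('2025-01-01T10:00:06.000Z', 'https://sync.ad-vendor.test/match'),
  entry('2025-01-01T10:00:07.000Z', 'https://pixel.analytics-vendor.test/collect'),
] } };

console.log(auditHar(SAMPLE_HAR, '2025-01-01T10:00:05.000Z'));
```

Passing `null` as the consent time models a visitor who never interacted with the banner, in which case every tracker request is a finding.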
What proper consent management looks like
PlayOn's $1.1M fine could have been avoided with a properly configured consent management platform. Here's what compliant consent actually requires:
- Script blocking by default – No tracking scripts fire until the user explicitly consents. Google Consent Mode v2 handles this for Google tags; a CMP handles it for everything else.
- Genuine opt-out – A visible, accessible reject option. Not buried in settings, not hidden behind a tiny 'X', not requiring users to visit external sites.
- GPC signal recognition – Automatic detection and honoring of Global Privacy Control. When GPC is detected, treat it as an opt-out for targeted advertising and data sharing.
- Your Privacy Choices link – CCPA requires a specific opt-out link. It needs to be in your footer, functional, and connected to your consent mechanism.
- Consent records – Auditable proof that consent was freely given. If a regulator asks, you need to show when, how, and what the user agreed to.
- Category-based consent – Users should be able to accept some categories (like analytics) while rejecting others (like advertising). All-or-nothing isn't compliant under GDPR.
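The requirements above, reduced to the decision logic a site would run before emitting any script tag. This is an added example and not the code of any particular consent management platform; the script URLs, category names and consent-record fields are constructed, and letting GPC override a stored advertising opt-in is this example's assumption.

```javascript
// Added example. Script URLs, category names and record fields are constructed.
const SCRIPTS = [
  { src: '/js/checkout.js', category: 'necessary' },
  { src: 'https://pixel.analytics-vendor.test/a.js', category: 'analytics' },
  { src: 'https://sync.ad-vendor.test/ads.js', category: 'advertising' },
  { src: 'https://widget.unknown-vendor.test/w.js', category: 'unclassified' },
];

// headers: request headers with lower-cased names. In the browser the same
// signal is exposed as navigator.globalPrivacyControl.
// choice: the visitor's stored per-category banner choice, or null if none yet.
function decideConsent(headers, choice, now = new Date()) {
  const gpc = String(headers['sec-gpc'] || '').trim() === '1';
  const granted = {
    necessary: true,
    analytics: Boolean(choice && choice.analytics === true),
    advertising: Boolean(choice && choice.advertising === true),
  };
  // Assumption of this example: GPC overrides a stored advertising opt-in.
  if (gpc) granted.advertising = false;
  const source = gpc ? 'gpc-signal' : choice ? 'banner' : 'default-deny';
  // Consent record: when, how, and what the visitor agreed to.
  const record = { at: now.toISOString(), source, gpc, granted: { ...granted } };
  return { granted, record };
}

// Only scripts whose category was granted are emitted; unknown categories never load.
function scriptsToLoad(scripts, granted) {
  return scripts.filter((s) => granted[s.category] === true).map((s) => s.src);
}

// Google Consent Mode v2 state to pass to gtag('consent', 'default', ...).
function toConsentMode(granted) {
  const ads = granted.advertising ? 'granted' : 'denied';
  return {
    ad_storage: ads, ad_user_data: ads, ad_personalization: ads,
    analytics_storage: granted.analytics ? 'granted' : 'denied',
  };
}

const firstVisit = decideConsent({}, null);
console.log(scriptsToLoad(SCRIPTS, firstVisit.granted), firstVisit.record);
```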
The cost of getting it wrong vs. getting it right
PlayOn Sports is paying $1.1 million in fines plus the cost of overhauling their entire data practices infrastructure. They're also required to submit compliance reports to the CPPA for the next three years. That's the cost of ignoring consent management.
Compare that to the cost of doing it properly from the start. A consent management platform typically runs a few hundred dollars per month. It blocks scripts, honors GPC signals, provides compliant opt-out mechanisms, and maintains the consent records you need if regulators come knocking.
The math isn't complicated. The question isn't whether you can afford a CMP – it's whether you can afford the fine that comes without one.
Key takeaways
- Forced consent is not consent. Cookie walls that require users to 'agree or leave' are enforcement targets.
- GPC signals must be honored. California, Colorado, Connecticut, Montana, and Texas all require recognition of opt-out preference signals.
- Students and vulnerable populations draw extra scrutiny. If your platform serves minors, consent compliance is even more critical.
- Surface-level compliance isn't enough. A banner that doesn't actually block scripts is just decoration – regulators test the technical implementation, not just the UI.
- The enforcement trajectory is clear. More states, more laws, more enforcement actions. Getting compliant now costs a fraction of getting fined later.