On March 3, 2026, the California Privacy Protection Agency announced a $1.1 million settlement with 2080 Media, Inc. d/b/a PlayOn Sports, a high school sports events management platform, to resolve alleged violations of the California Consumer Privacy Act. Below are our key takeaways from the settlement:

1. Deterrence Over Remediation.

PlayOn had proactively identified and resolved issues with its privacy policy, notice banners, and website practices in December 2024, prior to being contacted by the Enforcement Division. Where earlier enforcement efforts focused on bringing businesses into compliance, PlayOn represents a shift toward industry-wide deterrence. CalPrivacy imposed a $1.1 million penalty despite the business's previous remediation, demonstrating that subsequent fixes may not excuse prior violations, even where compliance was not spurred by regulatory inquiry.

2. Student Privacy Remains in Focus.

Last November, the California Attorney General's Office joined a $5.1 million multistate enforcement action against Illuminate Education for alleged failures to safeguard student data. CalPrivacy has made clear that heightened regulatory scrutiny of this area will continue. PlayOn's platform is used by approximately 1,400 California schools for ticketing and streaming, and CalPrivacy alleged that students and parents were forced to "agree" to tracking technologies to access tickets they had already purchased. Regulators characterized students as a "uniquely vulnerable population" and criticized the practice of requiring users to agree to tracking to participate in school events. While this action undoubtedly puts businesses in or around the education space on high alert, this "captive audience" framework could readily be applied to many other business practices.

3. Risk Assessments as an Enforcement Tool.

Among the injunctive terms, PlayOn must conduct risk assessments required by the new CCPA regulations. This is the first action to explicitly reference this obligation. Despite the 2028 deadline to submit risk assessment reports, the requirement to conduct risk assessments began on January 1st of this year. CalPrivacy will likely continue to utilize this requirement as an enforcement tool. Notably, however, these terms go beyond the requirements in the regulations in a few ways:

Art. 10 of CCPA Regulations Require: PlayOn Settlement Requires: Review by an "individual who has the authority to participate in deciding" whether to initiate processing. Review by Board of Directors, including identifying the names of individuals who reviewed each risk assessment. Updating a risk assessment for each material change in processing "as soon as feasibly possible, but no later than 45 calendar days" from the material change. Updating assessments "before any material change." Identifying the negative impacts to consumers' privacy. The regulations provide a non-exhaustive list of potential impacts to consider. Identifying the negative impacts to consumer's privacy, specifically mandating assessment of whether processing "is coercing or compelling Consumers into allowing the processing of their Personal Information," such as "whether users are required to consent ... in order to participate in certain events." Conducting a risk assessment for legacy processing (initiated prior to January 1, 2026) before December 31, 2027. Conducting a risk assessment for legacy processing within one year of the effective date of this Order.

4. Focus on Minors Without Opt-In Allegations

While this action involved a significant number of consumers aged 13-15, the core allegations focused on the failure to provide an effective opt out for all users and to honor opt-out preference signals. CalPrivacy did not specifically allege a failure to obtain affirmative opt-in consent for minors, as is required by the CCPA. However, the final order explicitly mandates PlayOn to implement and maintain compliant opt-in procedures for minors going forward. The agency will continue to monitor age-specific consent requirements, even when they may not form the basis of the penalty.

5. Industry Opt-Out Tools are Insufficient

The settlement clarifies that businesses cannot satisfy their CCPA obligations by redirecting consumers to third-party industry tools. PlayOn allegedly instructed consumers to exercise their opt-out rights via the Network Advertising Initiative and Digital Advertising Alliance, rather than providing a direct, business-specific opt-out mechanism. Just as many previous enforcement actions centered on a business's reliance on faulty vendor tools, industry association tools can pose similar risks if not properly configured. With regard to the two parties named in the order: the NAI sunset its opt-out tools last year, and the DAA's opt-out tool remains a questionable means of compliance.