CalPrivacy is continuing its focus on digital tracking. In its settlement with PlayOn Sports, there are several hints about CalPrivacy’s concerns. Beyond the $1.1 million civil penalty, the settlement provides many lessons.
PlayOn is a popular digital ticketing platform for high schools and teen sports. Used primarily for sporting events, PlayOn also provides a ticketing platform for other school events, like dances and musicals. The platform provides all-in-one services, so schools can also stream, fundraise, offer concessions, or sell merchandise.
The investigation began after a customer complaint. According to CalPrivacy, from January 1, 2023 to December 31, 2024 PlayOn used tracking tools that sold personal information to third parties, without giving consumers the ability to opt-out. Specifically, CalPrivacy stated that during that time frame, the company ran one targeted advertising campaign, through which tracking tools were used that resulted in the sale of personal information.
Before CalPrivacy contacted PlayOn, the company changed its privacy policy and opt-out processes. As CalPrivacy pointed out in the settlement, originally, while the company had a cookie notice banner, it did not have parity of choice between opting in and out. While there was an “Agree” option, there was no “Reject” option. It modified the banner to provide both an “accept” and “reject” option. That banner, CalPrivacy noted, had previously also been above the purchase link, meaning that someone would have to agree in order to get to the purchase link. Additionally, according to CalPrivacy, the privacy policy posted during the time frame in question had not been updated since 2022, and stated that the company did not sell personal information and did not explain how to opt-out. CalPrivacy raised other concerns, including the failure to recognize GPC signals, all of which the company had revised by the end of the time frame in question.
CalPrivacy’s concerns were thus limited to the narrow time frame. Nevertheless, emphasizing that this is its first decision that addresses “privacy violations involving students and California schools,” it imposed a significant fine along with having the company agree to several measures. These included scanning digital properties at least quarterly and ensuring that if the company sells personal information, and having a link on its websites and apps that lets people properly opt out. Also, as part of CCPA-required risk assessments, considering whether consumers could be viewed as being “coerced” into providing personal information. The risk assessments also need to list the names of board members who reviewed the assessments, and the dates of their review.
Putting it into Practice: This order is a reminder that CalPrivacy is looking closely at passive tracking and sharing. Be thoughtful about whether you have digital advertising campaigns that involve data sales. If so, are your opt-out processes working as they should? Could portions of your flow be subject to allegations that they are coercive? This decision reflects a broader trend, as we have previously written about.
