On February 27, 2026, the California Privacy Protection Agency (“CalPrivacy”) issued an order (the “Order”) requiring a sports-focused media and technology company (the “Company”) to pay a $1.10 million administrative fine for violations of the California Consumer Privacy Act (“CCPA”). The action continues California regulators’ scrutiny of how companies deploy cookies, software development kits and other online tracking technologies for digital advertising.
The Company operates ticketing, streaming, fundraising, concessions, merchandising, and website management platforms used by schools and youth sports organizations across California and nationwide. Its ticketing platform enables schools and other organizations to sell and redeem digital tickets, sometimes the only way attendees may enter an event.
CalPrivacy’s enforcement focused on the Company’s use of tracking technologies for advertising and the Company’s alleged lack of compliant opt-out mechanisms and deficient consumer disclosures between January 1, 2023 and December 31, 2024. Although the Company ran only one targeted advertising campaign during that period, CalPrivacy determined that its use of tracking technologies still constituted “selling” and “sharing” under the CCPA.
Key Findings from CalPrivacy’s Investigation
CalPrivacy found that the Company deployed tracking technologies without offering consumers a compliant way to opt out. The Company’s cookie banners notified users of tracking but allegedly required them to click “agree” before using or redeeming tickets. Although the Company provided a toll-free number and email address for users to opt out of tracking, CalPrivacy determined that these methods were insufficient to stop advertising-related selling and sharing. The Company allegedly continued selling and sharing personal information even after consumers used these methods to submit opt-out requests.
The Company stated in its privacy policy that users could opt out of tracking using mechanisms provided by the Network Advertising Initiative and the Digital Advertising Alliance. CalPrivacy decided, however, that the Company could not rely on these third parties to meet its own obligations under the CCPA.
CalPrivacy also found that the Company did not configure its websites or mobile apps to honor opt-out preference signals – signals sent by a mechanism on behalf of a consumer that communicates the consumer’s choice to opt out of the sale and sharing of their personal information. CalPrivacy further alleged that the Company did not explain in its privacy policy how it would process these signals.
CalPrivacy found that the Company’s privacy policy fell short of meeting CCPA requirements in several other ways. The privacy statement purportedly had not been updated within a year, claimed that the Company did not sell personal information, and did not describe consumers’ right to opt out of selling or sharing.
Required Remediation and Ongoing Obligations
In addition to paying the fine and updating its practices in compliance with the CCPA, the Order requires the Company to implement certain privacy practices related to tracking governance, opt-out controls and disclosures, and board-level oversight.
The Company must:
- Scan its websites and mobile apps at least quarterly to maintain an inventory of trackers. The Order does not specify how long the Company must continue the scans.
- Maintain CCPA-compliant contracts with all vendors that process personal information collected through digital trackers.
- Configure its websites and mobile applications that sell or share personal information to recognize and honor opt-out preference signals and any other opt-out methods required by the CCPA.
- Implement a “Do Not Sell or Share My Personal Information” or “Your Privacy Choices” link on its websites and mobile apps that sell or share personal information.
The Company must also publish, for three years, the number of privacy rights requests, including opt-out requests, it received, complied with, and denied in the previous calendar. Typically, the CCPA only requires businesses to disclose this information if they know or reasonably should know that they buy, receive for “commercial purposes,” sell, share or otherwise make available for “commercial purposes” the personal information of at least 10 million consumers in a calendar year, but the Order imposes this requirement regardless of that threshold.
To comply with CCPA regulations that took effect January 1, 2026, the Company must conduct risk assessments for selling and sharing personal information. The risk assessments must identify the negative impact to consumers’ privacy, including whether the Company forces consumers to accept tracking.
Board Oversight
The CCPA requires risk assessments to be reviewed and approved by individuals who must be identified in the assessments. Notably, the Order specifies that the Company’s board of directors must review and approve of the Company’s risk assessments and that the risk assessments must name the directors who reviewed and approved them.
Takeaways for Businesses
This enforcement action, along with other recent actions, signal that CalPrivacy and the California attorney general remain focused on tracking technologies and opt-out compliance. If your business is engaged in these activities, you should:
- Reevaluate privacy notices on websites and mobile apps to ensure they clearly address selling and sharing, tracking technologies, advertising uses, and opt-out methods.
- Review cookie banners and consent management tools to confirm users can decline tracking as easily as users can accept it and that these tools do not interfere with user privacy choices.
- Implement the Global Privacy Control and other opt-out mechanisms and routinely test them for functionality.
- Maintain current tracking inventories and vendor contracts with those that provide the trackers in compliance with CCPA requirements.
- Conduct and document risk assessments that meet CCPA content requirements and secure appropriate review and approval.
Looking ahead, we will continue to monitor digital advertising and analytics enforcement activity across California and other jurisdictions. CalPrivacy noted in its 2025 Annual Report, released in February 2026, that CalPrivacy will continue collaborating with the California attorney general and other state attorneys general through the Consortium of Privacy Regulators. On September 9, 2025, CalPrivacy announced a joint investigative privacy sweep with three members of the Consortium, the attorneys general of California, Colorado, and Connecticut, involving potential noncompliance with the Global Privacy Control.
CalPrivacy also reported that it continues to strengthen its international collaboration, “formalizing partnerships with Korea’s Personal Information Protection Commission, the United Kingdom’s Information Commissioner’s Office, and France’s CNIL.”
If you have questions about privacy enforcement, please contact our Privacy, Cyber, and Data Strategy Team.
