California Continues to Actively Enforce Privacy Opt-Out Rights | Kelley Drye & Warren LLP

Last week, the California Privacy Protection Agency (“CPPA” or the ​“Agency”) continued its active enforcement of the California Consumer Privacy Act (CCPA) with its announcement of two new settlements – the first with PlayOn Sports, the parent company of GoFan, MaxPreps, and NFHS Networks, a ticketing platform supporting schools, and the second with Ford Motor Co. The CPPA imposed fines of $1.1 million against PlayOn and more than $375,000 against Ford.

The throughline across California privacy enforcements is a regulatory expectation that businesses must offer consumers an easy way to opt out of sales and shares that does not discourage consumers from exercising their choices, and, in fact, will opt the individual out of further sales and shares. Underscoring this theme, the CPPA shortly thereafter invited preliminary comments on ​“reducing friction” in the exercise of opt-outs and other consumer privacy rights, indicating that the Agency is considering additional regulation in this area. Comments are due on April 6.

Below, we summarize the Agency’s orders against PlayOn and Ford and elaborate on the opt-out disclosure and implementation expectations that the CPPA is communicating through these cases.

Details of the Alleged Violations

PlayOn Sports: PlayOn Sports offers a suite of ticketing, streaming, fundraising, concession and merchandise sales, and website management tools used by schools and youth sports organizations across the U.S. The PlayOn websites host third-party data collection and targeted advertising technologies, and sell and share consumer personal information to advertising, social media, and analytics companies.

The CPPA’s inquiry into PlayOn began in 2024 after the Agency received a consumer complaint about the company’s opt-out practices. According to the CPPA, PlayOn:

(1) failed to provide users an effective mechanism to opt out of sales and sharing occurring on its websites;

(2) did not honor consumer opt-out preference signals; and

(3) did not provide sufficient notice of its information handling practices and available consumer privacy rights.

The first claim warrants close attention. Although the company offered ​“two or more designated methods” (as required under the CCPA regulations) – a toll-free number and an email address – to submit opt-out requests, the company did not apply these requests to the ​“Tracking Technologies” on its websites.

Instead, PlayOn pointed consumers to industry opt-outs provided by the Network Advertising Initiative and the Digital Advertising Alliance. These mechanisms, according to the CPPA’s order, did not allow consumers to opt out of sales or shares to advertising vendors directly with PlayOn.

The Agency also took issue with the company’s cookie banner, which disclosed the collection and use of personal information on the website, but required the consumer to click ​“agree” to close the banner without offering a symmetric option to reject. On mobile devices, the cookie banner completely blocked consumers’ ability to redeem or use their tickets without accepting the use of the tracking technologies. This was particularly concerning to the CPPA given the high percentage of kids and teens that use the platform to attend ticketed school events.

Ford Motor Co.: The CPPA’s investigation of Ford was part of its 2023 enforcement sweep of vehicle manufacturers, which led to the separate enforcement action against Honda that was announced in March 2025. As in the Honda case, the Agency took issue with Ford’s opt-out process, alleging that Ford impermissibly required consumers to verify their identities to complete opt-out requests. According to the Agency, this verification step created ​“unnecessary friction” in the opt-out process in violation of Cal. Code Regs. § 7026(d). The CPPA alleged that Ford violated Cal. Civ. Code § 1798.120(d) each time it sold the personal information of a consumer that submitted an opt-out request but did not confirm the request via email.

Key Takeaways

Opt-out rights remain a top priority: Each of the Agency’s CCPA enforcement actions announced over the last year, including these recent two, has, in one way or another, addressed consumer privacy rights and more specifically, the right to opt out of the sale and sharing. Opt-out mechanisms should reflect the way consumers interact with a business, be easy to use, and not require unnecessary information or identity verification. Even where sale activities are limited – PlayOn allegedly engaged in one targeted advertising campaign during the investigation’s relevant time period – the Agency has made clear that it expects full compliance with these legal obligations. Additionally, consumer notices should clearly describe how to exercise all available consumer privacy rights and should be reviewed and updated annually. The enforcement focus is also a good reminder to ensure that the opt-out right is working as intended, and that supplemental transparency measures, such as cookie banners, do not introduce confusion or present information that may conflict or interfere with a consumer exercising their opt out right.

Beware of ​“Accept All”: The CPPA has long emphasized the importance of ​“symmetrical” consumer choices. The issue highlighted with PlayOn’s cookie banner is nearly identical to the example provided in Section 7004(a)(2)(C) of the CCPA regulations, which asserts that presenting an ​“accept all” button without an equally simple option to ​“decline all” impairs the consumer’s ability to make a meaningful choice. In designing pop-up banners or any consumer choice mechanisms, businesses should consider the examples provided in the CCPA regulations, such as whether the ​“accept” and ​“reject” buttons are equal in size and prominence, whether the notice uses double negatives or is phrased in a way that could confuse consumers, and whether the banner should be offering choices at all versus providing additional transparency.

Implement, test, repeat: The CPPA’s orders require Ford and PlayOn to maintain comprehensive inventories of tracking technologies on their website and conduct internal audits and monitoring to ensure that they fully apply opt-out choices to these technologies. Establishing a regular internal cadence for reviewing and cataloging data collection technologies and testing opt-out integrations to confirm if they are working properly can help detect gaps in this complex but critical compliance area, and enable the business to remediate proactively.

Complying with opt-out requirements under the CCPA and other state laws requires a sustained effort, and the consequences of missteps are growing. For more details about common pitfalls and how to address them, please see our previous post on these topics.

[View source.]