California Attorney General Secures $1.4 Million Settlement Against Jam City for CCPA Violations: Critical Lessons for Mobile App Developers
In the sixth enforcement action under the California Consumer Privacy Act (CCPA), California Attorney General Rob Bonta announced a $1.4 million settlement with Jam City, Inc., a mobile gaming company based in Culver City, California. This enforcement action highlights critical compliance failures that mobile app developers must avoid and demonstrates the Attorney General’s continued focus on ensuring consumers can easily exercise their privacy rights, particularly through their mobile devices.
Overview of the Case
Jam City, a developer of popular free-to-play mobile games based on franchises including Disney’s Frozen, Harry Potter, and Family Guy, allegedly violated the CCPA by failing to provide consumers with functional methods to opt out of the sale or sharing of their personal information. The investigation, initiated in May 2024, revealed that despite generating revenue primarily through personalized advertising that relies on consumer data, Jam City failed to implement CCPA-compliant opt-out mechanisms in any of its 21 mobile applications.
The settlement represents a significant enforcement action that addresses two fundamental aspects of CCPA compliance: the right to opt out of data sales and sharing, and enhanced protections for minors under 16 years of age.

The Investigation: What Went Wrong
According to the complaint filed by the California Department of Justice, Jam City’s violations fell into several distinct categories:
1. Complete Absence of In-App Opt-Out Mechanisms
The most striking finding was that 20 out of 21 Jam City mobile applications provided no control or setting whatsoever addressing the sale or sharing of consumers’ personal information. This is particularly significant because Jam City exclusively creates games for mobile devices and collects consumer data almost entirely through these applications.
The one remaining app offered a control titled “Data Privacy,” but this control:
- Did not reference the CCPA
- Was unclear about whether enabling it would actually stop the sale or sharing of personal information
- Failed to meet the transparency requirements under CCPA regulations
2. Inadequate Website Opt-Out Provisions
Jam City’s website fared no better, according to the complaint. The company:
- Did not provide an opt-out link on its website
- Failed to offer a CCPA-compliant opt-out method
- Only referenced consumers’ opt-out rights buried in its privacy policy under “Cookies and Interest Based Advertising”
- Instructed consumers to email [email protected] to stop targeted advertisements, “a method that, by itself, does not satisfy CCPA requirements”
The CCPA and its implementing regulations make clear that businesses must provide opt-out mechanisms that reflect how they primarily interact with consumers. For a company that creates exclusively mobile apps, in-app opt-out functionality is mandatory—not optional.
3. Failures in Age-Gating and Minor Protections
Another aspect of the matter involves Jam City’s treatment of children’s data. The CCPA and other privacy laws provide enhanced protections for consumers under 16 years of age, prohibiting businesses from selling or sharing their personal information without first obtaining affirmative authorization.
For several Jam City games, the company implemented age gates requiring users to submit their age upon first installing the game. For most of these age-gated games, Jam City provided “child-versions” that do not collect or share personal information with third parties for users who submitted ages below 16.
However, Jam City failed to properly maintain the age gate for six of its games, providing child versions only to consumers who declared their age as below 13, not below 16 as required. This meant that consumers between 13 and 16 years of age had their data sold or shared without Jam City first obtaining the minors’ affirmative authorization, a violation of Civil Code section 1798.120(c).
The Data Collection and Sharing Practices
To understand the significance of these alleged violations, it’s important to examine what data Jam City collected and how it was used:
Personal Information Collected:
- Device identifiers
- IP addresses
- User interaction data (including purchase behavior and gameplay patterns)
How the Data Was Used: Jam City disclosed this consumer personal information to third-party companies for advertising and analytics purposes. These companies, in turn, used the information along with data collected across different websites, apps, music services, podcast platforms, and TV streaming services for cross-context behavioral advertising.
This practice of cross-context behavioral advertising enabled advertisers and third-party companies to personally target ads to Jam City’s users both within Jam City’s apps and on other platforms, precisely the type of data sharing that triggers CCPA’s opt-out requirements.
Legal Violations Alleged
The California Attorney General alleged violations of two separate legal frameworks:
First Cause of Action: CCPA Violations (Civil Code § 1798.100 et seq.)
Jam City engaged in acts or practices that violated the CCPA, including:
- Selling and sharing consumers’ personal information without providing a CCPA-compliant opt-out process (violating Civil Code §§ 1798.120, 1798.135, 1798.140, and Cal. Code Regs. tit. 11, § 7026)
- Selling and sharing the personal information of consumers known to be between 13 and 16 years of age without obtaining affirmative consent (violating Civil Code §§ 1798.120(c), 1798.135, and Cal. Code Regs. tit. 11, § 7071)
Second Cause of Action: Unfair Competition Law (Business & Professions Code § 17200 et seq.)
The complaint also alleged that Jam City’s CCPA violations constituted unfair competition under California’s UCL, which prohibits unlawful, unfair, or fraudulent business practices.
Settlement Terms: $1.4 Million and Comprehensive Injunctive Relief
The settlement, finalized in the form of a Final Judgment and Permanent Injunction, requires Jam City to pay $1.4 million in civil penalties in two installments:
- $700,000 within 60 days of the effective date
- $700,000 within one year of the effective date
Beyond the monetary penalty, the settlement imposes extensive injunctive requirements that provide a roadmap for CCPA compliance in the mobile app context:
1. Implementation of Consumer-Friendly Opt-Out Mechanisms
Jam City must provide clear and conspicuous opt-out links within both its website and mobile applications. These opt-out mechanisms must either:
- Immediately effectuate the consumer’s choice to opt out, OR
- Direct the consumer to a Notice of Right to Opt-Out of Sale/Sharing
The opt-out process must:
- Be consumer-friendly
- Be easy to execute
- Require minimal steps
- Request only the minimal amount of personal information necessary to effectuate the opt-out
The judgment emphasizes that the Notice of Right to Opt-Out must “be formatted and designed to fit and scale to the website or application where it is provided, without unnecessarily burdening a consumer’s ability to opt-out.”
2. Opt-Out Confirmation Requirements
Jam City must provide consumers with a means to confirm that their opt-out request has been processed. Examples include:
- Displaying “Opt-Out Request Honored” on the website
- Using a toggle or radio button showing that the consumer has opted out
- Providing confirmation within each mobile application
3. Cross-Application Opt-Out Functionality
When a consumer opts out through one mobile application, Jam City must effectuate the opt-out choice across all of its mobile applications for any personal information it associates with that consumer. This prevents the common problem of consumers having to opt out separately in each app from the same developer.
4. Avoiding Confusion with Other Privacy Controls
If Jam City implements other privacy choice mechanisms (such as cookie preference managers), it must avoid language or design that could confuse consumers into believing:
- Those other choices constitute a CCPA-compliant opt-out, OR
- Those other choices must also be selected to opt out of selling or sharing
This requirement addresses the growing concern about “dark patterns” and confusing user interfaces that subvert consumer choice.
5. Enhanced Requirements for Age-Screening
For mobile applications using age-screening mechanisms, Jam City must:
Design Neutrality:
- Design the age-screening in a neutral manner that does not default to age 16 or above
- Avoid suggesting that certain features will be unavailable for consumers under 16
- Not collect personal information from consumers prior to collecting age information (except as permitted by law)
Child Version Requirements:
- Direct consumers under 13 to a child version of the application
- For consumers aged 13-15, either direct them to a child-version OR obtain their affirmative authorization before directing them to a non-child-version
Data Deletion:
- Direct all third parties to whom Jam City sold or shared personal information collected from consumers who submitted ages under 16 to delete such information collected prior to October 1, 2024
6. Compliance Program and Monitoring
Within 180 days of the effective date, and for three years thereafter, Jam City must implement and maintain comprehensive monitoring programs to:
- Assess whether it is effectively providing consumer-friendly opt-out methods
- Monitor compliance with minor protection requirements
- Document and share results with the California Attorney General in annual reports
All reports are treated as confidential and exempt from public records disclosure.
Implications for Mobile App Developers
This enforcement action provides several critical lessons for companies developing mobile applications, particularly those relying on advertising revenue:
1. In-App Opt-Outs Are Mandatory, Not Optional
If your business model involves mobile apps, you must provide opt-out functionality within those apps. The CCPA regulations at 11 CCR § 7015 make clear that opt-out mechanisms must reflect how the business primarily interacts with consumers. Simply directing users to email for opt-out requests or burying opt-out instructions in a privacy policy will not suffice.
Mobile app developers should implement:
- A clearly labeled “Do Not Sell or Share My Personal Information” link or setting
- Simple toggle switches or checkboxes that are easy to use
- Immediate confirmation when the opt-out is processed
- Cross-application opt-out functionality for developers with multiple apps
2. Age-Gating Must Be Implemented Correctly
If you collect age information from users, you must use that information to comply with the CCPA’s enhanced protections for minors. Key requirements include:
- Design age gates neutrally (don’t default to 16+)
- Don’t collect personal information before collecting age
- Provide child-versions or obtain affirmative consent for users 13-15 when engaging in certain kinds of data processing, including for targeted advertising
- Ensure the age gate applies consistently across all apps
The fact that Jam City implemented age gates but failed to properly use the age information for six games demonstrates that having an age gate is not enough; it must function correctly and consistently.
3. “Dark Patterns” and Confusing Designs Will Be Scrutinized
The settlement’s provisions about avoiding confusion with other privacy controls signal regulators’ focus on user experience design. Companies should avoid:
- Cookie preference managers that could be confused with CCPA opt-outs
- Multi-step processes that burden consumers
- Unclear language about what opting out actually accomplishes
- Design elements that steer users away from exercising their rights
4. Documentation and Monitoring Are Essential
The three-year compliance monitoring requirement in this settlement reflects the importance of ongoing compliance programs. Companies should:
- Document their opt-out implementation
- Regularly test opt-out functionality
- Monitor whether opt-outs are working as intended
- Review age-screening mechanisms for effectiveness
- Maintain records of compliance efforts
5. The Stakes Are Significant
The $1.4 million penalty demonstrates that the California Attorney General is willing to impose substantial monetary consequences for CCPA violations, particularly when companies make little to no effort to comply with fundamental requirements. As Holland & Knight noted in their analysis, this settlement shows “the AG is willing to push for more significant monetary settlements…where a business does not make any obvious effort to implement required controls.”
Broader Context: The Attorney General’s CCPA Enforcement Strategy
The Jam City settlement represents the sixth CCPA enforcement action announced by Attorney General Bonta, revealing an emerging pattern in California’s privacy enforcement strategy:
Previous CCPA Enforcement Actions:
- Sephora (August 2022) – $1.2 million settlement for failing to disclose it was selling personal information and failing to process opt-out requests via user-enabled global privacy controls
- DoorDash (February 2024) – Settlement for selling customer personal information without providing notice or opportunity to opt out
- Tilting Point Media (June 2024) – $500,000 settlement (joint with LA City Attorney) for collecting and sharing children’s data without parental consent in “SpongeBob: Krusty Cook-Off”
- Healthline Media (July 2024) – $1.55 million settlement (the largest to date) for the health website’s use of tracking technology without proper opt-out protections
- Sling TV (October 2025) – $530,000 settlement for employing “deceptive” user interface design and inadequate children’s privacy protections
There have also been enforcement actions by the California Privacy Protection Agency (CPPA), such as against Honda and Todd Snyder.
Common Themes in CCPA Enforcement:
Examining these six enforcement actions reveals Attorney General Bonta’s priorities:
Consumer Choice Architecture: Multiple settlements (Jam City, Sling TV, Sephora) focus heavily on how opt-out mechanisms are designed and presented to consumers. The AG clearly expects businesses to make opting out easy, not burdensome.
Children’s Privacy: Three of the six actions (Jam City, Sling TV, Tilting Point) involved violations of special protections for minors, demonstrating heightened scrutiny of companies serving child audiences.
Targeted Advertising Ecosystem: The enforcement actions target various players in the digital advertising ecosystem, from mobile apps (Jam City, Tilting Point) to streaming services (Sling TV) to e-commerce (Sephora) to publishers (Healthline).
Investigative Sweeps: The AG has conducted investigative sweeps focused on location data, streaming apps and devices, and employee information, suggesting more enforcement actions may be forthcoming.
What This Means for Your Business
For Mobile App Developers:
If you develop mobile applications that involve any of the following, you need comprehensive CCPA compliance:
- Displaying personalized or targeted advertising
- Sharing user data with advertising networks or analytics providers
- Using SDKs that collect and share user information
- Offering apps to California residents
Your privacy compliance program, including as it relates to the CCPA, should include:
- In-app opt-out mechanisms that are easy to find and use
- Child versions of apps or robust age verification and consent mechanisms, depending on the app’s audience and other relevant details
- Regular audits of data collection and sharing practices, including via data mapping
- Clear and accurate privacy policies
- Training for development teams on privacy requirements
For Businesses Using Mobile Advertising:
Even if you’re not a mobile app developer, if you advertise through mobile apps or use mobile app data for marketing, you should:
- Verify that app partners have proper opt-out mechanisms
- Review contracts to ensure data processing agreements address CCPA compliance
- Understand whether you’re receiving data about minors
- Ensure your own privacy notices accurately describe mobile advertising practices
For Companies Serving Children:
If your app or service is directed to children or you have actual knowledge that users are minors, you must:
- Implement effective age verification mechanisms
- Provide child-appropriate experiences that limit data collection
- Obtain proper consent before selling or sharing minor data
- Comply with both CCPA and COPPA requirements
- Train staff on youth privacy protections
Practical Compliance Checklist
Based on the Jam City settlement, here’s a practical checklist for mobile app compliance:
Opt-Out Implementation:
- In-app “Do Not Sell or Share My Personal Information” link or setting visible on main menu or settings
- Opt-out mechanism works across all your company’s apps
- Opt-out takes two clicks or fewer to complete
- Confirmation displayed when opt-out is processed
- Website also has compliant opt-out link
- Opt-out actually stops data sharing/selling (test it!)
Privacy Notices:
- Privacy policy clearly describes what personal information is collected
- Policy explains how data is shared for advertising
- Policy links to opt-out mechanism
- Notice of Right to Opt-Out of Sale/Sharing is clear and accessible
- Mobile app privacy practices specifically addressed
Age-Related Protections:
- Age gate implemented if app attracts children (with nuances depending on specifics)
- Age gate is neutral (doesn’t default to 16+)
- No data collection before age is obtained
- Child-versions available for users under 13
- For users 13-15: child-version OR affirmative consent mechanism
- Age information used consistently across all games/apps
Vendor Management:
- Inventory of all SDKs and third parties receiving data
- Contracts address CCPA compliance obligations
- Verification that vendors honor opt-out requests
- For apps with minors: directed vendors to delete historic minor data
Documentation and Monitoring:
- Written policies and procedures for CCPA compliance
- Regular testing of opt-out mechanisms
- Monitoring of age-screening functionality
- Compliance training for development and product teams
- Annual compliance reviews and documentation
Looking Ahead: The Evolving Privacy Landscape
The Jam City enforcement action comes at a time of significant evolution in privacy regulation:
California Privacy Rights Act (CPRA): The CPRA amendments, which took effect in 2023, strengthened opt-out rights and created new requirements around sensitive personal information and automated decision-making.
California Privacy Protection Agency: The new California Privacy Protection Agency now has authority to conduct its own enforcement actions, alongside the Attorney General.
Federal Privacy Legislation: While comprehensive federal privacy legislation remains pending, various federal agencies are increasingly active in privacy enforcement.
Global Privacy Controls: Businesses should also prepare for Global Privacy Control (GPC) requirements, which allow consumers to broadcast opt-out preferences automatically.
Age-Appropriate Design Codes: California’s Age-Appropriate Design Code Act (currently subject to litigation) may impose additional requirements for services likely to be accessed by children.
Conclusion: Compliance Is Not Optional
The $1.4 million Jam City settlement delivers a clear message: CCPA compliance in the mobile app context is not optional, and enforcement is accelerating. For mobile app developers, particularly those monetizing through advertising, the path forward requires:
- Immediate implementation of compliant in-app opt-out mechanisms
- Rigorous age-screening processes with appropriate restrictions for minor users, subject to the nuances of the audience and who the app is geared toward
- Regular monitoring and testing of privacy controls
- Transparent privacy notices that accurately describe data practices
- Comprehensive compliance programs with documentation and training
The enforcement action also highlights the importance of CCPA compliance. The consequences of non-compliance, both monetary penalties and reputational harm, far exceed the investment in proper compliance programs. The California Attorney General has demonstrated a commitment to robust enforcement, and the mobile app industry should expect continued scrutiny of data practices, particularly those affecting children and involving targeted advertising.