By Hansenard Piou

On November 21st, 2025, the California Attorney General announced a $1.4 million dollar settlement with the mobile app gaming company, Jam City, Inc., the sixth such settlement by California regulators under the California Consumer Privacy Act (CCPA). The AG had sued Jam City, whose mobile gaming apps collect personal information such as device identifiers, IP addresses, and usage data, alleging that it had failed to offer appropriate methods to opt out of sale and sharing of personal data in violation of the CCPA.

The Complaint

In May 2024, an AG investigation found that 20 of Jam City’s 21 apps did not provide a link or setting for consumers to opt-out of the sale of their personal information or sharing of such data for behavioral advertising across Jam City’s apps and other apps and platforms.

The complaint thus alleges that Jam City did not provide CCPA compliant opt-out methods on its apps or its website. In addition to the lack of controls on the 20 apps, the 21st app provided a “Data Privacy” setting that allegedly did not reference the CCPA and was unclear about whether enabling the setting would effectuate an opt-out request. Additionally, the “Cookies and Interest Based Advertising” section of privacy policy on Jam City’s website “told consumers that they could email Jam City at ccpaoptout@jjamcity.com to stop targeted advertisements,” a method the AG claimed was allegedly insufficient under the CCPA.

The complaint further alleges that Jam City did not acquire opt-in consent to sell or share the personal information of consumers it knew to be less than 16 years old. Jam City allegedly age-gates several of its apps and provides “child-versions” which do not collect or share personal information with third parties. However, Jam City allegedly failed to properly age-gate six of its apps, only providing the child-versions to consumers who declared they were under 13. As a result, Jam City was improperly selling or sharing the data of consumers between 13 and 16 years old, including via cross-context behavioral advertising without obtaining opt-in consent.

The Settlement

The settlement orders Jam City to comply with the CCPA’s opt-out provisions, specifically requiring:

• Implementing a consumer-friendly, easy to execute opt-out process with minimal steps and in the case of mobile apps or connected devices, such opt-out process being available in a setting or menu option that leads the consumer to a page, setting, or control that enables the consumer to opt-out the sale and sharing of the consumer’s personal information either immediately, or in the alternative, via a link to the notice of right to opt-out of sale/sharing in the privacy notice,;

• Effectuating of a consumer opt-out l across all of Jam City’s mobile apps for any personal information associated with the consumer,;

• Providing means by which the consumer can confirm the processing of their opt-out request; and

• Avoiding language or design likely to confuse a reasonable consumer that choices related to the collection of personal information, other than the opt-out process, constitute a compliant opt-out method or must be selected to opt-out.

Additionally, the settlement also requires compliance with special rules for consumers under 16 years old:

• Where Jam City implements an age-screening mechanism,

  • Designing the mechanism in a neutral manner that does not default to 16+ and does not suggest that certain features are unavailable to consumers under 16 years old;

  • Directing consumers who submit an age under 13 years old to a child-version of the app; and

  • Directing consumers who submit an age of at least 13 years old and less than 16 years old to a child-version of the app or obtain their affirmative authorization to sell or share their personal information before directing them to a non-child-version of the app.

• Directing all third parties to whom Jam City sold or shared personal information collected prior to October 1, 2024, from consumers who submitted ages under 16 years old in any Jam City mobile apps to delete such personal information.

Takeaways

With its recent investigations and settlement actions, the California Privacy Protection Agency has shown its willingness to enforce the CCPA, especially its opt-out provisions. The Jam City settlement order to effectuate opt-outs wherever the business identifies the consumer is similar to the California’s AG recent settlement order against Sling TV, which was ordered to “provide an opt-out mechanism within the Sling TV app on various living-room devices, so consumers accessing Sling TV on various devices do not need to go to Sling TV’s website to opt-out.” This robust enforcement of implementation of opt-out measures comes from the CCPA regulation requiring businesses to comply with a customer’s previously given opt-out signal “where the consumer is known to the business."

Moreover, recent California legislation is a part of a national trend of increased concern for children’s online privacy and safety. Laws with additional requirements for processing minors’ data are being complemented with app store age-verification laws, such as California’s Digital Age Assurance Act, which provide developers knowledge of whether consumers are minors.

This enforcement action highlights the political momentum for minors’ online privacy and the CCPA’s increased enforcement activity. Consider the following actions to address the concerns raised in this enforcement action:

• Review all platforms, both apps and websites where you collect personal information to confirm choice mechanisms for consumer rights are clear and conspicuous so that users can easily effectuate those rights and understand those requests are being processed.

• Implement choice mechanisms to properly regulate processing in accordance with data protection law and the consumer’s age.

• Effectuate opt-out requests so that the consumer is opted out of such processing across apps, devices, and services where the business has information connecting the identity of the consumer.

• Ensure age-gating processes comply with regulatory guidance, including not defaulting to an age above the relevant age range or suggesting a particular age range is required to access certain features.

• Be mindful of data practices and obligations with respect to minors’ data, especially as more states pass legislation protecting children and teens’ privacy, in particular, if you are an app publisher, be prepared to put in place processes to properly handle child and teen data as you may gain knowledge of age under coming age assurance laws.

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law. 

Hansenard Piou is an Associate at Hintze Law PLLC with experience in global data protection issues, including kids’ global privacy laws, AADC, privacy impact assessments, GDPR, and privacy statements.