Developer of Mobile Gaming Apps Pays $1.4 Million to Settle CCPA Claims

The California Office of Attorney General ("CA OAG") announced a settlement with Jam City Inc. ("Jam City"), a developer of mobile gaming apps, for violations of the California Consumer Privacy Act ("CCPA") and Unfair Competition Law on November 21, 2025. Jam City agreed to pay penalties totaling $1.4 million to settle claims that it violated the CCPA when it sold or shared consumers' personal information without providing a compliant opt-out mechanism and sold or shared the personal information of consumers it knew were between 13 and 16 years of age without obtaining their affirmative consent.

Factual Background and Alleged Violations of Law

Jam City develops free mobile gaming apps that generate revenue partly through in-app advertisements. Jam City collects, uses, and discloses to third parties for cross-context behavioral advertising and analytics, the personal information of consumers, including device identifiers, IP addresses, and data about how the consumers interact with the games. These advertisements appear both on Jam City's apps and on other third-party apps.

The CA OAG alleged that Jam City engaged in the following practices that violated the CCPA:

• No CCPA-Compliant Opt-Out Mechanism Provided. Jam City offers 21 mobile apps, 20 of which failed to provide controls that would allow consumers to opt out of the sale or sharing of their personal information. While one app provided a control titled "Data Privacy," it failed to reference the CCPA or explain whether the control would opt the consumer out of the sale or sharing of personal information. Jam City also failed to provide an opt-out link or compliant opt-out mechanism on its website. Jam City's privacy policy merely included a section titled "Cookies and Interest Based Advertising" that directed consumers to email Jam City to opt out of targeted ads.

  The CA OAG alleged that Jam City sold and shared personal information without providing a clear and conspicuous opt-out link or a compliant opt-out mechanism (i.e., a webform) in violation of the CCPA and that such violations were also violations of California's Unfair Competition Law.

• Insufficient Protection for Minors. Jam City requires consumers to provide their age before first installing gaming apps and makes "child versions" of the games available to consumers who indicate they are younger than 16, which is the age in California below which the business must either obtain parental consent or the minor's affirmative consent before selling or sharing personal information. (The "child versions" do not sell or share personal information with third parties.)

  The CA OAG alleged that Jam City failed to configure properly the age gates for six of its games, which resulted in Jam City's sale or sharing of the personal information of consumers who were at least 13 and below 16 years of age without first obtaining those minors' consent in violation of the CCPA and the Unfair Competition Law.

Penalties Imposed on Jam City

In addition to imposing the $1.4 million fine, the settlement requires Jam City to do the following:

Opt-Out Requests

• Implement a "consumer-friendly, easy to execute opt-out process" that enables consumers to opt out of the sale or sharing of their personal information with "minimal steps";
• Provide a "clear and conspicuous opt-out link" on both its website and within each mobile app that either immediately opts a consumer out of sale and sharing or directs the consumer to the notice of the right to opt out that enables the consumer to do so;
• Provide the notice of the right to opt out within each mobile app, and if the mobile app opt-out link does not immediately effectuate the consumer's opt-out request, include in the "notice of the right to opt out" an easy-to-use opt-out method, such as a toggle or check box;
• Effectuate a consumer's opt-out request on a mobile app across all of Jam City's mobile apps for any personal information that Jam City associates with the consumer;
• Request the minimal amount of personal information necessary to effectuate the opt-out request;
• Format and design the notice of the right to opt out to "fit and scale" to the website and mobile app "without unnecessarily burdening a consumer's ability to opt out";
• Provide within each mobile app a means by which the consumer can confirm that Jam City processed the consumer's opt-out request by, for example, displaying on its website "Opt-Out Request Honored" or through a toggle or button; and
• Avoid designing or including language in other choice mechanisms (such as a cookie preference manager) that is likely to confuse a reasonable person about whether exercising choice through such mechanisms constitutes a request to opt out under the CCPA.

Minors' Personal Information

• Design age-screening tools in a neutral manner that does not default to age 16 and above and does not suggest that certain features will not be available to consumers who identify as under 16 years of age;
• Refrain from collecting personal information from consumers before obtaining the consumer's age through the age gate, except as allowed by law;
• Direct consumers who identify as under 13 years of age to a "child version" of the app (i.e., a version that is configured to not sell or share personal information with third parties);
• Direct consumers who identify as at least 13 but less than 16 years of age to a "child version" of the app or obtain the consumer's consent to sell or share their personal information before directing them to a non-child version of the app; and
• Direct all third parties to whom Jam City has sold or shared personal information collected from consumers under 16 years of age to delete such information that was collected before October 1, 2024.

Compliance Program

• Within 180 days of the effective date of the order, and for three years thereafter, implement and maintain a program to assess and monitor whether Jam City is doing the following:
  • Effectively providing opt-out methods that are "consumer-friendly, easy to execute, require minimum steps" and that implement the consumer's request to opt out;
  • Providing disclosures and notices of the right to opt out that comply with the requirements in the order; and
  • Making reasonable efforts to comply with obligations relating to consumers under 16 years of age.
• Document and share the results of such reviews with the CA OAG in an annual report for three years.

Takeaways

Ensure Opt-Out Notices Are Complete and Links Are Readily Available

Mobile app developers must ensure that opt-out links are conspicuously available on every mobile app and that they are easy to use, require minimum steps, and effectuate the consumer's choice to opt out. Moreover, businesses must provide a notice of the right to opt out that clearly explains to consumers that they have the right to opt out of sales of their personal information and targeted advertising along with a CCPA-compliant mechanism (i.e., an interactive webform) that allows them to do so. Simply providing a cookie banner, cookie preference manager, or notice in a website privacy policy with an email address is not sufficient.

Implement Opt-Out Requests Across All Platforms, Websites, and Apps

This settlement is a good reminder that businesses must implement a consumer's opt-out request across all platforms, websites, and apps where the business maintains personal information associated with the consumer.

Ensure Age Gates Work Properly and Consent Is Obtained, When Necessary

Businesses cannot turn compliance over entirely to technical tools. Internal governance processes are necessary to ensure regular monitoring of these compliance tools to confirm they are functioning properly. As in the recent CalPrivacy enforcement action against Todd Snyder, the business's technical compliance mechanism—here, an age gate—was not working properly and as a result, the minors were not directed to a child version of the app, and their personal information was sold and shared without the proper consent.