Gaming App Hit with $1.4M CCPA Fine

California Attorney General Rob Bonta reached a $1.4 million settlement with Jam City, a mobile gaming app company, for violating the California Consumer Privacy Act (CCPA). Jam City failed to offer users of its products a method to opt out of the sale or sharing of their personal information on its apps.

Insufficient Opt-out Methods

Jam City collects personal information, including device identifiers, IP addresses, if the user makes in-game purchases, and how often they play the game. The company discloses the information to third parties who use the data for cross-context behavioral advertising, both on Jam City apps and other platforms.

The CCPA requires businesses to give consumers the right to opt out of the sale and sharing of their data for cross-context behavioral advertising. The opt-out mechanism must reflect how the business interacts with the consumer, meaning a business that primarily creates apps must provide opt-out links within the app.

An investigation initiated by the Attorney General found that Jam City did not provide a CCPA-compliant opt-out link within its apps. 20 out of 21 of Jam City’s apps did not provide the ability to opt out of the sale and sharing of personal information. One of Jam City’s apps had a “Data Privacy” link, but it did not reference the CCPA and did not clearly state if it would stop the sale or sharing of personal information.

Jam City also did not provide a CCPA-compliant opt-out link on its website. The only CCPA opt-out rights mentioned on the website were found under a section titled “Cookies and Interest Based Advertising.” There, consumers were told they could email Jam City to stop targeting advertising, which does not meet CCPA requirements.

Selling or Sharing Children’s Data Without Consent

On several apps, Jam City had an age gate and required users to submit their age when installing games. Jam City provided child versions of many games that did not collect or share the personal information of users under 16 with third parties. The company did not properly maintain the age gate for six of its games and only provided child versions of games to users under 13, resulting in users between the ages of 13 and 16 having their personal information sold or shared without affirmative authorization, violating the CCPA.

Along with the financial penalty, Jam City has agreed to provide opt-out methods within its apps and not to sell or share the personal information of 13-16-year-olds without affirmative opt-in consent.

Previous CCPA Penalties

2025 has been an active year for CCPA enforcements, with the following penalties handed down:

• Sling TV was fined $530,000 for failing to provide easy opt-out methods and not protecting children’s privacy.
• Tractor Supply was fined $1.4M by the CPPA for not honoring opt-out requests, not processing opt-out preference signals, and having insufficient privacy polices.
• In July, AG Bonta issued a $1.55M fine to Healthline for sharing data, including data that suggested the consumer could have had a health condition, with third parties without proper privacy protections.
• In May, clothing retailer Todd Snyder was fined $345,178 by the CPPA for not honoring opt-out requests for 40 days and requiring consumers to verify their identity to opt out of the sale or sharing of their data.
• In March, the CPPA fined Honda $632,500 for requiring excessive personal information to exercise privacy rights, having a longer process for opting out than opting in, and other violations.

CompliancePoint offers Cookie Management Services to help businesses avoid similar penalties. We can also help with all aspects of CCPA compliance. Reach out to us at connect@compliancepoint.com to learn more.