Jam City Case Shows That Enforcers Are Probing Mobile Apps, Teen Data Privacy
The California attorney general’s $1.4 million settlement with mobile games company Jam City demonstrates that enforcers are focused on making opt-outs easy for consumers and that companies’ handling of teenagers’ data is important, said privacy lawyers in interviews and recent blog posts. It also shows that mobile apps -- not just websites -- are in regulators’ crosshairs, they said.
Jam City agreed last month to pay $1.4 million in a California Consumer Privacy Act (CCPA) settlement (see 2511210069). The state DOJ said the company failed to provide consumers ways to opt out of selling or sharing their personal information across its popular apps, which include games based on the Frozen and Harry Potter franchises. Also, some Jam City games shared or sold data of kids ages 13-16 without the opt-in consent required by CCPA, the AG’s office said.
The Jam City settlement marks the California AG’s second privacy enforcement action against a mobile game developer. Tilting Point Media agreed in 2024 to pay a $500,000 settlement resolving allegations of COPPA and CCPA violations related to a SpongeBob SquarePants game (see 2406200041).
However, the Jam City action has more in common with recent enforcement actions against Healthline and Sling TV (see 2507010074 and 2511070023), said Stacy Feuer, senior vice president at the Entertainment Software Rating Board’s Privacy Certified. The recent actions send a clear message that opting out under the CCPA “must be frictionless” for consumers, she said. They shouldn't have to take “extraordinary measures to stop the sale of their data.”
In addition, the California AG is "sending a very clear signal that teen data really matters” and that complying with COPPA is "just not enough anymore,” said Feuer. She noted that Jam City is a member of Privo’s Kid's Privacy Assured program, which certifies companies for complying with COPPA to safeguard children's personal information. However, in this case, the California AG didn’t allege any violations of COPPA, which covers only children under 13. Instead, the AG focused on teens covered by the CCPA.
“California is signaling [that] companies shouldn't treat teens as mini adults,” said Feuer. She added that ESRB self-regulatory guidelines “make very clear that companies must treat teen data with heightened care.”
ZwillGen privacy attorney Alexei Klestoff said the focus on mobile apps is what stood out to him about the California enforcement action. “It's very obvious that mobile apps are now a target.”
In particular, the settlement’s requirement that Jam City must honor a consumer’s opt-out request from one mobile game in all its other games -- if the company can identify that it’s the same user -- could be operationally difficult to implement, he said. While it's “unlikely” that many companies already have that functionality, “I can see that being an area of focus for the AG and the [California Privacy Protection Agency] for sure.”
Klestoff also noted that the settlement previews new CCPA rules taking effect in January (see 2511200059). For example, one new rule says an opt-out choice must be in the app’s settings, he said. Previously, the rules said an app “may” do this. “That was exactly what … the settlement required,” he said. Another example is the settlement's requirement that Jam City provide a visual confirmation when someone opts out, which will also be required for all CCPA-covered entities starting Jan. 1.
Jam City continues California privacy enforcers' expansion to new subjects this year, said Klestoff. The AG office’s review of the app ecosystem follows recent scrutiny of video streaming in the Sling case, as well as the privacy agency’s probe of employment data usage in September’s action against Tractor Supply Co. (see 2510030028). “If it's covered by the statute, it's fair game for the regulator,” Klestoff said.
Ben Winters, the Consumer Federation of America's director of AI and privacy, emailed us that “having vigorous enforcement of places where people are having their data routinely abused -- playing games, watching shows, driving their cars -- is critical.” The Jam City action “shows what privacy laws look like in practice, and provides consumers both safer experiences and a forward looking expectation of better online interactions.”
Focus on Opt-Outs
Opt-out rights continue to be a priority for regulators, privacy attorneys said in recent blog posts about the Jam City case. In addition, state privacy enforcement activity appears to be picking up, they said.
The Jam City settlement “reemphasizes the California AG's focus on CCPA fundamentals such as opt-out mechanisms,” Holland & Knight attorneys blogged Nov. 25. “It also shows that the AG is willing to push for more significant monetary settlements ($1.4 million in this case, compared to $530,000 for Sling TV) where a business does not make any obvious effort to implement required controls.”
“Another takeaway from the Jam City case is that age-screening features must be implemented properly,” the Holland & Knight lawyers said. “Regulators may infer knowledge of a consumer's age if an age gate or other similar feature is used. If the business using that feature does not then ensure that information is used to address CCPA-required controls, regulatory scrutiny may follow.”
Robinson+Cole privacy attorney Kathryn Rattigan wrote in a blog post Wednesday that the enforcement is “a stark reminder” that “CCPA opt-out rights must be readily accessible and actionable within mobile apps, not just via privacy policies or external links.” Also, companies “must vigilantly comply with enhanced CCPA protections for minors, especially for teens aged 13 to 16.”
Troutman privacy lawyer David Stauss noted in a Nov. 22 blog post that seven of California’s nine announced CCPA enforcement actions “are from this year, showing a notable increase in enforcement activity.”
Jonathan Tam, a Baker McKenzie privacy attorney, posted last week on LinkedIn that while many previous CCPA enforcement actions focused on websites, “this case demonstrates that mobile apps are on regulators' radars too.” In addition, recent updates to CCPA rules “show that regulators are thinking about other types of online platforms, including virtual, mixed, and augmented reality devices,” said Tam. “Whatever the user interface, double-check your compliance, because California privacy regulators are active.”