The California Privacy Protection Agency (a.k.a., CalPrivacy) is primarily known for its CCPA enforcement, as well as its rulemaking powers. However, it has another area of activity that is often overlooked: legislative advocacy.
One of CalPrivacy’s official duties is to provide advice to the state legislature on privacy-related legislation. Often this takes the form of giving (or withholding) its stamp of approval to bills already being considered, but the Agency also makes its own proposals for new privacy legislation.
Here are CalPrivacy’s legislative proposals for 2026.
CalPrivacy currently receives a fairly large volume of consumer privacy complaints (reportedly about 150 per week, and the pace is increasing). Now it’s looking to solicit privacy complaints from within regulated businesses.
The Agency has proposed an amendment to the CCPA that would protect and incentivize whistleblowers who report privacy violations at their workplace. These individuals would be protected against retaliation from their employers, and potentially also share in a portion of any fine that results from their whistleblowing.
Our take: This proposed measure seems likely aimed at gaining some insight into the privacy workings at larger tech companies, but other businesses whose leadership has been dismissive of privacy compliance should take note, as it encourages employees to take action.
Another subtle but significant proposal is to require businesses to offer more than just an email address for consumers to submit privacy requests.
For businesses that operate purely online, the current rule allows them to simply post an email address for submitting requests to access, delete, and correct their personal information (opt-outs and requests to limit have different requirements). Along with reports that CalPrivacy’s enforcement team has been sending out test emails to these addresses to see if anyone actually responds, the proposal suggests regulators' skepticism that such organizations are in compliance with the CCPA. Beyond this, forcing consumers to articulate their privacy requests via email likely discourages many from submitting a request in the first place.
Our take: Many online businesses “comply” with the CCPA by posting a boilerplate privacy policy and an email address that no one actually monitors. Forcing businesses to offer an online form to consumers will make it more readily apparent to regulators which businesses are not taking compliance seriously.
The final legislative proposal is to amend the CCPA so that deletion requests apply to all personal information collected about a consumer, not just data collected from a consumer. In other words, if a business collects personal information from a source other than directly from the consumer, they would be required to delete it upon request (assuming no exceptions apply).
If enacted, this would align the CCPA with existing language in many other state privacy laws.
Our take: Most smaller businesses don’t cut their privacy compliance so fine that they will care much about this change. However, companies that traffic heavily in consumer data will no doubt be keeping an eye on this.
Data privacy compliance is not a one-and-done project; it is a moving target that requires regular attention. Many businesses don’t have the internal expertise to stay current on the latest developments, though. A privacy policy or a data map created years ago may not reflect updated requirements.
TrueVault helps businesses of all sizes get privacy compliant in as little as a few days, and stay that way for years to come. Using our guided workflows and automated integrations, you can quickly create a consent banner, publish privacy notices, be prepared to handle consumer requests, and more. Anyone can do it—no legal background required. As new state laws are passed or old laws are amended, those changes are incorporated into your privacy dashboard at no extra cost!
Contact our team today to learn how TrueVault can help support your business’s compliance.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.