Mobile game developer Jam City recently settled a case alleging violations of the California Consumer Privacy Act (CCPA) for $1,400,000, according to a statement from the California Attorney General’s Office. The settlement concludes an investigation that dates back to May 2024, supporting the proposition that CCPA enforcement has in fact been quite robust despite an early lull in announcements from the AG and CalPrivacy.

What can businesses take away from the Jam City CCPA settlement?

Compliance Issues

Background

Jam City is a mobile developer with a large lineup of video games, including games based on popular intellectual properties such as Harry Potter, Family Guy, and Frozen. The games operate on a free-to-play model and, according to the complaint, generate revenue via in-app purchases, advertising, and selling players’ personal data to third-party marketing and analytics companies.

Opt-Outs

Once again, regulators have focused on the failure to offer consumers a CCPA-compliant way to opt-out of the selling and sharing of their personal information. In Jam City’s case, the state alleged the following:

• Apps Without Opt-Outs: Investigators found that 20 out of 21 Jam City games provided no privacy controls whatsoever. One app did have a setting called “Data Privacy,” but it did not mention the CCPA and was unclear as to whether it opted users out of data selling and sharing. The Attorney General reiterated that, if users’ personal information is sold or shared within a mobile app, the app itself must have an opt-out method, not a link to an external website.
• Only an Email for Website Opt-Outs: On Jam City’s website, the only opt-out method provided was an email address. This violated CCPA rules that require:
  
  • An opt-out link in the footer, and
  • A form allowing for direct submission of an opt-out request on the website.

Under-16 Data Collection

Being a video game developer, it’s no surprise that Jam City would regularly process the personal information of minors. Under the CCPA, that means getting opt-in consent before selling or sharing the data of consumers under the age of 16 (and getting parental consent for consumers under 13). However, the Attorney General’s Office identified problems with how Jam City was complying with these rules.

Jam City did set up an age-collection mechanism for several of its games, and offered a “child version” for users under the age of 16, in which their personal data was not sold or shared with third parties. The issue seems to have been that for some of those games, the age gate was not properly configured and only applied the child version if the user was under 13. This resulted in the sale and sharing of personal data of consumers between 13 and 16 years old without their consent.

Don’t Be the Next Business to Get Fined

The CCPA has been in effect for several years already, and regulators are not giving businesses the benefit of the doubt. If they see signs of non-compliance, they will actively enforce the law. We’ve also seen that it’s not just large companies that are being targeted; SMEs like Jam City, Todd Snyder, and Tilting Point are being hit with large fines as well.

Smaller companies often meet the processing thresholds for privacy laws like the CCPA, but they generally don’t have the internal expertise to handle compliance on their own. TrueVault makes comprehensive privacy compliance achievable and affordable for organizations of all sizes. 

Using our guided workflows and automated integrations, you can quickly create a data map, publish privacy notices, be prepared to handle consumer requests, and more. Anyone can do it—no legal background required. Best of all, as new state laws are passed or old laws are amended, those changes are incorporated into your privacy dashboard at no extra cost!

Contact our team today to learn how TrueVault can help your business get compliant and stay focused on what you do best.