On November 21, 2025, California Attorney General (AG) Rob Bonta announced a $1.4 million settlement with Jam City, Inc. (company), a mobile game app company, for alleged failures to enable in-app opt-outs from the sale and sharing of personal information across many of the company’s mobile apps as required by the California Consumer Privacy Act (CCPA). The AG’s complaint also alleged that the company sold and shared personal information of consumers known to be 13 to 15 years old without consent in violation of the CCPA. In addition to the monetary penalty, the company must implement robust compliance measures, honor consumers’ requests to opt out of the sale or sharing of personal information, and submit annual compliance reports under regulatory monitoring for 3 years.
Background
The company operates free-to-play mobile app games and generates revenue through in-app advertising. The company collects personal information such as device identifiers, IP addresses, and consumers’ interactions with the app and shares it with third-party advertising and analytics companies. These third parties combine the personal information with personal information collected from other sources to deliver targeted ads both within the company’s apps and on other platforms. The AG alleged that this practice constituted the sale and sharing of personal information under the CCPA.
The AG initiated the investigation in May 2024. According to the complaint, 20 of the company’s 21 apps lacked any mechanism to opt out of the sale or sharing of personal information. The lone app with a “Data Privacy” control feature failed to explain its function. Neither the company’s websites nor its apps provided a link that consumers could use to submit opt-out requests, such as the “Do Not Sell or Share My Personal Information” link.
Additionally, the AG alleged that the company knowingly sold and shared personal information of consumers between 13 and 16 years of age without their consent. Several of the company’s apps offered a “child version” for consumers who self-identify as under 16 years of age through an age gate. But the company allegedly misconfigured the age gate so that, for certain apps, only consumers who self-identified as under 13 years of age were directed to the child version. As a result, consumers who self-identified as between 13 and 16 years of age were directed to the non-child version of the app, and the company sold and shared their personal information without opt-in consent.
Settlement
The settlement requires the company to pay $1.4 million and take corrective actions, including the following.
Opt-Out Compliance
- Implement a clear and conspicuous opt-out link on the company’s websites and apps.
- Allow consumers to confirm their opt-out requests are being honored and apply them across all the company’s apps associated with the consumer.
Protection of Teens’ Personal Information
- When adopting an age gate, ensure it remains “neutral” by not default to age of 16 or over or suggesting feature limitations for younger consumers.
- Direct consumers who self-identify as under 13 years of age to a child version of the app; for consumers who self-identify as between 13 and 16 years of age, either direct them to a child version of the app or obtain opt-in consent before selling or sharing their personal information.
- Instruct third parties to delete personal information of known under-16 consumers received from the company.
Compliance Program
- Implement and maintain a compliance program to assess and monitor whether the company is complying with its obligation relating to consumers’ opt-out rights, including additional restrictions for under-16 consumers’ personal information.
- For 3 years, annually submit the results of the compliance review to the State of California.
Key Takeaways
The settlement underscores state regulators’ growing focus on consumer privacy rights and protections for minors. The size of the civil penalty entered against the company and the extent of the technical changes required by the consent judgment are a clear signal to mobile app providers that the failure to provide consumers – especially minors – with clear privacy choices could result in aggressive enforcement and costly consequences. Mobile app providers should:
- Ensure a technical understanding of all embedded third-party analytics and AdTech tools, including third-party pixels and SDKs,[1] as well as the data flows associated with these tools.
- Assess whether their data handling practices will be deemed as the “sale” or “sharing” of personal information.
- Implement clear and accessible opt-out mechanisms across platforms.
- Confirm appropriate safeguards for minors’ personal information are in place, such as neutral age gates and properly configured consent management tools.
Alston & Bird’s Privacy, Cyber & Data Strategy Team and Privacy & Cybersecurity Litigation Team have extensive experience assisting clients’ privacy compliance efforts, advising clients who receive inquiries and violation notices from privacy regulators, and defending clients in class action lawsuits asserting alleged privacy violations. Please contact us if you have any questions.
[1] “SDK” (Software Development Kit) is a collection of tools, libraries, and documentation that enables developers to build applications for a specific platform or service. Third-party SDKs are often provided free of charge and widely used by mobile app developers to accelerate development and quickly integrate features and functionality.
