We have covered how Honda, Healthline, Tractor Supply Co, and now Jam City have all been fined over $5 million dollars so far this year and that number is small compared to the privacy lawsuit settlements we’ve been tracking. If you want to be compliant and avoid CalPrivacy headlines then book a demo right away with one of our privacy experts and learn how we’re helping businesses be compliant with the CCPA and other 19 state privacy laws.
California’s latest CCPA enforcement action reveals critical compliance gaps in mobile app privacy controls
California Attorney General Rob Bonta has secured a $1.4 million settlement with Jam City, Inc., marking another significant step in the state’s aggressive enforcement of consumer privacy rights. The case highlights a growing compliance challenge: mobile applications operate in a fundamentally different technical environment than traditional websites, yet face identical privacy obligations under the California Consumer Privacy Act.
The Core Privacy Violations of Jam City
Jam City, creator of popular franchise-based mobile games including titles built around Harry Potter, Frozen, and Family Guy, committed two fundamental CCPA violations that compliance teams should carefully examine.
First, despite operating 21 mobile applications that collect and share consumer data almost exclusively through these platforms, the company failed to implement any CCPA-compliant opt-out mechanisms within its apps. This is particularly striking given that Jam City’s business model relies substantially on data-driven advertising revenue. The company and its advertising technology partners use consumer information to deliver personalized ads within games, making data sharing central to operations rather than incidental.
Second, investigators discovered that certain Jam City games sold or shared personal information from users between ages 13 and 16 without obtaining the affirmative opt-in consent that California law specifically requires for minors in this age bracket. The CCPA establishes enhanced protections for consumers under 16, recognizing their limited capacity to understand privacy implications and requiring businesses to obtain explicit consent before monetizing their data.
Why This Settlement Matters for Compliance Programs
This enforcement action represents the sixth CCPA settlement secured by Attorney General Bonta’s office, but it carries particular significance for several reasons that extend beyond the penalty amount.
The settlement establishes clear regulatory expectations that CCPA obligations apply with full force to mobile applications regardless of platform-specific technical constraints. Many companies built their mobile presence before comprehensive privacy laws took effect and have struggled with retrofitting privacy controls into existing architectures. California’s enforcement makes clear these legacy technical decisions provide no safe harbor from current compliance requirements.
Mobile applications present distinct compliance challenges compared to traditional websites. Apps lack visible “Do Not Sell or Share My Personal Information” links that CCPA requires businesses to display on websites. This creates compliance gaps where mobile-first companies collect extensive consumer data without providing accessible opt-out mechanisms simply because the technical implementation differs from web-based approaches. Note that all clients of Captain Compliance’s Cookie Consent software has the Do Not Sell or Share My Personal Information built into their tooling.
The Jam City case directly addresses this gap. By investigating a company that collected consumer data nearly exclusively through mobile games rather than websites, California’s Department of Justice sent a clear signal: businesses cannot use platform differences as justification for incomplete CCPA implementation. The settlement requires Jam City to provide in-app methods for consumers to opt-out, establishing that mobile applications must offer privacy controls within the same environment where data collection occurs.
The Mobile App Privacy Challenge
Mobile applications operate in technical environments that differ substantially from traditional websites in ways that create specific compliance challenges for privacy teams.
Browser-based privacy tools like Global Privacy Control function well for websites but face limitations in mobile app environments. Mobile applications run in distinct technical ecosystems with different privacy signal mechanisms, creating implementation challenges for developers attempting to honor opt-out preferences across platforms.
Governor Gavin Newsom’s September 2024 veto of Assembly Bill 3048 further complicated this landscape. The proposed legislation would have required mobile operating systems to include system-wide opt-out settings, creating platform-level infrastructure that individual app developers could leverage for CCPA compliance. Without this platform-level support, mobile app developers must implement individualized opt-out mechanisms using platform-specific tools and approaches.
This creates particular pressure for the mobile gaming industry, where user experience considerations often conflict with privacy control implementations. In-app opt-out mechanisms can create additional screens and interactions that some companies fear might reduce user engagement or increase application abandonment rates. However, CCPA makes unambiguously clear that business considerations cannot override consumer privacy rights.
What Compliance Teams Should Do Now to be Compliant
Organizations with mobile applications should conduct immediate assessments of their current privacy implementations against the standards established by this settlement.
Begin by auditing whether in-app opt-out mechanisms exist for all mobile applications that collect or share personal information. The Jam City settlement establishes that websites offering opt-out functionality cannot substitute for in-app controls when data collection occurs primarily through mobile platforms.
For applications with users under 16, verify that robust age-gating mechanisms are in place and that appropriate consent workflows exist for different age groups. CCPA requires affirmative opt-in consent from users between 13 and 16 before selling or sharing their data, and requires parental or guardian consent for users under 13. These age-specific requirements demand careful technical implementation with appropriate verification mechanisms.
Review advertising technology partnerships to ensure that all ad tech providers can properly process and honor opt-out signals from mobile applications. The settlement reinforces expectations that the entire advertising supply chain must respect privacy signals regardless of platform. Compliance teams should verify that contracts with advertising partners include appropriate terms requiring CCPA compliance and that technical integrations support signal transmission.
Consider how recent enforcement patterns might affect regulatory risk assessments. Attorney General Bonta has demonstrated sustained commitment to CCPA enforcement across multiple sectors, conducting investigative sweeps into location data, streaming services, and employee information handling throughout 2025. The accelerating pace of enforcement actions and increasing penalty amounts suggest heightened regulatory scrutiny that should factor into compliance prioritization decisions. In fact CalPrivacy has a series of new privacy requirements that start in just over 30 days from now and most businesses are not prepared but if you work with Captain Compliance you’ll be prepared.
The Broader Enforcement Context
The Jam City settlement arrives amid California’s broader privacy enforcement campaign that has targeted multiple industries and collected substantial penalties.
In July 2025, the Attorney General secured a $1.55 million settlement with Healthline Media LLC, representing the largest CCPA penalty to date. That case involved a health information website that failed to allow consumers to opt out of targeted advertising while sharing data that could reveal serious health conditions. The settlement included novel terms prohibiting Healthline from sharing article titles that might reveal medical diagnoses.
October 2025 brought a settlement with Sling TV for failing to provide easy-to-use opt-out methods and failing to protect children’s privacy. These cases collectively demonstrate regulatory focus on companies that create friction for consumers exercising privacy rights through technical implementations that make opt-out difficult or impossible.
March 2025 saw investigative sweeps into the location data industry, with the Department of Justice sending letters to advertising networks, mobile app providers, and data brokers appearing to violate CCPA. Similar sweeps addressed streaming apps and devices along with employee information practices, demonstrating California’s willingness to conduct industry-wide compliance assessments rather than reactive investigations.
This enforcement pattern suggests that California regulators are moving beyond isolated complaints toward proactive identification of compliance gaps within specific industries and business models. Companies should anticipate that industry-wide technical practices may face scrutiny even if individual complaints have not been filed.
Industry-Wide Implications
The mobile gaming sector faces particular pressure from this settlement given widespread reliance on advertising-driven business models that depend on consumer data sharing.
Many gaming companies employ similar monetization strategies where advertising revenue depends on sharing user data with third-party networks for audience targeting and ad delivery. The Jam City settlement establishes that these business models carry clear compliance obligations that cannot be deferred due to technical implementation challenges or user experience concerns.
Advertising technology companies also face implications from mobile app enforcement. Many ad tech providers operate across both web and mobile environments, requiring technical capabilities to process opt-out signals regardless of platform. The settlement reinforces expectations that ad tech providers must honor privacy signals from mobile applications with the same rigor applied to traditional websites.
For marketing professionals, the settlement underscores the importance of understanding how advertising partners handle consumer data across all platforms. Advertisers purchasing inventory in mobile games should verify that publishers provide compliant opt-out mechanisms, as regulatory scrutiny increasingly focuses on the entire advertising supply chain rather than isolated participants.
CCPA Enforcement Trajectory
California’s CCPA enforcement trajectory suggests continued intensification of scrutiny on mobile applications and advertising technology practices.
The state’s privacy enforcement program represents the most aggressive approach among states with consumer privacy laws. While multiple states have enacted privacy legislation, California maintains the most active enforcement apparatus with substantial penalties and comprehensive investigative activities. This creates particular compliance pressure for companies operating nationally but subject to California’s jurisdiction through consumer relationships or data handling practices.
The timing and pattern of recent enforcement actions may influence broader industry behavior around privacy implementations. With CCPA enforcement activity accelerating and penalty amounts increasing, companies face growing pressure to ensure mobile applications provide the same privacy protections required for websites regardless of technical implementation challenges.
Organizations that wait for direct regulatory contact before addressing mobile app privacy gaps may face significant remediation costs alongside potential penalties. Proactive compliance assessments offer opportunities to identify and address issues before they become enforcement matters, potentially avoiding both financial penalties and reputational impacts.
Key Takeaways for Compliance Leaders
Several critical lessons emerge from the Jam City settlement that should inform compliance strategies.
Mobile applications face identical CCPA obligations as traditional websites, with no regulatory deference for platform-specific technical constraints. Companies cannot use the absence of platform-level privacy infrastructure as justification for failing to implement in-app opt-out mechanisms.
Business models based on data sharing for advertising purposes carry clear compliance obligations that must be fulfilled regardless of potential impacts on user engagement metrics or revenue. California regulators have consistently demonstrated that business considerations do not override consumer privacy rights.
Age-based protections for minors under 16 require careful technical implementation with robust verification mechanisms. The enhanced protections for younger consumers create specific compliance challenges that demand attention beyond general opt-out functionality.
Regulatory enforcement under CCPA continues intensifying, with California’s Attorney General conducting proactive industry sweeps rather than relying solely on individual complaints. This suggests companies should anticipate regulatory scrutiny of industry-wide practices even absent direct consumer complaints about specific implementations.
For companies operating mobile applications that collect or share consumer data, the time for privacy compliance assessments is now, not when enforcement letters arrive.
About this case: The settlement was announced November 21, 2025, and requires Jam City to pay $1.4 million in civil penalties while implementing compliant in-app opt-out mechanisms. Consumers can report CCPA violations to the California Attorney General’s office at oag.ca.gov/report.
