Jam City, Inc., a prominent mobile gaming company behind popular franchises such as Harry Potter and Frozen, has agreed to pay $1.4 million in civil penalties to resolve allegations that it violated the California Consumer Privacy Act (CCPA) by failing to provide adequate privacy opt-out mechanisms for its users. This resolution, announced by California Attorney General Rob Bonta, marks the second-largest CCPA enforcement penalty in the state’s history.
According to the complaint, here are the key allegations against Jam City:
- Failure to Offer In-App Opt-Outs for Data Sale/Sharing
- The complaint alleges that Jam City develops free-to-play mobile games that earn revenue by sharing user data for advertising, but did not include required opt-out links or settings in any of its 21 mobile apps. Only one app had a nominal “Data Privacy” control, which was described as unclear and noncompliant with CCPA requirements.
- Sale and Sharing of Minors’ Data Without Affirmative Consent
- Jam City’s games use “age gates” to identify users under 16, in line with CCPA protections for minors. However, the complaint alleges that for six of its games, Jam City only provided enhanced child privacy protections for users under 13, and failed to implement opt-in consent requirements for teens between 13 and 16, resulting in inappropriate sharing or sale of their data.
The suit sought injunctions and penalties under the CCPA (Civil Code §§ 1798.100 et seq.) for both general privacy failings and specific violations relating to minors (§ 1798.120 and associated regulations). Jam City was additionally accused of engaging in unfair competition under California’s Business and Professions Code § 17200. The state requested statutory damages of up to $2,663 per CCPA violation (or $7,988 for intentional or minor-related violations) and $2,500 per violation under the unfair competition statute.
The key settlement terms included the following:
- Monetary Penalty: Jam City will pay $1.4 million in civil penalties, one of the largest CCPA settlements to date.
- Privacy Practice Changes: The company must implement clear and accessible opt-out mechanisms for data sale and sharing across all of its apps and platforms.
- Special Protections for Children’s Data: Jam City must not sell or share data from users under 16 without affirmative consent. The complaint highlights the significance of compliance for users between ages 13 and 16, not just those under 13.
- Compliance Obligations: The settlement mandates robust compliance training and periodic public reporting of CCPA measures for oversight.
The Jam City case is a stark reminder that:
- CCPA opt-out rights must be readily accessible and actionable within mobile apps, not just via privacy policies or external links.
- Businesses must vigilantly comply with enhanced CCPA protections for minors, especially for teens aged 13 to 16.
- California regulators are willing to pursue substantial penalties and broad injunctive relief for noncompliance.
