Jun 29, 2026 · 9 min read
Jam City Pays $1.4M for Selling Kids' Data Without Consent
California's sixth CCPA enforcement action targets a mobile gaming giant that built its business on ad tech data pipelines — and forgot to give any of its players a way to say no.
California Attorney General Rob Bonta announced on November 21, 2025 that Jam City, Inc. — publisher of Harry Potter: Hogwarts Mystery, Cookie Jam, Panda Pop, and 18 other mobile titles — had agreed to pay $1.4 million to settle a California Consumer Privacy Act investigation. The complaint was straightforward: 20 of the company's 21 apps collected personal information and passed it to third party advertising and analytics partners, yet not one app contained a button, toggle, or menu option that let users opt out. For teenagers between 13 and 16, the situation was worse — Jam City shared and sold their data without the affirmative opt in consent the CCPA expressly requires for that age group.
Key Takeaways
- California AG Rob Bonta announced the $1.4 million settlement with Jam City on November 21, 2025 — the sixth CCPA enforcement action secured by his office.
- 20 of Jam City's 21 mobile apps offered no in app mechanism to opt out of the sale or sharing of personal information; users who wanted to opt out were directed to email ccpaoptout@jamcity.com.
- Jam City sold and shared the personal data of users aged 13 to 16 — including device identifiers, IP addresses, and in app purchase history — without the affirmative consent the CCPA requires for that age group.
- The settlement requires Jam City to implement in app opt out controls, obtain affirmative opt in consent before monetizing minors' data, and use neutral age screening that does not steer children away from declaring their real age.
- The data was shared with third party companies for cross context behavioral advertising across apps, websites, and streaming services.
What Did Jam City Actually Collect and Sell?
Jam City's apps collected the kinds of data that are routine across the mobile gaming industry: device identifiers (including advertising IDs), IP addresses, and behavioral signals like in app purchase activity and gameplay patterns. That information was disclosed to third party companies operating within the apps' ad and analytics stacks, where it fed into cross context behavioral advertising — the practice of using data gathered in one context (a Harry Potter game) to target users in an entirely different context (a news site or streaming service).
Under the CCPA, this type of disclosure qualifies as a "sale or sharing" of personal information — a term the California Privacy Rights Act of 2020 deliberately broadened to capture nonmonetary data exchanges as well as straightforward commercial transactions. Once that threshold is crossed, the law requires businesses to provide consumers with a clear, accessible opt out mechanism. Jam City provided none. Instead, its privacy policy mentioned an email address — ccpaoptout@jamcity.com — buried under a section titled "Cookies and Internet Based Advertising." That is not a mechanism. It is an obstacle.
AG Bonta's office framed the compliance expectation clearly: apps must provide consumers with a "simple, transparent, and easy to navigate" opt out. An email address that most users will never find does not meet that standard, regardless of what a privacy policy technically discloses. Source: California Office of the Attorney General, November 2025.
Why the Minors' Data Violations Are the More Serious Problem
The opt out failure affected all Jam City users. The minors' data violation is narrower in population but more severe in legal exposure — and it is the part of the settlement that should alarm any company operating a consumer facing app or service with a broad user base.
California's CCPA, as amended by the CPRA, created a two tier protection structure for young users. Children under 13 require verifiable parental consent before any data sale or sharing — consistent with the federal COPPA framework. For teenagers between 13 and 15, the CCPA adds a state level requirement: businesses must obtain affirmative opt in consent from the user themselves before monetizing their data. The default position for a 14-year old is no data sale, unless the teenager has explicitly agreed. The opt out model that applies to adults is reversed: for minors in this age range, no action means no sale, not permission.
Jam City's games include titles — like Cookie Jam and Panda Pop — that are not specifically marketed to children but attract players across a wide age range. The investigation found that some games shared or sold data from users who had identified themselves as between 13 and 16 without capturing that affirmative consent. The settlement now requires Jam City to route any user who enters an age below 13 to a child version of the app that does not sell or share data at all, and to obtain explicit opt in consent from any user who declares an age between 13 and 15 before that user's data enters the ad pipeline. Critically, the age screening mechanism itself cannot be designed to nudge users toward entering an age above 16 — a design practice sometimes called "age gating theater."
What This Settlement Signals for CCPA Enforcement
The Jam City settlement is the sixth CCPA enforcement action completed by AG Bonta's office. The progression across all six cases tells a story about enforcement maturity. Early actions after the CCPA took effect in 2020 tended to focus on disclosure failures — companies that did not tell users data was being collected. More recent cases, including Jam City and the GM OnStar settlement, target the operational layer: the actual mechanisms (or absence of mechanisms) that give users control over their data. The California AG is no longer asking whether a privacy policy exists. It is asking whether the opt out actually works.
For compliance officers, the Jam City case also illustrates a category of risk that is easy to underestimate: app portfolio liability. Jam City published 21 apps. The California DOJ's investigation covered all of them and found that 20 were noncompliant. A company that has deployed multiple apps, browser extensions, or digital touchpoints needs to audit the opt out infrastructure of every product in the portfolio — not just the flagship — because regulators will. The SECURE Data Act currently moving through Congress would establish a federal floor, but California's enforcement is not waiting for federal preemption to materialize.
There is also a structural implication that most coverage has missed: the Jam City case is not really about a gaming company. It is about the ad tech layer that sits inside gaming companies, ecommerce apps, news apps, and nearly every other consumer facing mobile product. Jam City collected the data; third parties received and used it. The company that appears in the settlement is the one that had the direct consumer relationship, but the data ultimately traveled to an advertising ecosystem that has no direct legal relationship with the end user at all. California's enforcement posture holds the publisher accountable for what its ad partners do with the data — a principle that will reshape vendor due diligence requirements across every industry running programmatic advertising.
What This Means for Your Organization
The Jam City settlement is not a lesson confined to mobile gaming. Any organization that runs a consumer product — app, web platform, email marketing tool, or connected service — and shares behavioral data with third party advertising or analytics vendors is operating inside the same legal framework the California AG just enforced. The compliance checklist is specific.
First, opt out accessibility. The CCPA requires a "Do Not Sell or Share My Personal Information" link or equivalent control that is prominent, clearly labeled, and functional — not a reference to an email address in a privacy policy. The California Privacy Protection Agency's finalized regulations specify that opt out links must be placed on the homepage or equivalent landing page, or made accessible from the interface where users interact with the product. A buried email address fails that test.
Second, age verification design. If your product can be accessed by users under 16 — and most consumer apps can — your age screening mechanism must be designed to produce accurate inputs, not convenient ones. Default values, interface design, or incentive structures that steer users toward declaring an age above 16 are themselves a violation under the settlement's consent decree terms.
Third, vendor accountability. Your data processing agreement with every ad tech or analytics partner should specify what they are permitted to do with data received from users who are, or may be, under 16. If that agreement does not exist or does not cover that scope, the Jam City settlement is an illustration of where the liability will land — with you, not your vendor. For broader context on how regulators are approaching children's data internationally, see also California's ongoing suit against 23andMe, another action where the AG is holding a California company responsible for downstream data flows that users never authorized.
Why Email Users Should Care
The data practices the California AG penalized in the Jam City case — collecting behavioral signals, passing them to ad tech partners for cross context targeting, burying the opt out in a policy document no one reads — are structurally identical to how most commercial email marketing operates. When you open a marketing email, tracking pixels log your IP address, device type, and timestamp. That data flows to the sender's email service provider, often to a customer data platform, and sometimes onward to advertising networks that use it to target you across entirely separate contexts. The opt out, if it exists at all, is a link in the email footer that executes an unsubscribe from that sender's list — not from the data sharing pipeline.
The Jam City settlement makes clear that California regulators treat the absence of a meaningful opt out mechanism as a standalone violation, separate from whether data was disclosed in a privacy policy. Email senders who rely on tracking pixels and downstream data sharing without a real, accessible opt out face the same legal exposure Jam City just paid $1.4 million to resolve. The difference is that most marketing emails reach far more users than any single mobile app — and the behavioral data they collect is at least as granular.
Sources: California Office of the Attorney General; Inside Privacy (Covington); California Privacy Protection Agency regulations.