Implementation of New UK Subscription Contract Regime Delayed

On 20 November 2025 the UK government confirmed that the secondary legislation which is required to clarify and bring into force the new consumer subscription contract regime under the Digital Markets, Competition and Consumers Act 2024 (DMCCA) [A New Era for Consumer Law and Regulation] will be delayed until autumn 2026 at the earliest. This marks a shift from the government’s earlier position that the new regime (which will impose new specific requirements on businesses offering consumers subscription contracts designed to ensure consumers understand what they are signing up to and can easily cancel) would come into force in spring 2026.
Why the delay?
The delay follows a government consultation which invited businesses to provide feedback on the new regime that closed in February 2025 [Consultation on the implementation of the new subscription contracts regime – GOV.UK]. Following an initial analysis of the responses to that consultation, the Department for Business and Trade (DBT) has written to respondents advising them that more time is required to analyse their responses and prepare a formal government response alongside an acknowledgement that businesses need more time to prepare for the new regime.
As a result, the government has announced that the new regime will not come into force until autumn 2026 at the earliest with further details of timings to be provided in the formal response to the consultation which the DBT is in the process of preparing.
Make your voice heard
This announcement reiterates that participating in government consultations on potential legislative changes is an important and cost-effective way for businesses to influence potential changes affecting them. We have already seen the government announce this year that planned changes to the widely disliked Commercial Agents Regulations were being dropped as a result of a lack of responses to its consultation on those [Commercial Agents Regulations: Here to Stay], and it is clear that consultations will play an important part in future changes relating to artificial intelligence [Clock is Ticking for Responses to UK Government Consultation on Copyright and Artificial Intelligence].
Sirrul Choudhury contributed to this article

Navigating GPU Export Controls and AI Use Restrictions in Data Center Operations

Within data centers, Graphics Processing Units (GPUs) have emerged as key components, transforming how complex computations are handled. GPUs are employed for their ability to perform parallel data processing, making them ideal for a range of tasks, including scientific computations, machine learning algorithms, and processing large-scale data. As demand for infrastructure capable of supporting AI model training and inference has grown, the ability to host GPU servers has become increasingly important for data centers.
The increase in processing power that GPUs provide as compared to central processing units (or CPUs) has, however, given rise to disquiet amongst Western governments. In particular, the United States — where the biggest producers of GPUs are based — has expressed concern over their potential application for military and malign uses, and the Biden administration in January 2025 introduced comprehensive restrictions on the export and use of GPUs (the January 2025 AI Diffusion Rule). The Trump administration has also emphasized as a policy imperative the continuation (and even tightening) of these restrictions and has revoked the Biden-era restrictions and indicated that it will be replacing them with new restrictions, which as of the date of this GT Advisory have not yet been issued. This regulatory uncertainty leaves industry in an interim phase questioning how best to manage current and possible future restrictions on GPU exports and use.
Historically, data center operators that merely hosted the GPU servers of their tenants (rather than exporting or providing GPUs as a service) may have assumed U.S. export controls were not a material compliance concern. That assumption, however, may no longer be appropriate. U.S. export controls apply to the GPU hardware in perpetuity, meaning that even non-U.S. operators may face liability under the Export Administration Regulations (EAR) if restricted GPUs, controlled technology, or sanctioned end users are present in their facilities, even indirectly through tenants or sub-tenants. As regulators focus increasingly on the downstream use and custody of advanced computing hardware, data center operators should be prepared to demonstrate robust compliance measures and control frameworks. This includes knowing what GPUs are being hosted, where they were developed and manufactured, who owns and accesses them, and for what purposes they are used. This GT Advisory considers how data center operators who merely host GPU servers might navigate this hugely sensitive area.
We have produced this GT Advisory to give an overview of the current U.S. export and use restrictions and to offer insights that participants in this sector may want to consider to mitigate regulatory and reputational risk and prepare for future regulatory changes.

Is Your Business Prepared for CPSC eFiling?

The July 8, 2026, effective date for the U.S. Consumer Product Safety Commission’s (CPSC or Commission) electronic filing (eFiling) requirements is fast approaching. As we previously discussed, last December, CPSC approved a Final Rule to implement mandatory eFiling of certificates of compliance (CoC) for imported consumer products that are subject to a CPSC rule, ban, standard, or regulation (Final Rule). Given the Final Rule’s broad applicability, and its lack of a de minimis exemption, importers of covered goods should ensure that they are ready to comply. While most covered imports must comply by July 8, 2026, CPSC-regulated products imported through a Foreign Trade Zone (FTZ) are given additional time and have an effective date of January 8, 2027.
Required Elements for CoCs
To review, the Final Rule requires importers (or their brokers) to eFile certain data elements at the time of filing an entry, including:

identification of the finished product (certificates for each product are required);
party certifying compliance;
each consumer product safety rule to which the finished product has been certified; 
date and place the finished product was manufactured;
date and place the finished product was most recently tested for compliance; and
contact information for the person maintaining test records.

Certificates must still include citations for testing exemptions or exclusions. CPSC explained in the preamble to the Final Rule that “some rules contain testing exceptions for certain products or product characteristics, and no testing is required. Thus, for completeness and to avoid unnecessary investigations of shipments that are in fact compliant due to an exemption or exclusion, the certificate should either provide the name of the testing laboratory that conducted testing, or state why the product was not tested.”
FTZ Guidance
Earlier this year, the CPSC released a brief guidance document for importers using FTZs. Given recent uncertainties with tariff rates, importers are increasingly using FTZs. As we noted above, such importers need not comply with the Final Rule until January 8, 2027, for products imported through FTZs. However, by that date, importers must submit certificate data upon filing entry into the U.S. Customs and Border Protection (CBP) Automated Commercial Environment (ACE) for all CPSC-regulated merchandise withdrawn from an FTZ for “consumption, warehousing, or distribution in U.S. commerce.”
Ahead of the January 2027 compliance date, CPSC’s guidance advises that FTZ operators may wish to consider the following options:

“Developing the technical requirements necessary to continue using the First-In, First-Out (FIFO) inventory method to comply with the eFiling requirement.
If the FIFO inventory accounting method is not suitable for providing the requisite data for CPSC’s eFiling requirement, FTZ users may need to adopt an alternative inventory accounting method.
Utilizing a bonded warehouse to enter merchandise via a type 21 entry.” 

Remaining Challenges for Importers
While CPSC clarified some issues and concerns that were raised during the rulemaking process, certain challenges for companies remain:

There is no Section 321 (de minimis) shipment exemption for eFiling, so even low-value shipments are subject to the new requirements. 
Compliance will likely be especially challenging for companies shipping multiple SKUs, so those companies might wish to consider joining the CPSC’s eFiling Beta program to familiarize themselves with the system.
Some businesses have expressed concerns over whether the eFiling system can handle the amount of data submitted once the requirements are effective. Indeed, CPSC is already advising that large files may require multiple submissions due to file size limitations.
When the rule becomes effective, importers must provide detailed information, including the identity and contact information of manufacturers, which has long been treated as confidential business information. Companies who were victims of CPSC’s past issues with data breaches remain concerned about whether this sensitive commercial information will be maintained as confidential.  

Compliance Dates Seem Unlikely to Change
Despite the remaining challenges identified above, there is no indication from CPSC that the mandatory compliance dates will be delayed or that CPSC will issue an enforcement discretion statement. Companies that import CPSC-regulated products should use the next few months to ensure that they are ready to meet the eFiling requirements.

Pixel-Tracking gets its third stripe: Adidas learns CIPA isn’t Optional.

The privacy world has been so busy with pixel-tracking that retail cases almost started to feel like the “quieter cousin.” Camplisson v. adidas, decided this week, is a reminder that retail sites aren’t getting a free pass, especially when they install high-powered pixels that behave more like surveillance tools than simple analytics.
The plaintiffs weren’t doing anything intimate or personal — they were just shopping on adidas.com. But the TikTok Pixel and Microsoft Bing tracker embedded in the site didn’t just record clicks. According to the complaint, they collected IP addresses, device identifiers, timestamps, fingerprinting data, and even used features like AutoAdvanced Matching that can tie your browsing back to your name, birthday, and address. That’s not “retargeting ads.” That’s a map back to the actual person, with the live location feature, if I may add.
And Judge Curiel’s order reflects exactly that reality. Instead of getting caught up in the “but this is just retail!” framing, the Court focuses on the substance: the trackers were allegedly installed on users’ browsers, they collected identifying and addressing information, and they did it without consent. Under CIPA’s pen-register provisions, that is more than enough to state a claim.
What’s interesting is how thoroughly the Court rejects the defense playbook. The “no standing because this isn’t a traditional privacy harm” argument? No. The “CIPA only applies to 1970s phone lines and this will break the internet” argument? Also no. Courts have been very clear that CIPA isn’t tied to a specific technology; it’s tied to the principle of preventing secret interception. TikTok Pixel + fingerprinting + third-party data sharing falls squarely within that principle.
Then there’s the consent angle. adidas, like half the internet, relied on buried browsewrap terms in the website footer — the kind no human ever scrolls down to find. Judge Curiel essentially says: if you want users to consent to browser-level tracking, you need to actually ask them. Not hide it in tiny font. Not imply that visiting the site equals consent. Without conspicuous notice and an affirmative “yes,” the consent exception under CIPA doesn’t apply.
And the ending is where the sass (quietly but unmistakably) lands. The Court basically shuts the door on adidas’s dismissal arguments with the judicial equivalent of: “Plaintiffs have sufficiently alleged a privacy invasion — the motion is denied.” Not dramatic. Not emotional. Just a firm reminder that CIPA’s pen-register provisions have teeth, and retail defendants don’t get to track first and explain later.
So when retail pixel cases meet reality, the message is simple: if your site quietly plants sophisticated trackers on users’ browsers and sends their information to third parties, courts aren’t going to swoop in and save you at the pleadings stage. CIPA protects the right not to be secretly tracked without consent. And in adidas, that was more than enough for the claim to move forward.

Current FTC and NAD Enforcement Priorities

The Federal Trade Commission and National Advertising Division of BBB National Programs set forth their enforcement priorities during the 2025 ANA Masters of Advertising Law Conference.
Not surprisingly, the FTC set forth a bread-and-butter enforcement agenda. It includes, without limitation, protecting children (Children’s Online Protection Act, 16 C.F.R. § 312); enforcing Made in USA (U.S. Origin Claims) (Made in USA Labeling Rule – 16 C.F.R. § 323); enforcing subscriptions, negative options and automatic trial programs (Restore Online Shoppers’ Confidence Act, Dark Patterns and Click-to-Cancel); enforcing the FTC Rule on Unfair or Deceptive Fees; enforcing target advertising and surveillance marketing techniques; enforcing influencers, consumer reviews and endorsements (The Consumer Reviews and Testimonials Rule: Questions and Answers – 16 CFR Part 465); and enforcing the use of AI (for example and without limitation, exaggerating the capabilities of AI features).
Consult with an experienced ecommerce attorney to discuss the implementation of preventative compliance measures or if you are the subject of a regulatory investigation or enforcement action.
Other areas which are reasonably certain to receive increased regulatory investigation and enforcement attention include, but are not limited to, data privacy, Telephone Sale Rule, Telephone Consumer Protection Act, and state unfair and deceptive business practices.
Additional key highlights and takeaways for discussion with a qualified ecommerce attorney include the use of health claims, green claims, and social media IP rights and takedown procedures.
Richard B. Newman is a leading FTC compliance attorney at Hinch Newman LLP.

HBO Max Users’ Privacy Claims Divided Between Arbitration Providers

A November 4, 2025, ruling in Brooks v. WarnerMedia Direct, LLC, offers a clear reminder for organizations that changes to terms of service, especially those impacting where consumer disputes are heard, can have direct operational consequences. For WarnerMedia, the parent company of HBO Max, the result is a split process in which consumer privacy claims might proceed in two different arbitral forums, based on whether individual users can be shown to have agreed to updated terms of use regarding arbitration.
Factual Summary
The plaintiffs are former subscribers of HBO Max, a subscription-based streaming platform. The plaintiffs brought claims under the federal Video Privacy Protection Act, alleging that HBO Max improperly shared video-watching histories with third parties.
From its launch through late 2022, HBO Max’s terms of use required mandatory arbitration of nearly all disputes before the American Arbitration Association (AAA). Each plaintiff assented to those terms when subscribing to the streaming service. On December 20, 2022, WarnerMedia updated its terms to designate National Arbitration and Mediation (NAM) as the arbitral forum for all subscriber disputes, superseding AAA. Notices regarding this change were delivered to subscribers by email and via in-app pop-ups. WarnerMedia specified that continued use or access after notice would be deemed assent to the new terms.
In May 2023, HBO Max rebranded as “Max” and its updated terms continued to require NAM arbitration. Customers had to agree to these terms by clicking “Start Streaming” before accessing the Max platform. In January 2023, plaintiffs’ counsel sent letters attempting to reject the December 2022 terms and served Notices of Dispute consistent with the prior AAA agreement. WarnerMedia responded that it had delisted its AAA clause and would not register the clause again.
Plaintiffs and WarnerMedia both agreed that arbitration was the appropriate dispute resolution forum. However, the plaintiffs asserted that arbitration should be governed by the AAA and WarnerMedia held that it should be governed by NAM. The question turned on whether each subscriber had assented to be bound by the updated NAM agreement or remained covered by the prior AAA agreement.
The Court’s Analysis
WarnerMedia demonstrated that three users agreed to the updated terms by their conduct after notice. This included streaming HBO Max content, maintaining monthly subscriptions via third parties like T-Mobile and Hulu, and clicking an in-app assent button before starting streaming. For these plaintiffs, the court compelled arbitration in NAM, the forum specified in the revised contract. For the two other plaintiffs, the record showed that neither individual took any action after receiving notice that would constitute acceptance of the NAM agreement. Specifically, their subscriptions had expired before the updated terms came into effect, and discovery produced no evidence that either subscriber used HBO Max after the changes or streamed content as an authorized user on another account. Merely accessing the platform to review the new terms or sending a letter purporting to reject the new agreement was not enough to demonstrate assent under the court’s analysis. Without any post-notice activity (such as logging in, streaming, maintaining an active subscription, or clicking to agree to the new terms) there was no unambiguous manifestation of consent. Therefore, the court held that these users remained subject only to their original AAA agreement. The court stayed the underlying case pending arbitration.
Takeaways
For organizations, this opinion imparts several lessons:

Contract amendments about dispute resolution must include clear notice and mechanisms to record user assent. If consumer claims arise, a company needs to show who received updated terms and how users agreed, either by their actions or explicit acknowledgment.
Where notice and assent cannot be clearly shown, organizations risk managing disputes across multiple forums under different versions of their own agreements. This can mean higher costs, operational inefficiencies, and increased litigation risks.
Detailed business records showing user activity and consent events may be critical data points in establishing who is bound to new terms. Gaps or inconsistencies may leave some claims governed by older contracts.

Companies should review their processes for contract updates and the evidence they keep for user notice and assent. Patchwork dispute resolution is a burden and failing to manage assent with care could mean organizations face disputes in reruns across multiple arbitral stages.

DOJ Subpoena for Patient Records from Children’s Hospital of Philadelphia Blocked by Federal Court

On November 21, 2025, in a lengthy decision, U.S. District Judge for the Eastern District of Pennsylvania Mark A. Kearney quashed a subpoena issued by the U.S. Department of Justice (DOJ) to Children’s Hospital of Pennsylvania’s Gender and Sexuality Development Program (CHOP) seeking documents:
(1) identifying the names, addresses, and social security numbers of its child patients prescribed puberty blockers and hormone therapy and their families’ identifying information; (2) the child’s medical treatment records including diagnoses; and, (3) describing each child’s informed consent, patient intake, parent or guardian authorization, and use of medicine not approved by the Food and Drug Administration.
CHOP objected to producing “child-patients’ confidential medical records” and moved to quash the subpoena’s request for these three categories of records.
The court found that the DOJ:
Offers no basis to compel the Hospital to identify the children (and their families), their treatment records, and disclosures made to them. We further find, even if the information responsive to these three requests is relevant (and thus authorized by Congress for a subpoena), the children’s and their families’ privacy interests in their highly sensitive and confidential medical and psychological treatment in an charged political environment which considers their medical treatment to a radicalized warped ideology far outweigh the Department of Justice’s shifting need for the information specifically identified in the three challenged requests. We grant the Hospital’s motion in part striking the three challenged requests and all information contained in responses to other requests disclosing the same information.
This decision comes on the heels of the actions of other federal judges quashing identical DOJ subpoenas issued to Boston Children’s Hospital and telehealth provider QueerDoc in September and October 2025, respectively. The DOJ has appealed from the Boston Children’s Hospital order but has not yet appealed the QueerDoc order.

Website Tracking Lawsuits- What Restaurants and Hospitality Businesses Need to Know

As restaurants and hospitality businesses adopt digital platforms to engage customers, tools like cookies, pixels, and session replay are widely used to improve user experience and marketing. However, this increased reliance on tracking technologies has triggered a sharp rise in lawsuits and regulatory investigations nationwide, even for small businesses and those outside major cities.
Restaurants and hospitality operators now face significant legal risks from website tracking, especially as privacy laws like the California Invasion of Privacy Act (CIPA) and the California Consumer Privacy Act are increasingly being used as grounds for civil lawsuits. Importantly, your business does not need to physically be in California to be subject to these laws; if someone accesses your website from there, you could face claims, often for allegedly collecting or sharing customer data without proper notice or consent. Potential damages are high, with CIPA alone allowing $5,000 per violation, and class actions multiplying that amount.
To reduce risk, restaurant and hospitality operators should:

Audit Tracking Tools: Regularly check which tracking technologies are active on your website and mobile apps. Ensure they don’t collect or share personal information without user consent.
Update Privacy Policies & Consent Mechanisms: Clearly inform customers about tracking. Implement cookie consent banners that comply with privacy laws.
Limit Data Collection: Only collect what’s necessary for business operations like reservations or loyalty programs. Avoid gathering sensitive data unless legally justified.
Review Vendor Contracts: Confirm that third-party service providers agree to strong data protection terms.
Stay Educated and Train Your Team: Ensure all staff members managing web or marketing activities understand privacy compliance basics.

If your business receives a legal claim regarding website tracking:

Act quickly: Consulting with privacy-savvy legal and technical professionals is essential.
Conduct technical and legal review: Assess your systems, understand the legal arguments, and plan your response.

With the legal landscape around website tracking continuing to shift, restaurants and hospitality businesses of all sizes must be proactive. Regular audits, transparency, and a culture of compliance can go a long way towards protecting your business from costly lawsuits and reputational harm.

Navigating Website Privacy Risks in California- CIPA Tracker Claims, TCPA Marketing, CCPA Compliance, and Why Arbitration in Your Terms Matter

As privacy litigation intensifies in California, companies operating websites and engaging in online marketing must be aware of the major legal risks and compliance strategies shaping digital business today. Below, I examine:

The surge in California Invasion of Privacy Act (CIPA) lawsuits targeting website tracking technologies;
Telephone Consumer Protection Act (TCPA) risks in digital marketing;
Key California Consumer Privacy Act (CCPA) compliance and litigation trends; and
The vital role of arbitration clauses and class action waivers in website Terms of Use.

CIPA and Website Tracker Claims
CIPA (Cal. Penal Code §§ 630-638) prohibits certain forms of wiretapping and eavesdropping on “confidential communications” without the consent of all parties. Recently, plaintiffs’ law firms have targeted website operators for:

Use of session replay tools that record user interactions for analytics;
Chatbots and third-party customer service widgets embedding code on websites; and
Allegedly “intercepting” or “eavesdropping” on website visitors’ communications.

CIPA permits statutory damages of $5,000 per violation, making claims lucrative for class actions. Multiple federal courts have declined to dismiss claims stemming from websites using third-party tracking scripts that record or transmit user communications. Companies should:

Assess all scripts and tracking tools on their sites, especially those relaying data to third parties;
Update privacy disclosures and obtain explicit user consent where required; and
Consider disabling or modifying session replay technologies for California visitors.

TCPA Risks in Digital Marketing
The TCPA, 47 U.S.C. § 227, restricts telemarketing and the use of automated technologies (including text messages and pre-recorded voice messages) to contact consumers.
Website operators face TCPA risks when:

Collecting contact information for promotional texting, call, or robodialing; and
Using pre-checked boxes or ambiguous consent language in lead forms.

The TCPA imposes statutory damages of $500 to $1,500 per violation, encouraging class-action litigation. To reduce risk:

Collect prior express written consent using clear, conspicuous language;
Maintain robust records of consent; and
Regularly review marketing workflows for TCPA compliance.

CCPA: Compliance and Litigation
The CCPA and its amendment (the California Privacy Rights Act) have created sweeping privacy rights for California residents, including:

The right to know, delete, and opt-out of the sale/sharing of personal information; and
Strict notice and transparency requirements for data practices.

Recent CCPA class actions have focused on alleged “sales” or “sharing” of personal data via analytics/ad tech scripts, and on disclosures deemed incomplete.
Best practices for CCPA compliance:

Implement and maintain Do Not Sell/Share links or toggles on websites;
Provide accurate, up-to-date privacy notices;
Carefully vet all service provider and third-party data-sharing relationships; and
Promptly respond to access and deletion requests.

Including Arbitration and Class Action Waiver in Website Terms
Given the surge of privacy-related class actions, it is crucial to implement arbitration agreements and class action waivers in your website’s Terms of Use:

Arbitration clauses require disputes to be resolved in private arbitration, which is typically quicker and less costly than court; and
Class action waivers prevent users from aggregating claims into costly class actions.

California’s evolving privacy landscape poses major compliance and litigation risks for digital businesses. Proactive steps, such as auditing website tracking, securing proper marketing consents, ensuring airtight CCPA compliance, and embedding robust dispute resolution clauses, are critical defenses against costly class actions.

North Carolina + Utah Governors Launch Bipartisan AI Task Force

North Carolina Attorney General Jeff Jackson and Utah Attorney General Derek Brown recently co-launched a bipartisan task force “to help monitor artificial intelligence.” According to Jackson, the task force will focus on:

Identifying emerging AI issues with the help of law enforcement, experts, and stakeholders to better equip attorneys general to protect the public;
Developing basic safeguards for AI developers in order to protect the public and reduce harm, especially towards children; and
Creating a standing forum that will track AI developments and coordinate responses to new challenges.

The task force includes representatives from OpenAI, Microsoft, and the Attorney General Alliance. According to Jackson, “Congress hasn’t put basic protections in place and we can’t wait. As attorneys general, our job is to keep people safe. AI is becoming part of everyday life for families and kids. Taking thoughtful steps now will help prevent harm as this technology becomes more powerful and more present in our daily lives.” In announcing the task force, Brown stated, “This task force is committed to defending our freedoms and our privacy, while also building a safer digital world for our families and our children. By working together with other attorneys general, we will protect our society from potential abuses of AI before they ever happen.”

OCC Confirms Bank Authority to Hold Crypto-Assets as Principal for Paying Network Fees

On November 18, the OCC issued Interpretive Letter 1186 confirming that a national bank may, as an activity incidental to the business of banking, pay crypto-asset network fees to support otherwise permissible banking activities. The letter also states that a bank may hold, as principal, limited amounts of crypto-assets on its balance sheet when needed to cover these fees. In addition, the OCC confirmed that banks may hold small quantities of crypto-assets as principal for purposes of testing crypto-asset platforms.
The OCC framed these activities as a modern extension of established bank powers, emphasizing that limited principal holdings can support operational efficiency and customer transactions when tied to foreseeable network-fee needs. The agency noted that these activities must remain de minimis, risk-controlled, and integrated into existing compliance and oversight programs.
Putting It Into Practice: Federal regulators continue to clarify the scope of permissible digital-asset activities. Banks considering distributed-ledger integrations should reassess network-fee dependencies, confirm that any crypto-asset holdings remain de minimis and purpose-driven, and update internal controls and governance frameworks accordingly. Financial institutions should continue monitoring federal and state supervisory developments as digital-asset requirements evolve.

$1.4 Million Settlement for California Privacy Violation- What the Jam City Settlement Means for CCPA Enforcement

Jam City, Inc., a prominent mobile gaming company behind popular franchises such as Harry Potter and Frozen, has agreed to pay $1.4 million in civil penalties to resolve allegations that it violated the California Consumer Privacy Act (CCPA) by failing to provide adequate privacy opt-out mechanisms for its users. This resolution, announced by California Attorney General Rob Bonta, marks the second-largest CCPA enforcement penalty in the state’s history.
According to the complaint, here are the key allegations against Jam City:

Failure to Offer In-App Opt-Outs for Data Sale/Sharing

The complaint alleges that Jam City develops free-to-play mobile games that earn revenue by sharing user data for advertising, but did not include required opt-out links or settings in any of its 21 mobile apps. Only one app had a nominal “Data Privacy” control, which was described as unclear and noncompliant with CCPA requirements.

Sale and Sharing of Minors’ Data Without Affirmative Consent

Jam City’s games use “age gates” to identify users under 16, in line with CCPA protections for minors. However, the complaint alleges that for six of its games, Jam City only provided enhanced child privacy protections for users under 13, and failed to implement opt-in consent requirements for teens between 13 and 16, resulting in inappropriate sharing or sale of their data.

The suit sought injunctions and penalties under the CCPA (Civil Code §§ 1798.100 et seq.) for both general privacy failings and specific violations relating to minors (§ 1798.120 and associated regulations). Jam City was additionally accused of engaging in unfair competition under California’s Business and Professions Code § 17200. The state requested statutory damages of up to $2,663 per CCPA violation (or $7,988 for intentional or minor-related violations) and $2,500 per violation under the unfair competition statute.
The key settlement terms included the following:

Monetary Penalty: Jam City will pay $1.4 million in civil penalties, one of the largest CCPA settlements to date.
Privacy Practice Changes: The company must implement clear and accessible opt-out mechanisms for data sale and sharing across all of its apps and platforms.
Special Protections for Children’s Data: Jam City must not sell or share data from users under 16 without affirmative consent. The complaint highlights the significance of compliance for users between ages 13 and 16, not just those under 13.
Compliance Obligations: The settlement mandates robust compliance training and periodic public reporting of CCPA measures for oversight.

The Jam City case is a stark reminder that:

CCPA opt-out rights must be readily accessible and actionable within mobile apps, not just via privacy policies or external links.
Businesses must vigilantly comply with enhanced CCPA protections for minors, especially for teens aged 13 to 16.
California regulators are willing to pursue substantial penalties and broad injunctive relief for noncompliance.