Privacy & Identity Theft

Attorney General Bonta Leads Coalition in Opposing Federal Legislation That Would Weaken State Privacy Protections

June 3, 2026
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

Federal data privacy law should not preempt strong state privacy laws  

OAKLAND — California Attorney General Rob Bonta yesterday led a coalition of 18 attorneys general and state agencies in opposing the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (SECURE Data Act), a proposed federal data privacy bill. The SECURE Act would result in California’s landmark privacy law being replaced with weaker protections and would hamper the ability of California to adequately protect the privacy of its citizens. In the letter, the coalition calls on Congress to reject the SECURE Data Act, and to respect additional privacy protections states already grant their residents or would provide in future state-level legislation.

“Federal action to protect Americans' privacy is essential, but not at the expense of the strong state laws that already protect Californians. I join colleagues from across the country in opposition to the SECURE Data Act, federal legislation that would leave millions of consumers worse off and with fewer privacy protections,” said Attorney General Bonta. “As tech and data collection practices rapidly innovate, it is essential states keep our ability to respond just as rapidly to protect our residents from emerging privacy threats.” 

Since California passed the first comprehensive privacy law in 2018, numerous states have followed suit. For years, the California Consumer Privacy Act and other similar state laws have given millions of Americans robust protections and rights to manage and control the use of their data. Comprehensive state privacy laws have set minimum data privacy standards, including heightened protections for minors and sensitive consumer data, limits on how data may be used and retained, and the ability for consumers to stop the sale of their data via a universal opt-out preference signal. The SECURE Data Act would wipe out these meaningful protections, making it harder for consumers to exercise their rights, giving businesses more discretion on how to use and retain their data, and significantly limiting enforcement remedies.

In the letter, the coalition argues that the bill moves privacy rights in the wrong direction, leaving consumers worse off and with fewer protections. Any federal privacy framework must leave room for states to legislate responsively to changes in technology and data collection practices, as states are better equipped to address the unique needs of their citizens and quickly adjust to the challenges presented by technological innovation.

In sending the letter, Attorney General Bonta was joined by the attorneys general of Connecticut, Delaware, Illinois, Maine, Maryland, Massachusetts, Minnesota, Nevada, New Hampshire, New Jersey, New York, Oregon, Vermont, Virginia, and Washington, as well as the California Privacy Protection Agency and the Hawai’i Department of Commerce and Consumer Affairs. 

Attorney General Bonta Sues Chrome Holding Co., Formerly Known as 23andMe, Over 2023 Data Breach

May 28, 2026

OAKLAND — California Attorney General Rob Bonta today filed a lawsuit against Chrome Holding Co., formerly known as 23andMe, for failing to protect its customers’ sensitive personal information and genetic data related to their health, genetic predispositions and risk factors, biological relatives, ancestry, and ethnicity. In 2023, 23andMe experienced a data breach that affected nearly 7 million users across the United States, including 855,541 Californians. While 23andMe publicly touted its commitment to data privacy and transparency, in truth, it failed to take reasonable measures to protect its customers’ most sensitive data, ignored known vulnerabilities in its systems, and failed to properly investigate or respond to numerous warnings that its systems had been compromised. The company also misled its customers and the public regarding crucial aspects of the 2023 data breach. In the complaint, filed today in San Francisco Superior Court, Attorney General Bonta alleges 23andMe’s failures to implement and maintain reasonable security procedures and its misleading statements regarding its security and the data breach were unlawful.

“23andMe collected genetic data about millions of people, failed to meet its obligation under California law to keep that information safe, and then lied to consumers about the severity of its 2023 data breach. Our investigation found that the company failed to take basic steps to protect users’ data — data including the sensitive personal information, family histories, and health conditions of consumers,” said Attorney General Bonta. “The sale of this data on the dark web took place amidst a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence — and explicitly called attention to the deeply personal and identifying nature of that information. This is disturbing and incredibly dangerous. Today, my office is suing 23andMe for its categorical failure to comply with California law.”  

BACKGROUND

Founded in San Francisco, 23andMe was the first and one of the largest direct-to-consumer genetic testing companies in the world. Customers sent their saliva samples to 23andMe for DNA analysis. The company stored data on consumers’ raw DNA sequence and used that information to provide consumers with reports about their ancestry, ethnicity, and genetic health predispositions. 

On October 6, 2023, 23andMe confirmed that it had suffered a major data breach. Indeed, for five months, a threat actor had breached 23andMe’s systems undetected by accessing about 14,000 customers’ 23andMe accounts. The threat actor leveraged that access, as well as other vulnerabilities within 23andMe’s systems, to obtain the data of nearly 7 million 23andMe customers.

The threat actor used a well-known type of cyberattack called “credential stuffing” that businesses, particularly those that collect and maintain sensitive personal and genetic data, can and should know to guard against. Credential stuffing exploits consumers’ tendency to use weak or common passwords or to reuse log-in credentials by using the same username and password that they use with one company to log into accounts with another company. Here, the threat actor used account credentials stolen in prior data breaches — including the highly publicized breach of MyHeritage, a separate genealogy site that had partnered with 23andMe. Although 23andMe’s data security team was aware of the MyHeritage breach, and 23andMe had encouraged its users to create an account with MyHeritage, 23andMe never checked for or prevented credential reuse, even after the MyHeritage data breach. Once in 23andMe’s systems, the threat actor used a vulnerability involving a critical coding error in “DNA Relatives” — a feature that allowed DNA-related customers to share information and contact each other — to steal additional identifying information, ancestry reports, and reports indicating the percentage of DNA shared with potential relatives about nearly 7 million consumers.

News of 23andMe’s breach came to light after the data of one million consumers were offered for sale on the dark web, specifically touting that the data belonged to Asian American and Pacific Islanders (AAPI) and Jewish users. Disturbingly, this occurred during a period of increasing anti-AAPI and antisemitic hate and violence. 

Even more disturbing, 23andMe’s post-breach statements to consumers were misleading and omitted or misrepresented critical information regarding the breach. While 23andMe assured the public that it had not experienced a data security incident within its systems, downplayed the sensitivity of the stolen data by claiming that the information stolen from the “DNA Relatives” feature was essentially public, and attempted to shift blame for the breach to its customers, 23andMe was simultaneously negotiating and paying a ransom to the threat actor in exchange for, among other things, the threat actor removing damaging information regarding the breach that had been posted online and providing information about multiple 23andMe security vulnerabilities, including vulnerabilities the threat actor exploited during the data breach. 

THE INVESTIGATION & LAWSUIT 

A 2023 investigation by the California Department of Justice and a multistate coalition found that 23andMe’s pre-breach data security procedures and practices fell below security and industry standards in several ways. In fact, 23andMe’s security measures were so lax that the threat actor was able to operate undetected within 23andMe’s systems for over five months, and remarkably, the company only began investigating after the threat actor offered the stolen user data for sale on the dark web and reached out to 23andMe to demand a ransom.

The investigation further found 23andMe: 

  • Failed to implement reasonable security procedures to prevent and detect the well-known risk of credential stuffing.
  • Missed several opportunities to detect the credential stuffing attack.
  • Failed to guard against the exploitation of a coding error in the “DNA Relatives” feature that allowed doctored queries to the 23andMe database.
  • Failed to properly account for genetic data, its nature, and its high level of sensitivity when drafting and implementing its data security protocols.
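
One way to detect the credential stuffing pattern named in these findings, shown as an added example that is not taken from the complaint, the press release, or 23andMe's systems. The log format, thresholds, addresses, and usernames are constructed assumptions; the check flags any source that tries many distinct usernames in a short window with a low success rate, and lists the accounts that source did get into so they can be locked and reset.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    username: str
    success: bool


def parse_line(line: str) -> LoginEvent:
    """Parse one line of the constructed format: '<ISO time> <ip> <user> <OK|FAIL>'."""
    parts = line.split()
    if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
        raise ValueError(f"malformed login record: {line!r}")
    ts, ip, user, result = parts
    return LoginEvent(datetime.fromisoformat(ts), ip, user, result == "OK")


def detect_stuffing(events, window=timedelta(minutes=10),
                    min_users=5, max_success_ratio=0.3):
    """Return {src_ip: [accounts that source logged in to]} for suspicious sources.

    A source is suspicious when, inside any sliding window, it attempted at
    least `min_users` distinct usernames and at most `max_success_ratio` of
    those attempts succeeded. One user mistyping a password touches a single
    username; a shared office address has many usernames but a high success
    ratio. Neither matches. The thresholds are illustrative assumptions.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip[ev.src_ip].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            distinct_users = {e.username for e in span}
            successes = sum(e.success for e in span)
            if (len(distinct_users) >= min_users
                    and successes / len(span) <= max_success_ratio):
                # Every account this source ever got into needs a forced
                # reset, not only the ones inside the triggering window.
                flagged[ip] = sorted({e.username for e in evs if e.success})
                break
    return flagged


# Constructed sample data (documentation address ranges, invented usernames).
SAMPLE_LOG = """\
2024-01-01T09:00:00 198.51.100.20 alice FAIL
2024-01-01T09:00:20 198.51.100.20 alice FAIL
2024-01-01T09:00:45 198.51.100.20 alice OK
2024-01-01T09:01:00 203.0.113.7 user01 FAIL
2024-01-01T09:01:10 203.0.113.7 user02 FAIL
2024-01-01T09:01:20 203.0.113.7 user03 OK
2024-01-01T09:01:30 203.0.113.7 user04 FAIL
2024-01-01T09:01:40 203.0.113.7 user05 FAIL
2024-01-01T09:01:50 203.0.113.7 user06 FAIL
2024-01-01T09:02:00 192.0.2.10 bob OK
2024-01-01T09:02:30 192.0.2.10 carol OK
2024-01-01T09:03:00 192.0.2.10 dave OK
2024-01-01T09:03:30 192.0.2.10 erin OK
2024-01-01T09:04:00 192.0.2.10 frank OK
"""


def run_sample():
    """Run the detector over the constructed sample log."""
    events = [parse_line(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
    return detect_stuffing(events)


if __name__ == "__main__":
    for ip, accounts in run_sample().items():
        print(f"suspected credential stuffing from {ip}; "
              f"accounts to lock and reset: {accounts}")
```

A short window like this one only catches bursts. Running the same check with a window of days and grouping by network or client fingerprint instead of single address covers slower campaigns.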

Additionally, 23andMe made misleading statements before and after the breach. Before the breach, 23andMe touted its security practices as meeting the highest industry standards. After the breach, 23andMe’s statements omitted key information in an effort to hide and downplay both the breach’s severity and 23andMe’s responsibility for it. 23andMe continued to inform consumers that there was no data security incident within its systems, despite being informed by the threat actor during ransom negotiations of multiple exploitable vulnerabilities within 23andMe’s systems, including vulnerabilities that were used to facilitate the attack.

In the lawsuit, Attorney General Bonta argues that 23andMe failed to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information and genetic data that it maintained to protect that information from unauthorized access. The complaint also alleges that the company made untrue and misleading statements intending to encourage members of the public to use 23andMe’s services or products, including statements regarding its security measures in place at the time of the data breach and the circumstances of the data breach. These failures violated, among other laws, California's Genetic Information Privacy Act, Reasonable Data Security Law, False Advertising Law, Unfair Competition Law, and the California Consumer Privacy Act.

Today’s lawsuit is separate from the Attorney General’s pending challenge in the U.S. Bankruptcy Court for the Eastern District of Missouri regarding the sale of Californians’ genetic information and material in bankruptcy.

Attorney General Bonta Calls on Congress to Stop Government Mass Surveillance of Americans

March 24, 2026

OAKLAND — California Attorney General Rob Bonta today, alongside a coalition of 17 attorneys general, called on Congress to take immediate action to halt federal agencies’ use of commercially purchased data and artificial intelligence tools that enable mass surveillance of Americans without judicial, legislative, or public oversight. The letter calls on Congress to close the data‑broker loophole, require warrants for federal access to Americans’ digital data, prevent domestic surveillance via foreign intelligence laws, mandate deletion of unlawfully collected information and related AI models, and establish nationwide transparency and accountability standards for data brokers. 

“Every day, we give off a steady stream of data that broadcasts not only who we are, but where we go. This data is deeply personal, can identify your everyday habits and movements, and can be bought. Data brokers compile, package, and sell this information to various entities, typically without a consumer even knowing,” said Attorney General Bonta. “California boasts the nation’s most robust privacy protection law to give consumers control over their data, but no such federal privacy framework exists, allowing the federal government potential access to this trove of data once it has been collected. Allowing federal agencies to buy or compile, analyze, and use large profiles of information about Americans without limits, oversight, or accountability undermines the public’s faith in our system of governance and is dangerous for democracy. In light of federal assaults on immigrant and LGBTQ+ communities, and on gender-affirming healthcare and abortion providers, I urge Congress to take action now and limit the ability of the federal government to deploy mass surveillance on Americans.”

Data comes from nearly everywhere online, even when people think they’re not revealing anything. Websites, apps, and software can track and amass personal information and behavioral data like pages visited, detailed purchase information, location data, health information, and more in order to create and share profiles and inferences about consumers. These businesses often sell information to third-parties that then amass whole profiles on consumers. The federal government has not kept up with California and other states in protecting consumers from these practices.   

In the letter sent to the leadership of the U.S. Senate Committee on Homeland Security and Governmental Affairs and House Committee on Oversight and Accountability, Attorney General Bonta and the coalition warn that federal agencies are exploiting a “data broker loophole” to obtain detailed information about Americans’ movements, associations, political activity, and daily lives — information the government would otherwise be required to obtain through a warrant or pursuant to other legal procedures. The attorneys general cite recent examples — including federal agencies’ purchase of billions of airline ticketing records and mobile location data from commercial brokers — that reveal a pattern of warrantless surveillance through the acquisition of massive datasets. Several of these practices have already drawn bipartisan concern in Congress and the public after media reporting uncovered the federal government’s ability to track individuals’ travel, movements, and daily routines. 

The attorneys general urge Congress to enact comprehensive reforms, including measures that would: 

  • Prohibit federal agencies from purchasing data that would otherwise require a warrant to obtain. 
  • Require judicial warrants before accessing Americans’ web browsing activity, search queries, and location information. 
  • Ensure intelligence agencies cannot circumvent limits on domestic surveillance by exploiting foreign intelligence authorities or third‑party vendors. 
  • Mandate deletion of unlawfully collected data and any algorithms trained using such data.  

Joining Attorney General Bonta in sending this letter are the attorneys general of Colorado, Connecticut, Hawai’i, Illinois, Maine, Maryland, Massachusetts, Michigan, Minnesota, Nevada, New Jersey, New Mexico, Oregon, Vermont, Virginia, and Washington.  

California's Privacy Laws

The California Consumer Privacy Act (CCPA) vests California consumers with control over the personal information that businesses collect about them, including the right to request that businesses stop selling or sharing your personal information. With some exceptions, businesses cannot sell or share your personal information after they receive your opt-out request unless you later provide authorization allowing them to do so again.

The Delete Request and Opt-out Platform (DROP), developed by the California Privacy Protection Agency (CalPrivacy), gives Californians more control over their personal information and helps limit the information that data brokers sell. With the launch of DROP earlier this year, Californians have a safe and secure way to protect their privacy. The tool — made possible by the Delete Act (Becker, 2023) — transmits a single deletion request telling over 500 registered data brokers to delete all the personal information they have about you and to not sell your data going forward. For more information about DROP and how Californians can submit a deletion request, visit: privacy.ca.gov/drop.

In California, Data Protection Just Got Easier: Attorney General Bonta Reminds Californians to DELETE Their Data with Nation-Leading Privacy Tool

February 18, 2026

OAKLAND — California Attorney General Rob Bonta today issued a consumer alert to remind Californians that they can send one request to more than 500 registered data brokers to delete their personal data by using a new, easy-to-use online tool. The Delete Request and Opt-out Platform (DROP), developed by the California Privacy Protection Agency (CalPrivacy), gives Californians more control over their personal information and helps limit the information that data brokers sell. Attorney General Bonta encourages Californians to consider using this free tool to protect their privacy and delete their personal information in three easy steps. 

“Data brokers store and sell so much information about our daily lives — who you are, how you live, and where you go — but in California there is now an easy-to-use tool to take back control over your data,” said Attorney General Rob Bonta. “By using DROP, consumers can tell data brokers to delete and not sell their personal information, decreasing both the amount of data circulating around and the risk that this data is leaked or hacked. I commend CalPrivacy for developing this critical tool and remind data brokers that my office stands ready and fully committed to enforce compliance. For more information and to use DROP, visit privacy.ca.gov/drop.” 

“In less than six weeks of its availability, over 225,000 Californians have already signed up for DROP,” said Tom Kemp, Executive Director of CalPrivacy. “This shows that Californians want to limit the personal information data brokers collect and sell about us and is yet another example of the tech policy innovation that is happening here first in California.”

“Californians have been very clear that they want to reclaim control over their personal information, and this law gives them a new tool to do that,” said Senator Josh Becker (D-Menlo Park). “The incredible success of the Delete Act and DROP demonstrates that strong privacy laws are practical, popular, and effective. It shows that if we make it easy, people will take advantage and delete their data.”

Data brokers collect and maintain troves of personal information like email addresses, phone numbers, online browsing history, interests, health-related information, geolocation, and more. Data brokers package and sell this information to various entities, typically without a consumer even knowing. Preventing third parties from receiving this information is a key step to stopping the proliferation of your data in the online ecosystem. When you submit a DROP request, you tell data brokers to delete your personal information and not sell it.

With the launch of DROP earlier this year, Californians have a safe and secure way to protect their privacy. The tool — made possible by the Delete Act (Becker, 2023) — transmits a single deletion request telling over 500 registered data brokers to delete all the personal information they have about you and to not sell your data going forward. Consumers can sign up for DROP now, and starting August 1, 2026, data brokers must start deleting your data. Those who fail to comply may face penalties and administrative fines.

Californians can delete their personal information in three safe and secure steps:

  • Confirm that you are a California resident. You are a resident if you live in California, or are domiciled in California, even if you are temporarily outside the state.
  • Create your profile. Give basic information about yourself that is immediately encrypted and secure. It’s your choice what information to provide. The more information you enter, the more likely your data will be deleted.
  • Submit your request. DROP lets you send a single deletion request to over 500 registered brokers. Data brokers are required to match you to their records based on the data you choose to submit through DROP. 

For more information about DROP and how Californians can submit a deletion request, visit: privacy.ca.gov/drop.

California Won't Let It Go: Attorney General Bonta Announces $2.75 Million Settlement with Disney, Largest CCPA Settlement in California History

February 11, 2026

Second enforcement action stemming from 2024 investigative sweep of streaming services 

OAKLAND — California Attorney General Rob Bonta today announced a settlement with the Walt Disney Company (Disney), resolving allegations that the company violated the California Consumer Privacy Act (CCPA) by failing to fully effectuate consumers’ requests to opt-out of the sale or sharing of their data across all devices and streaming services associated with consumers' Disney accounts. Under today’s settlement, Disney must pay $2.75 million in civil penalties and must implement opt-out methods that fully stop Disney’s sale or sharing of consumers’ personal information. 

“Consumers shouldn’t have to go to infinity and beyond to assert their privacy rights. Today, my office secured the largest settlement to date under the CCPA over Disney's failure to stop selling and sharing the data of consumers that explicitly asked it to,” said Attorney General Bonta. “California’s nation-leading privacy law is clear: A consumer’s opt-out right applies wherever and however a business sells data — businesses can’t force people to go device-by-device or service-by-service. In California, asking a business to stop selling your data should not be complicated or cumbersome. My office is committed to the continued enforcement of this critical privacy law.”

The California Department of Justice’s investigation into Disney stems from a January 2024 investigative sweep of streaming services for potential CCPA violations. Effective opt-out is one of the bare necessities of complying with CCPA. The investigation found that Disney’s opt-out processes did not allow a consumer — even when logged into their account — to completely opt-out of and stop all sale or sharing of their data, in violation of the CCPA. Specifically, the investigation found that each of the methods Disney provided had key gaps that allowed Disney to continue to sell and share consumers’ data, including: 

Opt-Out Toggles: If a user requested to opt-out of the sale or sharing of their data via an opt-out toggle in Disney’s websites and apps, Disney only applied the request to the specific streaming service the user was watching, and often only the specific device the consumer was using. This meant that in most instances, using the toggle would not stop selling or sharing from other devices or services connected to the consumer’s account.

Webform: If a user opted out using Disney’s webform, Disney only stopped the sharing of personal data through the company’s own advertising platform and offerings. However, Disney continued to sell and share consumer data with specific third-party ad-tech companies whose code Disney embedded in its websites and apps. Disney also failed to provide an in-app, opt-out method in many of its connected TV streaming apps, instead directing consumers to its webform, effectively leaving consumers with no way to stop Disney’s selling and sharing from these apps.

The Global Privacy Control: For consumers who opted out via the Global Privacy Control (GPC), Disney limited the request to the specific device the consumer was using, even when the consumer was logged into their account. The GPC is an easy-to-use ‘stop selling or sharing my data switch’ that is available on some internet browsers or as a browser extension. 

The California Consumer Protection Act

The CCPA has opened up a whole new world of privacy protection and increased privacy rights for California consumers, such as the right to know how businesses collect, share, and disclose their personal information. The CCPA vests California consumers with control over the personal information that businesses collect about them, including the right to request that businesses stop selling or sharing their personal information. To learn more about opting out, please see here.

Attorney General Bonta is committed to the robust enforcement of California’s nation-leading privacy law. Today’s settlement represents the seventh enforcement action under the CCPA. Attorney General Bonta has also announced settlements with Sephora and DoorDash as well as mobile app gaming company, Jam City; streaming service, Sling TV; website publisher, Healthline.com; and entertainment company, Tilting Point Media. In order to monitor the businesses’ compliance with the CCPA, Attorney General Bonta has conducted investigative sweeps related to location data, streaming apps and devices, employee information, and surveillance pricing.

For more information about the CCPA, visit oag.ca.gov/ccpa. To report a violation of the CCPA to the Attorney General, consumers can submit a complaint online at oag.ca.gov/report.

On Data Privacy Day, Attorney General Bonta Focuses on Surveillance Pricing, Compliance with California Consumer Privacy Act

January 27, 2026

Californians have the right to understand whether their data is being used to set individual prices they pay for items like groceries 

OAKLAND — In honor of Data Privacy Day, California Attorney General Rob Bonta today announced an investigative sweep focused on businesses’ use of consumers’ personal information to set targeted, individualized prices for products and services, a practice known as surveillance pricing. Surveillance pricing practices may trigger obligations under and even violate the California Consumer Privacy Act (CCPA), which includes a “purpose limitation principle” that limits a business’s use of personal information to purposes that are consistent with the reasonable expectations of consumers. Businesses that use data in ways that targeted consumers might not expect — including by using that data to set individualized prices — may be violating California law. As part of the sweep, the California Department of Justice is sending letters to businesses with significant online presence in the retail, grocery, and hotel sectors. The letters request information regarding how businesses use consumers’ shopping and internet browsing history, location, demographics, inferential, or other data to set the prices of goods or services.

“Consumers have the right to understand how their personal information is being used, including whether companies are using their data to set the prices that Californians pay, whether that be for groceries, travel, or household goods. We need to know whether businesses are charging people different prices for the same good or service — and if they’re complying with the law. Today, my office is launching a formal inquiry and will ask prominent businesses in the retail, grocery, and hotel sectors to provide my office with information so we can understand how these companies are using personal data,” said Attorney General Bonta. “Practices like surveillance pricing may undermine consumer trust, unfairly raise prices, and when conducted without proper disclosure or beyond reasonable expectations, may violate California law. On Data Privacy Day and every day, my office is committed to enforcing the CCPA and ensuring that businesses are transparent, fair, and accountable in their use of consumer data.”

The letters will request information including:

  • Companies’ use of consumer personal information to set prices.  
  • Policies and public disclosures regarding personalized pricing.
  • Any pricing experiments undertaken by companies. 
  • Measures companies are taking to comply with algorithmic pricing, competition, and civil rights laws.  

What is Surveillance Pricing: 

Surveillance pricing is the use of a consumer’s personal information to set targeted, individualized prices for a product or service. As a result, consumers buying the same product or service at the same time from the same business may be offered different prices. Unless a business discloses that it uses a consumer’s personal information to set prices, surveillance pricing may be invisible to the consumer, as consumers usually cannot and do not consult with each other to compare the prices they have been offered.

In recent years, media reports and regulators alike have sounded the alarm on the possibility of the existence of surveillance pricing. In July 2024, the Federal Trade Commission (FTC) sought information on surveillance pricing from eight companies that provided surveillance pricing products to businesses. Last year, before the change in federal administration, the FTC published a summary of its research. Since then, the Trump Administration’s FTC has closed public comment on a request for information regarding retailers’ use of surveillance pricing, illustrating another example of the Trump Administration’s abandonment of critical consumer protection work. A 2025 Consumer Reports investigation into the grocery delivery company, Instacart, found that some grocery prices differed by as much as 23% per item from one Instacart customer to the next. According to the investigation, price variations for the same products ranged from as little as seven cents to $2.56 per item. Instacart has since publicly stated that it has stopped offering technology that allowed grocery retailers to charge shoppers different prices for the same groceries at the same time.

The California Consumer Privacy Act (CCPA): 

The CCPA is a landmark law that secures increased privacy rights for California consumers, including the right to know how businesses collect, share, and utilize their personal information. Businesses that are subject to the CCPA have several responsibilities, including responding to consumer requests to exercise these rights and giving consumers certain notices explaining their privacy practices. Under the CCPA’s “purpose limitation” principle, businesses are limited in their use of personal information to purposes that are consistent with the reasonable expectations of consumers.  

Attorney General Bonta is committed to the robust enforcement of California’s nation-leading privacy law. Investigative sweeps and inquiries help the California Department of Justice to identify and zero in on compliance issues across industries.  

In 2024, the CCPA investigative sweep focused on the compliance of streaming services and connected TVs, and last year, Attorney General Bonta announced a settlement with Sling TV that arose from this sweep. In August 2022, the Attorney General announced a settlement with Sephora resolving allegations that arose from a sweep of companies that appeared to be out of compliance with the user-enabled privacy control (GPC) signal to stop the sale of personal information. Other investigative sweeps have related to the location data industry, employee information, opt-out requests on mobile apps, and business loyalty programs.

In November 2025, Attorney General Bonta announced a $1.4 million settlement with Jam City resolving allegations that the mobile app gaming company violated the CCPA by failing to offer consumers methods to opt-out of the sale or sharing of their personal information across its popular gaming apps. In July 2025, Attorney General Bonta announced a $1,550,000 settlement with website publisher Healthline Media LLC, resolving allegations that its use of online tracking technology on its health information website violated the CCPA. In 2024, Attorney General Bonta and Los Angeles City Attorney Hydee Feldstein Soto announced a $500,000 settlement with Tilting Point Media LLC resolving allegations that the company violated the CCPA and federal law by collecting and sharing children’s data without parental consent in their popular mobile app game “SpongeBob: Krusty Cook-Off.”  In 2024, Attorney General Bonta announced a settlement with DoorDash, resolving allegations that the company violated the CCPA and COPPA by selling California customers’ personal information without providing notice or an opportunity to opt out of that sale. 

For more information about the CCPA, visit oag.ca.gov/ccpa. To report a violation of the CCPA to the Attorney General, consumers can submit a complaint online at oag.ca.gov/report.

Attorney General Bonta Secures $1.4 Million Settlement with Mobile App Gaming Company for Violating California's Nation-Leading Privacy Law

November 21, 2025
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

Company failed to offer consumers methods to opt-out of the sale of their personal information

OAKLAND — California Attorney General Rob Bonta today announced a settlement with Jam City, Inc. (Jam City), resolving allegations that the mobile app gaming company violated the California Consumer Privacy Act (CCPA) by failing to offer consumers methods to opt-out of the sale or sharing of their personal information across its popular gaming apps. Jam City creates games for mobile platforms, including games based on popular franchises such as Frozen, Harry Potter, and Family Guy. In addition to $1.4 million in civil penalties, under today's settlement, Jam City must provide in-app methods for consumers to opt-out of the sale or sharing of their data and must not sell or share the personal information of consumers at least 13 and less than 16 years old without their affirmative “opt-in” consent.

“Many Californians like to unwind after a long day by gaming on their cell phones. Even on apps, California law obligates companies to provide a way for consumers to opt-out of the sale and sharing of their personal data,” said Attorney General Bonta. “This process should be simple, transparent, and easy to navigate. My office is committed to the continued enforcement of the CCPA — including by ensuring that mobile gaming companies follow the law so consumers can exercise their right to protect their privacy.”  

Jam City generates revenue, in part, through disclosing personal information for advertising. Jam City and its ad-tech partners use information obtained from consumers to display personalized ads within Jam City games. Despite collecting and sharing consumer personal information nearly exclusively through its mobile games, the California Department of Justice’s investigation found Jam City did not offer CCPA-compliant opt-outs in any of its 21 mobile apps. The investigation also found some Jam City games shared or sold the data of children between the ages of 13 and 16 without the affirmative consent required by the CCPA. Under the CCPA, minors under the age of 16 are afforded special protections for the sale of their data.

The CCPA is a landmark law that secures increased privacy rights for California consumers, such as the right to know how businesses collect, share, and disclose their personal information. The CCPA vests California consumers with control over the personal information that businesses collect about them, including the right to request that businesses stop selling or sharing their personal information. To learn more about opting out, please see here.

Attorney General Bonta is committed to the robust enforcement of California’s nation-leading privacy law. In March, the CCPA investigative sweep into the location data industry involved sending letters to advertising networks, mobile app providers, and data brokers that appear to be in violation of the CCPA. Attorney General Bonta has conducted investigative sweeps related to location data, streaming apps and devices, and employee information.

Today’s settlement represents the sixth enforcement action under the CCPA. 

Last month, Attorney General Bonta secured a settlement with streaming service Sling TV, resolving allegations that the company violated the CCPA by failing to provide an easy-to-use method for consumers to stop the sale of their personal information and by failing to provide sufficient privacy protections for children.

In July 2025, Attorney General Bonta announced a $1,550,000 settlement with website publisher Healthline Media LLC, resolving allegations that its use of online tracking technology on its health information website violated the CCPA by failing to allow customers to opt-out of targeted advertising and sharing data with third parties without CCPA-mandated privacy protections — including data suggesting that a person may have a serious health condition. In June 2024, Attorney General Bonta and Los Angeles City Attorney Hydee Feldstein Soto announced a $500,000 settlement with Tilting Point Media LLC resolving allegations that the company violated the CCPA and federal law by collecting and sharing children’s data without parental consent in their popular mobile app game “SpongeBob: Krusty Cook-Off.”  In February 2024, Attorney General Bonta announced a settlement with DoorDash, resolving allegations that the company violated the CCPA and COPPA by selling California customers’ personal information without providing notice or an opportunity to opt out of that sale. In August 2022, the Attorney General announced a settlement with Sephora resolving allegations that it failed to disclose to consumers that it was selling their personal information and failed to process opt-out requests via user-enabled global privacy controls in violation of the CCPA. 

For more information about the CCPA, visit oag.ca.gov/ccpa. To report a violation of the CCPA to the Attorney General, consumers can submit a complaint online at oag.ca.gov/report.

A copy of the complaint is available here. A copy of the judgment is available here.

Attorney General Bonta Joins States in Securing $5.1 Million in Settlements from Education Software Company for Failing to Protect Students’ Data 

November 6, 2025
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

OAKLAND — California Attorney General Rob Bonta, Connecticut Attorney General William Tong, and New York Attorney General Letitia James today announced that they have secured $5.1 million and injunctive terms from educational technology company Illuminate Education, Inc. (Illuminate) for failing to protect students’ data. In 2021, Illuminate experienced a data breach that exposed the information of millions of students, including California students across 49 school districts. The breached data included sensitive personal and medical information, such as student name, race, whether the student received special education services or reasonable accommodations, and coded medical conditions. Of the three million California students impacted by the breach, more than 434,000 had sensitive information stolen. As part of the three separate settlements with the states, Illuminate has agreed to pay California $3.25 million in civil penalties and has agreed to comply with requirements to strengthen its data security practices.  

“Illuminate failed to appropriately safeguard the data of school children, resulting in a data breach that compromised the sensitive data of students nationwide, including more than 434,000 California students. Our investigation revealed a troubling pattern of security deficiencies that should have never happened for a company charged with protecting data about kids,” said Attorney General Rob Bonta. “Today’s settlement should send a clear message to tech companies, especially those in the education space: California law imposes heightened obligations for companies to secure children’s information. I am grateful to Attorney General James and Attorney General Tong for their partnership in investigating companies that fail to safeguard our residents’ data. Data security concerns know no borders, and as today’s settlements showcase, neither should state collaboration.”

“Technology is everywhere in schools today, and Connecticut’s Student Data Privacy Law requires strict security to protect children’s information. Illuminate failed to implement basic safeguards, and exposed the personal information of millions of students, including thousands here in Connecticut,” said Attorney General William Tong. “This action—Connecticut’s first ever under the Student Data Privacy Law—holds Illuminate accountable and sends a strong message to education technology companies that they must take privacy obligations seriously.”

“Students, parents, and teachers should be able to trust that their schools’ online platforms are safe and secure,” said Attorney General Letitia James. “Illuminate violated that trust and did not take basic steps to protect students’ data. Today’s settlements will ensure that Illuminate protects students’ data in classrooms across the country. My office will continue to use every tool at our disposal to protect children online.”

In December 2021, a hacker accessed Illuminate’s network using the credentials of a former employee who had left the company years earlier. The hacker then created new credentials to enable future access to Illuminate’s network and data and spent several days stealing and deleting student data. 

The investigation by the California Department of Justice determined that Illuminate failed to carry out basic security procedures to protect students’ information. First, Illuminate failed to terminate the login credentials of former employees, resulting in the credentials of a former employee with a high level of access to Illuminate’s systems remaining active after his departure from the company. Second, Illuminate did not monitor and alert for suspicious logins and activity. Third, Illuminate did not secure its backup databases separately from its active databases. As a result, the backup databases were compromised when the attacker compromised the active database, negating the purpose of maintaining a backup. Moreover, Illuminate made false and misleading statements in its Privacy Policy, including stating that it took steps to prevent unauthorized access and disclosure of information and that its measures “meet or exceed the requirements of applicable federal and state law,” when that was not the case. Illuminate also deceptively advertised that it was a signatory of the Future of Privacy Forum’s “Student Privacy Pledge,” but was later dropped from the list of signatories as a result of the breach.

As a result of today’s settlements, Illuminate must pay a total of $5.1 million to the states, including $3.25 million to California. In addition, as part of California’s settlement, subject to court approval, Illuminate has agreed to:

  • Implement appropriate access control and account management, including terminating the credentials of former employees and conducting audits to check that all valid credentials belong only to current employees.
  • Implement appropriate real-time monitoring and alerts for suspicious access and activity.
  • Implement appropriate safeguards to protect backup databases, such as not storing backup databases within the same network segment as original databases.
  • Inform California DOJ of breaches involving student data.
  • Provide reminders to school districts that they should perform a review of the student data stored by Illuminate on the school’s behalf, including reminders related to retention and deletion of student data.

Today’s settlement marks DOJ’s first enforcement action involving California’s K-12 Pupil Online Personal Information Protection Act (KOPIPA), which requires operators of online services used for K-12 school purposes to implement and maintain reasonable security procedures and practices to protect student data.  

Attorney General Bonta is committed to ensuring businesses follow the law when it comes to consumers' data — including children’s data:

Last month, Attorney General Bonta secured a $530,000 settlement with streaming service Sling TV resolving allegations that the company failed to provide an easy-to-use method for consumers to stop the sale of their personal information and failed to provide sufficient privacy protections for children. In 2024, Attorney General Bonta secured a $6.75 million settlement with Blackbaud, a South Carolina-based software company, for violating consumer protection and privacy laws related to its unlawful data security practices. Blackbaud’s failure to implement reasonable data security led to a data breach in 2020. Also last year, Attorney General Bonta and Los Angeles City Attorney Hydee Feldstein Soto announced a $500,000 settlement with Tilting Point Media resolving allegations that the company violated state and federal privacy laws by collecting and sharing children’s data without parental consent in their popular mobile app game “SpongeBob: Krusty Cook-Off.”

A copy of the complaint can be found here. A copy of the final judgment can be found here.

Attorney General Bonta Secures $530,000 Settlement with Sling TV, First Enforcement Action from DOJ's Sweep of Streaming Services

October 30, 2025
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

Sling TV confused and misdirected consumers seeking to exercise their right to stop the sale of their personal information 

OAKLAND — California Attorney General Rob Bonta today secured a settlement with Sling TV LLC and Dish Media Sales LLC (Sling TV), a streaming service, resolving allegations that the company violated the California Consumer Privacy Act (CCPA) by failing to provide an easy-to-use method for consumers to stop the sale of their personal information and by failing to provide sufficient privacy protections for children. The investigation and proposed settlement arise from the California Department of Justice’s (DOJ) investigative sweep announced in January 2024, which focused on the compliance of streaming services and connected TVs with CCPA’s right to opt-out. Under the proposed settlement, Sling TV has agreed to pay $530,000 in CCPA civil penalties and implement changes to ensure the CCPA opt-out is easy for consumers to execute, requires minimal steps, and considers the way the business interacts with consumers. The settlement, subject to court approval, also requires the company to provide parents with clear disclosures and tools to minimize collection and use of their children’s data. 

“Californians have critical privacy rights. Our investigative sweep looked at all the different ways consumers should be able to stop the sale of their data when using streaming services,” said Attorney General Bonta. “We take privacy rights seriously and Sling TV was not providing consumers an easy way to opt-out of the sale of their personal data as required. My office is committed to the continued enforcement of the CCPA — every Californian has the right to their online privacy, especially in the comfort of their living room.”

Sling TV is an internet-based live TV service that offers both a paid subscription and a free, ad-supported streaming service. Unlike traditional television, where advertising is based on the content of the programming, Sling TV uses its internet-based platform to deliver highly targeted advertising, using detailed consumer data such as age, gender, location, and income to personalize ads for viewers, often without their awareness.   

In 2024, DOJ identified Sling TV as a target in its investigative sweep, because of Sling TV’s confusing and hard-to-find methods to opt-out of the sale and sharing of personal information. Sling TV combined cookie preferences with the CCPA opt-out, even though to truly opt-out, turning off cookies was insufficient. Consumers had to look for an embedded link to a webform and click through confirmation steps to complete their request. Even logged-in customers, where Sling TV knew the identity of the customer, had to fill out a webform with their name, address, email, and phone number — information already known to Sling TV. Additionally, Sling TV did not provide methods to opt-out within its apps on various living-room devices. Nor did they offer kids profiles that would reduce the use of targeted advertising when children are watching or otherwise obtain affirmative “opt-in” authorization when minors under the age of 16 were likely watching.  

Under the settlement Sling TV must: 

  • Stop directing consumers seeking to implement their CCPA opt-out rights to cookie preferences.
  • Stop requiring logged-in customers to fill out a webform with information already available to the business, which adds unnecessary steps and could deter consumers from exercising their opt-out rights. 
  • Provide an opt-out mechanism within the Sling TV app on various living-room devices, so consumers accessing Sling TV on various devices do not need to go to Sling TV’s website to opt-out.
  • Allow parents to designate one or more user profiles as a “kid’s profile” that defaults off the sale and sharing of personal information and targeted advertising.
  • Provide parents with clear disclosures and tools to protect their children’s privacy. 

The CCPA is a landmark law that secures increased privacy rights for California consumers, such as the right to know how businesses collect, share, and disclose their personal information. Businesses that are subject to the CCPA have specific responsibilities, including responding to consumer requests to exercise these rights and giving consumers certain notices explaining their privacy practices. 

Attorney General Bonta is committed to the robust enforcement of California’s nation-leading privacy law. In March, the CCPA investigative sweep into the location data industry involved sending letters to advertising networks, mobile app providers, and data brokers that appear to be in violation of the CCPA. Attorney General Bonta has conducted investigative sweeps related to location data, streaming apps and devices, and employee information.

Today’s settlement represents the fifth settlement under the CCPA: 

In July 2025, Attorney General Bonta announced a $1,550,000 settlement with website publisher Healthline Media LLC, resolving allegations that its use of online tracking technology on its health information website violated the CCPA by failing to allow customers to opt-out of targeted advertising and sharing data with third parties without CCPA-mandated privacy protections — including data suggesting that a person may have a serious health condition. In June 2024, Attorney General Bonta and Los Angeles City Attorney Hydee Feldstein Soto announced a $500,000 settlement with Tilting Point Media LLC resolving allegations that the company violated the CCPA and federal law by collecting and sharing children’s data without parental consent in their popular mobile app game “SpongeBob: Krusty Cook-Off.” In February 2024, Attorney General Bonta announced a settlement with DoorDash, resolving allegations that the company violated the CCPA and CalOPPA by selling California customers’ personal information without providing notice or an opportunity to opt out of that sale. In August 2022, the Attorney General announced a settlement with Sephora resolving allegations that it failed to disclose to consumers that it was selling their personal information and failed to process opt-out requests via user-enabled global privacy controls in violation of the CCPA.

For more information about the CCPA, visit oag.ca.gov/ccpa. To report a violation of the CCPA to the Attorney General, consumers can submit a complaint online at oag.ca.gov/report.

A copy of the complaint can be found here. A copy of the final judgment can be found here.

Attorney General Bonta Announces Joint Investigative Privacy Sweep: CO, CT, and CA Investigate Businesses Refusing to Honor Consumers’ Right to Opt-Out of the Sale of Their Personal Information

September 9, 2025
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

Coordinated state effort signals nationwide, robust enforcement of important privacy right 

OAKLAND — California Attorney General Rob Bonta, alongside the California Privacy Protection Agency and the attorneys general of Colorado and Connecticut, today announced an investigative sweep involving potential noncompliance with the Global Privacy Control, or GPC, an easy-to-use browser setting or extension that automatically signals to businesses a consumer’s request to stop selling or sharing their personal information to third parties. As part of the sweep announced today, the coalition sent letters to businesses that do not appear to be processing consumer requests to opt out of the sale of their personal information submitted via the GPC as required by law and requested that those businesses come into immediate compliance. This sweep reinforces the three states’ 2025 Data Privacy Day educational efforts on the GPC and California’s prior $1.2 million settlement with Sephora regarding GPC compliance.

“Californians have the important right to opt-out and take back control of their personal data — and businesses have an obligation to honor this request,” said Attorney General Rob Bonta. “Today, along with our law enforcement partners throughout the country, we have identified businesses refusing to honor consumers’ requests to stop selling their personal data and have asked them to immediately come into compliance with the law. California and our sister states are committed to continued collaboration to actively enforce consumers’ important privacy rights and are paying close attention to business compliance with the Global Privacy Control.”

“In Connecticut, you have the right to access, correct, and delete personal data stored and collected by businesses, and the right to opt-out of the sale of personal data and targeted advertising. And you can install a simple browser extension that indicates your choice to opt-out of this type of commercial tracking. While many businesses have been diligent in understanding these new protections and complying with the law, we are putting violators on notice today that respecting consumer privacy is non-negotiable,” said Attorney General William Tong. 

“Collaboration with our partners in other states is essential to the CPPA’s work. We are proud to join this effort to ensure that consumers’ opt-out rights are honored, and we will continue working across jurisdictions to protect Californians’ privacy,” said Tom Kemp, the CPPA’s Executive Director.  

Data comes from nearly everywhere online, even when people think they’re not revealing anything. It has been estimated that the average person produces 1.7 MB of data per second or 6,120 MB of data per hour. Websites can track and amass personal information and behavioral data like pages visited, time spent on pages, clicks, and detailed purchase information to create and share profiles and inferences about consumers. Apps and other software can collect and transmit personal information as well, including sensitive personal information like a user’s precise geolocation. Preventing third parties from receiving this information is a key step to protecting private information and stopping the proliferation of consumer data in the online ecosystem.

YOUR RIGHT TO OPT-OUT IN CALIFORNIA

The California Consumer Privacy Act (CCPA) vests California consumers with control over the personal information that businesses collect about them, including the right to request that businesses stop selling or sharing their personal information. With some exceptions, businesses cannot sell or share your personal information after they receive your opt-out request unless you later provide authorization allowing them to do so again. Businesses must wait at least 12 months before asking you to opt back in to the sale or sharing of your personal information.  

Consumers interacting with a business online have two options to opt out of the sale of their data:

OPTION 1: Enabling Global Privacy Control 

The GPC is a signal that allows users to automatically indicate to the websites they visit that they would like to opt-out of the “sale” and “sharing” of their personal information. The GPC signal is an easy way to opt-out because a consumer does not have to make individualized requests to opt-out on each website they visit. GPC can be downloaded via a browser extension; some browsers offer a GPC setting. Installing GPC is simple and ensures your personal information is protected.

Click here for a video to show you how to install GPC.

OPTION 2: Opt-Out One Business at a Time 

Businesses that sell personal information must provide a clear and conspicuous “Do Not Sell or Share My Personal Information” link on their website that allows you to submit an opt-out request. Businesses cannot require you to create an account to process your opt-out, but may ask consumers for information necessary to complete the request, such as information necessary to identify the consumer whose information shall cease to be sold or shared by the business.

If you can’t find a business’s “Do Not Sell or Share My Personal Information” link, review its privacy policy to see if it sells or shares personal information. If the business does, it must also include that link in its privacy policy. If a business’s “Do Not Sell My Personal Information” link is not working or difficult to find, you may report the business to our office by visiting oag.ca.gov/report.

For more information on the CCPA and opting out, please see here. For a tutorial on installing GPC, please see here.