Major Settlement: Disney Fined $2.75 Million Over CCPA Violations
On February 11, 2026, the California Attorney General announced a groundbreaking settlement of $2.75 million with The Walt Disney Company, highlighting serious breaches of the California Consumer Privacy Act (CCPA). This unprecedented settlement illustrates an intensified focus on CCPA compliance across various industries.
Understanding CCPA Violations
The investigation conducted by the Attorney General revealed three critical areas where Disney failed to comply with CCPA regulations:
1. Deficient Opt-Out Toggles
Disney’s streaming applications featured opt-out toggles that lacked comprehensive coverage. When users opted out via Disney+, their preferences only applied to that specific service and, often, to just one device. This meant that a user opting out on Disney+ could still have their data shared through other Disney platforms like Hulu or ESPN+, even if logged into the same account.
2. Inadequate Webform Opt-Out
Disney’s webform for opting out only restricted data sharing through Disney’s own advertising systems. It did not prevent data sharing with third-party ad-tech companies embedded within Disney’s websites and apps. Furthermore, many of Disney’s connected TV apps failed to incorporate any in-app opt-out functionalities, compelling users to resort to a webform that offered no effective solution.
3. Non-Compliant Global Privacy Control (GPC) Processing
The GPC is a browser-based signal designed to facilitate opt-out requests under CCPA. Disney processed these requests only at the device level. Consequently, an opt-out on one browser wouldn’t be honored on other devices or browsers linked to the same account.
Implications for Businesses
To effectively honor consumers’ rights under the CCPA, businesses must ensure that opt-out features are:
Universal
Opt-out options should encompass all devices and services associated with a single user account.
Accessible
Clear and easy-to-find opt-out mechanisms are a necessity. The absence of in-app opt-out options could be viewed as non-compliant.
Technology-Agnostic
Consumer privacy signals, like GPC, must be honored consistently across various platforms.
Key Recommendations for Compliance
In light of this significant enforcement action, businesses are encouraged to undertake the following measures:
1. Audit Opt-Out Mechanisms
Conduct a thorough investigation into every pathway through which your organization shares personal data. Verify that all opt-out functions, including toggles, webforms, and GPC signals, genuinely halt all data-sharing processes.
2. Ensure Account-Level Opt-Out Propagation
Opt-out requests must be applied universally at the account level across all devices. Implementing a centralized preference management system can help propagate these requests in real time.
3. Honor Global Privacy Control Signals
Make sure your website and app architecture can effectively identify and manage GPC signals. When a logged-in user provides a GPC signal, treat it as a request applicable at the account level, not limited to a single device.
4. Review Third-Party Data Sharing Practices
Conduct an audit of how data is shared with third-party vendors embedded in your digital platforms. Ensure that existing opt-out mechanisms suppress unauthorized data transmissions.
5. Update Privacy Notices and User Documentation
Revise your privacy statements to accurately reflect compliant opt-out methods and provide clear instructions on how consumer requests are processed.
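Recommendations 2 and 3 can be shown in code. The Python example below is added here for illustration and is not code from the settlement or from any company named in this article. It records a GPC signal (the `Sec-GPC: 1` request header) from a logged-in user as an account-level opt-out in a central store, then suppresses ad data sharing for that account on every device and service. The store, function names, service names and destination labels are hypothetical.

```python
from dataclasses import dataclass, field

# Destination labels are constructed placeholders for "own ad system" and
# "third-party ad tech embedded in the site or app".
AD_DESTINATIONS = ["first_party_ads", "third_party_adtech"]


@dataclass
class PreferenceStore:
    """Hypothetical central preference store shared by every service and device."""
    account_opt_out: dict = field(default_factory=dict)  # account_id -> where it came from
    device_opt_out: set = field(default_factory=set)     # device ids of anonymous users

    def record(self, account_id, device_id, source):
        if account_id is not None:
            # Logged-in user: the opt-out belongs to the account, not the device.
            self.account_opt_out.setdefault(account_id, source)
        else:
            # No account to attach to: fall back to a device-scoped opt-out.
            self.device_opt_out.add(device_id)

    def opted_out(self, account_id, device_id):
        return account_id in self.account_opt_out or device_id in self.device_opt_out


def gpc_enabled(headers):
    """True if the request carries the GPC header `Sec-GPC: 1` (name is case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def handle_request(store, headers, account_id, device_id, service):
    """Return the ad destinations this request is allowed to send personal data to."""
    if gpc_enabled(headers):
        store.record(account_id, device_id, source=f"gpc:{service}")
    if store.opted_out(account_id, device_id):
        return []  # suppress both the first-party ad system and embedded third parties
    return list(AD_DESTINATIONS)


if __name__ == "__main__":
    store = PreferenceStore()
    # Constructed scenario: GPC arrives from a laptop browser on one service...
    print(handle_request(store, {"Sec-GPC": "1"}, "acct-1", "laptop", "service_a"))
    # ...and the same account on a TV app of another service sends no GPC header.
    print(handle_request(store, {}, "acct-1", "tv", "service_b"))
```

The same `opted_out` check would also sit in front of toggle and webform submissions, so that all three opt-out paths write to one record.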
Conclusion: Looking Ahead at Consumer Privacy Compliance
The recent settlement serves as a stark reminder of the heightened regulatory scrutiny surrounding consumer privacy rights. Companies offering digital services must go beyond superficial compliance and ensure that their opt-out mechanisms function effectively at all consumer touchpoints. As the trend towards stricter CCPA enforcement continues, organizations must prioritize compliance to avoid potential penalties and protect consumer trust.
For more information on the California Consumer Privacy Act and its implications for your business, visit the California Attorney General’s website. Compliance is not only a legal obligation but a cornerstone of good business practice in today’s digital landscape.
