California AG Secures Record $2.75M CCPA Settlement Against Disney
Disney is one of the most recognizable brands in the world, but even Mickey isn’t safe from the California Consumer Privacy Act (CCPA). In a landmark enforcement action, the California Attorney General yesterday announced a $2.75 million settlement with The Walt Disney Company, the largest settlement to date under the CCPA, over allegations that Disney failed to fully honor consumer opt-out requests.
The settlement stems from a January 2024 investigative sweep into streaming services. The California Department of Justice concluded that Disney did not fully carry out consumers’ requests to opt out of the sale or sharing of their personal information across all devices and services associated with a user’s account.
According to the Attorney General, Disney offered multiple opt-out mechanisms, but each contained material limitations:
Opt-Out Toggles: Requests made through website or in-app toggles were applied only to the specific streaming service or device being used at the time. Other devices or services tied to the same account could continue selling or sharing data.
Webform Requests: Consumers who opted out using Disney’s webform were able to stop certain forms of internal, advertising-related data sharing. However, Disney continued to share consumer data with third-party ad-tech vendors whose tracking tools were embedded in its platforms. In several connected TV apps, Disney did not provide an in-app opt-out option at all.
Global Privacy Control (GPC): GPC signals were recognized only at the device level, even when the consumer was logged into a Disney account, limiting the effectiveness of the opt-out.
This settlement marks the seventh CCPA enforcement action, following prior settlements with companies including Sephora, DoorDash, Jam City, Sling TV, Healthline.com, and Tilting Point Media.
For businesses, the Disney settlement highlights several compliance priorities: opt-out mechanisms should function at the account level; third-party tracking technology does not shield a company from liability; and Global Privacy Control signals must be meaningfully honored.