California Lands Record $2.75 Million CCPA Settlement With Disney Over Opt-Out Gaps
Key Takeaways
- Largest CCPA Settlement to Date: California secured a $2.75 million settlement with The Walt Disney Company, marking the biggest enforcement action yet under the California Consumer Privacy Act.
- Account-Wide Opt-Out Required: Regulators made clear that a consumer’s opt-out request must apply across all devices and services tied to an account, not just the specific app or device used at the time.
- Global Privacy Control Scrutinized: The investigation found that limiting Global Privacy Control signals to a single device, even when a user is logged in, did not meet CCPA requirements.
- Third-Party Ad-Tech Exposure: Disney’s webform opt-out process did not fully stop data sharing with certain embedded third-party advertising partners, highlighting ongoing risk in complex ad-tech ecosystems.
Deep Dive
California has secured its largest settlement yet under the California Consumer Privacy Act, with Attorney General Rob Bonta announcing that The Walt Disney Company will pay $2.75 million to resolve allegations that it failed to fully honor consumers’ requests to opt out of the sale or sharing of their personal information.
The case, which stems from a January 2024 investigative sweep of streaming services, focuses on a deceptively simple question that sits at the heart of modern privacy law: when a consumer says “stop,” does the data actually stop moving?
According to the California Department of Justice, in Disney’s case, the answer was not always.
Under the settlement, Disney must pay civil penalties and implement opt-out mechanisms that fully cease the sale or sharing of consumers’ personal information when a valid request is made. The $2.75 million figure represents the largest CCPA settlement to date.
“Consumers shouldn’t have to go to infinity and beyond to assert their privacy rights,” Bonta said in announcing the agreement. He added that California’s privacy law is clear that a consumer’s opt-out right applies wherever and however a business sells data. Companies cannot require users to go device by device or service by service to exercise that right.
Where the Process Fell Short
The state’s investigation did not hinge on whether Disney provided opt-out tools. It did. The issue was whether those tools worked comprehensively across the company’s streaming ecosystem.
Regulators found that when users toggled an opt-out setting within Disney’s websites or apps, the request often applied only to the specific streaming service being viewed and sometimes only to the device in use. That meant other devices or services connected to the same Disney account could continue to transmit personal information for sale or sharing.
The webform option presented its own limits. While Disney stopped sharing data through its own advertising platform when a webform opt-out was submitted, investigators found that personal information continued to be sold or shared with certain third-party ad-tech companies whose code was embedded in Disney’s sites and apps.
In several connected TV streaming apps, consumers were not offered an in-app opt-out method at all. Instead, they were directed to the webform, which regulators said left them without a direct way to stop selling or sharing from those apps themselves.
Even the Global Privacy Control, a browser-based signal designed to communicate a user’s desire to opt out, was treated narrowly. Disney limited the request to the specific device transmitting the signal, even when the consumer was logged into their Disney account.
Taken together, regulators concluded that these limitations prevented consumers from fully effectuating their statutory right to opt out under California law.
A Test of Account-Wide Compliance
The settlement arrives at a time when privacy compliance is increasingly being tested not on policy language but on system design. The CCPA grants California residents the right to know how businesses collect, use, and disclose personal information, as well as the right to request that businesses stop selling or sharing it.
The Disney case highlights the operational complexity that arises when data flows across multiple devices, services, advertising platforms, and embedded third-party technologies. In such environments, honoring an opt-out request requires more than a visible toggle; it requires backend alignment across the entire ecosystem tied to a user account.
With the $2.75 million resolution, California has signaled that partial compliance will not suffice. When a consumer opts out, the expectation is that the request follows them across their account, not just the screen they happen to be using at the time.

