Disney’s $2.75 Million CCPA Settlement: A Watershed Moment in Privacy Enforcement

On February 11, 2026, California Attorney General Rob Bonta announced a landmark $2.75 million settlement with The Walt Disney Company, the largest civil penalty ever obtained under the California Consumer Privacy Act (CCPA). This enforcement action, arising from a January 2024 investigative sweep of streaming services, exposes a fundamental disconnect between how entertainment companies monetize consumer data and how they honor privacy rights. The settlement establishes a critical precedent: if a business possesses the technical sophistication to unify consumer identity across devices and platforms for advertising purposes, it must demonstrate equal sophistication in honoring opt-out requests.

Beyond the monetary penalty, which dwarfs the previous record of $1.55 million assessed against Healthline Media, this settlement represents a regulatory shift toward outcome-focused enforcement. California regulators are no longer satisfied with businesses merely providing opt-out mechanisms—they demand that these mechanisms actually work comprehensively across a company’s entire data ecosystem. For any organization operating multi-platform digital services, authenticated user accounts, or cross-device advertising capabilities, this settlement serves as a blueprint for compliance expectations and a warning about the cost of fragmented privacy infrastructure.

The Investigation: Origins and Scope

The 2024 Streaming Services Sweep

The California Department of Justice launched an investigative sweep of streaming services in January 2024, examining how platforms handled consumer opt-out requests under the CCPA. This initiative reflected growing regulatory concern about the rapid evolution of streaming advertising technology and whether privacy compliance had kept pace with monetization capabilities. The sweep targeted multiple major streaming platforms, ultimately resulting in enforcement actions against both Sling TV (settled for $530,000 in October 2025) and Disney.

The timing of the sweep was strategic. By 2024, streaming services had matured from subscription-only models into sophisticated advertising platforms that rival traditional television in their ability to target audiences. Disney, having fully integrated ad-supported tiers into Disney+, Hulu, and ESPN+, represented a particularly significant target given its scale, technical capabilities, and role as an industry leader.

Disney’s Streaming Advertising Infrastructure

To understand the violations, it’s essential to grasp how Disney monetizes its streaming services. Each platform—Disney+, Hulu, and ESPN+—requires user authentication through a Disney account. This authentication enables Disney to track viewing behavior across multiple devices associated with a single user, creating a comprehensive identity graph that follows consumers from their smartphones to tablets to connected TVs.

Disney leverages this cross-device data through two distinct advertising pathways. First, it shares consumer information with third-party advertising technology partners who combine Disney’s streaming data with information from other websites and platforms to enable targeted advertising both within Disney properties and across the broader digital ecosystem. Second, Disney operates its own advertising platform, Disney’s Real-Time Ad Exchange (DRAX), which enriches first-party streaming data with information purchased from data brokers to build detailed consumer profiles for precision advertising.

Both practices constitute cross-context behavioral advertising under the CCPA—the kind of data monetization that triggers consumers’ right to opt out of the sale and sharing of their personal information. The sophistication of Disney’s advertising infrastructure made the fragmentation of its opt-out mechanisms all the more glaring.

The Three Core Violations

1. Fragmented Opt-Out Methods Creating Partial Protection

Disney offered consumers multiple pathways to opt out: a web-based form, in-app privacy toggles, and support for the Global Privacy Control (GPC) browser signal. On the surface, this appeared to provide comprehensive choice. In practice, the investigation revealed these methods operated in silos, each providing only partial protection.

The web-based opt-out form only stopped data use within Disney’s own advertising platform (DRAX). Consumers who submitted requests through this form continued to have their viewing data, device identifiers, and behavioral information shared with third-party advertising technology companies. The form created the appearance of compliance while leaving the most invasive data sharing practices completely untouched.

The in-app privacy toggles provided better protection—they did stop third-party data sharing—but only for the specific service and device combination where the consumer activated the setting. A consumer logged into their Disney account on a smartphone who toggled the privacy setting on the Disney+ app would find their opt-out ignored when they logged into the same account on Hulu, or when they streamed Disney+ content on their connected TV. Despite Disney’s technical ability to recognize that all these devices belonged to the same authenticated user, the opt-out remained isolated to a single app on a single device.

Most troubling was Disney’s treatment of the Global Privacy Control signal. When a consumer using GPC visited Disney’s streaming services, even while logged into their account, Disney applied the opt-out only to that specific browser or device. The company possessed clear knowledge that the GPC signal came from an authenticated user whose identity was linked across multiple devices and services, yet it chose to treat the signal as device-specific rather than account-wide.

2. Unreasonable Burden on Consumers

The CCPA explicitly requires that opt-out methods be easy to execute and require minimal steps. The Attorney General’s investigation documented how Disney’s fragmented approach transformed a straightforward privacy right into an impossible maze.

Consider a typical Disney bundle subscriber who accesses content across three devices: a laptop computer, a tablet, and a smart TV. To fully opt out of data selling and sharing, this consumer would need to complete the web-based opt-out form (which only partially worked), then activate the in-app privacy toggle separately on Disney+, Hulu, and ESPN+ on each of their three devices—a total of ten distinct actions. And because Disney provided no confirmation mechanism or centralized dashboard, consumers had no way to verify whether their opt-out requests had actually been processed or to know that multiple additional steps were required.

This burden was not merely inconvenient—it was prohibitive. Privacy research consistently shows that even minor friction in privacy controls dramatically reduces their use. By requiring consumers to take ten separate actions to exercise a single privacy right, Disney effectively nullified that right for all but the most determined and technically sophisticated users.

3. Complete Opt-Out Impossibility on Connected TV Applications

Perhaps the most egregious finding involved Disney’s connected TV applications—the very platforms where a majority of its streaming content is consumed. Disney did not provide in-app opt-out mechanisms in many of its connected TV apps, citing vendor and technological limitations. Instead, the company directed consumers to complete the web-based opt-out form using a separate computer or mobile device.

This created a cruel irony: the web form didn’t actually control the data collection happening through connected TV apps. The embedded tracking code that transmitted personal information from smart TV platforms to Disney’s advertising partners operated independently of the web form’s opt-out settings. Consumers who dutifully followed Disney’s instructions and submitted the web form achieved nothing—their connected TV viewing data continued flowing to advertisers without interruption.

For millions of consumers who primarily or exclusively watch Disney+ and Hulu on their televisions, there was literally no way to exercise their opt-out rights. The Attorney General rejected Disney’s defense that platform limitations made comprehensive opt-out impossible, establishing a bright-line rule: if a business cannot honor opt-out requests on a particular platform, it should not collect and monetize personal information on that platform.

Settlement Requirements: Beyond Financial Penalties

While the $2.75 million penalty garnered headlines, the settlement’s operational requirements represent its most significant impact. Disney must fundamentally restructure its privacy infrastructure to match the sophistication of its advertising technology.

Settlement requirements and their details:

  • Monetary Penalty: $2.75 million payable within 30 days—the largest CCPA penalty in California history.
  • Account-Wide Propagation: When a logged-in consumer opts out on any Disney service or via any method (including GPC), the opt-out must apply across all streaming services, devices, and platforms associated with that account. For non-authenticated users, the opt-out must apply to the browser, application, or device and any associated consumer profile, including pseudonymous identifiers.
  • Clear Interface Design: Opt-out links must be clear and conspicuous in all streaming services, properly formatted for each device type, and must not require unnecessary scrolling or use hidden elements like unlabeled icons. The settlement explicitly prohibits design patterns that confuse consumers by conflating CCPA opt-out with cookie preferences or vendor-specific controls.
  • Third-Party Notification: Disney must notify all third parties to whom it sold or shared a consumer’s personal information of that consumer’s opt-out request and direct those third parties to comply. This creates a cascade effect, forcing Disney’s entire advertising partner ecosystem to honor consumer choices.
  • Compliance Monitoring: 60-day progress reports until full compliance is achieved, implementation of a comprehensive monitoring program within 180 days, and annual reports to the Attorney General’s office for three years. This extended oversight ensures Disney cannot backslide once regulatory attention fades.


Precedential Legal Principles

The Identity Symmetry Doctrine

The settlement’s most significant contribution to privacy law is the formal articulation of what legal practitioners are calling the ‘identity symmetry doctrine’: if a business can associate a consumer with their devices for advertising purposes, it must associate those same devices with the consumer for purposes of honoring privacy requests.

This principle has profound implications beyond streaming services. Any organization that maintains cross-device or cross-platform consumer identity graphs—telecommunications providers tracking customers across mobile, home internet, and television services; automotive companies linking in-vehicle systems with mobile apps; retailers connecting e-commerce, in-store, and mobile shopping—must now ensure their privacy infrastructure matches the sophistication of their data collection and monetization capabilities.

The doctrine rejects the technical excuse that privacy compliance is harder than advertising technology. California regulators have made clear they will not accept claims that unifying opt-outs across services is technically difficult when the same business has already solved that exact technical challenge to enable unified advertising.

Technical Limitations as an Affirmative Defense Rejected

Disney argued that vendor constraints and platform limitations on connected TV devices prevented comprehensive opt-out implementation. The Attorney General categorically rejected this defense, establishing that technical limitations do not exempt businesses from CCPA obligations. If a platform or vendor relationship prevents a company from honoring consumer rights, the company must either solve the technical problem or cease collecting and monetizing data through that channel.

This ruling has immediate consequences for businesses operating on platforms with limited privacy infrastructure: smart TVs, connected vehicles, Internet of Things devices, and emerging technologies like augmented reality headsets. Companies can no longer hide behind platform limitations to justify incomplete privacy compliance. The choice is stark—build robust privacy controls or don’t collect the data.

Dark Patterns and Choice Architecture Under Scrutiny

The settlement’s detailed prescriptions on user interface design—prohibiting hidden links, unlabeled icons, confusing overlapping controls, and unnecessary verification steps—demonstrate that regulators are examining not just whether opt-out mechanisms exist but how they are presented. This focus on dark patterns and choice architecture has emerged as a consistent theme across recent California privacy enforcement actions, from Healthline to Sling TV to now Disney. Businesses should anticipate that any design element making opt-out more difficult than opting in will draw enforcement scrutiny.

Industry-Wide Implications and Action Items

Immediate Compliance Priorities

Organizations operating multi-platform digital services should immediately undertake the following actions:

  • Audit all opt-out pathways to confirm that a single opt-out request, submitted through any available method, stops all data selling and sharing across every service, device, and third-party partner associated with that consumer.
  • Map your consumer identity graphs—document how you link devices, browsers, and platforms to individual users for advertising, then verify your privacy infrastructure can make the same connections to propagate opt-out requests.
  • Review treatment of Global Privacy Control and other opt-out preference signals to ensure they trigger comprehensive, account-wide opt-outs for authenticated users rather than device-specific settings.
  • Examine platforms with limited privacy capabilities (connected TVs, IoT devices, in-vehicle systems) and either implement functional opt-out mechanisms or cease data collection for advertising purposes on those platforms.
  • Evaluate user interface design for any elements that could be characterized as dark patterns—hidden links, confusing language, unnecessary steps, or conflation of different privacy controls.
  • Establish monitoring systems to verify opt-outs are actually being honored by all services and third-party partners, not just recorded in a database.
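The account-wide propagation requirement and the first three audit items above describe one mechanism: reuse the links the advertising stack already holds between a consumer's devices to propagate a single opt-out, then verify that no linked device keeps sharing. The following is an added illustration, not code from Disney, the Attorney General, or any vendor. It models a small identity graph with constructed device ids, accounts, and partner names, contrasts a device-scoped opt-out (the fragmented behaviour the settlement describes) with an account-wide one, reads the GPC signal from the standard `Sec-GPC: 1` request header, records third-party notifications, and runs the audit a compliance team would want: after one opt-out, which linked devices still leak?

```python
"""Constructed model of opt-out propagation over a cross-device identity graph.

Hypothetical example code, not Disney's systems or any regulator's tooling: it
contrasts a device-scoped opt-out (the fragmented behaviour the settlement
describes) with an account-wide one, and runs the audit a compliance team
would want: after one opt-out, does any linked device still share data?
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str            # constructed ids such as "laptop:disney+"
    account: Optional[str]    # None for a non-authenticated visitor
    profile: Optional[str]    # pseudonymous profile id, if the ad stack assigned one


@dataclass
class IdentityGraph:
    """The links the advertising stack already maintains between devices."""
    devices: Dict[str, Device] = field(default_factory=dict)

    def add(self, dev: Device) -> None:
        self.devices[dev.device_id] = dev

    def linked_devices(self, device_id: str) -> Set[str]:
        """Every device the business can tie to this one: by account when the
        user is authenticated, otherwise by shared pseudonymous profile."""
        dev = self.devices[device_id]
        if dev.account is not None:
            return {d.device_id for d in self.devices.values() if d.account == dev.account}
        if dev.profile is not None:
            return {d.device_id for d in self.devices.values() if d.profile == dev.profile}
        return {device_id}


class OptOutRegistry:
    """Records opt-outs and gates outbound sharing to in-house and third-party ad sinks."""

    def __init__(self, graph: IdentityGraph, account_wide: bool) -> None:
        self.graph = graph
        self.account_wide = account_wide          # False reproduces the siloed behaviour
        self.opted_out: Set[str] = set()
        self.partner_notifications: List[Tuple[str, str, str]] = []

    def opt_out(self, device_id: str, method: str, partners: List[str]) -> Set[str]:
        """Apply an opt-out received from one device by any method (web form,
        in-app toggle, GPC). Returns the set of devices it was applied to."""
        targets = self.graph.linked_devices(device_id) if self.account_wide else {device_id}
        self.opted_out |= targets
        # Third-party notification: every partner that received this consumer's
        # data is told about the request (who, from which device, by which method).
        for partner in partners:
            self.partner_notifications.append((partner, device_id, method))
        return targets

    def may_share(self, device_id: str) -> bool:
        """The gate every outbound data flow must consult before sending."""
        return device_id not in self.opted_out


def request_has_gpc(headers: Dict[str, str]) -> bool:
    """GPC is carried in HTTP as the `Sec-GPC: 1` request header (header names
    are case-insensitive, so normalise before comparing)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("sec-gpc", "").strip() == "1"


def audit_leaks(registry: OptOutRegistry, device_id: str) -> List[str]:
    """Devices the identity graph links to `device_id` that would still share
    data after an opt-out from that device. A compliant system returns []."""
    return sorted(d for d in registry.graph.linked_devices(device_id) if registry.may_share(d))


def build_constructed_graph() -> IdentityGraph:
    """Constructed sample: one bundle subscriber on three devices plus an
    anonymous browser that shares a pseudonymous profile with a second browser."""
    g = IdentityGraph()
    g.add(Device("laptop:disney+", account="acct-1", profile=None))
    g.add(Device("tablet:hulu", account="acct-1", profile=None))
    g.add(Device("tv:espn+", account="acct-1", profile=None))
    g.add(Device("browser-a", account=None, profile="px-9"))
    g.add(Device("browser-b", account=None, profile="px-9"))
    return g


def run_audit(account_wide: bool) -> List[str]:
    """Opt out once from the laptop (in-app toggle) and once from browser-a (GPC),
    then report every linked device that still leaks."""
    reg = OptOutRegistry(build_constructed_graph(), account_wide)
    reg.opt_out("laptop:disney+", "in-app toggle", ["adtech-partner-1", "adtech-partner-2"])
    if request_has_gpc({"Sec-GPC": "1"}):        # constructed request headers
        reg.opt_out("browser-a", "gpc", ["adtech-partner-1"])
    return audit_leaks(reg, "laptop:disney+") + audit_leaks(reg, "browser-a")


if __name__ == "__main__":
    print("device-scoped leaks :", run_audit(account_wide=False))
    print("account-wide leaks  :", run_audit(account_wide=True))
```

The device-scoped run reports the tablet, the TV, and the second browser as still sharing after the opt-out; the account-wide run reports nothing. The design point is that `linked_devices` is the same lookup the ad stack uses to stitch a user across devices, so the opt-out path cannot be less complete than the targeting path, and `audit_leaks` is the check to run continuously, against the real sharing gate rather than a database flag, for the monitoring item in the list above.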

Sector-Specific Considerations

Telecommunications and Internet Service Providers: Companies offering bundled services (mobile, broadband, television) face heightened risk. The same identity symmetry principle that caught Disney applies directly—if you can track a customer across their phone, home internet, and TV service for marketing or network optimization, you must honor opt-out requests across all three services simultaneously.

Automotive Industry: Connected vehicle platforms that link in-car infotainment systems with mobile apps and web portals must ensure opt-out requests propagate across all touchpoints. The challenge is particularly acute given the limited privacy controls in many vehicle operating systems and the involvement of multiple third parties (vehicle manufacturers, infotainment system providers, mapping services, insurance telematics).

Healthcare and Wellness Technology: Following the Healthline settlement’s focus on sensitive health data, companies operating across web, mobile apps, and connected devices (fitness trackers, medical devices) should pay special attention to ensuring opt-out completeness, particularly given the heightened sensitivity of health information.

Retail and E-Commerce: Retailers connecting online shopping, mobile apps, in-store systems, and loyalty programs must verify that a customer’s opt-out in any channel stops data sharing across all channels and all retail brands under common ownership.

Advertising Technology Vendors: The settlement’s requirement that Disney notify all third-party advertising partners of consumer opt-outs creates obligations for ad-tech companies to honor those requests and potentially forward them through the programmatic advertising supply chain. Vendors should prepare to receive and process substantially more opt-out notifications as publishers implement account-wide propagation.

The Broader California Enforcement Landscape

Escalating Financial Penalties

The Disney settlement represents a clear escalation in California’s enforcement posture. Comparing the monetary penalties across the Attorney General’s seven CCPA enforcement actions reveals an upward trajectory:

  • Sephora (August 2022): $1.2 million
  • DoorDash (February 2024): amount not disclosed
  • Tilting Point Media (June 2024): $500,000
  • Healthline Media (July 2025): $1.55 million
  • Sling TV (October 2025): $530,000
  • Jam City (November 2025): $1.4 million
  • Disney (February 2026): $2.75 million

The Disney penalty is 77% higher than the previous record and more than five times larger than the Sling TV settlement from the same investigative sweep. This escalation signals that initial settlements may have been deliberately calibrated low to encourage voluntary compliance, but the Attorney General’s patience with incomplete opt-out implementations has expired.

Investigative Sweeps as Enforcement Strategy

California has pioneered the use of sector-specific investigative sweeps as a privacy enforcement methodology. The Attorney General’s office has conducted sweeps targeting:

  • Streaming services and connected TV platforms (January 2024)
  • Location data collection practices
  • Employee information handling
  • Global Privacy Control compliance (September 2025, coordinated with Colorado and Connecticut)

This approach allows California to develop industry-specific compliance expectations, identify common patterns of non-compliance, and create enforcement precedents that guide businesses beyond those directly investigated. Companies in sectors that have not yet been subject to a sweep should not assume they are safe—they should proactively implement the compliance lessons emerging from completed investigations.

The California Privacy Protection Agency’s Parallel Enforcement

While the Attorney General’s office has secured the Disney settlement, businesses must also contend with the California Privacy Protection Agency (CPPA), which has independent CCPA enforcement authority. The CPPA has pursued its own aggressive enforcement agenda, including record settlements with Tractor Supply ($1.35 million, September 2025) and coordinated sweeps on data broker registration compliance. The existence of two separate California regulators with overlapping jurisdiction means businesses face double exposure—either agency can initiate investigations, and their enforcement priorities may diverge.

The Real Cost: Beyond the $2.75 Million Penalty

While the monetary penalty captured media attention, privacy compliance experts universally agree that $2.75 million represents a small fraction of Disney’s total cost. Attorney Daniel Goldberg of Frankfurt Kurnit Klein & Selz noted that the penalty pales compared to the resources required to respond to an investigation of this complexity and implement the mandated changes.

The hidden costs include:

  • Engineering Resources: Redesigning opt-out systems across Disney+, Hulu, and ESPN+ to enable account-wide propagation across web, mobile, and connected TV platforms.
  • Legal and Compliance: Responding to investigative demands, negotiating settlement terms, drafting and implementing compliance programs, and providing quarterly reports for three years.
  • Vendor Coordination: Renegotiating contracts with advertising technology partners to ensure they can receive and honor opt-out notifications; potentially replacing vendors who cannot meet technical requirements.
  • Infrastructure Overhaul: Implementing new systems to track opt-out status across all consumer touchpoints, notification mechanisms to third parties, and monitoring systems to verify compliance.
  • Opportunity Cost: Engineering and product teams diverted from revenue-generating features to privacy infrastructure remediation.

Industry observers estimate the total cost likely exceeds $20-30 million when accounting for all these factors, with ongoing maintenance costs for the required compliance monitoring programs. This 10-15x multiplier on the nominal penalty illustrates why prevention through proper initial compliance is dramatically cheaper than remediation after enforcement.

There are also reputational costs that defy quantification. Disney’s brand is built on trust, particularly trust that parents place in the company regarding their children’s content and data. Headlines about privacy violations and data selling undermine that carefully cultivated reputation, potentially affecting subscriber retention and acquisition far into the future.

The Future of Privacy Enforcement

Multi-State Coordination

California is not operating in isolation. The September 2025 GPC compliance sweep involved coordination between California’s Attorney General, the CPPA, and attorneys general in Colorado and Connecticut. As more states enact comprehensive privacy laws with opt-out rights (currently 20 states), expect increased coordination through vehicles like the Consortium of Privacy Regulators.

This coordination multiplies enforcement risk. A business that violates opt-out requirements may find itself simultaneously investigated by multiple state regulators, each with authority to impose separate penalties. The total exposure from a single compliance failure could easily reach tens of millions of dollars across multiple states.

Increasing Technical Sophistication of Enforcement

Attorney Goldberg observed that while Disney had many of the right optics—privacy policies, opt-out mechanisms, compliance programs—the investigation focused on mechanics and whether the systems actually worked. This represents a maturation of privacy enforcement from checking boxes on paper to verifying functional outcomes.

Expect future investigations to involve technical testing: do opt-outs actually stop data flows, or just update database flags? Are third parties truly notified and do they honor those notifications? Can consumers verify their opt-out status? Regulators are building technical capabilities to answer these questions empirically rather than accepting businesses’ representations at face value.

The Emerging Standard: Privacy Infrastructure Parity

The Disney settlement codifies what may become the fundamental principle of modern privacy compliance: privacy infrastructure must match advertising infrastructure in sophistication, completeness, and reliability. Organizations have proven they can build remarkably complex systems for tracking users across devices, platforms, and contexts; for real-time bidding on ad inventory; for enriching first-party data with third-party information; and for measuring advertising attribution across the customer journey. Privacy compliance demands equivalent investment and capability.

Disney’s Latest Privacy Fine Is a Turning Point in Privacy Enforcement

The Disney settlement represents far more than a record financial penalty. It establishes enforceable standards for how businesses must implement consumer privacy rights in an era of sophisticated, cross-platform data monetization. The identity symmetry doctrine, the rejection of technical limitations as a defense, and the focus on actual functionality over formal compliance create a demanding new baseline for privacy programs.

For businesses, the message is unambiguous: offering opt-out mechanisms is not enough—those mechanisms must work comprehensively, across every service and device associated with a consumer. The fragmentation that once characterized privacy compliance, where each platform or service maintained isolated controls, is no longer acceptable.

The settlement also signals a broader shift in regulatory philosophy. Early CCPA enforcement focused on fundamental failures—companies not providing opt-out mechanisms at all, or not honoring GPC signals whatsoever. We have entered a second phase where regulators examine the quality of implementation, the user experience of privacy controls, and the actual effectiveness of opt-out systems in stopping data monetization.

Companies cannot afford to wait for their industry’s investigative sweep. The lessons from streaming services, healthcare publishers, mobile gaming, and now Disney provide clear guidance on regulatory expectations. Organizations should conduct internal audits immediately, using the framework established by these settlements to identify gaps before regulators do.

The choice facing businesses is straightforward: invest now in privacy infrastructure that matches the sophistication of data monetization capabilities, or prepare for enforcement actions that will prove far more expensive in financial penalties, remediation costs, and reputational harm. The Disney settlement leaves no doubt which path regulators expect companies to choose. 

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a trial now.