Why Disney Owes $10M: Mislabeling Kids’ Videos on YouTube

The Federal Trade Commission announced that The Walt Disney Company agreed to pay a $10 million civil penalty and adopt new compliance measures to resolve allegations that Disney allowed personal data to be collected from children under 13 who watched kid-directed videos on YouTube—without first notifying parents or obtaining verifiable parental consent as required by COPPA. The case centers on Disney’s failure to properly designate certain YouTube videos as “Made for Kids,” which enabled targeted advertising and the collection of persistent identifiers from child viewers.

What the FTC Says Disney Did Wrong Regarding Childrens Privacy Requirements

At a high level, the FTC alleges Disney and an affiliated entity failed to correctly tag kid-directed videos on YouTube, which meant the platform could treat them like general-audience content and collect children’s personal data (e.g., persistent identifiers) for ad targeting—without parental notice and consent. The result: unlawful collection and use of data from viewers under 13.

• Mislabeling or non-designation of content that was plainly child-directed (e.g., preschool characters, animated franchises, nursery-rhyme formats).
• Allowing or not preventing behavioral advertising on videos that should have been treated as “Made for Kids.”
• Relying on default channel settings rather than video-level review appropriate for large libraries and mixed-audience channels.
• Failure to implement effective age-assurance and internal review processes for videos likely to be consumed by children.

Remedies contemplated: a mandatory system to designate kid-directed videos on YouTube accurately and keep targeted ads off those videos; adoption (or testing) of age-assurance technologies; and ongoing compliance and reporting obligations to the FTC.

What Counts as “Children’s Personal Data” Under COPPA

COPPA and its Rule (16 C.F.R. Part 312) define “personal information” broadly. Historically that has included names, contact info, geolocation precise to street level, photos/videos/audio containing a child’s image or voice, and persistent identifiers (cookies, IP addresses, device IDs) when used for more than strictly internal operations. In 2013 the FTC clarified that persistent identifiers themselves can be personal information; in 2025 the FTC finalized further updates, expanding and modernizing coverage (e.g., biometric identifiers and certain government-issued IDs).

• Name, address, email, telephone number.
• Persistent identifiers that track users over time/across sites (cookies, device IDs, IP addresses).
• Photos, videos, audio files containing a child’s image or voice.
• Geolocation precise enough to identify a street and city.
• Biometric identifiers (e.g., fingerprints, faceprints, voiceprints) included in 2025 updates.

The Rule requires notice to parents and verifiable parental consent (VPC) before collecting, using, or disclosing such data (with narrow exceptions), and it imposes data minimization, security, and deletion duties on operators of child-directed sites/services or others with actual knowledge they’re collecting from under-13 users.

How This Differs from FERPA (School Records Law)

FERPA is a separate federal law administered by the U.S. Department of Education, not the FTC. FERPA protects the privacy of students’ education records maintained by schools or districts that receive federal funds. It grants parents (and, at 18, students) rights to inspect, correct, and control disclosure of those records, and it restricts schools from disclosing personally identifiable information without consent, subject to defined exceptions. COPPA governs online services/content collecting data from children; FERPA governs schools’ education records.

Where KOSA Fits (and Why It Matters Even If Not Yet Law)

The Kids Online Safety Act (KOSA) would impose a “duty of care” on covered platforms to prevent and mitigate harms to minors (e.g., eating-disorder content, sexual exploitation), require safety settings by default, enable teen/parent controls, and mandate audits and researcher access. KOSA passed the U.S. Senate in 2024 but stalled; it was reintroduced in May 2025 in the 119th Congress and currently sits in Introduced status in the Senate Commerce Committee. If enacted, KOSA would complement COPPA by focusing on content- and design-related risks and accountability (audits, default safeguards), not just the notice-and-consent regime.

Enforcement in Context: Where Disney’s $10M Sits

1. Epic Games (Fortnite) — $275M COPPA civil penalty (largest to date) + separate $245M for dark-pattern refunds (non-COPPA).
2. YouTube/Google — $170M (2019) for alleged collection from kids via kid-directed channels.
3. Amazon (Alexa) — $25M and broad injunctive relief (2023).
4. Microsoft (Xbox) — $20M (2023).
5. Disney (YouTube videos) — $10M (2025).
6. Musical.ly/TikTok — $5.7M (2019).

How Disney’s Alleged Violations Compare to Prior FTC Cases

Like YouTube/Google (2019), the Disney theory turns on kid-directed content and collection of persistent identifiers without VPC—triggered here by mislabeling or under-labeling videos. The twist: a major content provider is paying and undertaking design obligations, signaling a broadening of who bears direct obligations for children’s data on large platforms. The order’s emphasis on age-assurance and systemic video review aligns with the FTC’s 2025 COPPA updates and the agency’s push to limit monetization of minors’ data.

Practical Takeaways: What Counts as “Kid-Directed”

Under COPPA, the FTC looks at content features—animation style, characters known to appeal to children, nursery-rhyme formats, subject matter, music cues, and marketing—plus audience analytics and other signals. On platforms like YouTube, “Made for Kids” is not a cosmetic tag; it’s the compliance switch that controls data collection and ad targeting. Failing to set it correctly can lead to illegal tracking of persistent identifiers and behavioral advertising to children.

Disney’s Compliance Checklist

• Video-level classification: Don’t rely on channel defaults. Implement two-pass review (automated screening + human validation) of each upload that could plausibly be kid-directed. Keep auditable logs.
• Age-assurance guardrails: Where platform tools exist, use them; where they don’t, apply conservative defaults (no targeted ads; disable data-sharing) for ambiguous content.
• Turn off behavioral ads by default for kid-directed content; restrict to contextual advertising only where permitted.
• Minimize data: Avoid collection beyond what’s strictly necessary for internal operations; document COPPA exceptions carefully.
• Strengthen notices & VPC: Provide clear, specific parental notices and verified consent paths before any collection from under-13s (outside narrow exceptions).
• Tighten vendor contracts: Bind adtech and analytics partners to no-tracking terms for minors; audit for leakage.
• Train creators & editors: Build a playbook with examples of kid-directed cues and require sign-offs pre-publish.
• Test and monitor: Run periodic audits of “Made for Kids” designations and flag anomalies (e.g., sudden spikes in 2–12 viewership on “general audience” videos).
• Prepare incident response: If misclassification occurs, be ready to reclassify, purge data, disable ads, and notify regulators where appropriate.

Lessons for Disney’s Peers

1. Labels are liability switches. On YouTube and similar platforms, content designations determine whether persistent identifiers can be used for ads. Treat that switch as a compliance control.
2. Age-assurance is coming for everyone. Even absent KOSA, the FTC is nudging operators and content owners toward age-assurance as a risk-reduction baseline.
3. The FTC’s COPPA scope keeps expanding. With 2025 updates, biometrics and new identifiers fall squarely within “personal information.”
4. Platform reliance ≠ compliance. A platform’s default settings won’t save you if your content is kid-directed. Build independent governance and QA.
5. Enforcement spans the ecosystem. Publishers, platforms, devices, and game ecosystems are all fair game.

Disney’s Data Privacy Future

The Disney settlement is a clear signal: it’s not enough to publish family-friendly videos and trust platform defaults. If your content could reasonably attract children, COPPA expects proactive classification, minimized data collection, and no behavioral ads—backed by age-assurance where feasible. While KOSA isn’t law yet, its momentum—paired with the FTC’s 2025 COPPA updates—means the bar is rising for design, governance, and audits around minors.

If you would like a privacy audit to see if your business is compliant then book a demo below with one of our privacy superheroes!