California Attorney General Rob Bonta today announced a settlement with The Walt Disney Company resolving allegations that the entertainment giant violated the California Consumer Privacy Act by failing to fully implement consumers' requests to opt-out of data sale and sharing across devices and streaming services. Under the settlement, which requires court approval, Disney must pay $2.75 million in civil penalties and implement comprehensive changes to how the company processes privacy requests across its streaming platforms.

The enforcement action marks the fifth major CCPA settlement secured by Bonta's office, following a $1.55 million agreement with Healthline Media LLC in July 2025 and a $1.4 million settlement with mobile gaming company Jam Cityin November 2025. The escalating penalty amounts signal intensifying state enforcement efforts against companies whose opt-out mechanisms fail to meet statutory requirements.

According to court documents filed in Los Angeles Superior Court, Disney operated two distinct opt-out methods that each failed to stop data sharing comprehensively. When consumers used opt-out toggles embedded in Disney's websites and apps, the company applied the request only to the specific streaming service the user was watching, and often only to the specific device. When consumers used Disney's webform, the company stopped sharing personal data through its own advertising platform but continued selling and sharing consumer data with specific third-party advertising technology companies whose code Disney embedded in its websites and apps.

Disney also failed to provide in-app opt-out methods in many connected TV streaming apps, instead directing consumers to its webform. This approach effectively left consumers with no way to stop Disney's selling and sharing from these apps, according to the complaint.

The settlement requires Disney to implement consumer-friendly, easy-to-execute opt-out processes allowing consumers to opt-out with minimal steps across all Disney streaming services. For logged-in consumers, Disney must effectuate opt-out choices across all Disney streaming services associated with the consumer's Disney account. The company must provide clear and conspicuous opt-out links within all Disney streaming services and ensure these links either immediately effectuate the consumer's choice or direct the consumer to a notice of right to opt-out containing an easy-to-use opt-out method.

Technical implementation failures exposed

The enforcement action reveals significant gaps between Disney's stated privacy practices and actual technical implementation. When a user requested to opt-out via an opt-out toggle in Disney's websites and apps, Disney only applied the request to the specific streaming service the user was watching, and often only the specific device the consumer was using. This meant that in most instances, using the toggle would not stop selling or sharing from other devices or services connected to the consumer's account.

For consumers who opted out using Disney's webform, Disney only stopped the sharing of personal data through the company's own advertising platform and offerings. However, Disney continued to sell and share consumer data with specific third-party advertising technology companies whose code Disney embedded in its websites and apps.

The technical failures affected Disney's streaming services including Disney+, Hulu, and ESPN+. These platforms serve as video services that Disney offers and operates for consumers to stream live and on-demand content over the internet via websites and applications for mobile and connected devices.

Comprehensive compliance requirements

The settlement imposes detailed technical requirements on Disney's opt-out mechanisms. The company must comply with CCPA provisions related to required notices and consumers' right to opt-out of selling or sharing personal information, including Civil Code sections 1798.100, 1798.120, 1798.130, and 1798.135, along with implementing regulations.

Disney must provide clear and conspicuous notice to consumers that the company conducts cross-context behavioral advertising using personal information obtained from third parties. Such notice must provide consumers a meaningful understanding of the information being collected, the categories of sources from which the personal information is collected, and direct consumers to Disney's notice of right to opt-out of sale and sharing.

When a logged-in consumer opts out, including through use of an opt-out preference signal, Disney must effectuate the consumer's opt-out choice across all Disney streaming services that Disney associates with the consumer's Disney account. When a consumer is not logged-in or does not have a Disney account and that consumer opts out, Disney must inform the consumer that it may be necessary to log-in to their Disney account or direct the consumer to provide the minimal amount of personal information necessary to fully effectuate the consumer's opt-out choice.

For consumers who do not have a Disney account, choose not to log-in to their account, or who do not provide the necessary additional information, Disney must treat the consumer's opt-out choice as a request to opt-out of sale or sharing for that browser, application, or device and any consumer profile that Disney associates with that browser, application or device, including pseudonymous profiles that Disney maintains in connection with selling, sharing, or cross-context behavioral advertising.

The notice of right to opt-out must be formatted and designed to fit and scale to the web browser, application, or device where it is provided. The notice shall not require a consumer to unnecessarily search or scroll through text to effectuate Disney's opt-out or use hard-to-find-links, unlabeled carets, arrows, or other hidden menu icons that add unnecessary steps and may be unclear.

Broader industry context

The Disney settlement arrives as Disney has been expanding its advertising technology capabilities across streaming platforms. In April 2025, Disney announced significant advancements in its advertising technology, expanding biddable ad capabilities across its streaming platforms and integrating new systems to address growing advertiser demands in the live content space.

Disney's advertising infrastructure includes the Disney Real-Time Ad Exchange (DRAX), which the company has connected directly to major demand-side platforms including Google's Display & Video 360 and The Trade Desk. These technical integrations, announced in March 2024, significantly simplified how advertisers access premium inventory across Disney's streaming platforms.

The settlement requirements address fundamental challenges in how streaming platforms implement privacy controls across fragmented technical environments. Connected TV advertising continues experiencing rapid expansion, with industry projections indicating CTV ad spending reaching $33.35 billion in 2025. The technical complexity of implementing privacy controls across smart TVs, streaming devices, gaming consoles, computers, mobile devices, and tablets creates implementation challenges for platforms collecting and sharing consumer data for advertising purposes.

California's privacy enforcement demonstrates sustained commitment to ensuring opt-out mechanisms function as intended. The state has emphasized Global Privacy Control as an automated browser-based mechanism allowing consumers to signal opt-out preferences without making individualized requests on every website. Disney's settlement requirements include specific provisions for processing opt-out preference signals consistently with applicable CCPA obligations.

Settlement details and timeline

Disney must provide compliance updates to the California Attorney General's office every 60 days until all Disney services comply with the opt-out requirements. Within 180 days of the effective date, and for a period of three years thereafter, Disney must implement and maintain a program to assess and monitor whether the company is effectively providing methods of opting out of selling and sharing that are consumer-friendly, easy to execute, require minimum steps, and which fully implement a consumer's opt-out choice account-wide on each web property, application, and device used to access Disney services.

The company must document and share the results of this review with the California Attorney General in an annual report for three years from the effective date. All reports, reviews, and sharing of information pursuant to the judgment shall be treated as confidential and as exempt from disclosure under relevant public records laws.

Disney must comply with a consumer's opt-out choice as required by CCPA, including notifying all third parties to whom Disney has sold or shared a consumer's personal information after the consumer submits the request to opt-out and before Disney complies with that request. Disney must direct these third parties to comply with the consumer's request and forward the request to any other person to whom the third party has made the personal information available during that time period.

With respect to personal information that Disney makes available to a third party, Disney must take reasonable and appropriate steps to ensure that such third parties use such personal information in a manner consistent with Disney's obligations under the CCPA.

The settlement prohibits Disney from selling or sharing the personal information of consumers that it has actual knowledge are children under 13 or minors aged 13 to 15 unless the minor or parent, in the case of a child, has affirmatively authorized such selling or sharing, as set forth in Civil Code sections 1798.120(c), 1798.135(c)(5), and implementing regulations.

Enforcement pattern emerges

Attorney General Bonta's office has demonstrated sustained focus on companies that create friction for consumers exercising privacy rights. The Healthline settlement in July 2025 revealed that even after users activated a "triple opt-out" through cookie banners, privacy links, and Global Privacy Control, investigators observed 118 cookies from advertising companies still being placed, with tracking continuing to send data transmissions to dozens of advertising firms.

The Jam City settlement in November 2025 found the mobile gaming company failed to provide CCPA-compliant opt-out mechanisms in any of its 21 mobile applications despite collecting and sharing consumer personal information almost exclusively through these mobile platforms. The investigation revealed the company collected and shared consumer personal information nearly exclusively through mobile games, creating obligations to implement in-app opt-out functionality rather than relying solely on website-based mechanisms that mobile app users rarely encounter.

Previous CCPA settlements include Sephora for $1.2 million in 2022, DoorDash for $375,000 in 2024, and Tilting Point Media for $500,000 in 2024. The escalating penalty amounts - from $375,000 to $1.4 million to $1.55 million and now $2.75 million - signal intensifying enforcement scrutiny of privacy compliance failures.

The California Department of Justice has conducted investigative sweeps targeting companies that appear to violate CCPA. In March 2025, the department sent letters to advertising networks, mobile app providers, and data brokers appearing to violate the statute. Similar sweeps addressed streaming apps and devices along with employee information practices.

Marketing industry implications

The settlement establishes clear expectations that opt-out obligations extend fully to streaming services regardless of technical architecture or business model choices. Companies collecting and sharing consumer data for advertising purposes across multiple devices and platforms must implement opt-out mechanisms that function comprehensively rather than in device-specific or platform-specific silos.

For streaming platforms operating sophisticated advertising technology infrastructure, the enforcement action demonstrates that technical complexity cannot excuse incomplete implementation of privacy rights. Disney's integration of programmatic advertising capabilities, dynamic ad insertion technology, and real-time bidding systems created corresponding obligations to ensure privacy controls functioned across this technical ecosystem.

The requirement to notify third parties of consumer opt-out requests and direct these third parties to comply creates accountability throughout the advertising supply chain. Disney must notify all third parties to whom it has sold or shared a consumer's personal information after the consumer submits the request to opt-out and before Disney complies with that request. This obligation extends the reach of consumer privacy rights beyond the initial platform to encompass downstream data recipients.

California privacy law updates that took effect January 1, 2026 expanded requirements for businesses to disclose whether personal information categories are sold or shared at or before the point of collection. Companies cannot collect additional categories of personal information or use data for purposes incompatible with initial disclosures without providing updated consumer notice.

The Disney case highlights fundamental questions about privacy implementation in streaming advertising. While platforms have invested heavily in advertising technology infrastructure to maximize revenue opportunities, privacy compliance requires corresponding investment in systems that fully effectuate consumer opt-out choices across fragmented technical environments.

Companies operating streaming services must evaluate current consent mechanisms, third-party relationships, and disclosure practices to ensure compliance with evolving requirements. The expanded scrutiny of technical implementation details suggests regulators will examine whether opt-out mechanisms function as intended rather than accepting surface-level compliance measures that leave gaps in actual data sharing practices.

Timeline

Summary

Who: California Attorney General Rob Bonta and The Walt Disney Company, including Disney DTC, LLC and ABC Enterprises, Inc., with jurisdiction exercised by the Superior Court of the State of California, County of Los Angeles.

What: A $2.75 million settlement resolving allegations that Disney violated the California Consumer Privacy Act by failing to fully effectuate consumers' requests to opt-out of data sale and sharing across all devices and streaming services associated with consumers' Disney accounts. The settlement requires Disney to implement comprehensive opt-out mechanisms that function across Disney+, Hulu, ESPN+, and other Disney streaming services, including clear and conspicuous opt-out links, proper handling of opt-out preference signals, notifications to third parties, and a three-year compliance monitoring program with annual reporting to the Attorney General.

When: The settlement was announced on February 12, 2026, subject to court approval. Disney must provide compliance updates every 60 days until all services comply with requirements, implement a comprehensive monitoring program within 180 days, and maintain that program for three years. The $2.75 million civil penalty must be paid within 30 days of the effective date.

Where: The enforcement action covers Disney streaming services accessible to California consumers, including Disney+, Hulu, and ESPN+, across all platforms including smart TVs, streaming devices, gaming consoles, computers, mobile devices, and tablets. Jurisdiction was established in Los Angeles Superior Court, with the settlement affecting Disney's operations nationwide as they serve California residents.

Why: The enforcement action addresses failures in Disney's technical implementation of privacy controls that left consumers unable to fully opt-out of data selling and sharing despite making such requests. The opt-out toggle mechanism only applied requests to specific streaming services and often only to specific devices, while the webform mechanism only stopped sharing through Disney's own advertising platform while continuing to share data with third-party advertising technology companies whose code Disney embedded in its platforms. The settlement aims to ensure Disney implements account-wide opt-out mechanisms that function comprehensively across all devices and services, protecting California consumers' statutory privacy rights while establishing compliance standards for streaming platforms collecting and sharing personal information for advertising purposes.

Share this article
The link has been copied!