MAGIC MEETS COMPLIANCE: California AG Drops The Hammer On Disney, Securing The Largest CCPA Settlement Yet At $2.75 Million. 

Add a comment

Hi CIPAWorld! 

Lei here with breaking news on the largest California Consumer Privacy Act (“CCPA”) settlement in history. 

California Attorney General Rob Bonta just announced yesterday, on February 11, 2026, that his office settled with Disney for $2.75 million over allegations of violating CCPA by failing to fully effectuate consumers’ opt-out requests to not sell or share customers’ data across all devices and streaming services associated with consumers’ Disney accounts. People of the State of California v. Disney DTC, LLC, No. 26STCV04425 (Cal. Super. Ct. L.A. Cnty. Feb. 11, 2026). Read the complaint and judgment here. CA_SUP_LAX_26STCV04425__Final_Judgment_and_Permanent_Injunction.pdf and 1 – Complaint (Disney).pdf  

We all know that Disney is not only Walt Disney World and the Disney Resorts. It also has a giant streaming ecosystem covering Disney+, Hulu, and ESPN+. Though you are saving money through the Disney Bundle offer, Disney allegedly collects your “personal information such as device identifiers, device type (e.g., laptop, TV, mobile device), IP addresses, and a user’s interaction with its streaming service products, including what types of content the user streamed and how long they watched,” then either works with third-party ad-tech companies or through its own advertising platform to carry out cross-context behavioral advertising. 

Basically, Disney allegedly built an entire advertising empire on the ability to connect your Disney+ login on your computer, to your Hulu app on your phone, to your ESPN+ on your smart TV, and serve you targeted ads EVERYWHERE. 

Per the allegations, when consumer tried to opt out? Sorry, technical limitations. You’ll need to opt out 10 separate times. Also, some of the apps just…can’t do opt-outs at all. Vendor issues, you know how it is. 

According to the complaint, the California AG’s office’s investigation found that “Disney’s opt-out methods had key gaps that obstructed the ability of consumers to completely opt-out out of and stop all sales/sharing of their data.” Disney’s opt-out mechanism was fragmented and ineffective: 

  • Opt-out requests often applied only to a specific device or service instead of all linked accounts. 
  • Consumers sometimes had to submit multiple requests across platforms and devices to fully exercise their rights. 
  • Many of Disney’s connected-TV apps lacked any functional in-app opt-out method. 

So if the complaint is true, while Disney could connect user data across devices for advertising purposes, it should honor the customer’s opt out requests and provide a mechanism that is customer-friendly and easy-to-use to opt out.  

Without admitting liability, Disney agreed to a stipulated judgment requiring operational changes, including: 

  • Clear and conspicuous notice about cross-context behavioral advertising practices.  
  • A simplified, consumer-friendly opt-out process requiring minimal steps.  
  • Account-wide opt-out enforcement across all Disney streaming services when a logged-in user submits a request.  

Additionally, a compliance monitoring program lasting at least three years is required.  

And on top of all of that, Disney’s also paying $2.75 million to the State. 

This is the second enforcement action stemming from California AG’s office’s 2024 Investigative Sweep of streaming services. Just months earlier, AG Bonta secured a $530,000 settlement with Sling TV LLC and Dish Media Sales LLC for failing to provide an easy-to-use method for consumers to stop the sale of their personal information and by failing to provide sufficient privacy protections for children. 

The escalation – from a mid-six-figure penalty to a multimillion-dollar settlement – demonstrates a clear enforcement trajectory: regulators are increasing penalties as expectations become more explicit. 

The message is very straightforward and clear. California regulators expect companies to operationalize consumer rights across their entire ecosystem – not merely provide formal mechanisms. For streaming platforms and ad-tech companies, if your systems are sophisticated enough to track users across devices, they must also be sophisticated enough to respect their privacy choices everywhere. 

No vendor excuses. No fragmented implementations. No partial compliance. The CCPA requires opt-outs to be “frictionless, simple, and comprehensive” 

From a customer and fan perspective, I actually see this outcome as encouraging. The company’s agreement to enhance compliance infrastructure signals that even industry leaders are adapting to stronger privacy norms. When major platforms raise their standards, the entire ecosystem benefits. The magic isn’t just in storytelling anymore – it’s in building technology that respects users while still delivering innovation. 

Disney learned the $2.75 million lesson. Don’t make it a $2.75 million (or even more) lesson for you too. 

Unknown's avatar

Published by Lei He

Lei is an associate attorney at Troutman Amin, LLP. Lei holds four law degrees from leading institutions across three major legal jurisdictions—China, the European Union, and the United States. Before joining Troutman Amin and transitioning into telemarketing, privacy, and TCPA-related class action defense, Lei focused on white-collar defense and complex cross-border regulatory compliance.

Leave a comment