California’s Record CCPA Settlement with Disney Underscores What Opt-Out Compliance Actually Requires
The California Attorney General’s office does not pick enforcement targets at random. When it trained its sights on Disney’s streaming ecosystem and emerged with a $2.75 million settlement, the largest in the California Consumer Privacy Act’s history, it did so with a specific, pointed message: if your technology can follow a consumer across every screen in their home for advertising purposes, it can follow that consumer’s opt-out choice just as far. The inability or unwillingness to do the latter while doing the former is not a technical limitation. It is a violation.
The complaint, final judgment, and permanent injunction filed against Disney DTC, LLC and ABC Enterprises, Inc. on February 11, 2026, deserve careful reading not just as a legal outcome, but as an operational compliance framework. For any in-scope business that collects consumer data, runs targeted advertising, and operates across multiple digital surfaces, which describes a substantial share of the modern digital economy, this settlement is a compliance blueprint and a warning rolled into one document.
How We Got Here
This enforcement action did not arrive without warning. In January 2024, Attorney General Rob Bonta launched an investigative sweep specifically targeting streaming services and their opt-out practices. That sweep signaled to the industry that the AG intended to scrutinize not just whether companies offered opt-out mechanisms, but whether those mechanisms actually worked in full.
The sweep produced its first public enforcement result with a settlement against Sling TV. Disney became its second, and far larger, result. At $2.75 million, it eclipses the prior record of $1.55 million set by the Healthline Media settlement in July 2025, which was itself described at the time as the largest CCPA settlement ever. The trajectory is clear: penalties are escalating, and California’s enforcement apparatus has fully arrived.
This is now the seventh enforcement action brought under the CCPA. Every single one has involved, in some meaningful way, the consumer’s right to opt out of the sale or sharing of personal information. That is not a coincidence; it reflects the deliberate enforcement priorities of the AG’s office and its sister agency, the California Privacy Protection Agency (CPPA).
The Core Problem: An Advertising System Far More Capable Than Its Privacy System
The sharpest part of the AG’s case against Disney is the asymmetry argument, and it resonates because it is so intuitively obvious once stated. Disney operates Disney+, Hulu, and ESPN+ under a unified account and bundle structure. When consumers log in to any of these services on any device—a laptop, a tablet, a smart TV—Disney links that device to the consumer’s account and uses the resulting cross-device profile to power targeted advertising. Disney executives publicly promoted this capability. One quoted in the complaint described how even ad-free subscriptions were valuable to Disney’s advertising business because they provided “strong visibility into device ID,” allowing Disney to “see when that person is in other Disney experiences.” Advertisers paid a premium for the confidence that their message was reaching the same human being across multiple screens.
None of that is inherently illegal. The problem arose when consumers sought to stop it.
The CCPA gives California consumers numerous privacy rights, including the right to opt out of the sale and certain sharing of their personal information, such as for the purpose of targeted advertising. Disney provided multiple opt-out mechanisms — a webform, in-app toggles, and acceptance of the Global Privacy Control (GPC) browser signal. The investigation found that each of these mechanisms was fundamentally incomplete, and that together they still did not give consumers an actual way to stop Disney from selling and sharing their data.
The toggles stopped data sharing only for the specific service the consumer was using at the moment they activated the toggle, and often only for that specific device, even when the consumer was logged into their Disney account. Activating the Hulu toggle on a tablet did nothing to affect Disney+ data flowing from a smart TV, nor did it affect ESPN+ usage on a desktop.
The web form stopped data sharing only through Disney’s own advertising platform. It had no effect on the third-party ad-tech companies whose tracking code Disney had embedded throughout its websites and apps. Those continued collecting and transmitting consumer data regardless of whether a web form was submitted. Worse, for consumers using Disney’s connected TV apps (on Roku, for example), there was no in-app opt-out mechanism at all. Disney directed those consumers to the web form, which it knew would not address data flows originating from the connected TV app.
The GPC signal was honored only for the device and session in which it was detected, even when the consumer sending it was actively logged into their Disney account. California law requires businesses to treat a GPC signal from a known, logged-in consumer as an account-wide opt-out. Disney treated it as nothing more than a device-level flag.
The combined effect was wide-ranging in its inadequacy. A Disney bundle subscriber accessing services across three types of devices would have had to express their opt-out preference up to ten separate times — once per service per device using the toggles, plus the web form — and still may not have achieved a complete opt-out. The AG’s office put it plainly, with a nod to Disney’s own catalog: “Consumers shouldn’t have to go to infinity and beyond to assert their privacy rights.”
Disney’s response, that vendor and technological limitations prevented it from applying opt-outs across devices and services in the same way it applied advertising targeting, was precisely the argument the AG rejected. The principle the complaint establishes is one privacy practitioners should internalize immediately: if a business can associate a consumer’s devices with that consumer for advertising purposes, it can and must associate those devices with the consumer to honor opt-out rights. Technical complexity is not a defense when the technical capability demonstrably exists for commercial exploitation.
What the Settlement Requires
Disney agreed to the entry of a Final Judgment and Permanent Injunction without admitting liability. Beyond paying $2.75 million within 30 days, the injunction imposes a structured compliance framework that warrants detailed examination.
Account-wide opt-out propagation. The centerpiece requirement is that when a logged-in consumer opts out, by any method, including the GPC, that choice must apply across all Disney streaming services associated with their account. For consumers who are not logged in or lack an account, Disney must at minimum honor the opt-out for that browser, application, or device, including any pseudonymous profiles tied to it. Disney must also inform non-logged-in consumers that logging in may be necessary to achieve a complete opt-out.
In-surface opt-out links. All Disney streaming services must include a clear and conspicuous opt-out link, formatted and scaled to the specific browser, app, or device where it appears. The link must not require excessive scrolling, hunting through submenus, clicking unlabeled carets, or navigating hidden icons. This requirement is particularly significant for connected TV apps, which had been the most egregious gap in Disney’s prior system.
Opt-out confirmation. Disney must give consumers a way to confirm that their opt-out has actually been processed, such as through the account settings or preferences menu. This seemingly simple requirement has real operational implications: opt-out systems must now be bidirectional, capable of recording and surfacing the status of a consumer’s choice.
No confusing choice architecture. The settlement prohibits Disney from designing its interface in ways that cause consumers to believe they must also select cookie preferences, audience measurement settings, or other choices in order to complete a CCPA opt-out, or that those other choices themselves constitute a full opt-out. This provision codifies the AG’s longstanding position that dark patterns in the consent and opt-out context are not merely poor UX; they are independently actionable consumer deception under California’s Unfair Competition Law.
Third-party notification and downstream compliance. Before Disney itself complies with a consumer’s opt-out, it must notify all third parties to whom it has sold or shared that consumer’s data, direct those parties to honor the request, and require them to cascade the request to any downstream recipients. Disney must also take reasonable steps to ensure those third parties use consumer data consistently with its CCPA obligations. This creates a chain of responsibility that extends well into Disney’s ad-tech partner ecosystem.
Ongoing monitoring and reporting. The settlement imposes a two-track compliance reporting structure. Disney must provide the AG with progress updates on the remediation of its opt-out system every 60 days until all services are compliant. It must then implement and maintain a compliance assessment program for three years, with annual reports to the AG. All of these reports are confidential and exempt from public records disclosure.
Where This Fits in California’s Enforcement Story
California’s privacy enforcement trajectory has been building steadily, and the Disney settlement represents its sharpest expression yet. We have written previously about California’s emergence as the most aggressive privacy regulator in the nation, and each successive action has added specificity to what compliance actually requires in practice.
The CPPA’s enforcement action against Tractor Supply for $1.35 million established important lessons around opt-out rights and privacy disclosures. The Todd Snyder CPPA action added further texture around opt-out failures. The Healthline settlement addressed contractual failures regarding purpose limitation and data sharing, as well as opt-out issues. Jam City addressed children’s privacy. DoorDash addressed data sharing with third-party marketing cooperatives.
Disney synthesizes all of these threads and amplifies them. The settlement is not a departure from prior enforcement; rather, it is the logical culmination of that enforcement applied to one of the world’s most recognizable consumer brands at an unprecedented penalty level.
It is also worth situating this action within the broader multi-state enforcement environment. In September 2025, California joined Colorado and Connecticut in a coordinated investigative sweep specifically targeting GPC signal non-compliance. That sweep has not yet yielded public enforcement results, but given Disney’s explicit GPC failures, businesses should expect those results, whenever they come, to lean heavily on the Disney framework.
Our overview of the 2026 privacy compliance landscape covers the full scope of where state and federal enforcement is heading, including the growing role of the Consortium of Privacy Regulators in coordinating cross-state enforcement actions.
What Businesses Should Take Away
The Disney settlement is best understood not as a case about streaming services specifically, but as a case about any business that operates multiple digital properties under a common account system, embeds third-party ad-tech, and engages in cross-context behavioral advertising. That description applies broadly.
The settlement’s compliance requirements function as a de facto industry standard. Businesses that read them carefully and audit their own systems against them will be better positioned than those that do not. A few specific areas merit immediate attention.
The identity symmetry principle should reshape how engineering and product teams think about building privacy infrastructure. If your systems maintain a unified consumer identity across properties and devices for targeting and measurement purposes, your opt-out systems must operate at the same level of identity resolution. Segregated, service-by-service opt-out mechanisms are not compliant if they leave data flows on other surfaces untouched.
GPC compliance cannot be treated as a checkbox. For logged-in consumers, a GPC signal must trigger an account-wide opt-out, not merely a device-level flag. Businesses that have implemented GPC detection at the browser level without connecting it to account identity systems need to revisit that implementation now.
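An added illustration (not Disney's code and not taken from the settlement) of the account-wide rule in the two paragraphs above and in the injunction's propagation requirement: an opt-out, including a GPC header seen on a logged-in session, is stored against the account and evaluated through the same device-to-account links that targeting uses. The store, function names, and device and account ids are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class OptOutStore:
    accounts: set = field(default_factory=set)        # account-wide opt-outs
    devices: set = field(default_factory=set)         # browser/app/device opt-outs
    device_owner: dict = field(default_factory=dict)  # device_id -> account_id

    def link(self, device_id, account_id):
        """Record a login: the same device-to-account link ad targeting uses."""
        self.device_owner[device_id] = account_id

    def record_opt_out(self, device_id, account_id=None):
        """Store an opt-out from any channel (toggle, web form, GPC)."""
        if account_id is not None:
            self.accounts.add(account_id)
            return "account"
        # No account known: honor for this device and prompt the consumer
        # that logging in may be needed for a complete opt-out.
        self.devices.add(device_id)
        return "device"

    def status(self, device_id):
        """Opt-out state for a device, usable for a confirmation screen."""
        if self.device_owner.get(device_id) in self.accounts:
            return {"opted_out": True, "scope": "account"}
        if device_id in self.devices:
            return {"opted_out": True, "scope": "device"}
        return {"opted_out": False, "scope": None}

    def may_sell_or_share(self, device_id):
        """Single gate every service calls before a sale or share event."""
        return not self.status(device_id)["opted_out"]


def gpc_enabled(headers):
    """True when the request carries the GPC header (Sec-GPC: 1)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("sec-gpc", "").strip() == "1"


def handle_request(store, headers, device_id, session_account=None):
    """Apply GPC at the widest identity level known for this request."""
    if session_account is not None:
        store.link(device_id, session_account)
    if gpc_enabled(headers):
        return store.record_opt_out(device_id, session_account)
    return None
```

Because the gate takes no service argument, a choice made on one property cannot be scoped to that property alone, which is the failure the complaint describes for the per-service toggles.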
Targeted advertising programs that rely on third-party ad-tech need contractual and operational mechanisms to cascade opt-out requests to all partners within the required timeframe. A robust data processing agreement, privacy compliance, and consent management infrastructure are not optional; they are prerequisites for compliant opt-out execution under the standard established by the Disney settlement.
The deception theory under California’s UCL deserves particular attention from legal and product teams alike. The AG characterized incomplete opt-out mechanisms — those labeled as full opt-outs but that do not function as such — as consumer fraud, not merely technical violations. This elevates the legal risk profile of opt-out UI/UX design decisions, meaning that cookie and consent interface design is now squarely a legal compliance function.
The AG has also demonstrated consistently that it investigates proactively through sweeps rather than waiting for consumer complaints. Businesses in streaming, adtech, location data, and now surveillance pricing should operate under the assumption that they may already be under some form of scrutiny. The Disney case arose from a sweep announced publicly more than two years before the settlement was filed; the investigation timelines are long, and the enforcement results are significant.
Looking Ahead
The Disney settlement will not be the last word. The AG’s most recent investigative sweep, announced in early 2026, targets surveillance pricing, the use of personal data to set individualized prices for consumers. This represents an expansion of the CCPA’s opt-out and transparency framework into pricing practices, with implications for e-commerce, retail, and financial services that are still being assessed.
The CPPA continues to build its own enforcement docket in parallel with the AG, and the two agencies are coordinating in ways that create a layered exposure for California-regulated businesses. The question of federal preemption remains open, but, as we have analyzed elsewhere, California’s enforcement will continue regardless of how federal developments unfold, and the practical cost of a multi-year enforcement investigation dwarfs the cost of proactive compliance.
The Disney settlement leaves the industry with a clear standard and diminishing room for doubt about what it requires. A consumer opt-out must actually stop all selling and in-scope sharing, across all services, on all devices, through all channels. Building a system that does that, rather than a system of partial mechanisms that collectively fall short, is the work that every business engaging in data-driven marketing and advertising needs to undertake.