Disney agrees to $2.75 million CCPA settlement for not honoring opt-outs across streaming services

The California Attorney General (AG) has announced a $2.75 million settlement with Disney over allegations that its streaming services violated the California Consumer Privacy Act (CCPA) by failing to effectively process targeted advertising opt-outs.

Key takeaways

• Disney’s web opt-out form did not limit data sharing with advertising third parties
• Disney allegedly provided a fragmented opt-out process that required users to opt out separately across multiple devices and apps
• The company allegedly failed to honor opt-out preference signals comprehensively and knew its connected TV opt-out methods were ineffective
• Under the settlement, Disney must implement a consumer-friendly, account-wide opt-out process and pay a $2.75 million civil penalty. Payment is due no later than 30 days from the date of the ruling. 

Why does this CCPA case against Disney matter?

The verdict, announced on February 11, 2026, was the largest CCPA settlement in California history until GM agreed to settle for $12.75 million on May 8, 2026.

California Attorney General (AG) Rob Bonta said, “Consumers shouldn’t have to go to infinity and beyond to assert their privacy rights. Today, my office secured the largest settlement to date under the CCPA over Disney's failure to stop selling and sharing the data of consumers that explicitly asked it to,” said Attorney General Bonta. 

“California’s nation-leading privacy law is clear: A consumer’s opt-out right applies wherever and however a business sells data — businesses can’t force people to go device-by-device or service-by-service. In California, asking a business to stop selling your data should not be complicated or cumbersome. My office is committed to the continued enforcement of this critical privacy law.”

• The verdict stems from a January 2024 investigative sweep of streaming services, and the AG calls this the second enforcement action from that sweep (and the seventh CCPA enforcement action overall).
  
  
• This landmark case raised the bar for CCPA enforcement because it demonstrates that opt outs must be honored at the user account level, not just for a single service or device. 

Linking devices across platforms

Disney operates streaming services including Disney+, Hulu, and ESPN+.

The company collects personal information, such as device identifiers and viewing history, to serve targeted ads via its own platform and third-party ad-tech companies.

To maximize ad revenue, Disney links multiple devices (like smartphones, laptops, and connected TVs) to individual consumer accounts.

What were the CCPA allegations?

For targeted advertising purposes, Disney could link multiple devices to one individual. But when consumers requested to opt out of targeted advertising (exercised their “right to opt out of the sale and sharing of personal information”), the California AG alleged that Disney failed to make the same links.

Disney’s web opt-out form did not limit data sharing with advertising third parties

Completing the company's opt-out webform only stopped data sharing with Disney’s internal ad platform, not third-party ad partners.

Disney allegedly implemented a disjointed opt-out system.

Using an in-app opt-out toggle or an Opt-Out Preference Signal (OOPS) like the Global Privacy Control (GPC) only applied to the specific device and service being used at that moment.

A consumer with a Disney bundle would allegedly have to opt out up to ten times across different devices to fully stop data sharing.

As the verdict notes: “The Global Privacy Control: For consumers who opted out via the Global Privacy Control (GPC), Disney limited the request to the specific device the consumer was using, even when the consumer was logged into their account. The GPC is an easy-to-use ‘stop selling or sharing my data switch’ that is available on some internet browsers or as a browser extension.”

Connected TV opt-outs

The AG also highlighted CCPA violations regarding Disney's connected TV streaming apps.

Disney allegedly did not provide an in-app opt-out mechanism for these devices, citing technical limitations. Instead, Disney directed consumers to use a webform on a computer or mobile device.

The AG alleged that this webform would not stop the tracking code embedded in the connected TV apps, making it impossible for consumers to stop the sale and sharing of personal information from those devices.

What does the settlement require?

Disney agreed to pay a $2.75 million civil penalty without admitting liability. The company must implement a frictionless opt-out process that properly honors the GPC.

To be compliant from now on, when a logged-in user opts out, Disney must apply that choice across all streaming services associated with their account. In other words, an account-wide choice, across every device. But that’s not all. 

Accepting this judgment, albeit without admitting liability, means that Disney needs to make the following changes:

• Disney needs to stop selling/sharing and cross-context behavioral advertising for the opting-out consumer.
  
  
• In-app “Do Not Sell or Share”: Implement a clear and conspicuous opt-out link that must exist inside every Disney streaming service. The “Do Not Sell or Share” button must be designed to fit the device and not rely on hard-to-find links, unlabeled carets/arrows, or hidden menu icons.
  
  
• Proof/confirmation of the opt-out: Disney must provide a way for consumers to confirm their opt-out was processed (e.g., inside account settings).
  
  
• No dark patterns: If Disney offers other preference choices (e.g., cookie preferences, email marketing, vendor-specific processing), it can’t present them in a way that confuses/deceives users into thinking they must pick them to opt-out, or that they function as a broader opt-out than they do.
  
  
• Downstream third parties: Disney must comply with opt-outs as required by CCPA, including notifying third parties if data sharing has or will take place. 

Logged-in compared to logged-out handling of consumer data:

• If logged in, the opt-out must be applied across all Disney streaming services associated with that account.
  
  
• If not logged in (or no account), Disney must tell the user to log in or provide the minimum additional information needed. Otherwise, Disney needs to still treat it as a device/browser opt-out, including for pseudonymous profiles tied to that device/browser.

Ongoing court oversight

There is also ongoing court oversight as a result of this. Disney must provide progress updates within 60 days and every 60 days until services comply.

After that, Disney needs to maintain a monitoring program and share results in an annual report for 3 years.

Final takeaways

To avoid similar enforcement, businesses should:

• Implement continuous privacy auditing across all platforms and linked devices to ensure opt-out signals are respected
• Establish strict digital tracking governance to map exactly where and how data is shared with ad-tech vendors

Ensure compliance with Privado AI

• Web Auditor: Scan your websites to verify consent banners, pixels, and data flows are compliant with each regulation in each location. Flag compliance risks in real-time with evidence for exactly what needs to be changed. No technical implementation required.
• App Auditor: Scan app files to ensure consent banners, SDKs, and data flows are compliant with each regulation in each location. Flag compliance risks in real-time with evidence for exactly what needs to be changed. No technical implementation required.

Disney CCPA verdict FAQs

What is the significance of this settlement? 

At $2.75 million, it's the largest CCPA settlement in California history, announced in February 2026. Beyond the financial penalty, it raises the bar for CCPA enforcement.. Data sharing opt outs must be honored at the user account level, not just for a single service or device. 

What changes must Disney now make? 

• Disney must implement a frictionless, account-wide opt-out that applies across all its streaming services and devices when a logged-in user makes a request 
• It must add a clear "Do Not Sell or Share" link inside every streaming app
• It needs to provide users with confirmation that their opt-out was processed
• Properly honour the Global Privacy Control
• Avoid dark patterns that could confuse users 

Disney is also subject to court oversight, with progress reports required every 60 days until compliance, followed by annual reports for three years.

What did Disney do wrong under CCPA? 

The reason for this verdict (albeit one without an admittance of liability) is that Disney failed to properly honour users' opt-out requests across its streaming services (Disney+, Hulu, and ESPN+). Its web opt-out form only stopped data sharing with Disney's own ad platform — not third-party ad partners.