Disney Fined $2.75M for CCPA Violations

California Attorney General Rob Bonta announced a $2.75 million settlement with Disney for violating the California Consumer Privacy Act (CCPA). The media giant failed to honor consumers’ requests to opt out of the sale or sharing of their data across all devices and streaming services. The $2.75 million is the largest settlement in the history of the CCPA.

Opt-out Violations

Disney owns the Disney+, Hulu, and ESPN+ (collectively known as the Disney Bundle) streaming services. Consumers could use the same login information for all three services. When a consumer logs into one of these services, Disney collects personal information, including device identifiers, device type, IP addresses, and the types of content the user watched and for how long. Disney and its partners use this information to target ads to consumers in at least two separate ways.

Disney works with third-party ad-tech companies to sell advertising on Disney’s websites and services, as well as to target ads for Disney products on third-party sites and services. Code embedded on the streaming websites and apps automatically collects and transmits consumer personal information to third parties. The third parties then combine consumer personal information with data collected from the Disney platforms to target ads to Disney users.

Disney also generates revenue by charging advertisers to place ads on Disney’s streaming platforms. The company combines the information collected from its streaming services with data purchased from third-party vendors to profile consumers and place them into audience segments based on characteristics such as income and predicted interests or purchasing intent for more precise targeted advertising.

Both types of targeted advertising constitute cross-context behavioral advertising as defined in the CCPA. The law gives consumers the right to opt out of such advertising. Businesses are also required to accept opt-out requests communicated by opt-out preference signals, such as the Global Privacy Control (GPC). Disney created the appearance that it was complying with these requirements by providing an opt-out web form, opt-out toggles in its streaming platforms, and accepting opt-out preference signals, such as the GPC.

During an investigative sweep, the Attorney General discovered that Disney’s opt-out methods prevented consumers from fully opting out of and stopping all sales/sharing of their data. The company’s mix of web forms, toggles, and responses to opt-out preference signals only partially triggered opt-out requests, rather than implementing them across all of Disney’s platforms. For example, Disney honored opt-out requests submitted through its web form only with respect to the company’s own advertising platform. Disney continued to share data with third-party ad-tech partners, violating the CCPA. Consumers who opted out via the toggle or through the GPC were opted out of Disney’s data sharing with ad-tech partners, but only for the specific service and device the consumer was using when they opted out.

Under Disney’s setup, consumers could only fully opt out if they completed Disney’s opt-out web form and used the opt-out toggle for each service on each device the consumer used. For customers with the Disney Bundle, this means they may have had to express their opt-out choice up to ten times. This was the case even though Disney was aware of which devices were associated with the user or connected to their account.

Even if a consumer had opted out on all services and devices, Disney may still have continued to sell or share their data through certain apps on specific types of connected devices. Citing vendor and technological limitations, Disney did not provide an in-app opt-out mechanism in many of its connected TV streaming apps. Instead, Disney directed consumers to use their computer or mobile device to visit Disney’s opt-out web form (see below).

Disney knew the web form would not impact embedded code that transferred personal information from these connected TV streaming apps to its ad-tech partners. As a result, there was no way for consumers to stop Disney from selling and sharing personal information from these apps.

See the full allegations and settlement details.

Along with the financial penalty, Disney must implement opt-out methods that fully stop the sale or sharing of consumers’ personal information as part of the settlement.

Other CCPA Enforcements

The Disney settlement is the first CCPA enforcement of 2026. 2025 was an active year, with these CCPA penalties issued:

• Gaming app Jam City was penalized $1.4 million for failing to offer users of its products a method to opt out of the sale or sharing of their personal information on its apps.
• Sling TV was fined $530,000 for failing to provide easy opt-out methods and not protecting children’s privacy.
• Tractor Supply was fined $1.4M by the CPPA for not honoring opt-out requests, not processing opt-out preference signals, and having insufficient privacy polices.
• In July, AG Bonta issued a $1.55M fine to Healthline for sharing data, including data that suggested the consumer could have had a health condition, with third parties without proper privacy protections.
• In May, clothing retailer Todd Snyder was fined $345,178 by the CPPA for not honoring opt-out requests for 40 days and requiring consumers to verify their identity to opt out of the sale or sharing of their data.
• In March, the CPPA fined Honda $632,500 for requiring excessive personal information to exercise privacy rights, having a longer process for opting out than opting in, and other violations.

CompliancePoint offers Cookie Management Services to help businesses avoid similar penalties. We can also help with all aspects of CCPA compliance. Reach out to us at connect@compliancepoint.com to learn more.