This enforcement action sends a very clear message: Opt‑out rights must actually work, everywhere, all at once.
If your company operates multiple applications, brands, devices, or platforms, this case should be a wake‑up call.
What Happened?
In February 2026, California Attorney General Rob Bonta announced a settlement with Disney over alleged violations of the California Consumer Privacy Act (CCPA). The issue wasn’t that Disney failed to offer opt‑outs. The issue was that those opt‑outs didn’t fully stop the sharing of data.
Consumers could take normal steps to opt out, but Disney applied the opt-out request to:
- only one application in their overall universe
- only one specific consumer device
- only Disney’s advertising systems, not third‑party advertising technology
As a result, consumer data could still be sold or shared even after someone explicitly said, “no thanks”, which violates the core tenet of the CCPA.
Why is this the biggest CCPA case so far?
This is the largest fine to date
At $2.75 million, it surpasses every previous public CCPA enforcement action.
The case came with a court‑ordered injunction
Disney didn’t just pay a penalty. A judge ordered permanent changes to how Disney must handle opt‑outs moving forward. That turns this case into a compliance blueprint for everyone else.
This raises the bar for what an “effective opt‑out” should look like
California is no longer asking: “Did you provide an opt‑out?” They’re asking: “Did it actually stop the data flows?”
How did California warn the industry?
This case didn’t come out of nowhere. In January 2024, the California DOJ launched an investigative sweep of streaming services, focused specifically on opt‑out compliance. The state made its expectations clear:
- Opt‑outs should be easy
- They should require minimal steps
- They should work across devices and services when a consumer is logged into an account
Disney was one of the companies examined as part of that sweep. This settlement is the second major enforcement action to come out of it, and by far the largest.
What did Disney do wrong?
According to the Attorney General and the settlement documents, Disney’s opt‑out mechanisms had several gaps:
Opt‑out toggles
- These were often applied only to the specific streaming service
- They were sometimes only applied to the specific device being used
DSR Webform opt‑outs
- These requests were limited to Disney’s own advertising platforms
- They did not stop data sharing via embedded third‑party trackers
Global Privacy Control (GPC) signal
- Signals were honored only on the specific device that sent them
- Signals were not applied across a user’s account or other devices
Consumers had to opt out multiple times in multiple places to get partial protection. This is not acceptable under the CCPA.
What are the regulators saying?
This case reinforces a simple but powerful rule: If you can connect users across devices for advertising, you must be able to connect opt‑outs across devices too.
Companies often argue that account‑level opt‑outs are “technically difficult.” California’s response is clear: If your technology stack can unify identity for monetization, it can unify identity for privacy rights.
Why does this matter beyond streaming services?
This isn’t just a “Disney problem” or a “media problem.” Any organization with multiple brands, applications, devices, and shared customer identities is exposed.
This includes retailers with web + mobile + loyalty programs, travel and hospitality companies, financial services firms, and marketplaces. If the opt‑out mechanism works in one place, but not everywhere in your connected universe, you’re now at risk.
What should you do?
Test the outcomes, not just interfaces
Don’t ask “Do we have an opt‑out?” Ask “Does data actually stop flowing after the opt‑out is used?” This is a very common mistake we identify with clients.
Make opt‑outs “account‑level”
If a consumer is logged in, their choice should follow them across devices, applications, brands, and platforms.
Honor GPC across the connected universe
Global Privacy Control (GPC) should not be device‑only if the user is authenticated.
Audit third‑party data sharing
Opt‑outs must suppress pixels, SDKs, server-side ad calls, and partner integrations.
Reduce friction
California expects opt‑outs to be easy to find, easy to use, and effective with minimal steps. Anything else is becoming an enforcement risk.
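The recommendations above, as an added sketch that is not taken from the settlement or from any company's systems: a GPC signal (the `Sec-GPC: 1` request header) recorded at account level, plus an outcome test that replays sessions and reports where data would still flow. The registry, destination names, and sessions are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed names for the page's list: pixels, SDKs, server-side ad calls, partners.
SHARING_DESTINATIONS = frozenset({
    "own_ad_platform", "third_party_pixel", "ad_sdk",
    "server_side_ad_call", "partner_integration",
})

@dataclass
class OptOutRegistry:
    account_level: bool = True          # False reproduces the device-only gap
    accounts: set = field(default_factory=set)
    devices: set = field(default_factory=set)

    def record(self, device_id, account_id=None):
        self.devices.add(device_id)     # device stays opted out after logout
        if account_id and self.account_level:
            self.accounts.add(account_id)

    def is_opted_out(self, device_id, account_id=None):
        return device_id in self.devices or account_id in self.accounts

def allowed_destinations(registry, headers, device_id, account_id=None):
    """Destinations that may receive this request's data for sale or sharing."""
    gpc = {k.lower(): v for k, v in headers.items()}.get("sec-gpc")
    if gpc == "1":                      # header names are case-insensitive
        registry.record(device_id, account_id)
    if registry.is_opted_out(device_id, account_id):
        return frozenset()              # suppress every destination, not only our own
    return SHARING_DESTINATIONS

def audit_outcomes(registry, sessions):
    """Outcome test: replay sessions, return (app, device) pairs still sharing."""
    return [(app, dev) for app, dev, acct, hdrs in sessions
            if allowed_destinations(registry, hdrs, dev, acct)]

# Constructed sessions: one GPC signal on a TV, then other apps and devices.
SESSIONS = [
    ("streaming_a", "tv-1", "acct-42", {"Sec-GPC": "1"}),
    ("streaming_b", "phone-1", "acct-42", {}),
    ("web_store", "laptop-1", "acct-42", {}),
    ("streaming_a", "tv-1", None, {}),  # same TV, logged out
]

if __name__ == "__main__":
    print(audit_outcomes(OptOutRegistry(account_level=False), SESSIONS))
    print(audit_outcomes(OptOutRegistry(account_level=True), SESSIONS))
```

With `account_level=False` the audit lists the phone and laptop sessions as still sharing; with account-level recording it returns an empty list.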
Final thoughts
California is building privacy enforcement through precedent. Each settlement clarifies expectations, each injunction becomes a reference point, and opt‑out rights are clearly the top priority.
The Disney case makes one thing undeniable: Privacy compliance is no longer only about notices and links. It’s about real‑world system behaviour.
The $2.75 million fine is just the headline. The real cost of getting this wrong is:
- Privacy Engineering re-work
- Vendor clean-up
- Regulatory scrutiny
- Reputational damage
Companies that treat opt‑outs as an actual privacy by design requirement, and not a legal checkbox, will be the ones best positioned for what comes next.
