Disney’s $2.75 Million California Privacy Settlement

On 11 February 2026, California’s Attorney General announced a massive $2.75 million settlement with Disney regarding opt-outs of selling and sharing of personal information under the California Consumer Privacy Act (CCPA).

For context on California’s definitions of selling and sharing, as well as the rules for applicability, please see our explainer, Understanding Your Obligations Under the California Consumer Privacy Act (CCPA).

The Investigative Sweep

This is the second enforcement action to come out of Attorney General Rob Bonta’s January 2024 investigative sweep of businesses with popular streaming apps, with respect to compliance with the CCPA. The investigation focused on compliance with opt-out requirements for businesses selling or sharing consumer personal information.

The first enforcement action was against internet-based live TV and streaming service provider Sling TV L.L.C. and Dish Media Sales L.L.C. on 30 October 2025, resulting in a $530,000 settlement. This settlement also rested on allegations regarding their opt-out processes, including directing consumers to a cookie preference management page which did not provide an opt-out for in-product data sales, not providing an in-app opt-out method, and failure to provide data collection and targeted advertising-free profiles or parental opt-in consents where children used their services.

The Allegations Against Disney

Whilst the judgment sets out the penalty and Disney’s obligations, because the matter was settled (as seems to be the preferred method of privacy enforcement in California) it does not directly contain the details of CCPA violations.

However, the AG’s press release (which is littered with Disney quotes, if you want an entertaining read!) and the original complaint allege issues with each of the opt-out methods Disney provided, uncovered as part of the California Department of Justice’s investigation of streaming services for CCPA compliance:

  1. No Comprehensive Opt-Out: If users opted out of selling/sharing on Disney’s websites and apps, the opt-out was applied only to the specific service (and often also to the specific device) being used.
  2. Ineffective Webform Opt-Out: If users opted out using Disney’s webform, Disney stopped sharing personal data through its own advertising platform and offerings but continued to sell/share personal data with third-party ad-tech companies whose code was embedded in Disney’s website/apps.
  3. No In-App Opt-Outs: Disney did not provide in-app opt-out methods for many of its streaming apps. Instead, it directed users to the webform, which was not stopping the sale/sharing of personal data through the apps – meaning there was no way to prevent Disney from conducting this selling and sharing.
  4. Global Privacy Controls: If users opted out using Global Privacy Controls, Disney limited the request to the specific device being used, even if the user was logged into their Disney account at the time.

Many of these issues seem to be of particular interest to the California AG because Disney has the ability to link consumer devices and data to target ads across services and devices as part of its targeted advertising business, and does not do the same with respect to opt-outs. According to the complaint, Disney claimed it was hindered in providing a comprehensive consumer identity-based opt-out by vendor and technical limitations.

The Enforcement Action

As well as paying the $2.75 million civil penalty, Disney is required to:

  1. within 60 days of the judgment date, and every 60 days thereafter until compliant, update on the progress of their compliance with the requirements to implement a consumer-friendly, easy to execute opt-out process that allows consumers to opt-out with minimal steps (subject to a number of specific requirements), and expeditiously update all relevant Disney services to comply with these requirements; and
  2. within 180 days of the judgment date, and for a period of 3 years thereafter, implement and maintain a program to assess and monitor whether they are effectively providing methods of opting out of selling and sharing that are consumer-friendly, easy to execute, require minimum steps, and which (as appropriate) fully implement a consumer’s opt-out choice account-wide on each web property, application, and device used to access the relevant Disney services, and that they are providing disclosures and notices compliant with the judgment. They must also provide an annual report to the California AG.

This was the largest settlement to date under the CCPA, and reinforces that the authorities in California are keen on enforcing the law on selling and sharing, which frequently includes the use of cookies and other ad-tech tools. It is important not only to have cookie banners and allow opt-out signals, but to ensure that they have the practical effect that the law requires.

Need help navigating CCPA compliance obligations?

To discuss how this requirement may apply to your organisation, please contact Benjamin Ross (Global Head of Privacy & Cybersecurity) or Jessica Vautier (Senior Associate) in Bortstein Legal Group’s Privacy team.
