$2.75 Million Record Settlement with Disney and California DOJ

Katarina C. Overberg
Associate, Corporate Department
Published: New Hampshire Business Review
March 2, 2026

Disney found out you can’t just wish upon a star and make compliance obligations disappear.

On February 11, 2026, California Attorney General Rob Bonta announced the largest enforcement settlement under the California Consumer Privacy Act (CCPA), resolving claims that The Walt Disney Company failed to adequately honor consumers’ opt-out rights – a core tenet of modern privacy law. The settlement carries a $2.75 million civil penalty and requires Disney to overhaul its opt-out mechanisms to ensure that Californians can actually exercise their statutory rights.

This settlement serves as a stark reminder that compliance with consumer opt-out rights, especially unified opt-out across platforms, accounts, and devices, is no longer aspirational; it’s mandatory.

This settlement also comes in the wake of Disney’s $10 million settlement with the FTC in December 2025 for violations of the Children’s Online Privacy Protection Act (COPPA), indicating a growing enforcement priority for several regulatory agencies.

Alleged CCPA Missteps

At the core was Disney’s alleged failure to implement comprehensive and effective opt-out mechanisms across its streaming services, like Disney+ and Hulu. The California Department of Justice’s (DOJ) investigation found that Disney’s system often resulted in partial or ineffective opt-outs.

Specifically, the California DOJ alleged:

  • Device-Specific Toggles: Opt-out toggles within Disney’s apps or websites operated only on the specific streaming service and often only the device where the request was submitted. This meant that opting out on one device didn’t necessarily propagate across a consumer’s account.
  • Partial Webform Enforcement: Opting out via Disney’s webform halted data sharing through the company’s own advertising platform but did not prevent sharing with embedded third-party ad tech services.
  • Insufficient GPC Response: When consumers sent a Global Privacy Control (GPC) signal, which is an emerging universal opt-out signal delivered by some browsers or extensions, Disney honored it only for the device from which it was sent, even if the user was logged in to a cross-device account.

Taken together, these deficiencies meant that Californian consumers could ask Disney to stop selling or sharing their data and still have their data sold or shared on other devices or via third-party trackers. According to the California Attorney General, that violates the CCPA.

Enforcement Priorities

The Disney settlement comes after a string of recent settlements by the California DOJ with companies including Sephora, DoorDash, Sling TV, and Healthline, targeting companies’ opt-out functionality, especially in digital ecosystems such as streaming services and websites.

A central point of contention in these cases was how businesses respond to universal opt-out signals, like the Global Privacy Control (GPC). The GPC is designed to allow users to broadcast a “Do Not Sell or Share” preference directly from their browser or via a browser extension, offering a standardized way to signal privacy preferences.

Underscoring a broader priority of enforcing compliance with opt-out requirements, the California Attorney General announced a coordinated investigative privacy sweep with Colorado and Connecticut in September 2025, focusing on businesses that might not be honoring opt-out requests sent through GPC.

This sweep signals that regulators are not only scrutinizing whether websites claim to provide opt-out mechanisms but also whether those mechanisms truly function as intended when consumers use universal opt-out signals.

Action Items

The Disney settlement and related enforcement context suggest several key priorities for organizations:

  1. Unified Opt-Out Architecture: Ensure that opt-outs operate at the account level across all platforms and devices.
  2. GPC Integration: Meaningfully integrate GPC and similar universal signals into privacy operations and identity resolution systems.
  3. Third-Party Tracking Awareness: Verify that opt-out requests cascade through all data sharing partners and embedded technologies, not merely internal advertising platforms.
  4. Audit and Test Mechanisms: Regularly test opt-out paths (including GPC) from the perspective of a real user, across devices and login states, to uncover and remediate gaps.

McLane Middleton’s Cybersecurity and Privacy team helps clients integrate privacy into system design, anticipate enforcement trends, and implement durable compliance frameworks that withstand scrutiny. In a landscape where “form over function” no longer suffices, we guide organizations toward solutions that are legally sound, technically operational, and regulator-ready. We can help. If you have questions about the state privacy regulations or need assistance assessing compliance, please contact a member of the McLane Middleton Cybersecurity and Privacy team.