$2.75M record settlement with Disney and California DOJ

Disney found out you can’t just wish upon a star and make compliance obligations disappear.

On February 11, 2026, California Attorney General Rob Bonta announced the largest enforcement settlement under the California Consumer Privacy Act (CCPA), resolving claims that The Walt Disney Company failed to adequately honor consumers’ opt-out rights — a core tenet of modern privacy law.

The settlement carries a $2.75 million civil penalty and requires Disney to overhaul its opt-out mechanisms to ensure that Californians can actually exercise their statutory rights.

At the core was Disney’s alleged failure to implement comprehensive and effective opt-out mechanisms across its streaming services, like Disney+ and Hulu. The California Department of Justice’s (DOJ) investigation found that Disney’s system often resulted in partial or ineffective opt-outs.

Specifically, the California DOJ alleged: Opt-out toggles within Disney’s apps or websites operated only on the specific streaming service and often only the device where the request was submitted. This meant that opting out on one device didn’t necessarily propagate across a consumer’s account.

Opting out via Disney’s webform halted data sharing through the company’s own advertising platform but did not prevent sharing with embedded third-party ad tech services.

When consumers sent a Global Privacy Control (GPC) signal, which is an emerging universal opt-out signal delivered by some browsers or extensions, Disney honored it only for the device from which it was sent, even if the user was logged-in to a cross-device account.

Taken together, these deficiencies meant that Californian consumers could ask Disney to stop selling or sharing their data and still have their data sold or shared on other devices or via third-party trackers. According to the California Attorney General, that violates the CCPA.

The Disney settlement comes after a string of recent settlements by the California DOJ with companies including Sephora, DoorDash, Sling TV and Healthline, targeting companies’ opt-out functionality, especially in digital ecosystems such as streaming services and websites.

A central point of contention in these cases was how businesses respond to universal opt-out signals, like the Global Privacy Control (GPC). The GPC is designed to allow users to broadcast a “Do Not Sell or Share” preference directly from their browser or via a browser extension, offering a standardized way to signal privacy preferences.

Underscoring a broader priority of enforcing compliance with opt-out requirements, the California attorney general announced a coordinated investigative privacy sweep with Colorado and Connecticut in September 2025, focusing on businesses that might not be honoring opt-out requests sent through GPC.

This sweep signals that regulators are not only scrutinizing whether websites claim to provide opt-out mechanisms but also whether those mechanisms function when consumers use universal opt-out signals.

The Disney settlement and related enforcement context suggest several key priorities for organizations:

Ensure that opt-outs operate at the account level across all platforms and devices.

Meaningfully integrate GPC and similar universal signals into privacy operations and identity resolution systems.

Verify that opt-out requests cascade through all data-sharing partners and embedded technologies, not merely internal advertising platforms.

Regularly test opt-out paths (including GPC) from the perspective of a real user, across devices and login states, to uncover and remediate gaps.

Katarina Overberg is a member of McLane Middleton’s Corporate Department. She can be reached at katarina.overberg@mclane.com.