Partial compliance is noncompliance: Lessons from California’s $2.75 million settlement with Disney

On February 11, 2026, California Attorney General Rob Bonta announced a $2.75 million settlement with The Walt Disney Company (“Disney”), the largest civil penalty to date under the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, “CCPA”), resolving claims that Disney’s opt-out mechanisms did not fully satisfy CCPA requirements. This settlement stems from California’s 2024 investigative sweep examining streaming services’ compliance with the CCPA.

The Attorney General’s complaint (“Complaint”) centered on Disney’s targeted advertising ecosystem across its streaming services (including Disney+, Hulu, ESPN+, together referred to as the “Disney Bundle”), which collected personal information such as device identifiers, IP addresses, device types, and detailed streaming behavior across an individual account’s multiple devices to facilitate cross-context behavioral advertising. However, Disney allegedly failed to implement opt-out mechanisms capable of fully effectuating consumers’ preferences.

Although Disney offered consumers multiple methods to opt out of the sale or sharing of their data, namely through a webform, opt-out toggles, and Global Privacy Control (GPC) signals, the Attorney General asserted that those opt-out mechanisms operated inconsistently across services, devices, and data-sharing channels, thereby not meeting the requirements of the CCPA. Specifically, the webform allegedly limited sharing only within Disney’s own advertising ecosystem while continuing to make disclosures to third-party ad-tech partners. Opt-out toggles and GPC signals reportedly worked only for the specific service or device where the request was made, rather than applying account-wide. Consumers were forced to submit separate requests across multiple services and devices, and some connected TV environments allegedly lacked in-app opt-out functionality altogether. As a result, even though consumers may have believed they had fully exercised their opt-out rights, the disjointed opt-out mechanisms purportedly stopped only certain data sale and sharing activities, rather than halting them completely as required by law.

Not only does the settlement require Disney to pay $2.75 million in civil penalties, but it also requires Disney to implement opt-out mechanisms that fully and effectively stop the sale or sharing of consumers’ personal information. Additionally, it requires Disney to provide the Attorney General with progress updates every 60 days until all Disney services reach full compliance and to report annually on the effectiveness of its opt-out methods for a period of three years. In announcing the settlement, Attorney General Bonta reiterated that a consumer’s opt-out right applies “wherever and however a business sells data,” and that “businesses can’t force people to go device-by-device or service-by-service.” The settlement is consistent with California’s broader efforts to eliminate friction for consumers exercising their privacy rights, as evidenced in initiatives like California’s Delete Request and Opt-out Platform (“DROP”) tool, which is intended to streamline and simplify the opt-out process.

Takeaways

The Disney settlement underscores that businesses cannot rely on fragmented opt-out mechanisms where data is collected and shared across services, devices, and platforms. Opt-out mechanisms must effectuate opt-out preferences and fully halt the sale and sharing of personal data (unless an exception applies).

This requirement can be particularly tricky because opt-out mechanisms can look like they are working on the surface while quietly falling short behind the scenes. A toggle on your website might function perfectly, but that signal may never reach a connected TV app, a third-party ad-tech partner, or a downstream data-sharing arrangement. These breakdowns often result not from bad intent, but from complex, layered tech stacks where a single integration change or vendor update can silently disrupt the chain and create hidden compliance gaps. The settlement shows that pointing to vendor and technical limitations is not a sufficient defense when those limitations do not hinder the association of devices with specific users for purposes of identity-based advertising. As established in the Complaint, “[t]he opt-out process must be frictionless, simple, and comprehensive. And if a business can associate a consumer’s devices with the consumer for advertising purposes, it can and must associate those devices with the consumer for purposes of honoring the consumer’s opt-out rights.”

Re-evaluating existing ad-tech architecture, implementing universal and verifiable opt-out mechanisms, and continuously testing and monitoring controls help organizations ensure that opt-outs appropriately suppress data flows and ad targeting. Validating opt-out performance from the outside in is crucial for detecting potential gaps. NRF’s proprietary NT Analyzer solution, for example, tests opt-out flows the way a consumer or regulator would actually experience them, flagging disconnects before they trigger enforcement actions. The message to the industry is clear: partial compliance is noncompliance.
