On February 11, California Attorney General Rob Bonta’s office (CA AG) announced a $2.75 million settlement—the largest settlement to date under the California Consumer Privacy Act (CCPA)—with the Walt Disney Company (Disney). 

The Complaint alleged that Disney sold to and shared personal information with third parties despite receiving opt-out requests, failed to treat opt-out preference signals as valid opt-out requests, and failed to provide opt-out methods that are easy to execute, require minimal steps, and are available on app-based devices. The Complaint alleged that Disney failed to apply consumer opt-out requests across its various interactions with the company, regardless of how the opt-out request came in.¹

This settlement is notable for a few reasons. It highlights how complicated compliance with data subject requests can be, especially for large companies that have multiple business units that consumers may interact with. This issue will only get more complicated as more states pass comprehensive privacy laws and when the delete request and opt-out platform goes into effect in California later this year for state’s registered data brokers. It also shows that regulators are paying attention to the specific details of companies’ compliance practices, including whether they are complying with a state’s law as it was intended to apply. 

In addition to the $2.75 million penalty, Disney will be required to implement injunctive relief, including implementing a consumer-friendly, easy-to-execute opt-out process with minimal steps, honoring a consumer’s opt-out choice across all Disney streaming services associated with the consumer’s account, and providing consumers with a way to confirm that their opt-out request has been processed. Disney is also required to create an internal monitoring program and annually report findings to the CA AG’s office.

In this post, we identify key takeaways from the settlement. To stay up to date on the latest California privacy law developments, please subscribe to the WilmerHale Privacy and Cybersecurity Law Blog.

Key Takeaways

1. Partial compliance is not sufficient to avoid an enforcement action. The Complaint focused on the asymmetry between how Disney recognizes the various devices connected to a single consumer account and how the company honors opt-out requests. The CA AG’s office alleged that Disney only effectuated opt-out requests submitted through its web form for its own advertising while continuing to share consumer data with third-party ad tech partners.
2. Regulators are focused on GPC compliance. The Complaint alleges that Disney failed to properly treat Global Privacy Control (GPC) signals as valid opt-out preference signals. Consumers who requested the opt-out via a toggle or through GPC were opted out only for the specific service and device the request originated from, even when the consumer was logged into their account. The Complaint made clear that the Attorney General expects a single opt-out request to trigger a system-wide opt-out, even for companies like Disney with multiple streaming services. 
3. Regulators are paying attention to how devices are tracked. The Complaint explains that streaming companies identify consumers across devices to more easily target and measure the effectiveness of their ads. As an example, the Complaint describes how advertisers can access consumer browsing history from a mobile phone to target ads for a product on a connected TV, later assessing whether the consumer purchased the product on a connected computer. Thus, if a company has the ability to associate multiple devices to a single consumer account, this settlement suggests that the CA AG’s office expects the same association to be applied for opt-out requests to be honored across all devices. 
4. Pseudonymous profiles or unlinked profiles do not fall outside of compliance obligations. To account for those consumers who are not logged into an account or who do not have an account, Disney must now inform consumers that it may be necessary to log in to the consumer’s account or direct the consumer to provide the minimal amount of personal information necessary to process the opt-out request. Still, the onus is on Disney to opt the requesting consumer out of the sale or sharing of any consumer profile they associate with the browser, application or device, including pseudonymous profiles Disney maintains in connection with selling, sharing or cross-context behavioral advertising.
5. Investigative sweeps are driving systemic enforcement. The CA AG’s office initially investigated Disney in January 2024 as part of a sweep of streaming services to audit compliance with the CCPA’s opt-out requirements. The investigation probed whether the streaming services reviewed offered an easy mechanism for consumers who want to stop the sale or sharing of their data. This settlement is the second enforcement action resulting from the investigation. While investigative sweeps are not new—the CA AG’s office has announced investigations into consumer pricing, employee data and geolocation collection practices to name a few—the enforcements resulting from these investigations signal a potential shift away from complaint-driven enforcement to a more proactive, sector-wide approach.
6. Connected-TV apps are an enforcement focus. The Complaint alleges Disney did not provide an in‑app opt‑out mechanism in many connected‑TV streaming apps (citing vendor/technical limitations) and instead directed consumers to a web form that Disney allegedly knew would not stop transfers via embedded third‑party code. As a result, consumers purportedly had no effective way to stop the sale or sharing of personal information from those apps—even after attempting to opt out.
7. Regulators care about policy language and implementation. This settlement marks a shift away from reviewing a company’s privacy policies toward reviewing a company’s implementation of its privacy policies. Companies should be mindful of their disclosures via privacy policies and consumer-facing websites, and of their implementation of these privacy guarantees on the back end.

1. The agreement stipulates that the judgment does not constitute evidence of or an admission by Disney regarding any issue of law, fact or liability alleged in the Complaint.