California Attorney General (AG) Rob Bonta announced the largest settlement under the California Consumer Privacy Act (CCPA) against The Walt Disney Company (Disney) for failing to honor customers’ requests to opt out of the sale or sharing of their data across all devices and streaming services linked to their Disney accounts. Essentially, Disney made it too difficult for consumers.  Businesses should evaluate their internal structure for responding to consumer requests. California has put a hefty price tag to make sure that more than appearances matter. As discussed in prior alerts, this follows the joint investigative sweep announced in September 2025 among California, Connecticut, and Colorado to investigate businesses refusing to honor consumers’ right to opt out of the sale of their personal information.

Disney owns and operates the Disney+, Hulu, and ESPN+ streaming services, each of which requires consumers to have an account and to log in before watching content from these services. In addition to charging subscription fees, Disney generates revenue in several different ways through advertising. It advertises within its streaming services, websites, and properties by selling space through third-party adtech companies and using its own advertising platform. To maximize its advertising revenue, Disney combines the information collected from its streaming services with data purchased or licensed from third-party vendors to profile consumers and place them into audience segments for advertising purposes. Both types of targeted advertising constitute cross-context behavioral advertising as defined in the CCPA.

The CCPA provides consumers with the right to opt out of this sale and sharing of their personal information. This means that businesses are required to provide consumers with a method to opt out on their websites and apps as well as to accept opt-out preference signals, such as Global Privacy Control (GPC). Interestingly, Disney had an opt-out webform and opt-out toggles in its streaming websites and apps, and it accepted opt-out preference signals such as the GPC on its streaming websites. However, on closer examination, Disney would not fully let a consumer opt out unless the consumer (1) completed Disney’s opt-out webform and (2) individually used the opt-out toggle for each service on each device the consumer used, even though Disney already knew exactly which devices were associated with the user or connected to their account. The California AG made clear this multistep process is not consistent with the CCPA and requires too much of a consumer. As part of the settlement, Disney will be required to pay a $2.75 million civil penalty and implement a consumer-friendly, easy-to-execute opt-out process that allows consumers to opt out with minimal steps. For consumers logged in to their Disney account, this means if they complete the webform or use an opt-out preference signal, Disney must effectuate the opt-out choice across all Disney services (including Hulu and ESPN+) associated with the consumer’s Disney account, on all websites and devices.

This enforcement action highlights that privacy compliance is judged on whether consumer rights actually work in practice, not merely on whether processes exist. When a consumer opts out of the sale or sharing of their personal information, their choice must be honored across all systems, platforms, devices, and vendors associated with that consumer, without requiring repeated or fragmented actions. Companies should take steps to ensure their processes work are not overly burdensome for consumers. For more information or to discuss data privacy compliance, the McCarter & English Cybersecurity and Data Privacy team stands ready to assist you.