Opt-Outs Didn't Go The Distance Operationally: Disney to Pay Record $2.75M CCPA Penalty
- Nikki K.
- 2 days ago
Root of the Matter
Yesterday, February 11th, Disney DTC, LLC and ABC Enterprises, Inc. (Disney) agreed to pay $2.75 million in civil penalties (the largest CCPA settlement to date) and comply with injunctive terms requiring more effective opt-out mechanisms. The CA AG alleged Disney failed to comprehensively effectuate consumer opt-out rights for the "sale" and "sharing" of their personal information across bundled services, web properties, and connected devices tied to a consumer's unified user account.
Real-World Consumer Moment
You did it. You opted out.
You toggled the settings on your phone. You found time to search for an opt-out page across the service you've been using on your phone, TV, and tablet. You're expecting much less personalization.
You're pretty sure you understand that "opt-out" should mean that you don't see more of these "helpful" promotions, yet the same targeted promotions appear after submitting your request.
You check your account again. There's no way to verify if your request applied beyond your one device. You try to "opt-out" once more through the website of the service itself. No noticeable change. To fully stop your data flow, you would need to repeat the same process multiple times per device on each app, and even then, there's no certainty it worked.
The only other option is to raise a formal complaint. But you might not know where to start or if it will make a difference.
Luckily for you, your frustration is precisely what regulators are noticing. This sense of disjointedness in connected technologies available to consumers is now what regulators are examining in the complex ad tech ecosystem.
Inside the Company
Ad tech is increasingly complex and deeply interwoven. The operational and technical considerations are extensive. From multiple service lines, to the underlying technologies and integrations, pixel usage, and ultimate impact on consumers across devices and digital properties, it's hard to even begin with step one: collection of the data elements with one business department and perhaps only one product line. Opt-out configuration is often implemented late in development after core advertising and data flows are already operational.
With the rise of complex privacy laws and numerous amendments coming into force across countries, states, and local regions, how can research and development and engineering teams keep up with the balance of innovation and the need to responsibly check that workflows and technical implementation work as intended? Without centralized governance efforts or at least coordinated decentralized execution and tech validation, opt-out systems risk becoming fragmented by design.
Background
This enforcement action follows a recently finalized $10 million settlement with the Federal Trade Commission (FTC) involving Disney-affiliated entities in December 2025 under the Children's Online Privacy Protection Act (COPPA). Disney now faces additional privacy concerns under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), placing the broader corporate family under heightened regulatory scrutiny.
Under CCPA/CPRA, covered businesses engaging in the "sale" or "sharing" of personal information must provide consumers with effective opt-out mechanisms that are easy to execute and require minimal steps. Per the complaint, the California Attorney General (CA AG) alleged Disney applied a disjointed approach to its opt-out system. Users attempting to opt out of the sale or sharing of their personal information through an opt-out toggle on Disney's site and app would find their request applied only to that specific device, for a particular service, when logged in. All other devices and additional services connected to that user's account were allegedly left unchanged despite the request.
Disney also provided a webform that offered only an opt-out of sharing personal information within its own ad tech platform and did not apply the request to any third-party ad tech providers embedded in its many apps and sites. With respect to the Global Privacy Control available on some internet browsers, consumers who tried to opt out that way found their opt-out limited to the specific device used, even when still connected to their unified account. The complaint further stated that a consumer needed to opt out up to ten separate times in order to completely express their opt-out request across Disney's websites and apps on all relevant and connected personal devices, in addition to Disney's standalone opt-out webform, and before any third-party ad tech partner opt-out considerations.
Under the settlement, in addition to the record-breaking $2.75 million monetary penalty, Disney's compliance obligations and continuous updates include:
- Compliance with CCPA/CPRA notice and opt-out requirements
- Clear and conspicuous notice of cross-context behavioral advertising using personal information obtained through third parties and notice of consumer right to opt out of sale/sharing
- Implementation of a consumer-friendly, easy-to-execute opt-out process with minimal steps for consumers across services
- Distinguished workflows for 1) consumers logged into a common account, 2) consumers not logged into or who do not have a common account, and 3) consumers who decline to log in, who do not have a common account, or who do not provide additional information
- Immediate effectuation of opt-out rights or direct access to notice of rights
- Confirmation of processing of opt-out requests (e.g., settings/preferences menu)
- Notification to downstream third parties and compliance with opt-out requests
- Continued refrain from selling/sharing personal information of known children/minors absent affirmative authorization
- Maintenance of a three-year compliance program with annual reporting to the CA AG, ensuring effective opt-outs
This settlement highlights an expectation that opt-out effectuation means cross-device consistency, account-level enforcement, Global Privacy Control recognition, and downstream vendor compliance. Vendor technical limitations are not sufficient mitigating factors in this complex context; the CA AG reminds covered businesses that they derive substantial benefits from identity-based advertising. Account-level personalization calls for account-level suppression.
Uncover Business Blind Spots
- Are you using any third-party ad-tech partners? What kind of tech is used? What data is collected (e.g., device identifiers, login)?
- Have you conducted thorough due diligence efforts to understand how those partners effectuate and honor opt-outs in California, notably, and for other relevant jurisdictions with heightened enforcement priorities? Are the opt-out flows comprehensive and frictionless? Are they tied to a common account login?
- How are you ensuring opt-out preference signals like the Global Privacy Control are working as intended across the company and your third parties?
- Do you have an in-app opt-out mechanism for any connected apps?
- Are you validating technical implementation? Or relying on vendor assurances? Are there clear and conspicuous notices about your cross-context behavioral advertising obtained via third parties and the corresponding right to opt out of the sale/sharing?
Consumer Pro Tips
- Are you accessing streaming services on several devices (e.g., laptop, phone, TV)? Have you decided if you want your personal information collected in these apps and shared with other companies and businesses?
- Do you know how to opt out of the sale/sharing of your personal information? What settings do you see?
- Confirm whether opt-outs are working across all your devices tied to your service account.
- Check out the Global Privacy Control via web browser to opt out.
- Document any failures or inconsistencies if opt-outs don't persist. Consider submitting complaints to regulators or consumer protection authorities about your experience. Your input often drives industry-wide inquiry.
Our Grounded Take
This is the seventh enforcement action under the CCPA, and it follows prior scrutiny of mobile gaming opt-outs in Jam City, Inc.'s recent settlement. The CA AG's efforts here signify the importance of functional consumer rights.
Companies should conduct a thorough review of their opt-out workflows across their full suite of services, consumer devices, digital properties, and downstream partners. If opt-out preferences do not travel the full technical distance, they do not satisfy the law.

