On February 11, 2026, California Attorney General Rob Bonta announced a $2.75 million settlement with The Walt Disney Company and ABC for systematically violating the California Consumer Privacy Act — marking the largest CCPA civil penalty settlement in the state’s history. Disney’s offense was not some exotic data breach or shadowy backroom deal. It was far more mundane and, frankly, more insulting: the company made it nearly impossible for consumers to actually opt out of having their personal data sold and shared, even when those consumers explicitly asked it to stop.
The fine lands at a moment when privacy enforcement is accelerating across the country, and it sends a blunt message to every corporation running a streaming platform, app ecosystem, or multi-service digital empire. If your opt-out mechanism requires consumers to jump through hoops on every device and every service separately, California considers that noncompliance — full stop. This article breaks down exactly what Disney did wrong, what the settlement requires going forward, how Global Privacy Control fits into the picture, and what consumers and other companies should take away from the ruling.
Table of Contents
- Why Did Disney Get Hit With the Largest CCPA Fine in California History?
- How Disney’s Opt-Out Toggles Failed Consumers Across Devices and Services
- The Global Privacy Control Problem — Why Device-Level Opt-Outs Are Not Enough
- What Disney Must Do Now — Settlement Terms and Compliance Requirements
- Partial Compliance Is Noncompliance — The Broader Enforcement Trend
- What This Means for Other Streaming and Tech Companies
- The Future of CCPA Enforcement and Consumer Privacy Rights
- Conclusion
- Frequently Asked Questions
Why Did Disney Get Hit With the Largest CCPA Fine in California History?
The short answer is that Disney treated opt-out requests like suggestions rather than legal obligations. When a consumer toggled the opt-out setting on, say, Disney+, that choice applied only to that specific streaming service and often only to the specific device the consumer was using at the time. If the same person also used Hulu or ESPN+ under the same Disney account, their data continued to be sold and shared on those platforms unless they submitted entirely separate opt-out requests for each one. The CCPA requires that opt-outs be frictionless, simple, and comprehensive. Disney’s system was the opposite of all three. Making matters worse, Disney’s webform-based opt-out process was limited to Disney’s own advertising platforms.
Behind the scenes, consumer data continued flowing through embedded third-party tracking pixels that the opt-out didn’t touch. So even a consumer who believed they had successfully opted out was still having their information shared with outside advertisers and data brokers. To put it plainly, Disney built an opt-out system that looked functional on the surface but failed to actually do what the law demands. Attorney General Bonta’s office saw through that, and the $2.75 million penalty is the direct result. For comparison, prior CCPA enforcement actions have typically resulted in penalties well under a million dollars. The Sephora settlement in 2022 was $1.2 million — previously the largest. Disney’s fine more than doubles that figure, signaling that California is done issuing wrist slaps.
How Disney’s Opt-Out Toggles Failed Consumers Across Devices and Services
The mechanics of Disney’s failure are worth understanding because they expose a design pattern that many large companies still use. When a consumer logged into their Disney account and toggled the “Do Not Sell My Personal Information” option, that toggle applied narrowly — only to the service they were currently watching and only on the device in front of them. A family with a Disney+ subscription on their smart TV, a Hulu account on a tablet, and ESPN+ on a phone would need to locate and activate separate opt-out settings on each service and each device to fully exercise their rights under the CCPA. This is not how the law works. The CCPA was written with the explicit understanding that consumers should not have to become privacy compliance experts just to stop companies from selling their data.
A single, clear opt-out request — especially one made while logged into an authenticated account — should propagate across all services tied to that account. Disney’s fragmented approach meant that most consumers who attempted to opt out almost certainly remained partially opted in, simply because no reasonable person would know they needed to repeat the process a half-dozen times. However, it is important to note a limitation here: the CCPA applies specifically to California residents, and this settlement is enforceable through the California Attorney General’s office. Consumers in other states may have different rights depending on their state’s privacy laws, and Disney’s obligations under this settlement are specifically tied to CCPA compliance. If you live outside California, this ruling does not automatically grant you the same protections — though it may pressure Disney to adopt uniform practices nationwide.
The Global Privacy Control Problem — Why Device-Level Opt-Outs Are Not Enough
One of the most significant aspects of this case involves Global Privacy Control, the browser-based signal that allows consumers to broadcast a universal opt-out preference to every website they visit. California law recognizes GPC as a valid opt-out mechanism under the CCPA. Disney technically honored GPC signals — but only for the specific device sending the signal. If a consumer had GPC enabled on their laptop browser but also streamed Disney content on a Roku, a phone, and a tablet, the opt-out only applied to the laptop. This is a critical distinction.
The Attorney General’s position is that when a consumer sends a GPC signal while logged into their Disney account, Disney has enough information to know who that person is and should apply the opt-out across their entire account. Limiting the response to a single device effectively guts the purpose of GPC, which is to make privacy choices automatic and universal. Disney’s approach turned a tool designed for simplicity into yet another partial measure that consumers would have to supplement with manual requests. For consumers who rely on GPC — and privacy advocates have been pushing hard to increase adoption — this settlement is a significant precedent. It establishes that companies cannot hide behind technical limitations when they have the ability to link a privacy request to an authenticated account. If you are logged in and you send a GPC signal, the company knows who you are and must act accordingly.
What Disney Must Do Now — Settlement Terms and Compliance Requirements
The settlement imposes concrete obligations that go well beyond writing a check. Disney must overhaul its opt-out mechanisms so that they fully stop the sale and sharing of consumer personal information — not just on one platform or one device, but comprehensively across all Disney services linked to a consumer’s account. When a logged-in user submits an opt-out request on any Disney streaming service, that choice must carry across Disney+, Hulu, ESPN+, and any other platform under the Disney umbrella. Disney is also required to provide progress updates to the California Attorney General’s office every 60 days until the company reaches full compliance. This is not a “fix it whenever you get around to it” situation — the AG’s office will be actively monitoring.
On top of that, Disney must maintain a compliance monitoring program for three years and submit annual reports to the Attorney General documenting how it is meeting its obligations. The tradeoff for Disney is straightforward but worth noting: $2.75 million is a rounding error for a company with Disney’s revenue. The real cost is operational. Rebuilding opt-out infrastructure across a sprawling ecosystem of streaming services, apps, and third-party advertising integrations is a significant engineering and compliance undertaking. For smaller companies watching this unfold, the lesson is to build these systems correctly from the start — retrofitting privacy compliance after an AG investigation is far more expensive and embarrassing than doing it right the first time.
Partial Compliance Is Noncompliance — The Broader Enforcement Trend
The most important legal principle reinforced by this settlement is one that should alarm any company currently running a half-baked privacy program: under the CCPA, partial compliance is treated as noncompliance. Disney did not completely ignore opt-out requests. It built toggles and webforms and technically processed some requests. But because those mechanisms did not fully stop data sharing across all channels, the Attorney General treated the entire system as a violation. This matters because a lot of companies are in exactly the same position Disney was in. They have privacy settings pages.
They have opt-out forms. They can point to processes that technically exist. But if those processes leave gaps — if data continues flowing through third-party pixels, if opt-outs do not cross device boundaries, if GPC signals are treated as device-specific rather than account-wide — then the company is exposed to exactly the kind of enforcement action Disney just faced. A word of warning for consumers as well: do not assume that submitting an opt-out request means your data is actually protected. Until companies are forced into compliance through enforcement actions like this one, many will continue operating systems that create the appearance of privacy control without the substance. Check whether your opt-out choices are reflected across all devices and services, and consider using tools like GPC in combination with manual opt-out requests to maximize coverage.
What This Means for Other Streaming and Tech Companies
Disney is not the only company running a multi-platform streaming ecosystem with fragmented privacy controls. Every major media conglomerate — from NBCUniversal’s Peacock to Paramount+ to Warner Bros. Discovery’s Max — operates across multiple apps, devices, and advertising networks.
If any of them are using device-specific or service-specific opt-out mechanisms similar to what Disney had in place, they should be treating this settlement as a direct warning. The California Attorney General’s office has been steadily increasing the pace and severity of CCPA enforcement since the law took effect. The progression from the Sephora settlement at $1.2 million to Disney at $2.75 million suggests that the next major enforcement action could carry an even larger penalty, particularly if the violating company had the benefit of seeing Disney’s example and failed to act.
The Future of CCPA Enforcement and Consumer Privacy Rights
Looking ahead, this settlement is likely a preview of more aggressive privacy enforcement across the country. California remains the standard-bearer, but states like Colorado, Connecticut, Virginia, and others have enacted their own consumer privacy laws with varying opt-out requirements. Companies operating nationally will increasingly need to adopt the most protective standard as their baseline rather than trying to maintain different compliance regimes for different states.
The Disney case also strengthens the argument for federal privacy legislation, which has stalled repeatedly in Congress. Until a national standard exists, companies face a patchwork of state laws with different requirements and enforcement mechanisms. For consumers, the practical takeaway is that California residents currently have the strongest protections, and enforcement actions like this one are the primary mechanism for making those protections real. The $2.75 million fine may not dent Disney’s bottom line, but the compliance obligations and the public precedent will shape how every major company handles opt-out requests for years to come.
Conclusion
Disney’s $2.75 million CCPA settlement is a landmark moment in consumer privacy enforcement. The case establishes that building an opt-out system riddled with gaps — one that forces consumers to repeat their requests across every device and every service — is not compliance. It is a violation. The settlement requires Disney to implement account-wide opt-out mechanisms, submit to ongoing monitoring, and report to the Attorney General for three years.
For other companies, the message could not be clearer: partial measures will be treated as failures. For consumers, the case is a reminder that exercising your privacy rights often requires vigilance beyond clicking a single toggle. Enable Global Privacy Control in your browser, submit opt-out requests through every available channel, and verify that your choices are being honored across all platforms and devices. And for anyone watching the broader trajectory of privacy enforcement in the United States, this settlement confirms that California is not slowing down — the fines are getting larger, the compliance requirements are getting stricter, and the days of treating consumer opt-out requests as optional are over.
Frequently Asked Questions
What is the CCPA and who does it protect?
The California Consumer Privacy Act is a state privacy law that gives California residents the right to know what personal data companies collect about them, the right to delete that data, and the right to opt out of the sale or sharing of their personal information. It applies to for-profit businesses that meet certain revenue or data-processing thresholds and do business in California.
Does the Disney settlement mean I will get money?
No. This is a civil penalty settlement between Disney and the California Attorney General’s office. The $2.75 million goes to the state, not to individual consumers. There is no claims process or payout for affected users.
How do I opt out of data sharing on Disney streaming services?
Following this settlement, Disney is required to implement opt-out mechanisms that apply across all its streaming services when you are logged into your account. You should look for “Do Not Sell or Share My Personal Information” options in your account settings. Additionally, enabling Global Privacy Control in your web browser will send an automatic opt-out signal to websites you visit, including Disney’s.
Does this settlement apply to Disney customers outside California?
The settlement is specifically tied to CCPA enforcement and applies to California residents. However, Disney may choose to implement uniform privacy practices across all users rather than maintaining separate systems for different states. Other states with their own privacy laws may offer similar protections depending on where you live.
What is Global Privacy Control and how do I enable it?
Global Privacy Control is a browser setting or extension that automatically tells websites you visit that you do not want your data sold or shared. It is supported in browsers like Firefox and Brave, and can be added to Chrome and other browsers through extensions. California law requires businesses to honor GPC signals as valid opt-out requests.
Can Disney face additional penalties if it does not comply with the settlement terms?
Yes. The settlement requires Disney to provide progress updates every 60 days and maintain a compliance monitoring program for three years with annual reports to the Attorney General. Failure to meet these obligations could result in further enforcement action and additional penalties.