In the Matter of Disney DTC, LLC and ABC Enterprises, Inc.
The Disney CCPA settlement signals a shift from formal compliance to architectural compliance. Learn why opt-out rights must function across accounts, devices, services, and ad-tech ecosystems—not just exist on paper.
Privacy law is no longer about posting links — it is about how systems behave.
From Formal Compliance to Architectural Compliance:
The Disney enforcement marks a turning point: a shift from formal compliance to architectural compliance.
This was not simply a case about a missing link or an incomplete disclosure. The Attorney General went further. The complaint alleges that when a company labels a mechanism as an “opt-out,” but structures it so that it does not fully effectuate the opt-out, that conduct is misleading. Likewise, telling consumers that Global Privacy Control signals are honored — when they are only partially implemented — creates a false impression of compliance. That is not just technical failure; it is deception under California’s consumer protection laws.
At its core, the case exposes a structural tension in modern digital business models: Advertising systems are architected holistically. Opt-out systems must be too.
The CCPA does not require companies to stop advertising. It requires them to stop selling and sharing personal information when consumers say no. And that “no” must function everywhere the advertising system functions — across services, across devices, across embedded third-party technologies, and across identity graphs.
In Disney’s case, it did not.
The bar is no longer whether an opt-out exists. The bar is whether it actually works — everywhere.
Key Enforcement Signals
- Record-Setting Penalty. The California Attorney General secured a $2.75 million civil penalty — the largest CCPA settlement to date — after concluding that Disney failed to fully effectuate consumers’ statutory opt-out rights.
- Fragmentation Is Not Compliance. Providing multiple opt-out tools is insufficient if each operates incompletely. Requiring consumers to opt out service-by-service and device-by-device — when the company maintains account-level identity resolution — does not satisfy the statute.
- Comprehensive Means Comprehensive. An opt-out must stop all selling and sharing of personal information across all associated services, devices, advertising contexts, and third-party ad-tech integrations, including pseudonymous advertising profiles.
- GPC Must Be Meaningful. Limiting the Global Privacy Control to a single browser or device is inadequate where cross-device identity capabilities exist. Frictionless signals must produce frictionless, account-wide suppression.
- System Design Is Now the Compliance Frontier. Enforcement is no longer focused on whether a link exists, but on whether architecture, vendor integrations, and user interface design collectively operationalize consumer choice.
Disney’s systems were sophisticated enough to track users across experiences. The settlement makes clear that privacy rights must travel just as far. And that is a much higher bar.
Factual Background
Disney DTC, LLC and ABC Enterprises, Inc., subsidiaries of The Walt Disney Company, operate major streaming services including Disney+, Hulu, and ESPN+.
These services require user accounts and logins and generate revenue not only through subscriptions but also through advertising.
The Attorney General alleged that Disney leveraged its ability to associate users across devices — including mobile phones, laptops, tablets, and connected TVs — to support cross-context behavioral advertising.
Specifically, according to the allegations:
(1) How Disney’s Advertising Machine Worked — and Where It Broke
Disney owns and operates Disney+, Hulu, and ESPN+. To watch content on any of these services, consumers must create an account and log in. Since 2019, Disney has also promoted the “Disney bundle,” allowing subscribers to access all three services with a single login.
Subscriptions generate revenue. But advertising generates leverage.
Disney recognized early that the real value of streaming was not simply showing ads like traditional television. It was building a detailed, cross-device understanding of its users. Even ad-free subscriptions, executives noted publicly, were “immensely valuable” because they provided visibility into device identifiers — allowing Disney to recognize when the same person moved across different Disney experiences.
That cross-device visibility matters. It allows advertisers to:
- Target ads based on browsing behavior from one device
- Show related ads on another device
- Measure whether a consumer later purchases a product
In other words, the Disney bundle was not just a content bundle. It was an identity bundle.
Each time a consumer logged into a Disney streaming service, Disney collected personal information such as:
- Device identifiers
- Device type (TV, laptop, mobile phone)
- IP address
- Viewing history and engagement data
When a user logged in on multiple devices, Disney associated those devices together for advertising purposes.
Disney monetized this information in two primary ways.
- First, like many digital platforms, it embedded third-party advertising technology into its apps and websites. These third-party ad-tech partners automatically received consumer data and combined it with information collected elsewhere on the internet to deliver targeted ads — both on Disney platforms and across the web.
- Second, Disney operated its own advertising platform. It enhanced streaming data with information purchased or licensed from data brokers and other vendors. Consumers were placed into audience segments based on attributes such as household characteristics, income proxies, browsing history, and predicted purchasing interests.
Both of these models qualify as cross-context behavioral advertising under the CCPA.
(2) The Investigative Sweep — and the Opt-Out Failure
As part of a broader investigative sweep of streaming services’ compliance with the CCPA, the California Attorney General examined Disney’s opt-out mechanisms.
The problem was not the absence of an opt-out link. The problem was that the opt-out didn’t fully work.
Disney offered multiple ways to opt out:
- A webform
- In-app toggles
- Recognition of Global Privacy Control (GPC) signals
But these mechanisms functioned in isolation from one another. They did not operate comprehensively across Disney’s systems, brands, and devices.
For example:
- If a consumer submitted Disney’s webform, the request stopped certain advertising activity on Disney’s own ad platform — but Disney continued sharing that consumer’s data with third-party ad-tech partners.
- If a consumer used an in-app toggle or sent a GPC signal, Disney stopped certain third-party sharing — but only for the specific service and device being used at that moment.
- Even logged-in users were not opted out account-wide.
In other words, each mechanism partially suppressed data flows. None of them fully effectuated the statutory right to opt out.
(3) The “Ten Opt-Outs” Problem
Under Disney’s system, a consumer who subscribed to the Disney bundle and accessed it on a computer, tablet, and connected TV would have to:
- Log into Disney+, Hulu, and ESPN+ separately on each device
- Activate the opt-out toggle for each service
- Repeat the process on each additional device
- And still complete Disney’s opt-out webform
The Attorney General calculated that this could require up to ten separate opt-out actions. Yet Disney already knew which devices were linked to the same account for advertising purposes.
The enforcement message is implicit but unmistakable:
If the business can link devices for monetization, it can link them for compliance.
(3) The Connected TV Gap
The problem deepened on connected TVs.
In many connected TV apps, Disney did not provide an in-app opt-out mechanism at all. Instead, users were directed to complete the webform on a computer or mobile device.
But the webform did not affect the embedded third-party code inside those TV apps.
That meant that even if a consumer followed every instruction and completed every available opt-out step, Disney could still continue selling or sharing data from certain connected TV applications.
There was, in practice, no way to fully stop the data flows.
Legal Claims
The Attorney General brought claims for violations of:
- Civil Code §§ 1798.120 and 1798.135 (failure to honor opt-out rights)
- Related CCPA implementing regulations
- Business & Professions Code § 17200 (Unfair Competition Law)
The Complaint also alleged that presenting incomplete opt-out tools as effective opt-outs constituted deceptive conduct.
Findings of Violation
(a) Fragmented Opt-Out Implementation
Under the CCPA, consumers have the right to opt out of the sale and sharing of their personal information.
Disney offered multiple opt-out mechanisms:
- Webform
- In-app toggles
- Acceptance of Global Privacy Control (GPC) signals
However, according to the Complaint and press release, these mechanisms did not operate comprehensively.
(b) Opt-Out Toggles
Opting out via an in-app toggle applied only to:
- The specific streaming service, and
- Often only the specific device being used.
A consumer using Disney+ on a connected TV might remain opted in on Hulu on a mobile device.
(b) Webform
The webform only stopped sharing through Disney’s own advertising platform.
Disney allegedly continued sharing data with embedded third-party ad-tech companies despite the consumer’s opt-out request.
(c) Global Privacy Control (GPC)
Disney accepted GPC signals, but limited their effect to the specific device from which the signal was sent — even if the consumer was logged into their Disney account.
(c) Connected TV Gaps
In some connected TV environments, Disney directed users to the webform instead of providing an in-app opt-out — even though the webform would not stop sharing occurring through embedded SDKs in those apps.
The result: A consumer could exercise every available opt-out tool and still have personal information sold or shared in certain contexts.
Enforcement Analysis
The Disney settlement does more than resolve a compliance gap — it sharpens the operational meaning of the CCPA’s opt-out right in the context of cross-device, cross-service advertising ecosystems.
1. If Identity Is Account-Level for Advertising, It Must Be Account-Level for Opt-Out
Disney’s advertising infrastructure linked users across devices and services for cross-context behavioral advertising. The settlement makes clear that when a business maintains account-level identity resolution for monetization, it must use that same identity infrastructure to honor opt-out rights.
Opt-out cannot be:
- Service-by-service
- Device-by-device
- Browser-by-browser
when the business itself operates at the account level.
In Short: If your ad tech can see the whole user, your compliance system must as well.
2. “Technically Available” Is Not the Same as “Legally Effective”
Disney offered multiple opt-out mechanisms — webforms, toggles, and GPC recognition. The problem was not the absence of controls, but their fragmentation.
The settlement clarifies that compliance is measured by outcome, not by the number of links provided.
An opt-out must stop:
- All selling
- All sharing
- Across all associated services
- Across all associated devices
- Including third-party ad-tech partners
- Including pseudonymous advertising profiles
A partial suppression of internal advertising systems, while continuing third-party embedded SDK transfers, is not compliance.
In short: The opt-out rights must be fully effectuated — not partially honored.
3. GPC Is an Account-Level Signal When the Business Can Make It One
The Global Privacy Control (GPC) is designed to function as a frictionless, browser-based signal. Disney treated it as device-scoped, even for logged-in users.
The settlement signals a regulatory expectation: Where a business can reasonably associate a GPC signal with a logged-in account, it must apply that choice comprehensively.
Limiting GPC to a single device — when cross-device recognition exists — undermines the statutory mandate that opt-out be easy to execute and fully effective.
4. Connected TV and SDK Gaps Are Not Excusable “Technical Limitations”
The complaint highlights that in certain connected TV environments, users were redirected to webforms that did not actually prevent embedded third-party data flows.
This is a significant enforcement signal: Technical architecture does not excuse incomplete opt-out implementation.
If a company embeds third-party code for advertising, it must ensure that its opt-out system reaches that layer of the stack.
“Vendor limitations” are not a defense when monetization systems function seamlessly.
5. UX Design and Choice Architecture Are Now Enforcement Targets
The settlement language is unusually explicit about design:
- Clear and conspicuous links
- No hidden menus
- No unlabeled carets
- No unnecessary scrolling
- No confusing parallel privacy controls
- No dark patterns that impair user decision-making
This reflects a maturation phase of CCPA enforcement.
The Attorney General is no longer focused solely on whether a business posts a “Do Not Sell or Share” link. The inquiry is now:
- Does the mechanism actually work?
- Is it frictionless?
- Is it account-wide where appropriate?
- Is the design neutral and non-manipulative?
- Are downstream third parties notified and constrained?
Compliance is no longer policy-deep — it is system-deep.
6. Downstream Accountability Is Mandatory
The settlement reinforces that opt-out is not complete until:
- Third parties are notified, and
- They are instructed to honor and forward the request.
This underscores that CCPA compliance extends beyond the first transfer. Once data is sold or shared, the originating business retains responsibility for ensuring downstream suppression.
Remedy and Settlement Terms
Under the February 2026 settlement, Disney agreed to:
(1) Compliance Obligations for Disney Streaming Services
For purposes of this judgment, “Disney Streaming Services” means the video services that Defendants offer and operate for consumers to stream live and on-demand content over the internet through websites and mobile or connected-device applications — including, but not limited to, Disney+, Hulu, and ESPN+.
In connection with these Disney Streaming Services, Defendants must comply with the California Consumer Privacy Act (CCPA) and its implementing regulations governing required notices and consumers’ right to opt out of the selling or sharing of their personal information.
(a) Clear Notice About Cross-Context Behavioral Advertising
Defendants must provide a clear and conspicuous notice informing consumers that:
- They conduct cross-context behavioral advertising, and
- They use personal information obtained from third parties for that purpose.
This notice must:
- Clearly explain what information is collected,
- Identify the categories of sources from which the personal information is obtained, and
- Direct consumers to Disney’s Notice of Right to Opt-Out of Sale/Sharing.
(b) A Simple and Consumer-Friendly Opt-Out Process
Defendants must implement an opt-out process that is:
- Easy to find,
- Easy to use, and
- Requires minimal steps.
This process must:
- Allow opt-out through an Opt-Out Preference Signal (such as Global Privacy Control), where required by the CCPA.
- Immediately stop the selling and sharing of the consumer’s personal information.
- Stop cross-context behavioral advertising for that consumer.
(c) Logged-In Consumers: Account-Level Opt-Out
If a consumer is logged into their Disney account and opts out (including via an opt-out preference signal):
- The opt-out must apply across all Disney Streaming Services associated with that account.
- Consumers cannot be required to opt out service-by-service or device-by-device.
(d) Consumers Not Logged In
If a consumer is not logged into a Disney account (or does not have one):
- Disney may inform the consumer that logging in — or providing minimal additional personal information — may be necessary to fully effectuate the opt-out across services.
- If the consumer does not log in or does not provide additional information, Disney must at minimum:
- Apply the opt-out to that browser, device, or application, and
- Apply it to any consumer profile associated with that browser, device, or app — including pseudonymous profiles used for advertising purposes.
(e) Clear and Conspicuous Opt-Out Link
All Disney Streaming Services must include a clear and conspicuous “Do Not Sell or Share My Personal Information” link that either:
- Immediately effectuates the opt-out, or
- Directs the consumer to the Notice of Right to Opt-Out of Sale/Sharing with an easy-to-use mechanism (such as a simple toggle or checkbox).
The notice must:
- Be properly formatted for the specific device or application,
- Scale to different screens and environments, and
- Avoid hidden links, confusing icons, unlabeled arrows, buried menus, or unnecessary scrolling.
(f) Confirmation of Opt-Out
Disney must provide consumers with a way to confirm that their opt-out request has been processed — for example, through account settings or preferences.
(g) No Dark Patterns or Confusing Choice Architecture
If Disney offers other privacy choices (e.g., cookie settings, email marketing preferences, vendor-specific controls), it must not:
- Suggest that those settings are required to effectuate an opt-out of selling or sharing;
- Mislead consumers into thinking those controls replace the statutory opt-out; or
- Design interfaces that impair or subvert consumers’ decision-making.
(h) Downstream Notification to Third Parties
When a consumer opts out, Disney must:
- Notify all third parties to whom it has sold or shared the consumer’s personal information,
- Instruct those third parties to comply with the opt-out request, and
- Require them to forward the request to any further downstream recipients.
(i) Oversight of Third Parties
Disney must take reasonable and appropriate steps to ensure that third parties use personal information in a manner consistent with Disney’s CCPA obligations.
(j) Protections for Children and Minors
Disney must not sell or share the personal information of children or minors unless:
- The minor (if legally permitted), or
- The parent (in the case of a child)
has affirmatively authorized the sale or sharing, consistent with the CCPA and its regulations.
(2) Compliance Program
(a) Ongoing Progress Updates
Within 60 days of the Effective Date of the Judgment, Defendants must provide the California Attorney General (“the People”) with an update describing their progress in complying with the opt-out requirements set forth in Paragraphs 26 and 27.
Defendants must continue providing progress updates every 60 daysuntil all Disney Services fully comply with those requirements.
(b) Three-Year Compliance Monitoring Program
Within 180 days of the Effective Date of the enforcement action— and for a period of three years thereafter — Disney must implement and maintain a formal compliance program designed to ensure that:
Consumers are provided with opt-out mechanisms that are:
- Consumer-friendly
- Easy to execute
- Require minimal steps
Opt-out requests are properly implemented:
- Across all Disney Streaming Services
- Account-wide where appropriate
- On each website, application, and device used to access Disney Services
All required disclosures and notices comply with the terms of the Judgment.
For three years following the Effective Date, Disney must document the results of this compliance review and provide an annual report to the AG summarizing their findings.
(3) Fines
Disney must pay $2.75 million in civil penalties — the largest CCPA settlement to date
Conclusion
The Attorney General described the enforcement as reinforcing that consumers should not have to “go device-by-device or service-by-service” to exercise their privacy rights.
The Disney enforcement signals a clear message:
If your advertising infrastructure operates at the account or identity level, your opt-out mechanism must operate at that same level.
The CCPA’s opt-out right is not satisfied by:
- Fragmented toggles
- Device-scoped controls
- Partial suppression of internal platforms
- Technical workarounds
Comprehensive technical capability creates comprehensive legal obligation.
As streaming, cross-device advertising, and identity resolution technologies continue to mature, regulators are increasingly focused on whether privacy controls match business capabilities.
Resources
- Complaint: The People of the State of California v. Disney DTC, LLC; ABC Enterprises, Inc.
- Final Judgment: The People of the State of California v. Disney DTC, LLC; ABC Enterprises, Inc.
- Press Release: California Won’t Let It Go: Attorney General Bonta Announces $2.75 Million Settlement with Disney
