The California attorney general recently announced one of the agency’s largest-ever settlement agreements for alleged noncompliance with the California Consumer Privacy Act (CCPA) and alleged deception of consumers about data practices. This enforcement action is borne out of the agency’s 2024 investigative sweep scrutinizing streaming services and provides insights as to the expectations of the California attorney general related to operationalization of privacy rights. The action also underscores the agency’s key enforcement priorities, including:

  • Ensuring consumer requests to opt out of the “sale” or “sharing” of their personal information (opt-out requests) are fully effectuated across related devices and services.
  • Seeing companies honor the Global Privacy Control (GPC) signal as an opt-out request.

Specifically, the California attorney general alleged that Disney:

  • Associated different devices on which a consumer had logged in for cross-context behavioral advertising (targeted advertising) purposes, but did not leverage this when processing a consumers’ opt-out requests.
  • Implemented a disjointed opt-out system that only partially effectuated opt-out requests.
  • Directed users of its TV streaming apps to submit opt-out requests on other devices, while knowing that such opt-out requests would not impact the TV streaming apps’ data sharing.
  • Deceived consumers through the above activities by giving them tools that seemed to opt consumers out of “sale” and “sharing” of personal information, without fully opting them out.

The agreement requires Disney to:

  • Pay a $2.75 million civil penalty, the highest fine imposed under the CCPA to date.
  • Implement certain procedures for handling consumer opt-out requests.
  • Regularly update the California attorney general on its progress toward compliance.

Though the California attorney general now shares CCPA enforcement authority with the California Privacy Protection Agency (CPPA), which announced its first-ever enforcement actions last year, this landmark settlement shows that the California attorney general has neither ceded its role as an enforcer in this area nor lost interest in aggressively enforcing the CCPA.

CCPA’s requirements for consumer opt-out requests

The CCPA requires businesses that sell or share personal information for targeted advertising purposes to allow consumers to opt out of their data being sold or shared.1 Businesses are required to provide at least two methods through which consumers may submit opt-out requests,2 and they are required to process the GPC signal as a valid opt-out request.3 The business must treat the GPC signal as an opt-out requests for “that browser or device and any consumer profile associated with that browser or device,” as well as “for the consumer,” if known.4The CCPA does not explicitly address linking opt-out requests submitted via other methods across browsers or devices, but the broad mandate to cease selling or sharing a consumer’s personal information captures all personal information, regardless of its source, that the business associates with a consumer. When processing an opt-out request, a business cannot require a consumer to “create an account or provide additional information beyond what is necessary” to process such requests.5

Associating consumer devices when processing opt-out requests

Disney operates multiple streaming services, each of which are accessible via both streaming sites and apps. The California attorney general alleged that Disney would associate a given consumer with their different streaming services and devices based on common account logins for advertising purposes but not when processing opt-out requests. Rather, Disney would process opt-out requests on a per-service, per-device basis. This meant that a consumer would have to submit an opt-out request from each device they use, on each service they use, in order for personal information associated with that device to not be sold or shared.

The order requires Disney to:

  • If a consumer submits an opt-out request while logged in, associate their opt-out request across all devices and all Disney streaming services associated with that consumer.
  • If a consumer is not logged in when submitting an opt-out request, or doesn’t have an account, inform the consumer it may be necessary to log in to fully effectuate the request and gather the minimum personal information necessary to effectuate the request. Disney must effectuate the request to the extent possible, even if the consumer declines to provide any additional personal information.

In its initial complaint and in the final order, the California attorney general emphasized that such a practice is known to be technically feasible for Disney, because Disney already engages in such associations for advertising purposes. It’s unclear what this means for entities that do not engage in such association, for whom compliance with this standard would be technically infeasible or unduly burdensome.

Selling ad services and selling personal information

Within its sites and apps, Disney accepts opt-out requests via a webform, opt-out toggles and the GPC. However, the California attorney general alleged that opt-out requests submitted through any of these methods were not fully effectuated. Disney engages in targeted advertising both by:

  • Selling advertising opportunities on its online properties.
  • Targeting ads for Disney products on third parties’ online properties.

The California attorney general alleged that Disney would only cease one activity or the other in response to a consumer opt-out request, based on the method used to submit the request.

  • If a consumer submitted an opt-out request to Disney using Disney’s webform, Disney would stop selling opportunities to advertise to that consumer on Disney online properties but continue to target ads to them on third-party sites.
  • If a consumer submitted an opt-out request using Disney’s toggle or the GPC, Disney would stop targeting ads to that consumer on third-party sites but continue to sell opportunities to advertise to them on Disney online properties.

The order requires that Disney cease both categories of targeted advertising in response to a consumer opt-out request, regardless of the method used to submit it.

No method to opt out for certain apps

The California attorney general alleged that Disney, “citing vendor and technological limitations, did not provide an in-app opt-out mechanism in many of its connected TV streaming apps.”6 Instead, the Do Not Sell or Share My Personal Information pages on apps directed consumers to submit opt-out requests through Disney’s online webform. However, as discussed in the “Associating consumer devices when processing opt-out requests” section above, opt-out requests were processed on a per-device basis. Disney’s webform was only accessible using a web browser, meaning consumers would submit requests using their computers or mobile devices, and the sale of data associated with the TV would continue. The California attorney general alleged Disney “knew” such opt-out requests “would have no impact on the embedded code that transferred personal information from these connected TV streaming apps to its ad-tech partners.”7

Deceiving consumers about opting out

In addition to alleged violations of the CCPA, the California attorney general also brought this action against Disney under its authority to enforce California’s consumer protection law, alleging that Disney had engaged in “unlawful, unfair, or fraudulent acts or practices, which constitute unfair competition” within the meaning of the law.8 The California attorney general took the position that, “[w]hen a business creates a form, toggle, or other tool, and chooses to label it as an opt-out, even though it does not fully opt-out the consumers who use it, the business is engaged in deception.”9

The California attorney general argued that, because Disney’s opt-out forms and toggles allegedly fell short of opting a consumer out of the sale and sharing of their personal information in a manner compliant with the CCPA, offering such tools to consumers at all was a fraudulent act or practice that deceived consumers.

Its logic could, in theory, be extended to other consumer-facing aspects of CCPA compliance. Falling short of full CCPA compliance in a consumer-facing context could mean facing liability under both the CCPA and California’s consumer protection statute, potentially doubling civil liability.

General requirements related to opt-out requests

In addition, the order requires Disney to:

  • Provide clear and conspicuous notice that Disney conducts targeted advertising using personal information obtained from third parties.
  • Update all Disney streaming services to:
    • Provide a clear and conspicuous opt-out link that either immediately effectuates a consumer’s opt-out request, or directs the consumer to a Notice of Right to Opt-Out of Sale/Sharing.
    • Provide a Notice of Right to Opt-Out of Sale/Sharing. If the link above does not immediately effectuate the opt-out request, this notice must include a simple opt-out method, such as a toggle or checkbox.
    • Format this notice for all webpages, apps and devices on which it is provided.
  • Provide consumers with a method to confirm their opt-out request has been processed.
  • Make sure other choices related to personal information do not contain dark patterns.
  • Direct third parties with whom Disney shares personal information to honor consumer opt-out requests that Disney receives, including by passing along the opt-out request to any further third parties with whom the consumer’s data has been shared.
  • When making personal information available to third parties, take reasonable and appropriate steps to ensure those third parties will use the personal information in a manner consistent with the CCPA.
  • Never sell or share children’s data without affirmative parental authorization.
 
Notes
  1. Cal. Civ. Code § 1798.120(a)(1).
  2. Cal. Code Regs. tit. 11, § 7026(a).
  3. Id. at § 7025(b).
  4. Id. at § 7025(c)(1).
  5. Id. at § 7026(c).
  6. Complaint, California v. Disney DTC, LLC, et al., No. 26STCV04425, ¶ 14 (Cal. Super. Ct. Feb. 11, 2026).
  7. Id.
  8. Complaint at ¶ 19 (citing Cal. Bus. & Prof. Code § 17200).
  9. Complaint at ¶ 15.

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as "Cooley"). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction, and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. When advising companies, our attorney-client relationship is with the company, not with any individual. This content may have been generated with the assistance of artificial intelligence (Al) in accordance with our Al Principles, may be considered Attorney Advertising and is subject to our legal notices.