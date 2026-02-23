On February 11, 2026, the California Attorney General simultaneously filed and settled an enforcement action against Disney DTC, LLC and ABC Enterprises, Inc. (Disney) over the company's failure to comply with the California Privacy Protection Act (CPPA). Specifically, the AG alleged that Disney failed to properly honor consumer opt-out requests on Disney+, Hulu, and ESPN+. The settlement requires Disney to pay $2.75 million and to overhaul its opt-out mechanisms so that a single consumer request halts the sale and sharing of personal information across all services, devices, and third-party partners associated with the consumer's account. The case establishes a practical enforcement precedent that if a business can unify consumer identity for advertising, it must unify that identity for opt-out compliance.

Disney operates the Disney+, Hulu, and ESPN+ streaming services, each of which requires consumers to maintain an account and log in before accessing content. Disney also offers a bundled subscription across these services with a common login. In addition to subscription revenue, Disney generates significant revenue through targeted advertising delivered within and across these streaming platforms.

Each time a consumer logs into a Disney streaming service, Disney collects personal information, including device identifiers, device type, IP addresses, and detailed viewing behavior. When a consumer uses the same login on multiple devices, Disney associates all of those devices with the consumer. Disney leverages this cross-device identity graph in two ways. First, it shares consumer data with third-party ad-tech partners who combine it with data from other websites to target ads on and off Disney platforms; and second, through Disney's own advertising platform, which enriches streaming data with information from data brokers to build detailed consumer profiles for more precise ad targeting. Both practices constitute cross-context behavioral advertising under the CCPA.

Allegations

The AG's investigation, conducted as part of an Investigative Sweep focused on streaming service compliance with the CCPA, identified three fundamental failures in Disney's opt-out processes:

Fragmented opt-out methods that only partially worked . Disney offered an opt-out web form, in-app toggles, and accepted opt-out preference signals, including the Global Privacy Control (GPC). However, the webform only stopped data use on Disney's own advertising platform and did not stop Disney from continuing to share data with third-party ad-tech partners. The in-app toggles and GPC signals stopped third-party sharing but only for the specific service and device where the consumer submitted the request, even if the consumer was logged in to its Disney account.

. Disney offered an opt-out web form, in-app toggles, and accepted opt-out preference signals, including the Global Privacy Control (GPC). However, the webform only stopped data use on Disney's own advertising platform and did not stop Disney from continuing to share data with third-party ad-tech partners. The in-app toggles and GPC signals stopped third-party sharing but only for the specific service and device where the consumer submitted the request, even if the consumer was logged in to its Disney account. An unreasonable burden on consumers . A consumer who subscribed to the Disney bundle and accessed streaming content from a computer, tablet, and connected TV would have had to express their opt-out choice up to ten separate times: by using the opt-out toggle on Disney+, Hulu, and ESPN+ on each of three devices (nine separate actions), plus completing the separate webform. The CCPA requires opt-out methods that are easy to execute and require minimal steps.

. A consumer who subscribed to the Disney bundle and accessed streaming content from a computer, tablet, and connected TV would have had to express their opt-out choice up to ten separate times: by using the opt-out toggle on Disney+, Hulu, and ESPN+ on each of three devices (nine separate actions), plus completing the separate webform. The CCPA requires opt-out methods that are easy to execute and require minimal steps. No opt-out was possible on certain connected TV apps. Disney did not provide in-app opt-out mechanisms in many of its connected-TV streaming apps, citing vendor and technological limitations. Disney directed consumers to visit the opt-out webform from a computer or mobile device, but the webform had no effect on the embedded code that transmitted personal information from connected TV apps to ad-tech partners. Consumers had no way to stop the sale and sharing of their data from these apps.

Settlement Terms

To resolve the matter, Disney entered into a settlement with the Attorney General that includes the following principal terms:

Monetary penalty . Disney must pay $2.75 million to the California Attorney General's Office within 30 days, pursuant to Civil Code Section 1798.199.90.

. Disney must pay $2.75 million to the California Attorney General's Office within 30 days, pursuant to Civil Code Section 1798.199.90. Account-wide opt-out propagation . When a logged-in consumer opts out on any Disney Streaming Service, including via an opt-out preference signal, Disney must effectuate that opt-out across all Disney Streaming Services associated with the consumer's account. For consumers who are not logged in or do not have an account, Disney must at minimum apply the opt-out to the browser, application, or device and any associated consumer profile, including pseudonymous profiles used for cross-context behavioral advertising.

. When a logged-in consumer opts out on any Disney Streaming Service, including via an opt-out preference signal, Disney must effectuate that opt-out across all Disney Streaming Services associated with the consumer's account. For consumers who are not logged in or do not have an account, Disney must at minimum apply the opt-out to the browser, application, or device and any associated consumer profile, including pseudonymous profiles used for cross-context behavioral advertising. Clear and conspicuous opt-out links . Disney must provide a clear and conspicuous opt-out link within all Disney Streaming Services that either immediately effectuates the opt-out or directs the consumer to the Notice of Right to Opt-Out. The notice must include an easy-to-use method such as a toggle or checkbox, must be properly formatted and scaled for the device, and must not require unnecessary scrolling or use hidden links, unlabeled carets, arrows, or other unclear interface elements.

. Disney must provide a clear and conspicuous opt-out link within all Disney Streaming Services that either immediately effectuates the opt-out or directs the consumer to the Notice of Right to Opt-Out. The notice must include an easy-to-use method such as a toggle or checkbox, must be properly formatted and scaled for the device, and must not require unnecessary scrolling or use hidden links, unlabeled carets, arrows, or other unclear interface elements. No confusing choice architecture . If Disney offers other privacy-related choices (cookie preferences, email marketing preferences, vendor-specific processing controls), it must avoid language and design that confuse consumers into thinking those other choices are required for or equivalent to opting out of the sale and sharing of their personal information.

. If Disney offers other privacy-related choices (cookie preferences, email marketing preferences, vendor-specific processing controls), it must avoid language and design that confuse consumers into thinking those other choices are required for or equivalent to opting out of the sale and sharing of their personal information. Opt-out confirmation . Disney must provide a way for consumers to confirm that their opt-out request has been processed, such as within account settings or preferences.

. Disney must provide a way for consumers to confirm that their opt-out request has been processed, such as within account settings or preferences. Third-party notification . Disney must notify all third parties to whom it sold or shared a consumer's personal information of the opt-out request and direct those third parties to comply with and forward the request.

. Disney must notify all third parties to whom it sold or shared a consumer's personal information of the opt-out request and direct those third parties to comply with and forward the request. Children and minors . Disney must continue to refrain from selling or sharing personal information of known children (under 13) and minors (13 to 15) unless the minor or parent has affirmatively authorized such sale or sharing.

. Disney must continue to refrain from selling or sharing personal information of known children (under 13) and minors (13 to 15) unless the minor or parent has affirmatively authorized such sale or sharing. Three-year compliance monitoring. Disney must provide 60-day progress reports on compliance and, within 180 days, implement a program to assess and monitor its opt-out processes for three years, with annual reports to the AG's office.

Key Takeaways for Businesses

This enforcement action carries implications well beyond the streaming industry. Any business that operates ad-supported digital services with authenticated consumer accounts should take note of the following principles:

1. Identity Symmetry Is Now a Compliance Requirement. The AG's central theory is that if a business can associate a consumer with its devices for advertising purposes, it must associate those same devices with the consumer for purposes of honoring opt-out requests. This principle applies to any business that maintains cross-device or cross-platform consumer identity graphs, including telecommunications providers, connected vehicle platforms, IoT service providers, and companies operating AI-powered customer engagement tools that track consumers across touchpoints.

2. A Single Opt-Out Must Be Comprehensive. The CCPA requires businesses to provide opt-out methods that are easy to execute and require minimal steps. Businesses cannot require consumers to repeat opt-out requests across different services, devices, or platforms. For authenticated users, a single opt-out request should propagate across all services and devices associated with the consumer's account. Businesses should audit their opt-out workflows to confirm that an opt-out submitted through any available method (webform, in-app toggle, opt-out preference signal) stops all selling and sharing of the consumer's personal information across every channel and partner.

3. Technical Limitations Are Not a Defense. The AG rejected Disney's assertion that vendor and platform constraints on connected TV devices prevented comprehensive opt-out implementation. The practical implication is that if opt-outs cannot be honored based on a particular technology limitation, then a business should not collect and share personal information from that environment for advertising purposes. Businesses operating on platforms with limited privacy infrastructure, such as connected TVs, smart home devices, and in-vehicle systems, should evaluate whether their data collection practices outpace their ability to honor consumer rights on those platforms.

4. Choice Architecture and Dark Patterns Will Draw Enforcement. The settlements detailed prescriptions on user interface design, including prohibitions on hidden links, unlabeled carets, and confusing overlapping privacy controls, once again reinforce that regulators are scrutinizing not only whether an opt-out exists but also how it is presented and whether the surrounding design choices impair consumer decision-making. This has been a consistent theme in recent California privacy enforcement actions. Businesses should review their privacy control interfaces for any design elements that could be characterized as adding unnecessary friction to the opt-out process.

5. Opt-Out Preference Signals Must Be Fully Honored. The complaint specifically alleged that Disney failed to treat the Global Privacy Control (GPC) as a valid opt-out request for known consumers. Businesses like Disney that claim to honor GPC or other opt-out preference signals must ensure that the signal triggers a complete opt-out, not merely a partial one limited to certain data-sharing relationships or individual devices. For authenticated users, a GPC signal should be treated the same as any other opt-out request and should propagate account-wide.

We continue to see California and other states actively enforce their privacy laws. These settlements indicate that regulators are confirming that business representations in privacy policies, terms of service, in user interfaces, and other public statements. We are happy to help your business sort through the complex patchwork of state privacy requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.