TL;DR: On February 11, 2026, California Attorney General Rob Bonta fined The Walt Disney Company $2.75 million, the largest CCPA settlement in California history. The problem: Disney's opt-out controls were designed to fail. Toggle switches only applied to one streaming service on one device. Webforms only stopped data sharing through Disney's own ad platform while third-party trackers kept running. Global Privacy Control signals were ignored across devices. Disney could unify your identity across every screen for targeted advertising, but claimed it couldn't unify your opt-out. This is the seventh CCPA enforcement action and the second from a 2024 investigative sweep of streaming services. More settlements are coming.

Three Ways Disney Made Your Opt-Out Meaningless

California's investigation, which started with a January 2024 sweep of streaming services, found Disney gave users three ways to opt out of data selling and sharing. All three were broken. Not accidentally. By design.

The toggle switch. Disney offered an opt-out toggle in its streaming apps. Click it, and the app would stop selling your data, on that specific service, on that specific device. Opt out on Disney+ on your phone? Disney+ on your TV kept selling. Hulu kept selling. ESPN+ kept selling. A single account, linked across every screen, with opt-out buttons that only worked where you clicked them [1].

The webform. If you submitted Disney's online opt-out form, it stopped data sharing through Disney's own advertising platform. But Disney had embedded third-party ad-tech companies' code across its sites and apps. Those third parties kept collecting and selling your data. The webform was a front door that locked while every window stayed open [1][2].

Global Privacy Control. GPC is supposed to be the universal "stop selling my data" signal, a browser setting that applies everywhere. Disney honored GPC requests only on the device that sent them. Logged into your Disney account on your laptop and sent a GPC signal? Disney acknowledged you wanted out, then kept tracking you on your phone, your tablet, your smart TV. Same account. Same person. Ignored [1][3].

They Could Track You Everywhere. They Just Couldn't Stop.

Here's what makes this particularly brazen. Disney had no trouble linking your identity across devices and services when it benefited them. The company collected device identifiers, IP addresses, user interaction data, and login credentials across Disney+, Hulu, ESPN+, and its other properties. It pulled additional data from third parties. All of it fed into a unified advertising profile that followed you across every screen [4].

But when you asked Disney to stop? Suddenly, technical limitations prevented a unified opt-out. The company told California investigators that "vendor and technical limitations hindered its ability to provide a comprehensive consumer identity-based opt-out" [4].

AG Bonta wasn't buying it: "A consumer's opt-out right applies wherever and however a business sells data. Businesses can't force people to go device-by-device or service-by-service" [1].

The math tells the story. To opt out completely, a Disney customer would have needed to submit up to 10 separate opt-out requests across different services and devices. To get tracked for ads, they just needed to log in once [4].

The Streaming Industry Sweep

Disney didn't get caught by accident. This settlement is the result of a January 2024 investigative sweep in which California's Department of Justice examined streaming services for CCPA violations [1][5].

Disney is the second target from that sweep. Sling TV settled for $530,000 in a previous action. According to Deadline, more streaming platforms are still being investigated [5]. The AG's office hasn't named them, but the sweep was broad enough that any major streaming service operating in California should be nervous.

The $2.75 million fine makes Disney the largest CCPA penalty in California's history, surpassing the $1.55 million penalty against Healthline Media in July 2025 [3]. In total, California has now brought seven CCPA enforcement actions: Sephora, DoorDash, Jam City, Sling TV, Healthline Media, Tilting Point Media, and Disney [1].

The pattern is clear. Six of those seven actions target opt-out failures. The AG isn't going after companies for collecting data. He's going after companies that collect data, offer an opt-out button, and then make the button do nothing.

What Disney Has to Do Now

The settlement requires more than writing a check. Disney must [1][4]:

  • Build a real unified opt-out that stops data selling and sharing across all Disney services and devices in "minimal steps"
  • Honor Global Privacy Control signals for logged-in users across the entire business, not just the device that sent the signal
  • Stop cross-context behavioral advertising when a consumer opts out, not just direct sales, but the third-party tracking pixel sharing too
  • Police its own vendors by taking "reasonable and appropriate steps" to ensure third parties handle personal information consistently with CCPA requirements
  • Submit to 60-day compliance check-ins with the California AG until all requirements are met

Why This Matters Beyond Disney

The Disney settlement sets a precedent that reaches past streaming. The AG's core argument: if a company can consolidate your identity across services for advertising, it must consolidate your opt-out the same way. You don't get to be a single person for tracking and a fragmented mystery when you want your privacy back [3][4].

That principle hits every company running cross-platform advertising: social media companies, ad networks, retail apps, news publishers. If you're stitching together user identities for ads, California now expects you to unstitch them just as easily when asked.

The enforcement is also getting more technical. These aren't investigations based on reading privacy policies. California's team examined actual system functionality: how the toggles worked, what the webforms actually stopped, where GPC signals did and didn't propagate. They tested the mechanisms [3].

Connecticut and Minnesota are running similar investigations into deletion request obstacles. The AG's September 2025 multi-state GPC sweep found widespread non-compliance [3]. This isn't slowing down.

Check Your Own Opt-Outs

Disney's not the only company with opt-out buttons that don't work as advertised. Here's how to test yours:

  • Opt out on one device, check another. If you opt out of data sharing on Disney+ on your phone, log in on your TV and check whether the setting carried over. Do this for every streaming service you use.
  • Enable Global Privacy Control. Install a GPC-enabled browser or extension (Firefox, Brave, and DuckDuckGo support it natively). Then check if services actually honor it by looking at their cookie and tracking behavior.
  • Use the webform AND the toggle. Don't assume one method covers everything. As Disney showed, different opt-out methods stopped different things, and none stopped all of it.
  • File a complaint. If you're in California and a company's opt-out doesn't work, file a consumer complaint with the AG. These investigations start with complaints.

The Potemkin Opt-Out

Disney built a privacy architecture where the button existed but the function didn't. You could click opt-out as many times as you wanted. Disney would acknowledge it every time. And behind the scenes, the data kept flowing, to different services, on different devices, through different ad-tech partners.

$2.75 million is the price California put on that. For a company that reported $22.6 billion in revenue from its streaming division last quarter, it's pocket change. But the compliance requirements have teeth, and the precedent carries weight. Every streaming service that launched a half-baked opt-out toggle is now on notice.

California won't let it go.

Sources

  1. California Attorney General: "California Won't Let It Go": AG Bonta Announces $2.75 Million Settlement with Disney (February 11, 2026)
  2. WDW News Today: The Walt Disney Company Hit with Record Fine by California DOJ (February 2026)
  3. IAPP: California's Attorney General Issues Largest CCPA Fine to Date (February 2026)
  4. Frankfurt Kurnit Klein & Selz: Takeaways from the Disney CCPA $2.75 Million Settlement (February 2026)
  5. Deadline: Disney Settles Streaming Data Suit From California AG; More Streamers Still Being Probed (February 2026)
  6. Sandberg Phoenix: Disney Agrees to $2.75 Million CCPA Settlement, The Largest in California History (February 2026)