A wooden gavel resting on a dark surface next to a sound block

TL;DR:

  • The lawsuit: A class action filed May 18 in federal court alleges Disney collected facial biometric data from millions of Disneyland and California Adventure visitors (including children) without meaningful consent. It seeks at least $5 million in damages. [1][2]
  • How it works: Since April 28, 2026, cameras at four park entrances scan arriving faces and compare them against ticket purchase photos. Disney calls it “optional.” The opt-out is a separate lane marked with a crossed-out silhouette. [1][3]
  • The core argument: Attorney Blake Yagman argues that “guests should be able to expressly opt in to this type of sensitive facial recognition,” not navigate confusing signage to avoid it. Most visitors don’t realize they’re being scanned. [1][2]
  • The data problem: Disney says facial data is deleted within 30 days. The lawsuit says that’s misleading: the original ticket photos against which faces are compared persist indefinitely in Disney’s system. [2][3]
  • Why it matters: This is the opt-in vs. opt-out fight playing out at scale. Illinois requires written consent before collecting biometrics. Disney’s approach (scan first, offer a hard-to-find exit) is how most of corporate America handles it. This case could set the standard.

What Disney Is Accused Of

On May 18, 2026, plaintiff Summer Christine Duffield filed a proposed class action in federal court on behalf of everyone who walked through a Disney park entrance and got their face scanned without knowing what was happening. [1][2]

The complaint is blunt: Disney “does not adequately disclose the use of their biometric collection, so consumers (which almost always include children) have no idea that Disney is collecting this highly sensitive data.” [1]

Blake Yagman, the attorney representing the class, put it more directly: “Guests should be able to expressly opt in to this type of sensitive facial recognition.” [2]

The lawsuit seeks at least $5 million in damages, plus restitution, injunctive relief, and attorney fees. It alleges violations of California privacy and consumer protection statutes. [1][2]

Disney’s response so far: “We respect and protect our guests’ personal information and dispute the plaintiff’s claims, which we believe are without merit.” [3]

How Disney Scans Your Face

Disney launched facial recognition at Disneyland Park and Disney California Adventure on April 28, 2026. Here’s the process: [1][3]

  1. When you buy a ticket or annual pass, Disney takes a photo of your face
  2. At the park entrance, cameras capture your face again
  3. Software compares the live scan to your stored photo
  4. Match? You’re in. No match? A cast member checks your ticket manually

Disney says this speeds up entry and prevents ticket fraud. The company claims it converts facial images into “numerical values” and deletes those values within 30 days. [3]

But the lawsuit pokes a hole in that claim. The 30-day deletion applies to the biometric template: the numerical faceprint. The original photographs tied to your ticket? Those stay in Disney’s system as long as you have an active pass. Your face is in their database either way. [2]

The Opt-Out Trap

Disney says participation is voluntary. At each of the four park entrances, there’s a lane where cast members verify tickets manually instead of scanning your face. You can spot it by the overhead sign showing a silhouette with a slash through it. [1][3]

That’s the entire opt-out mechanism. A small icon above one lane among many.

The lawsuit argues this isn’t meaningful notice. Families with kids, tourists who don’t speak English, and first-time visitors are unlikely to notice a single icon differentiating one lane from another, especially when they’re excited to get into the park. We documented this problem back in April: one visitor told Inside the Magic the system “scanned my face before I even realized what happened.” [4]

That’s the difference between opt-out and opt-in. Opt-out puts the burden on you to notice, understand, and actively avoid something that’s already happening. Opt-in requires the company to explain what it’s doing and get your agreement first.

Disney chose opt-out. The lawsuit says that’s not good enough for biometric data.

The Children Problem

The complaint specifically calls out the scanning of children. Disney’s facial recognition doesn’t check ages at the gate. Every face that walks through a recognition-enabled lane gets scanned, whether it belongs to a 45-year-old or a 5-year-old. [1][2]

Disney says children under 18 can participate “with parental consent.” In practice, a parent buying a child’s ticket and walking through the standard lane constitutes that consent. There’s no separate, explicit permission step for biometric data. [1]

This isn’t Disney’s first run-in with children’s privacy. In 2025, the company settled a $10 million FTC complaint over collecting children’s data through YouTube. [2] The updated COPPA rules that took effect in 2026 specifically expanded protections around biometric data collected from minors.

The Bigger Fight: Who Has to Ask Permission?

This lawsuit isn’t really about Disney. It’s about which model wins for biometric data in America.

The Illinois model (opt-in): Since 2008, Illinois’s Biometric Information Privacy Act has required companies to get your written, informed consent before collecting fingerprints, faceprints, iris scans, or voiceprints. Companies must explain what they’re collecting, why, and how long they’ll keep it, before they touch your data. BIPA has generated billions in settlements, including a $650 million payout from Facebook in 2021 and $228 million from TikTok. [5]

The Disney model (opt-out): Post a sign. Offer a hard-to-find alternative lane. Assume everyone who doesn’t actively object has consented. This is how most of corporate America handles biometric data in states without explicit biometric privacy laws.

The airport model (no choice): TSA rolled out facial recognition at airports across the country. There’s technically an opt-out, but travelers consistently report that agents either don’t mention it or make opting out feel like requesting a secondary screening. [6]

Right now, only Illinois, Texas, and Washington have dedicated biometric privacy laws. New York’s Biometric Privacy Act (S1422) is sitting in the Senate Consumer Protection Committee. California covers biometrics under the CCPA, but the lawsuit argues that’s not specific enough for facial recognition at a theme park gate. [5]

The Pattern Keeps Repeating

Disney is far from alone in the “deploy first, deal with lawsuits later” approach to facial recognition:

  • Clearview AI scraped billions of photos from social media and sold facial recognition to police departments. It was sued under BIPA and settled with the ACLU in 2022, but the technology is still in use by over 600 law enforcement agencies.
  • Madison Square Garden used facial recognition to ban attorneys whose firms were suing MSG Entertainment. New York’s attorney general investigated, and the state legislature introduced bills to ban the practice at entertainment venues.
  • Rite Aid deployed facial recognition in hundreds of stores, disproportionately targeting Black and Brown customers. The FTC banned the company from using the technology for five years in 2023.
  • Airports rolled out TSA facial verification without Congressional authorization. The system now operates at over 80 airports, and DHS plans to expand it.

Every one of these deployments started with the same pitch: it’s faster, it’s more secure, it’s convenient. Every one ran into the same problem: the people being scanned didn’t meaningfully agree to it.

What Happens Next

This case is in its earliest stages. Disney will likely move to dismiss, arguing its signage and privacy policy constitute adequate notice under California law. The plaintiff will argue that a crossed-out silhouette above one lane isn’t meaningful consent for biometric data collection.

If the case survives to discovery, it gets interesting. The class would include every person who walked through a facial recognition lane at Disneyland or California Adventure since April 28, 2026. Given Disney’s attendance (roughly 40,000 to 50,000 visitors per day across both parks), the potential class size is enormous.

Watch New York, too. The Biometric Privacy Act (S1422) would create BIPA-style protections on the East Coast. If it passes, companies operating in multiple states will face a patchwork of opt-in requirements that makes Disney’s current signage approach untenable nationwide.

What You Can Do

  • If you visited Disneyland or California Adventure since April 28, 2026: You may be part of the proposed class. Watch for notices about the lawsuit’s progress.
  • Next time you visit: Look for the lane with the crossed-out silhouette icon at the entrance. That’s the manual verification lane. Use it if you don’t want your face scanned.
  • Check your Disney account: Review Disney’s privacy policy for information about how your biometric data is stored and request deletion of your data under California’s CCPA.
  • Support biometric privacy legislation: If you’re in New York, contact your state senator about S1422. If you’re in California, AB 2561 would strengthen biometric protections: it passed the Assembly and is heading to Senate committee.

Sources

  1. The Hollywood Reporter: Disney Hit With Class Action Over Facial Recognition Technology at Park Entrances (May 2026)
  2. Engadget: Disney faces a class action lawsuit over facial recognition tech (May 2026)
  3. Biometric Update: Disney hit with class action over facial recognition at California parks (May 2026)
  4. State of Surveillance: Disneyland Now Scans Your Face to Get In (April 22, 2026)
  5. ACLU of Illinois: Biometric Information Privacy Act (BIPA)
  6. TSA: Facial Comparison Technology Fact Sheet