Caught in a Mousetrap: Disney to Pay $2.75M for Consumer Opt-Out Missteps

The California Attorney General (CA AG) announced a $2.75 million settlement with Disney and ABC on February 11, 2026, to resolve allegations that Disney violated the California Consumer Privacy Act (CCPA) by failing to fully effectuate consumers' requests to opt-out of sales or sharing.

The settlement highlights the increasing regulatory focus on the usability and effectiveness of privacy controls, particularly for companies operating multiple consumer-facing services with shared accounts.

Background

The settlement stems from the California CA AG's 2024 investigative sweep targeting streaming services and connected TVs, which previously led to an enforcement action against Sling TV for similar failures in implementing comprehensive opt-out mechanisms.

Complaint Allegations

The complaint alleges the following gaps in Disney's opt-out mechanisms:

1. Failure to Provide a Comprehensive Opt-Out Mechanism. Disney's opt-out process was fragmented, with requests often applied only to the specific service or device used. The complaint noted that bundle subscribers would have to express their opt-out choice "up to 10 times" to fully opt out.
2. Failure to Cease All Sale or Sharing After Webform Opt‑Out. Requests submitted through the website form resulted in Disney taking action only with respect to its own advertising platform, while data continued to be shared with third-party ad tech partners.
3. Failure to Cease All Sale or Sharing After Opt-Out via Toggle Setting or Global Privacy Control. Opt-outs via these mechanisms were applied to disclosures to third-party ad tech partners, but only with respect to the service or device on which the request was made, even if the consumer was logged in.
4. Failure to Provide an Opt‑Out Mechanism Through Primary Consumer Touchpoints. Disney failed to provide a method that actually resulted in an opt-out for connected TV streaming apps.

The complaint emphasizes Disney's ability to identify consumers across services and devices for advertising purposes, accusing Disney of "leverage[ing] its extensive database of consumers' devices into a profitable targeted advertising business" while failing to apply that same capability to honor opt-out requests.

Alleged Violations of Law

The complaint alleges two causes of action against Disney:

• CCPA Violations
  • selling and sharing consumers' personal information despite receiving opt-out requests, in violation of Civil Code Sections 1798.120(a), (d) and 1798.135(a), (c)(4)
  • failing to treat opt-out preference signals as valid requests for known consumers, in violation of Civil Code Section 1798.135(e)
  • failing to provide easy-to-execute opt-out methods requiring minimal steps, in violation of Civil Code Sections 1798.120(a) and 1798.135(a)
  • failing to provide opt-out methods reflecting the manner in which the business primarily interacts with customers on app-based devices, in violation of Civil Code Section 1798.120(a)
• Violations of the Unfair Competition Law
  • engaging in unlawful and fraudulent practices by offering opt-out mechanisms that did not result in the consumer being fully opted out

Consequences for Disney

In addition to the $2.75 million fine, Disney must update its opt-out mechanisms and provide updates every 60 days until it is in full compliance. The injunctive provisions largely track the CCPA and its implementing regulations, but the CA AG added detail regarding how opt-outs should be applied across consumer interactions with Disney:

• If a consumer submits an opt-out request in a logged-in state, Disney must honor that choice across all its streaming services linked to the consumer's Disney account.
• If a consumer is not logged in or does not have an account, Disney must either prompt the consumer to log in or collect the necessary information to fully effectuate the opt-out.
• If a consumer declines to log in or provide such information, Disney must apply the opt-out at the browser, application or device level.

Disney must maintain a program to monitor its compliance with the terms of the injunction for three years and provide annual reports to the CA AG.

Next Steps

The Disney action underscores California's expectation that consumers should be able to use one mechanism to opt out of all sales and sharing across a company's services, web domains and devices. The settlement expresses a strong preference for encouraging consumers to use accounts so that opt-outs can be recognized broadly.

Notably, the complaint does not require companies to offer one toggle to opt out of all sales/shares occurring through both cookies and other means – despite the CCPA regulations requiring a "single option to opt-out of the sale or sharing of all personal information." 11 CCR 7026(h). This may indicate recognition of the technical difficulty of this concept. The complaint also does not contain allegations related to children's data, unlike the Sling TV complaint.

For more information or questions about how this may impact your business, please contact the authors or another member of Holland & Knight's Data Strategy, Security & Privacy Team.

Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.