On February 11, 2026, the California Attorney General announced a $2.75 million settlement with Disney for failing to implement opt-out methods compliant with California Consumer Privacy Act (CCPA) requirements.
This is the biggest settlement issued in California to date, following several high-profile enforcement actions last year.
In this article, we go over what the settlement is about, where Disney failed to put sufficient safeguards in place, what they could have done differently, and what organizations should do to avoid this type of situation. Keep reading to learn more, or watch the recording of our recent webinar for more context about privacy on Connected TV.
Disney’s $2.75M CCPA settlement: What happened?
In summary, California alleged that Disney’s opt-out processes violated the CCPA by failing to fully effectuate consumers’ requests to opt out of the sale or sharing of their data across all devices and streaming services associated with their accounts:
Consumers shouldn’t have to go to infinity and beyond to assert their privacy rights. Today, my office secured the largest settlement to date under the CCPA over Disney's failure to stop selling and sharing the data of consumers that explicitly asked it to. (...)
California’s nation-leading privacy law is clear: A consumer’s opt-out right applies wherever and however a business sells data — businesses can’t force people to go device-by-device or service-by-service. In California, asking a business to stop selling your data should not be complicated or cumbersome. My office is committed to the continued enforcement of this critical privacy law.
- Rob Bonta, Attorney General of California (source: State of California Department of Justice)
The announcement clearly lays out the complaints. An investigation of streaming services for potential CCPA violations dating back to 2024 found that the company failed to allow consumers to opt out of all sales or sharing of their data, potentially violating the Act.
To be specific, the state of California observed that the following mechanisms were not working as they should have on Disney properties:
- Opt-out toggles provided by Disney on its websites and apps only applied the opt-out request to the specific streaming service the user was watching, and sometimes only to the device the consumer was using.
- Opt-out forms only stopped the sharing of personal data through the company’s own advertising platform and offerings, but failed to stop specific third-party ad-tech companies whose code Disney embedded in its websites and apps.
- Connected TV streaming apps didn’t offer an in-app opt-out, directing consumers to a web form instead.
- Global Privacy Control (GPC) opt-outs were limited to the specific device the consumer was using, even when the consumer was logged into their account. Check out our GPC compliance checklist to learn more.
As a result, the California Attorney General announced a settlement with Disney on February 11, 2026, requiring the company to pay $2.75 million in civil penalties and to implement functioning opt-out methods that fully stop the sale or sharing of consumers’ personal information.
Why does this settlement matter for every enterprise organization?
The Disney case is not an isolated event. The California AG has issued significant fines and announced other CCPA settlements in the past few years, including Sephora, DoorDash, Tilting Point Media, and, most recently, Sling TV, Jam City, and Healthline (the largest prior settlement at $1.55 million).
It’s not a California-only topic, either. In September 2025, the California Privacy Protection Agency (CPPA) joined forces with the Attorneys General of California, Colorado, and Connecticut to announce a coordinated sweep targeting businesses that fail to honor GPC signals.
This trend was identified as one of the big predictions for 2026 by professionals we interviewed around the turn of the year:
This will be the year that U.S. regulatory enforcement really gets into the weeds. Surface-level compliance isn't going to cut it anymore.
Regulators, especially in California, are stressing the importance of implementing consumer privacy rights correctly and exhaustively on the backend, from a technical perspective. This means ensuring GPC signals are honored, and opt-outs flow across platforms and consumer touch points, as well as having a full and complete understanding of (and proper contractual relationships and opt-out signaling capabilities with) every third party to whom personal information is sold or shared on an ongoing basis.
Regulators will dig deep to understand how data flows work, and they'll expect organizations to be right there with them. So make sure to get your ducks in a row: the hard questions are coming.
- Julie Rubash, General Counsel and Chief Privacy Officer at Sourcepoint by Didomi (source: 2026 data privacy trends: Predictions from the experts)
Large enterprises are increasingly pushing users from anonymous browsing to authenticated, logged-in experiences across multiple apps, devices, and services. That shift centralizes identity and data flows, which makes it even more important that privacy choices (such as opt-outs) are applied consistently across all contexts.
5 operational lessons for privacy teams from Disney’s CCPA settlement
What could Disney have done differently, and what can organizations learn to avoid the same pitfalls (and their monetary and reputational consequences)? We identified 5 steps companies should take as soon as possible, along with the solutions we’ve built for each.
1. Audit current consent flow and vendor behavior
The first step to ensuring compliance is to be aware of what is actually going on in your digital properties. Recent enforcement and our own expertise have shown that most organizations are actually unaware of their compliance status:
Most organizations are unaware of the glaring compliance mishaps happening on their digital properties, not by malice but because of the lack of expertise and reliable technology required to accurately spot them in websites with so many constantly moving parts.
- Teodora Tanase, Product Manager at Didomi
Running a thorough audit is essential, not only to ensure user choices are collected when required, but also that they are applied and respected. Learn more about our Advanced Compliance Monitoring (ACM) solution, which provides deeper compliance analysis for better governance at scale.
2. Ensure opt-outs are applied throughout user accounts
Another key aspect will be the ability to apply user privacy choices throughout their account, regardless of the device or domain used. Implementing a complete cross-device and cross-domain consent management solution will help ensure choices are synced, building a consistent and cohesive privacy experience.

Over time, this implementation will also be necessary for audits to collect and report on user profiles, including versions and proofs, and to provide a single source of truth or consent lineage, enabling a comprehensive view of a user’s entire privacy journey.
2026 is shaping up to be a turning point. With meaningful enforcement of universal opt-outs finally arriving in U.S. browsers, we may see the long-standing divide between U.S. and European privacy expectations begin to narrow. As new consent channels mature—from mobile to CTV to server-side—the entire ecosystem will be pushed to rethink how permissioned data is tracked and governed. Knowing exactly when, where, why, and how consent was gathered will shift from an operational detail to a strategic advantage.
This clarity becomes essential as the industry moves into server-side execution and AI-driven interactions, where user choices must be consistent, transparent, and verifiable across every touchpoint.
- Jeff Wheeler, VP of Product at Didomi (source: 2026 data privacy trends: Predictions from the experts)
3. Make sure opt-outs are also applied to third-party vendors
Another issue highlighted by the Disney CCPA settlement concerned opt-out choices that third-party vendors failed to honor.
Companies looking to ensure privacy choices are effectively forwarded to their marketing stack must consider choosing vendors and solutions that are integrated with one another. This is something we are continually working on at Didomi, as evidenced by our recent announcement of a strategic partnership with Adobe, in the form of a native integration between our Consent and Preference Management Platform and Adobe Experience Platform (AEP).
By integrating privacy management solutions into their marketing stack, companies can ensure that choices are communicated to all required vendors while maximizing the value of consented first-party data to orchestrate omnichannel marketing campaigns.
4. Provide a native opt-out option
The Disney case has demonstrated the importance of providing users with a native privacy interface for each channel and device they use, rather than simply redirecting them to a web form.
This can be achieved with a comprehensive Consent and Preference Management Platform that displays a privacy interface to users and collects their choices across all channels and contexts, whether in a browser, an app, or a connected device.
Didomi is one of a few CMPs certified by Google for web, app, and CTV, providing solutions catered specifically to a format that presents unique challenges, and partnering with specialized providers to help organizations create compliant, curated privacy experiences on Connected TVs.
5. Apply Global Privacy Control (GPC) as an enforceable signal end-to-end
As of Jan 1, 2026, twelve U.S. states require businesses that sell or share personal information (or engage in targeted advertising) to honor opt-out preference signals (OOPSs) or universal opt-out mechanisms (UOOMs) such as GPC.
Honoring these signals has been a central piece of CCPA enforcement in California since 2022 and the landmark $1.2 million fine from the California Attorney General against Sephora for failing to honor opt-out signals, including GPC.
This was only the beginning. Since then, enforcement actions have expanded across regulators and states and have included Sling TV, Tractor Supply Company, TicketNetwork, Honda, and others (full list here). This is a trend that is likely to continue and intensify in 2026:
If you have a privacy mechanism on your website that’s not working, it’s a tell for regulators that you’re not paying attention. If they see that, they’re likely to assume that there are further issues going on and initiate an investigation to dig deeper.
- Julie Rubash, General Counsel and Chief Privacy Officer at Sourcepoint by Didomi
Didomi supports GPC by default for applicable U.S. regulations. To dig deeper, make sure to read our full guide to GPC, or watch the video summary from our Chief Privacy Officer, Thomas Adhumeau.
How Didomi can help with CCPA compliance
Data privacy in the United States is constantly evolving and increasingly challenging to navigate, driven by new laws, the looming threat of litigation, regulatory pressure, and mounting geopolitical tensions.
Large enterprises, in particular, with cross-border audiences and complex consumer offerings, require enterprise-grade solutions and deep expertise to navigate this context and make the right choices to balance compliance, performance, and revenue.
We anticipate that this need will continue to grow in 2026 and beyond, an opinion shared by some of the 20+ experts we gathered to share their predictions earlier this year.
Didomi has the expertise and solutions to help global enterprises navigate the approaching data privacy landscape with confidence, including for Connected TVs. Through our partnerships with leading CTV and OTT technology providers, Google-certified CTV consent management solutions, and cutting-edge work on complex CTV use cases, our team helps modern enterprises avoid compliance pitfalls and turn privacy into a revenue lever.
To learn more about CCPA compliance and discuss your data privacy challenges, book a call with one of our experts. And to stay up to date with U.S. enforcement and regulatory trends, make sure to follow A Little Privacy, Please, the weekly content series from Julie Rubash, General Counsel and Chief Privacy Officer at Sourcepoint by Didomi, on LinkedIn.