The Office of California Attorney General Rob Bonta announced the largest settlement for violations of the California Consumer Privacy Act (CCPA) to date, imposing a $2.75 million civil penalty and injunctive relief focused on how Disney implements consumer opt-outs across its streaming ecosystem. Disney must pay the penalty within 30 days of the judgment’s effective date. Beyond the headlining number, the settlement highlights an enforcement theme that has become increasingly explicit. Opt-out rights must be effective in practice across the interfaces where consumers actually interact, not merely available as a formal policy or isolated control.
According to allegations, Disney did not fully effectuate consumers’ requests to opt-out of the sale or sharing of personal information across all devices and streaming services connected to a consumer’s Disney account. The court entered a stipulated “Final Judgment and Permanent Injunction” in Los Angeles County Superior Court pursuant to the CCPA and California’s Unfair Competition Law. The judgment defines the covered footprint broadly, stating that “Disney streaming services” include, without limitation, Disney+, Hulu, and ESPN+. That framing matters for any company operating multiple “distinctly branded” services that are nonetheless tied together through shared identity, ad tech, or data infrastructure.
For most regulated organizations, the larger financial exposure is often operational rather than punitive. Investigation response, engineering remediation, vendor reconfiguration, and validation across multiple apps and device types can quickly outpace the civil penalty, particularly when opt-outs must propagate through identity graphs and pseudonymous profiles used for selling, sharing, or cross context behavioral advertising.
The injunctive provisions, however, are the real compliance signal. Disney must implement a “consumer friendly, easy to execute opt out process” with minimal steps and support for opt-out preference signals, then apply opt-outs account wide for logged-in users across all associated Disney streaming services .
The order also addresses common failure points for non-logged-in users, requiring clear instructions about logging in or providing only minimal personal information needed to fully effectuate the opt-out, while otherwise treating the opt-out as applying to the browser, app, or device and associated profiles. It further requires clear and conspicuous opt-out links, device scaled notices, and controls that do not rely on hard to find or friction heavy interface patterns, a way for consumers to confirm the opt-out was processed, and guardrails against confusing “choice architecture” that could imply cookie settings or marketing preferences substitute for a full opt-out of sale or sharing.
Finally, Disney must provide ongoing progress updates and maintain a 3-year assessment and monitoring program with annual reporting, reinforcing that California’s focus is shifting from one time user interface fixes to durable operational controls. The full order and settlement can be found here.