On February 11, 2026, California’s Office of the Attorney General (“OAG”) settled with the Walt Disney Company to resolve four alleged CCPA violations related to the media giant’s streaming service business. This is the OAG’s second enforcement action resulting from its 2024 investigative sweep of streaming services, the first being a $530K settlement with Sling TV in October 2025. The OAG’s complaint against Disney alleged violations of the CCPA and California’s unfair competition law, arguing Disney’s streaming service opt-out methods were ineffective, deceptive, and incorporated dark patterns.
Background and the Complaint
Disney owns and operates Disney+, Hulu, and ESPN+, each an account-gated streaming service. The OAG’s complaint is primarily focused on how Disney allegedly handled a consumer’s right under the CCPA to opt out of Disney selling or sharing their personal information in connection with these streaming services, whether accessed by app or website.
As detailed below, the OAG argued Disney’s alleged practices violated the CCPA by not fully honoring sale/sharing opt-out requests, making opt-out requests more difficult to submit than necessary, and not designing opt-out methods based on the manner in which Disney interacts with consumers.
Disney allegedly sold/shared personal information…
As a threshold matter, the OAG first argued that Disney engaged in advertising practices on its services that constitute sale/sharing of personal information by collecting, using, and disclosing personal information to third parties for purposes of targeted advertising. This includes alleged practices of disclosing personal information (i) to help third parties target advertisements on its services, and (ii) via cookies on its services to third parties who then “personally target[ed] ads to Disney users… on and off” Disney services. As these alleged practices each involve disclosing personal information to third parties for cross-context behavioral advertisement purposes, the OAG stated that Disney is subject to the CCPA’s sale/sharing requirements, laying a basis for its four alleged violations.
… but allegedly did not fully honor sale/sharing opt-out requests as required by the CCPA.
The OAG did not contest that Disney did provide consumers with several opt-out methods. Instead, the OAG focused on the alleged insufficiency of those methods. In particular, Disney allegedly only effectuated sale/sharing opt-out requests from consumers with respect to the “specific [Disney] service and device the consumer was using when they requested to opt-out.” The OAG claimed that to the extent consumers were authenticated into their Disney accounts when submitting opt-out requests, “Disney already knew exactly which devices were associated with the user or connected to their account,” so the CCPA requires Disney to further implement those consumers’ requests, including from Global Privacy Control (GPC) signals “across all of Disney’s systems, brands and devices.” Illustratively, Disney allegedly “effectuated opt-out requests submitted through its webform only with respect to the company’s own advertising platform… [and] continued to share those consumers’ data with third-party ad-tech partners” via cookies.
The OAG believes existing opt-out methods are not easy for consumers and require too many steps.
Calling Disney’s existing opt-out scheme “disjointed,” the OAG claims that “Disney would not fully opt-out a[n] [authenticated] consumer unless the consumer (1) completed Disney’s opt-out webform and (2) individually used the opt-out toggle for each service on each device the consumer used” (italics in original). So, if a consumer was “subscribed to the Disney bundle and accessed the service from [three devices] … [they] would have to express their opt-out choice up to ten times”: one toggle or GPC request for each of the three services on each of the three devices, and a tenth time via the webform. According to the OAG, if Disney knows which devices are associated with a given user/account, Disney does not need to require a consumer to “jump[] through all these hoops.” Instead, Disney would already be equipped to effectuate an opt-out request via “[a]ny one of these methods” across the board.
Opt-out methods provided on app-based devices did not reflect the manner in which Disney primarily interacts with users on those devices and were not effective.
Finally, the OAG claimed that for “many of [Disney’s] connected TV streaming apps,” Disney “did not provide an in-app opt-out mechanism… [instead] direct[ing] consumers to use their computer or mobile device to visit Disney’s opt-out webform.” By requiring app users to interact with a different Disney service in order to submit an opt-out request, the OAG alleges Disney’s app-specific opt-out methods did not “reflect[] the manner in which [Disney] primarily interacts with its customers” as required by the CCPA.
The OAG noted, but did not seem persuaded by, Disney “citing vendor and technological limitations” as the reason for this redirection. This hesitancy could be because the OAG further claimed Disney “knew” requests submitted via the webform would not restrict sharing through the app (see previous claims), arguing the vendor and technological limitations effectively resulted in there being “no way for consumers to stop Disney from selling and sharing personal information from these apps.”
The Settlement
In addition to a $2.75M penalty, Disney is subject to several injunctive terms under the settlement. Many terms go beyond the scope of the alleged violations in the complaint, addressing notice requirements as well as opt-out rights. And, while the investigation that instigated the settlement was focused on Disney’s streaming services, the settlement terms apply broadly to any Disney entity that “links to or includes The Walt Disney Company privacy policy… on its website, application, or online service.”
Two of the settlement terms are more significant.
First, Disney must comply with a consumer’s request to opt out of sale/sharing by (1) stopping the sale and sharing of their personal information, and (2) stopping cross-context behavioral advertising for that consumer. Notably, businesses are not otherwise required to honor requests to opt out of cross-context behavioral advertising under the CCPA unless they disclose personal information to a third party for that purpose (i.e., unless it becomes “sharing”). Neither the OAG nor CalPrivacy has previously required businesses to honor opt-outs of cross-context behavioral advertising not involving sale or sharing in connection with a CCPA settlement or order.
Second, the required notice of the right to opt-out of sale/sharing in Disney’s streaming services must be “formatted and designed to fit and scale to the web browser, application, or device where it is provided, and shall not require a consumer to unnecessarily search or scroll through text… or use hard-to-find-links, unlabeled carets, arrows, or other hidden menu icons, that add unnecessary steps and may be unclear.” While the CCPA’s implementing regulations already provide several examples of notice and interface design that violate the regulations’ ease-of-use requirements, the specific designs that the OAG mentions—content scaling, hard-to-find links, and hidden menu icons—have not been explicitly described as poor choice architecture until now.
Two settlement terms were not tied to corresponding violations alleged in the complaint.
Disney must provide notice to consumers that Disney’s advertising services use personal information obtained from third parties. Disney must also ensure that third parties to whom Disney discloses personal information comply with Disney’s obligations under the CCPA.
Many of the other settlement terms are standard for the OAG’s and CalPrivacy’s enforcement actions under the CCPA. For example, Disney must address the alleged violations by complying with relevant CCPA requirements. Disney must also implement a program to monitor and report compliance with the settlement terms for three years.
Key Takeaways
Businesses that sell or share personal information subject to the CCPA should consider taking the following steps:
Review authenticated and unauthenticated user opt-out mechanisms. The OAG repeatedly emphasized that Disney “already knew exactly which devices were associated with the user or connected to their account” by the time a consumer submitted a sale/sharing opt-out request or indicated opt-out via GPC signal. If a consumer is logged in to your business’s services when they submit or signal an opt-out request, make sure that the request is applied to stop all sale/sharing in connection with not only authenticated devices associated with that consumer’s account but also data you know is associated with the same consumer on unauthenticated devices.
Harmonize opt-out methods. Even if your business provides distinct opt-out methods in each component of its services, as Disney did, determine if these methods can be unified on the back end. For example, if your business has an ad platform, consider whether an opt-out from an individual through your ad platform can be tied to and honored for data about the same individual used to target ads about your business on other platforms. And if you have multiple business brands or subsidiaries that share data for advertising, make sure that you have a way to flow opt-outs from one brand/subsidiary to the others.
Test opt-out methods. The OAG’s factual allegations appear to be based almost entirely on simulating a Disney user’s experience and testing the available opt-out flows. Consider periodically pressure-testing your opt-out methods from an outsider’s point of view, to ensure that they are working as intended and are easy to use. An opt-out method described in an app should work to opt a user out of sale/sharing of data from that same app. As part of this, your team could weigh existing processes against examples of choice architecture, dark patterns, and the like detailed in the CCPA’s implementing regulations. And if you use a third-party opt-out vendor, consider independent testing of their processes.
Update dark patterns guidelines. If your business has a process to review notices and interfaces in its services for dark patterns, before launch or periodically thereafter, update as needed to address content scaling, link visibility, and menu icon visibility as part of that review.
Cameron Cantrell is an Associate at Hintze Law PLLC, counseling companies on global AI and data protection issues, including health (consumer, biotech, genetics), business (CCPA, GDPR), and areas of ongoing federal regulation (HIPAA, GLBA, the DOJ Cross-Border Data Transfers Rule, human subject research).
Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized boutique law firm that provides counseling exclusively on data protection. Hintze attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of AI, privacy, and data security.
