California’s Record-Setting Enforcement Signals Heightened Privacy Oversight

California Attorney General announced on February 11, 2026, a record-setting $2.75 million settlement with The Walt Disney Company for systemic failures to honor consumer opt-out requests across streaming services and digital platforms required under the California Consumer Privacy Act (CCPA). The settlement is the largest to date and marks a clear, escalating pattern of CCPA enforcement across industries.

CCPA Violations

The AG’s investigation identified three distinct categories of CCPA non-compliance that left consumers without a comprehensive, one-step opt-out, as required under CCPA.

• Deficient Opt-Out Toggles: When consumers clicked an opt-out toggle within a Disney streaming app, the opt-out applied only to that specific service and then, often, only to that specific device. A consumer watching Disney+ who opted out could still have their data sold through Hulu, ESPN+, or other Disney platforms accessed on different devices – even if they were logged into the same Disney account.
• Inadequate Webform Opt-Out: Disney’s webform opt-out mechanism stopped data sharing only through Disney’s own advertising platform. It did not prevent Disney from sharing consumer data with third-party ad-tech companies whose code was embedded directly in Disney’s website and apps. Compounding the problem, many of Disney’s connected TV apps lacked in-app opt-out functionality altogether, instead redirecting consumers to the webform, effectively leaving those consumers without a meaningful way to stop data sharing from those platforms.
• Non-Compliant Global Privacy Control (GPC) Processing: The GPC is a browser-level signal that, under the CCPA, must be honored as a valid opt-out request. Disney processed GPC signals only at the device level, even when the consumer was logged into their Disney account. This meant that a GPC opt-out on one browser did not carry over to the other devices or browsers associated with the same account.

1. What This Means for Businesses

Consumers’ opt-out rights under CCPA must be universal, accessible, and technology-agnostic.

• Universal: Opt-out controls must cover all devices and services tied to a single consumer account.
• Accessible: Businesses must provide clear, easy-to-find opt-out methods; the absence of in-app opt-out functionality (for example on streaming devices) may be deemed inadequate.
• Technology-Agnostic: Consumer privacy signals, including GPC, must be honored consistently across platforms.

Recommendations

In the aftermath of this enforcement action, consider taking the following steps:

1. Conduct a Comprehensive Opt-Out Mechanism Audit

Map every pathway through which your organization sells or shares personal information and verify that each opt-out mechanism – toggles, webforms, email links, GPC – actually stops all data flows when triggered. Engage your engineering, advertising, and legal teams jointly to identify gaps between stated opt-out functionality and actual data flow behavior. 

2. Implement Account-Level, Cross-Platform Opt-Out Propagation

The AG has made clear that opt-outs must be honored at the account level, across all devices, and all affiliated devices rather than just for the specific app or device where the consumer made the request. If you operate on multiple digital services, apps, or platforms under a unified account system, an opt-out request from any one touchpoint should propagate to all associated services and devices. Implement a centralized preference management system that can synchronize opt-out signals across your entire ecosystem in real time.

3. Honor Global Privacy Control

Ensure your website and app infrastructure can detect and process GPC signals. In practice, when a logged-in user’s browser sends a GPC signal, treat it as an account level opt-out – not merely a device-level or session-level request.  Confirm GPC signals are recognized and actioned across your stack.

4. Audit Third-Party Data Sharing Relationships

Review all third-party data sharing integrations embedded in your websites and apps to understand precisely what data is transmitted to each vendor, under what circumstances, and whether your current opt-out mechanisms actually suppress those transmissions. Where they do not, implement technical controls to ensure compliance.

5. Documentation and Notice Updates

Update your privacy notices to reflect compliant opt-out options.  Consider removing any mechanisms that require consumers to navigate to a separate webform to exercise their rights when using a TV-based or other non-browser app. Each platform and interface must provide its own accessible opt-out mechanism.  Provide clear instructions and transparency regarding how consumer requests are processed.

Looking Ahead

This enforcement action underscores the heightened risk profile for consumer privacy non-compliance.  Companies offering digital services must look beyond checkbox compliance and scrutinize whether opt-out mechanisms actually work in practice, across every touchpoint a consumer might encounter.  A trend toward heightened CCPA penalties should instigate internal disciplines to ensure your organization does what is necessary to become CCPA compliant well in advance of the AG’s sweep of your specific company or industry.

Authors: