California has delivered its clearest message yet on what “opt out” actually means under the California Consumer Privacy Act (CCPA).
In a $2.75 million settlement with the Walt Disney Company—the largest CCPA resolution to date—the California Attorney General focused on a compliance failure that will feel familiar to many organizations operating across multiple platforms: consumers took steps to opt out, but their data continued to flow elsewhere in the ecosystem. From the state’s perspective, that gap isn’t just a technical glitch. It’s a violation.
The lesson for businesses is straightforward, if uncomfortable: if you can recognize a consumer across devices, services, and platforms for advertising or analytics, regulators expect you to recognize—and honor—that same consumer’s opt‑out everywhere those data flows exist.
The Case Against Disney
According to the Attorney General, Disney failed to fully honor consumer requests to opt out of the sale or sharing of personal information across all devices and streaming services linked to a consumer’s Disney account.
The investigation grew out of a January 2024 enforcement sweep of streaming services that asked a simple question: when a consumer opts out, does the data actually stop flowing? While Disney offered multiple opt‑out mechanisms, the AG concluded that they did not reliably deliver a complete opt‑out outcome—even when consumers were logged into their accounts.
Under the settlement, Disney agreed to:
- Pay $2.75 million in civil penalties;
- Implement opt‑out mechanisms that fully stop the sale or sharing of personal information—rather than doing so partially, or only on a device‑by‑device or service‑by‑service basis; and
- Institute a compliance program to assess and monitor the effectiveness of its opt-out mechanisms.
Where Disney’s Opt‑Outs Allegedly Fell Short
What makes the allegations worth attention isn’t Disney’s size; it’s how ordinary the compliance gaps appear.
Opt‑Out Toggles That Worked Only in Limited Contexts
Disney provided opt‑out toggles within certain websites and apps. According to the AG, those toggles often:
- Applied only to the specific streaming service being used; and
- Applied only to the specific device on which the opt‑out was exercised.
The result was predictable: consumers reasonably believed they had opted out, while their personal data continued to be sold or shared through other Disney services or devices tied to the same account.
A Webform That Didn’t Reach Third Parties
Consumers who opted out using Disney’s webform fared only slightly better. While Disney allegedly stopped sharing data through its own advertising platforms, personal information continued to flow to third‑party ad‑tech companies whose tracking tools were embedded on Disney’s sites and apps.
The problem was compounded for connected TV users. Some streaming apps lacked any in‑app opt‑out option, directing users instead to the webform. This left some consumers with no meaningful way to stop data sharing from those apps at all.
Global Privacy Control Signals Limited to a Single Device
The Global Privacy Control (GPC) is intended to function as a universal “stop selling or sharing my personal information” signal. The AG alleged that Disney honored GPC signals only on the specific device that sent the signal—even when the consumer was logged into a Disney account.
From the state’s perspective, that approach undermines the purpose of GPC and fails to deliver an effective opt‑out, as required by the CCPA.
Why This Settlement Matters More Than the Dollar Amount
The $2.75 million penalty makes headlines, but the real significance lies in the enforcement theory behind it.
The Attorney General’s message is that “opt out” is not a button, a link, or a policy statement. It’s an operational outcome. Regulators are not asking whether a business offers multiple preference tools or publishes the right disclosures. They are asking a more direct question: after a consumer opts out, does personal data still get sold or shared anywhere in the ecosystem?
If the answer is yes, the opt‑out will be treated as ineffective—regardless of intent, technical complexity, or organizational structure.
Five Enforcement Expectations Businesses Should Take Seriously
The settlement reinforces several compliance expectations that are likely to shape future CCPA enforcement.
- Opt‑Out Has to Work in Practice: Offering multiple opt‑out paths doesn’t matter if none of them fully stop the sale or sharing of data. Regulators are evaluating data flows and outcomes, not intent or effort.
- Account‑Level Data Requires Account‑Level Opt‑Outs: If a business can link a consumer across services or platforms for advertising or analytics, it must also link—and honor—opt‑out requests across those same services. Technical difficulty is not a defense.
- Device‑by‑Device Compliance Is a Red Flag: Requiring consumers to repeat opt‑out steps across each device or interface is likely unlawfully burdensome. The CCPA expects opting out to be easy, not a scavenger hunt.
- Third‑Party Trackers Remain the Business’s Responsibility: The business is responsible for pixels, SDKs, and other ad‑tech tools it integrates into its websites and apps. The fact that the tools are provided by third parties does not remove that obligation. If personal data continues flowing to third parties after an opt‑out, regulators will hold the business accountable.
- GPC Signals Must Be Meaningful: Honoring GPC signals in narrow or technical ways is unlikely to satisfy California regulators. Businesses should evaluate whether their GPC implementation actually stops all sale or sharing tied to the consumer, not just some of it.
If you’re unsure whether your opt‑out mechanisms would hold up under regulatory scrutiny, a quiet internal pressure test now is far preferable to an enforcement inquiry later.
If you’d like help evaluating whether your opt‑out processes align with CCPA and other state privacy law expectations, we can help.