California’s 11 February 2026 settlement with Disney is one of the clearest CCPA warnings yet for teams that run the same customer account across multiple apps, devices, and ad-tech integrations. The point is bigger than streaming. It is about whether one opt-out request actually stops sale or sharing everywhere your systems say it should. If that answer changes by device, service, or login state, you have an enforcement problem.
What California said happened
In a press release published on 11 February 2026, the California Attorney General announced a $2.75 million settlement and permanent injunction with The Walt Disney Company. California said Disney failed to fully effectuate consumers’ requests to opt out of the sale or sharing of personal information across Disney+, Hulu, ESPN+, and other account-linked streaming contexts. On 11 February 2026, California described that settlement as the largest CCPA settlement to date. That stopped being true on 8 May 2026, when the General Motors settlement became larger. The useful lesson, though, is the same now as it was then: a consumer right does not become optional because your architecture is fragmented.
The Disney case came out of California’s 2024 investigative sweep of streaming services. The state alleged that Disney offered several opt-out routes, but none of them reliably stopped all relevant data flows. That matters because the CCPA requires businesses to offer workable ways to opt out of sale or sharing, including via a valid Global Privacy Control signal. A control that works only halfway is not a real control.
Where Disney’s opt-out flow broke down
The toggle applied to one service or one device
California’s filed complaint says Disney’s in-app and on-site toggles often applied only to the specific streaming service the user was on, and sometimes only to the device they were using at that moment. For a logged-in customer, that is a serious design failure. If the business can recognise the account across services and devices for advertising, billing, or personalisation, it can also recognise the account for an opt-out.
The webform did not stop every sharing pathway
The complaint also says Disney’s webform cut off sharing only through Disney’s own advertising platform, while some embedded third-party ad-tech code kept transmitting data. That is the operational point managers need to test in their own stack. A privacy webform can look complete in policy copy while leaving SDKs, tags, APIs, or broker feeds untouched in production. Our article on the General Motors CCPA settlement shows a different enforcement angle, but the same pattern appears: policy language and live data flows can diverge.
Connected TV users were pushed back to the web
California said some connected TV apps did not provide an in-app opt-out route at all. Instead, users were directed to a webform that, according to the complaint, had no effect on the embedded code in those apps. That left some consumers with no working way to stop sale or sharing from that app environment. If your service runs on smart TVs, mobile apps, browsers, and partner devices, web-only rights handling is not enough.
GPC was treated as device-level even for logged-in users
California’s Disney press release says users who opted out through GPC were often opted out only for the device they were using, even when they were logged in. That clashes with the Attorney General’s own GPC guidance, which describes GPC as a user-enabled signal that covered businesses must honour as a valid request to stop sale or sharing. The injunction goes further. It requires Disney to effectuate a logged-in consumer’s opt-out across all Disney streaming services associated with that consumer’s Disney account and to give consumers a way to confirm that the request was processed.
What this means for managers
The simplest reading of the case is this: an opt-out must follow the consumer, not the screen. That does not mean every anonymous browser signal has to become account-wide without more information. California’s judgment recognises that logged-out and no-account scenarios are different. But once a user is logged in and you associate services, profiles, and devices to that account, you need one source of truth for the sale-or-sharing preference. Without it, the customer sees one choice while the business runs several conflicting versions of that choice behind the scenes.
This matters well beyond media companies. A retailer with a website, a mobile app, a loyalty account, and third-party audience tools faces the same basic risk. So does a travel brand, a publisher, or a subscription business. If your data model treats the same person as separate identities in separate systems, rights handling breaks first where those systems reconnect: ad-tech, measurement tools, and audience syncs.
If you need the wider legal background, our California CCPA/CPRA explainer covers the broader framework. The Disney settlement adds the practical rule: do not call something an opt-out unless it stops the data flow that a reasonable consumer would expect it to stop.
Four checks managers should run now
- Map every opt-out entry point. Test the website toggle, the app toggle, the webform, the customer-support route, and GPC against every service where the account is used.
- Separate logged-in and logged-out behaviour. For logged-in users, check whether one choice suppresses sale or sharing across all linked services and devices. For logged-out users, check what extra information is needed and how that is explained.
- Trace third-party data flows after the opt-out. Review whether tags, SDKs, ad-server calls, audience exports, and broker transfers actually stop when the preference is set.
- Show the consumer that the request worked. California’s injunction required a way for users to confirm that their request had been processed. Your teams should be able to prove the same thing in logs, UI, and vendor notices.
Which teams own the fix
This is not a legal-team-only issue. Privacy and compliance teams need to define the rule. Product teams need to make the preference account-wide where the account is known. Engineering teams need to wire that preference into every service and device path. Martech and ad operations need to check the third-party side. Vendor management needs to make sure downstream partners honour the instruction. If one of those groups is missing, the opt-out will look complete in a deck and fail in the product.
The immediate operational step is simpler than a new policy. Pick one live customer path, submit one opt-out, and test whether the data still moves anywhere it should not.
Sources
- California Attorney General press release on the Disney settlement, 11 February 2026
- California complaint against The Walt Disney Company, filed 11 February 2026
- Final judgment and permanent injunction in People of the State of California v. The Walt Disney Company
- California Attorney General guidance on Global Privacy Control
- California Attorney General privacy enforcement actions page
- California Attorney General press release on the General Motors settlement, 8 May 2026
