California Attorney General Rob Bonta announced his office reached the largest California Consumer Privacy Act settlement to date, a USD 2.75 million penalty and corrective measures imposed on The Walt Disney Company over claims of CCPA opt-out requirement noncompliance. The enforcement action surpasses the USD 1.55 million settlement secured with Healthline Media on July 1, 2025, over similar opt-out allegations, and underscores a clear enforcement trend: opt-out compliance remains a top priority for California regulators.
The Investigation and Findings
The California Department of Justice’s investigation into Disney stems from a January 2024 investigative sweep of streaming services for potential CCPA violations. The investigation found that Disney’s opt-out processes did not allow a consumer—even when logged into their account—to completely opt out of and stop all sale or sharing of their data. Each of the methods Disney provided contained key gaps that allowed Disney to continue selling and sharing consumers’ data.
Opt-Out Toggles
When a user requested to opt out via a toggle in Disney’s websites and apps, Disney applied the request only to the specific streaming service and, often, only the specific device the consumer was using. In most instances, the toggle did not stop selling or sharing from other devices or services connected to the consumer’s account.
Webform
When a user opted out using Disney’s webform, Disney stopped sharing data only through its own advertising platform. Disney continued to sell and share consumer data with third-party ad-tech companies whose code was embedded in its websites and apps. Disney also failed to provide an in-app opt-out method in many of its connected TV streaming apps, instead directing consumers to its webform—effectively leaving consumers with no way to stop selling and sharing from those apps.
Global Privacy Control
For consumers who opted out via GPC (“Global Privacy Control,” which is a browser-based signal that communicates a universal“stop selling or sharing my data” preference) Disney limited the request to the specific device the consumer was using, even when the consumer was logged into their account.
Broader Enforcement Trends
A majority of the seven CCPA settlements reached by Bonta’s office to date focus on opt-out violations. In September 2025, the Attorney General joined the California Privacy Protection Agency and attorneys general in Colorado and Connecticut for a coordinated investigative sweep targeting GPC signal noncompliance. Similar momentum is emerging elsewhere: Connecticut Attorney General William Tong reported that a majority of complaints under the Connecticut Data Privacy Act concerned insufficient deletion request responses, while Minnesota Attorney General Keith Ellison noted approximately 200 complaints under that state’s law over six months, predominantly involving deletion rights.
Contact ComplyAuto Today
Whether you are in California, Connecticut, Minnesota, or another state, you need to take steps to ensure you are addressing the complicated state law consumer requests, privacy notice requirements, and cookie consent banner obligations. Reach out to ComplyAuto today to learn more about how our solutions can make these complicated and risky issues simpler and more manageable.