Key Takeaways

• The California Attorney General (AG) reached a record $2.75 million settlement with Disney, stemming from allegations that the company violated the California Consumer Privacy Act (CCPA) by failing to adequately recognize consumer opt-out rights across its diverse platform.
• The settlement with Disney highlights how both the California AG and the California Privacy Protection Agency (CPPA) are still keenly focused on consumer opt-out rights while increasing scrutiny of complex ecosystems of personal information.
• Businesses should expect heightened scrutiny into the technical implementation of their consent management platforms and broader enforcement, including potentially steep fines and multi-year compliance obligations for violators.

The California AG’s recent $2.75 million settlement with Disney marks a further escalation by enforcers of the CCPA, both in penalty size and in the breadth of the activity being monitored. In October 2025, we analyzed the CPPA’s then-record $1.35 million enforcement action against Tractor Supply, which highlighted an expanded focus on privacy notices, job applicant disclosures and annual update requirements. While the Tractor Supply matter centered largely on disclosure deficiencies, the Disney action focuses heavily on the technical implementation of consumer opt-out rights in complex digital platforms and reinforces that technical implementation of consent management platforms must match an organization’s written disclosures. In essence, the California AG and the CPPA — which share enforcement authority under the CCPA — are more deeply scrutinizing complex data flows and taking action where consumer rights appear to be inadequately honored.

Allegations Against Disney: Opt-Out Rights in Practice

According to the California AG, Disney failed to adequately honor consumers’ right to opt out of the “sale” or “sharing” (the CCPA’s term of art for “targeted” or “cross-context behavioral” advertising) of personal information under the CCPA.

Key allegations included:

• Consumers’ opt-out selections applied only to specific devices or streaming services rather than across all platforms tied to the same Disney account;
• Global Privacy Control (GPC) honored at device level did not propagate consumers opt-outs to other devices and Disney-controlled properties; and
• Certain embedded third-party advertising technologies continued to collect or receive personal information in ways that constituted “sharing” even after consumers submitted opt-out requests.

The California AG’s allegations underscore regulators’ expectation that opt-out rights must function comprehensively across all business units, digital properties and integrated technologies.

Penalties Are Increasing, and So Are Oversight Obligations

The $2.75 million settlement surpasses prior CCPA penalties and suggests that California enforcement authorities are prepared to impose materially higher fines for systemic failures. The financial exposure is only part of the risk. The operational burden of multi-year regulatory oversight can be equally significant.

As noted in the Tractor Supply settlement, businesses may be required to certify compliance annually for multiple years. Similarly, the settlement requires that Disney implement opt-out methods that fully stop its sale or sharing of consumers’ personal information.

Expanding Enforcement

The trajectory of recent enforcement activities — including those against American Honda Motor Co., Todd Snyder, Tractor Supply and now to Disney — shows that the privacy enforcement is maturing. Early actions focused on enforcing basic data subject rights, followed by targeting privacy notices and contractual safeguards. Now both the California AG and the CPPA are scrutinizing the detailed technical implementations of digital advertising and multi-device consent management. The Disney settlement signals that regulators expect companies to operationalize privacy rights seamlessly across modern digital platforms. Taken together, these four actions illustrate regulators’ expanding scope of enforcement and expectation that companies focus on the entire lifecycle of privacy compliance.

What Businesses Should Do Now

The takeaway is clear: California’s regulators are actively enforcing their authority under the CCPA. Covered businesses should ensure compliance by:

• Reviewing privacy notices at least annually;
• Ensuring opt-out rights work technically and apply across affiliated brands and platforms;
• Scrutinizing ad-tech data flows; and
• Ensuring alignment between backend systems and front-end representations.

Polsinelli’s Technology Transactions & Data Privacy team continues to monitor California privacy enforcement trends and assists clients in conducting compliance assessments, implementing opt-out controls and managing regulatory inquiries. Please reach out to our team for further guidance.