The Walt Disney Company is cutting a $2.75 million check to California to resolve allegations from the state attorney general that its streaming platforms made it unreasonably hard for users to opt out of having their personal data sold or shared across devices and apps. State investigators found that toggle switches, web forms and in-app settings often failed to stop third-party ad tech from receiving data tied to a single Disney account, despite users trying to shut it down. The deal is the latest outcome of a multiyear probe into how streaming services handle consumer privacy.
In a California Department of Justice announcement, officials said the settlement resolves allegations that Disney violated the California Consumer Privacy Act by failing to fully carry out consumers' opt-out requests. The agreement requires Disney to pay $2.75 million and to implement opt-out tools that, in the state's words, “fully stop Disney’s sale or sharing of consumers’ personal information.”
What the settlement requires
The DOJ's review concluded that when users flipped in-app toggles to opt out, the setting often applied only to the specific service or the device in use. Investigators also said Disney’s webform did not block some third-party ad-tech providers, and Global Privacy Control signals were honored only at the device level, not across a full account. All of that meant account-level opt-outs did not reliably follow users from one Disney service to another, as reported by TheWrap.
The settlement language directs Disney to stop selling or sharing data for any consumer who opts out and to give clearer notice about the types of targeted advertising that depend on third-party data. In practical terms, that means users who say “no” to data sales should have that decision respected across the Disney ecosystem, not just on a single screen.
Where this fits in California enforcement
Privacy lawyers and reporters have called the payout a big one, and Bloomberg Law described it as the largest settlement under California's privacy law to date. The action joins a growing roster of California Consumer Privacy Act enforcement cases that have led to settlements with companies including Sephora, DoorDash and Sling TV, according to the California Department of Justice.
Regulators are using these cases not just to collect checks but to force operational changes, pushing companies to rework how opt-outs are honored across devices and services instead of treating privacy controls as one-off settings.
Disney response and next steps
Disney said it continues to invest in privacy and will work to put the required changes in place, a company spokesperson told TheWrap. The agreement is reported to be subject to court approval.
The Record reports that once a judge signs the order, Disney must submit an initial compliance update within 60 days, then provide progress reports every 60 days until all of its services comply with the settlement's terms.
Legal implications
Privacy attorneys say the order could widen how opt-out rights are enforced in California by effectively treating certain targeted advertising that relies on third-party data, known as cross-context behavioral advertising, as subject to opt-out obligations. The contours of that category and its consequences under California law are laid out by privacy counsel at firms such as Arnold & Porter.
Independent analysis of the Disney settlement terms indicates that companies will need to ensure their vendors and embedded ad tech actually honor account-level opt-outs, not just device-level toggles that can leave digital back doors open.
For Californians, the settlement is meant to make it more straightforward to stop the sale or sharing of their data across every device tied to a single streaming account. For the broader streaming industry, it is a warning shot that when privacy controls do not work as advertised, regulators are prepared to demand clearer notices, tighter vendor oversight and concrete technical fixes.
