February 20, 2026

California Attorney General Secures the Highest CCPA Settlement To Date

California’s Privacy Police continue the campaign to promote compliance with the California Consumer Privacy Act (CCPA) and seek remedies from businesses that they conclude have not complied. The Attorney General’s office announced a settlement for $2.75 million—the largest CCPA settlement that California has ever secured—against the Walt Disney Company (Disney).

The settlement arose from an investigation into various streaming services’ compliance with the CCPA that commenced in 2024. This led to an investigation into Disney’s practices. Subsequently, the Attorney General’s office sued Disney for alleged violations of the CCPA. Specifically, the allegations included that Disney did not properly allow people to opt out of the sale or sharing of their data after a consumer requested that Disney not sell or share their data—an express violation of the CCPA.

Stemming from its investigation, the Attorney General alleged that if a consumer opted out of the sale or sharing of their data by Disney, that opt-out was not honored across the board. For example, an individual might have opted out on one device, yet their data was being shared or sold through other devices they used. Consequently, these issues allegedly violated the rights of consumers as Disney continued to sell or share the consumers’ data.

In addition to the payment, Disney is required to provide a more consumer-friendly opt-out process, so consumers can opt out more easily. The settlement further compels Disney to adopt various protocols depending on whether a consumer is logged into their account or not. If a consumer is logged into their Disney account, the opt-out must be effective across all of Disney’s streaming platforms associated with that account. If the consumer is not logged into their account (or does not have one), Disney shall advise the consumer that it may be necessary to log into their account or direct the consumer to provide some personal information to complete the consumer’s opt-out. If the consumer chooses not to log into their account or provide the personal information, the opt-out will only cover that browser, device, application, or profile that Disney associates with that browser, device, or application where the consumer attempted to opt out. Further, Disney must report its compliance efforts to the Attorney General for three years.

This settlement highlights that California takes perceived privacy violations seriously. Companies, including employers who fall under the CCPA/CPRA, need to look critically at their systems to ensure that they comply with the CCPA, including making it simple for consumers to opt out of the sharing or sale of their data. Contact Dalia Khatib, Dan Forman, or any member of CDF’s Privacy Practice Group for legal counsel in this rapidly evolving area.
