Disney has agreed to pay $2.75 million to California—the largest CCPA settlement in California history—for systematically failing to honor consumer requests to opt out of data sharing. When consumers checked a box on Disney’s website asking the company to stop selling their streaming data to advertisers, Disney ignored that request and continued sharing information across device-specific and service-specific silos instead of applying the opt-out across all its platforms. This settlement, reached in 2026, forces Disney to change how it handles opt-out requests going forward, making them apply across Disney+, Hulu, and ESPN+ for logged-in users. This article explains what Disney did wrong, what consumers are entitled to know, what the settlement requires Disney to do, and what real changes you should expect to see.
The core violation is straightforward: CCPA gives California consumers the right to tell companies “don’t sell my personal information,” and those companies must obey. Disney received opt-out requests from its streaming service users but treated those requests as applying only to the specific app or device where the consumer submitted the request—not across Disney’s entire ecosystem of properties. Meanwhile, Disney continued to share user data with third-party ad-tech vendors for targeted advertising, defeating the consumer’s intention to stop data sales. The California Attorney General prosecuted this as a willful violation of state law, and Disney settled rather than litigate.
Table of Contents
- What Was the Core Privacy Violation Disney Committed?
- How Exactly Did Disney’s Data Sharing Continue After Opt-Out?
- What Specific Changes Is Disney Required to Make?
- What Practical Changes Will Disney Users See?
- What Is the California Consumer Privacy Act (CCPA) and Why Does It Matter?
- How Does Disney Compare to Other Tech Companies?
- What Does This Settlement Mean for the Future of Streaming and Privacy?
- Frequently Asked Questions
What Was the Core Privacy Violation Disney Committed?
Disney’s violation involved a technical and legal misunderstanding—or deliberate evasion—of what CCPA opt-outs are supposed to do. When a California consumer visited Disney.com, ESPN.com, or the Hulu website and clicked “Do Not Sell My Personal Information,” that opt-out request was supposed to apply across all of Disney’s data-sharing operations. Instead, Disney’s system treated the opt-out as applying only to the specific service or device where the consumer submitted it. If you opted out via the Disney+ app on your iPhone, Disney might still sell your data when you logged in on a Roku, or when you visited ESPN.com on your desktop, or when you accessed Hulu through a web browser.
This fragmentation meant Disney could claim technical compliance while gutting the consumer’s substantive rights. A consumer who carefully read the “Do Not Sell” policy and submitted an opt-out request believed they had stopped Disney from commercializing their streaming habits. In reality, they had only created a narrow exception for one login session or device. Disney then continued selling or sharing data about those same consumers with third-party advertisers and ad-tech vendors, who used it to target ads back to the consumer across the internet. The California Attorney General determined this practice violated California Consumer Privacy Act (CCPA) requirements because Disney failed to “fully effectuate” the consumer’s explicit opt-out request.

How Exactly Did Disney’s Data Sharing Continue After Opt-Out?
Disney’s business model depends on using streaming data to sell targeted advertising. The company collects detailed information about what users watch, when they watch, how long they watch, whether they skip ads, and demographic information tied to account registration. This data is valuable to advertisers who want to reach specific audiences. Disney’s violation was that it continued sharing this data with third-party ad-tech companies—the data brokers and programmatic advertising networks that power the modern ad ecosystem—even after consumers clicked “Do Not Sell.”
The company’s technical architecture made this possible. Disney treated opt-out requests as applying only to the specific system that received the request. If you opted out through a web portal, that opt-out applied only to web traffic. If you later used the Disney+ app on a different device, that device was treated as a separate user session with a separate data profile, and it was not bound by your earlier opt-out. Over time, this meant Disney accumulated multiple “profiles” for the same person across different devices and services, and each profile could be monetized independently unless that specific profile received an opt-out request. The company then aggregated or linked these profiles when selling to advertisers, effectively circumventing the consumer’s stated wish to stop data sales.
A concrete example: Imagine you opted out of data sharing on Disney.com using your desktop browser. Disney logged that opt-out for your web session. But your family’s smart TV still had a different Disney+ account (or your account logged in via a different app), and that account was not flagged with an opt-out. Disney continued to receive and monetize data from that TV session. Worse, Disney’s ad-tech vendors could use device identifiers, IP addresses, or email matching to link the data from your web session to the data from your TV session, effectively reconstructing your full Disney profile even after you opted out of one piece of it.
What Specific Changes Is Disney Required to Make?
The settlement imposes a clear structural change: for logged-in users who submit an opt-out request, that request must now apply across all Disney streaming services—Disney+, Hulu, and ESPN+—in a unified way. This means if you log into your Disney+ account and click “Do Not Sell My Personal Information,” Disney is now required to apply that opt-out to the same account when you access Hulu or ESPN+, assuming you’re logged in and using the same account. Disney cannot fragment the opt-out request across devices or service silos anymore. To prove compliance and accountability, Disney must submit written progress updates to the California Attorney General every 60 days starting within 60 days of the settlement’s effective date. These updates must document how Disney is handling opt-out requests, how many consumers have submitted requests, and what technical changes have been implemented.
This reporting requirement gives California a window into Disney’s data practices and creates an incentive to maintain compliance—if Disney is still violating the opt-out protocol, the AG will have documented evidence. The $2.75 million payment is due within 30 days of the settlement becoming final. This settlement does not require Disney to stop collecting data or to stop serving personalized ads to users who have not opted out. Consumers who want targeted ads can still receive them, and Disney can still monetize that data. The settlement only requires Disney to respect the explicit opt-out choices that consumers make. For consumers who have never submitted an opt-out request, Disney’s data practices continue as before.
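The difference between the siloed opt-out described earlier and the account-level opt-out the settlement requires can be shown as a small audit. This is an added Python sketch, not Disney's code; the class names, account IDs, device names, and events are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Event:
    account_id: Optional[str]  # None for a session that is not logged in
    service: str
    device_id: str

class SiloedOptOuts:
    """Opt-out keyed by (service, device): the fragmented pattern the article describes."""
    def __init__(self):
        self._keys = set()
    def record(self, ev):
        self._keys.add((ev.service, ev.device_id))
    def may_share(self, ev):
        return (ev.service, ev.device_id) not in self._keys

class AccountOptOuts:
    """Opt-out keyed by account: one request covers every service and device."""
    def __init__(self):
        self._accounts = set()
    def record(self, ev):
        if ev.account_id is None:
            raise ValueError("opt-out must come from a logged-in session")
        self._accounts.add(ev.account_id)
    def may_share(self, ev):
        # A logged-out session cannot be matched to an account's opt-out.
        return ev.account_id is None or ev.account_id not in self._accounts

def still_shared(store, opt_out, later_events):
    """Record one opt-out, then list that account's later events that would still be shared."""
    store.record(opt_out)
    return [e for e in later_events
            if e.account_id == opt_out.account_id and store.may_share(e)]

# Constructed sample data: one opt-out on an iPhone, then activity elsewhere.
OPT_OUT = Event("acct-1", "disney+", "iphone")
LATER = [
    Event("acct-1", "disney+", "iphone"),
    Event("acct-1", "disney+", "roku"),
    Event("acct-1", "espn+", "desktop"),
    Event("acct-1", "hulu", "browser"),
    Event("acct-2", "hulu", "tv"),      # different account, never opted out
    Event(None, "disney+", "roku"),     # logged-out session
]

if __name__ == "__main__":
    for store in (SiloedOptOuts(), AccountOptOuts()):
        leaks = still_shared(store, OPT_OUT, LATER)
        print(type(store).__name__, [(e.service, e.device_id) for e in leaks])
```

A check like `still_shared` is the kind of regression test that catches a silo before a regulator does: any non-empty result for an opted-out account means the opt-out was not fully effectuated.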

What Practical Changes Will Disney Users See?
The most noticeable change for Disney users should be in the reliability of opt-out requests. If you submit “Do Not Sell My Personal Information” through any Disney, Hulu, or ESPN+ account portal, that request should now stick across all three services linked to your logged-in account, rather than being siloed to whichever device or website you used to submit it. This means you should receive fewer targeted ads from Disney’s ad-tech vendors and fewer ads based on your Disney streaming behavior. However, a significant limitation exists: the settlement only applies to logged-in users. If you watch Disney+ without logging in (for example, using a shared household account that’s not authenticated to you personally), or if you watch via a web browser without creating an account, the opt-out protections may not apply, because Disney cannot link the anonymous viewing session to a specific consumer’s opt-out request.
Additionally, even after opting out of data sales, you will still see ads—Disney will simply have to serve you non-personalized or less-personalized ads instead of ads targeted to your specific streaming habits. You may also still see ads from other companies that previously purchased Disney’s data before your opt-out took effect, since the settlement does not require Disney to erase data already sold in the past. A comparison point: This is stricter than the protections Apple added to iOS, which let consumers opt out of app tracking across all apps. Disney’s change is more limited—it only applies to Disney’s own ecosystem, not to third-party apps or websites. However, for consumers specifically concerned about how Disney uses their streaming data, this settlement represents a significant tightening of the company’s obligations.
What Is the California Consumer Privacy Act (CCPA) and Why Does It Matter?
The California Consumer Privacy Act (CCPA) is California state law that gives residents specific rights over their personal data. The core rights are: you can ask a company what data it collects about you; you can request a copy of that data; you can ask a company to delete your data; and you can opt out of “sales” of personal information. The CCPA uses “sale” broadly to include not just direct selling of data lists but also sharing of data with third parties for value—including giving data to advertisers or ad-tech companies that use it to deliver targeted ads.
From a legal standpoint, if you opt out, the company must stop sharing your data with third parties for value, even if the company claims it’s not a “sale.” Disney’s case is important because it establishes that CCPA opt-outs must be functionally effective, not just technically documented. A company cannot claim it has honored an opt-out if it has built workarounds that allow it to continue monetizing the consumer’s data through different silos, devices, or accounts. The $2.75 million penalty is significant—it’s the largest CCPA settlement by a single company to date—and it sends a message to other tech companies that fragmented or device-specific opt-out implementations will be challenged. This settlement also highlights how abstract terms like “personal information” and “sale” translate into real consumer harms: in this case, Disney’s fragmented opt-out system meant millions of consumers who believed they had stopped data sales were actually still being profiled and monetized.

How Does Disney Compare to Other Tech Companies?
Disney is not the only major tech company to be prosecuted for CCPA violations, but it is notable for the scale of the settlement and for the specific problem of cross-service fragmentation. Other tech companies have paid CCPA settlements for failing to honor consumer data deletion requests, failing to disclose all categories of data collected, or failing to provide adequate opt-out mechanisms. The distinguishing factor in Disney’s case is that the company had opt-out mechanisms in place—consumers could actually click a button to stop data sales—but those mechanisms were deliberately or negligently designed to apply only to individual devices or services rather than to the consumer’s account as a whole.
This matters because it shows that building a compliant opt-out button is not enough; the opt-out must actually work across the company’s entire data ecosystem for the same consumer. Disney’s business structure, which involves multiple consumer-facing brands (Disney+, Hulu, ESPN+) with separate data systems, created a compliance trap. The company either needed to integrate its data systems to recognize the same user across all services and apply opt-outs universally, or it needed to face liability. Disney chose to settle rather than redesign its entire data infrastructure.
What Does This Settlement Mean for the Future of Streaming and Privacy?
The Disney settlement is likely to influence how other streaming companies and large tech platforms design their opt-out systems going forward. Other streaming services like Netflix, Amazon Prime Video, and Apple TV+ may face similar pressure to ensure their opt-out protections apply at the account level rather than the device or service level, especially if they operate multiple services under one corporate parent. The settlement also demonstrates that California’s Attorney General under current leadership is willing to litigate and win significant CCPA cases, making CCPA compliance a priority for companies rather than a checkbox exercise.
Looking ahead, the 60-day reporting requirement imposed on Disney is a prototype for ongoing oversight. If other settlements adopt similar structures, consumers and regulators will have more visibility into how companies are actually handling opt-out requests, which could drive further changes. The settlement also highlights a tension in the current regulatory environment: CCPA creates rights for California consumers, but CCPA is a state law, and companies serving national or global audiences may struggle to maintain separate compliance standards for California users. Some companies may decide to extend California-style opt-out protections to all users rather than maintaining different systems for different states, which would broaden the practical impact of this California-specific settlement.
Frequently Asked Questions
Does the Disney settlement give me money or a refund?
No. The $2.75 million settlement goes to the California Attorney General, not directly to consumers. The settlement changes Disney’s future data practices rather than providing compensation to users who were harmed.
If I’ve already opted out with Disney in the past, do I need to opt out again?
Disney’s new system should recognize previous opt-out requests across all services going forward, but it is advisable to verify your preferences in the settings of each service (Disney+, Hulu, ESPN+) to ensure your opt-out is properly recorded under the new system.
Will I stop seeing all ads on Disney+ if I opt out?
No. Opting out stops Disney from selling your data and serving you targeted ads based on your streaming habits. You will still see ads on Disney’s ad-supported tiers, but those ads will be less personalized or non-personalized.
Does this settlement apply to me if I don’t live in California?
The CCPA only applies to California residents, so this settlement and its protections are specifically for California users. If you live in another state with privacy laws (like Colorado or Virginia), you may have different privacy rights depending on your state’s requirements.
What if Disney is still not honoring my opt-out request?
You can file a complaint with the California Attorney General or consult with a consumer privacy attorney. The 60-day reporting requirement means the AG is monitoring Disney’s compliance, so ongoing violations could trigger further enforcement action.
Can Disney use my past data to target me even after I opt out?
The settlement does not require Disney to erase data already sold before your opt-out request. Disney can continue to use or share data that was collected and sold before you opted out. The opt-out only stops future sales and sharing of new data collected after the opt-out takes effect.
