Fragmented opt-out across devices and streaming services
Disney’s opt-out mechanisms were siloed by device and by service. An in-app toggle applied the opt-out only to the specific streaming service, and often only to the specific device in use, so all other Disney-linked services and devices continued to sell and share data. Disney’s webform stopped sharing through its own ad platform but not with embedded third-party ad-tech vendors. GPC signals were honored only for the specific device that sent the signal, even when the consumer was logged into a Disney account, so cross-device data sharing continued.
The core violation is scope fragmentation — each opt-out method had deliberate gaps that collectively ensured no opt-out was ever fully effective. Disney must implement opt-out processes that apply account-wide across all devices and services.
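The gaps described above can be audited by enumerating every service, device and sharing path for an account and checking which ones an opt-out actually closes. The following is an added example, not code from Disney or the settlement; the service, device and sink names are constructed placeholders, and the siloed rule assumes the toggle is bound to one service and one device and the webform covers only the first-party ad platform.

```python
from dataclasses import dataclass
from itertools import product
from typing import Optional

# Constructed placeholders, not real service, device or vendor names.
SERVICES = ("service_a", "service_b")
DEVICES = ("tv", "phone")
SINKS = ("own_ad_platform", "embedded_vendor")

@dataclass(frozen=True)
class OptOut:
    channel: str                   # "toggle", "webform" or "gpc"
    account: str                   # account the consumer was logged into
    service: Optional[str] = None  # service where it was submitted
    device: Optional[str] = None   # device that submitted it

def has_gpc(headers):
    """True when a request carries the Global Privacy Control header."""
    norm = {k.lower(): v.strip() for k, v in headers.items()}
    return norm.get("sec-gpc") == "1"

def blocked_siloed(o, service, device, sink):
    """Scope of each channel as the page describes it (assumed model)."""
    if o.channel == "toggle":      # one service on one device
        return (o.service, o.device) == (service, device)
    if o.channel == "webform":     # first-party ad platform only
        return sink == "own_ad_platform"
    if o.channel == "gpc":         # only the device that sent the signal
        return o.device == device
    return False

def blocked_account_wide(o, service, device, sink):
    """Any opt-out tied to the account closes every service, device and sink."""
    return True

def still_sharing(optouts, account, rule):
    """Return the (service, device, sink) paths left open for the account."""
    mine = [o for o in optouts if o.account == account]
    return [p for p in product(SERVICES, DEVICES, SINKS)
            if not any(rule(o, *p) for o in mine)]
```

An empty result from `still_sharing` for every account that has any opt-out on record is the property an account-wide implementation has to hold.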
This was the largest CCPA settlement in California history at the time of resolution, and the second enforcement action from the AG’s January 2024 investigative sweep of streaming services.