Life isn’t a cartoon show and businesses are legally bound to keep their word. Forgetting or ignoring that simple fact has cost the Walt Disney Company $2.75 million for violating the California Consumer Privacy Act (CCPA).

California Attorney General Rob Bonta announced a settlement with Disney today, resolving allegations that the company failed to honor customers’ requests to opt-out of the sale or sharing of their data across all devices and streaming services.

“Consumers shouldn’t have to go to infinity and beyond to assert their privacy rights. Today, my office secured the largest settlement to date under the CCPA over Disney’s failure to stop selling and sharing the data of consumers that explicitly asked it to,” said Bonta.

“California’s nation-leading privacy law is clear: A consumer’s opt-out right applies wherever and however a business sells data — businesses can’t force people to go device-by-device or service-by-service. In California, asking a business to stop selling your data should not be complicated or cumbersome.”

What it is

The CCPA is a landmark state law that gives California residents new rights over how businesses collect, use, and share their personal information. It was signed into law in 2018 and took effect on January 1, 2020 and was expanded in 2020.

Core Consumer Rights

Under the CCPA (as amended by CPRA), Californians have the right to:

1. Know what personal information a business collects about them.

2. Access that information.

3. Delete personal information (with some exceptions).

4. Correct inaccurate personal information (added by CPRA).

5. Opt out of the sale or sharing of their personal information.

6. Limit the use of sensitive personal information (e.g., precise geolocation, health data, financial information).

7. Non-discrimination for exercising privacy rights.

Who Must Comply?

The law applies to for-profit businesses that do business in California and meet at least one of these thresholds:

• Annual gross revenues over $25 million

• Buy, sell, or share personal information of 100,000 or more consumers/households

• Derive 50% or more of annual revenue from selling or sharing personal information

What Counts as “Personal Information”?

The definition is broad and includes:

• Names, addresses, email addresses

• IP addresses

• Geolocation data

• Browsing history

• Biometric data

• Inferences drawn to create consumer profiles

Caught in a trap

The California Department of Justice’s investigation into Disney stems from a January 2024 investigative sweep of streaming services for potential CCPA violations. Effective opt-out is one of the bare necessities of complying with CCPA.

The investigation found that Disney’s opt-out processes did not allow a consumer — even when logged into their account — to completely opt-out of and stop all sale or sharing of their data, in violation of the CCPA. Specifically, the investigation found that each of the methods Disney provided had key gaps that allowed Disney to continue to sell and share consumers’ data, including:

Opt-Out Toggles: If a user requested to opt-out of the sale or sharing of their data via an opt-out toggle in Disney’s websites and apps, Disney only applied the request to the specific streaming service the user was watching, and often only the specific device the consumer was using. This meant that in most instances, using the toggle would not stop selling or sharing from other devices or services connected to the consumer’s account.

Webform: If a user opted out using Disney’s webform, Disney only stopped the sharing of personal data through the company’s own advertising platform and offerings. However, Disney continued to sell and share consumer data with specific third-party ad-tech companies whose code Disney embedded in its websites and apps. Disney also failed to provide an in-app, opt-out method in many of its connected TV streaming apps, instead directing consumers to its webform, effectively leaving consumers with no way to stop Disney’s selling and sharing from these apps.

The Global Privacy Control: For consumers who opted out via the Global Privacy Control (GPC), Disney limited the request to the specific device the consumer was using, even when the consumer was logged into their account. The GPC is an easy-to-use ‘stop selling or sharing my data switch’ that is available on some internet browsers or as a browser extension.

The California Consumer Protection Act

The CCPA has increased privacy rights for California consumers, such as the right to know how businesses collect, share, and disclose their personal information. The CCPA vests California consumers with control over the personal information that businesses collect about them, including the right to request that businesses stop selling or sharing their personal information. To learn more about opting out, please see here.