Feb 13, 2026
Disney Paid $2.75 Million for Ignoring Your Privacy Opt Out. It's the Largest CCPA Fine Ever.
California's attorney general secured the largest CCPA settlement in history after finding that Disney continued selling user data despite opt out requests.
The Opt Out That Didn't
When Disney+ subscribers clicked the "Do Not Sell My Personal Information" toggle, they had every reason to believe their data would stop being sold. It did not. California Attorney General Rob Bonta announced a $2.75 million settlement with Disney, the largest CCPA enforcement action in the state's history, after finding that the company's opt out controls were fundamentally broken.
"Consumers shouldn't have to go to infinity and beyond to assert their privacy rights," Bonta said. "A consumer's opt out right applies wherever and however a business sells data."
Three Layers of Failure
Disney's privacy controls failed in three distinct ways, each revealing a pattern that goes well beyond one company.
Per device toggles: Disney's opt out switches only applied to the specific streaming service and device being used. If you opted out on your phone, Disney continued selling the data collected through your Roku, laptop, and tablet. The toggle gave the appearance of control without delivering it.
Partial webform coverage: Disney's webform stopped sharing data through Disney's own advertising platform, but continued selling data to third party ad tech companies whose code was embedded in Disney's websites and apps. The opt out only worked for one sales channel while leaving others untouched.
Global Privacy Control ignored: GPC is a browser based signal that tells every website you visit to stop selling your data. Disney restricted GPC requests to individual devices only, even when consumers were logged into their accounts. An account level signal was treated as a device level request.
What Is Global Privacy Control?
Global Privacy Control (GPC) is a browser setting or extension that automatically sends a "do not sell or share my personal information" signal to every website you visit. Under the CCPA, businesses are legally required to honor GPC signals. It is designed to eliminate the need to click through opt out toggles on every individual website.
Disney's treatment of GPC illustrates a broader problem. Many companies technically acknowledge the signal but implement it as narrowly as possible, applying it only to the current browser session or device rather than the user's full account. This guts the purpose of a universal opt out mechanism.
The Third Party Ad Tech Problem
The most significant finding is that Disney continued selling data through third party code embedded in its own properties. This is not unique to Disney. Most major websites and apps embed advertising code from dozens of third party companies. When you visit a page, these embedded scripts collect data about your behavior and send it to ad networks, data brokers, and analytics companies.
An opt out that only covers first party data sharing while leaving third party code untouched is like locking the front door while the back door stays open. The California AG's position is clear: the CCPA requires companies to stop all data sales, regardless of which technical channel performs the sale.
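The three failures described above map onto three server side design decisions: where the opt out is stored, which channels it gates, and how the GPC signal is scoped. The following is an added example, not Disney's code or anything from the settlement; the store, tag inventory, and field names (optOutStore, TAGS, accountId, deviceId) are hypothetical. It relies on GPC arriving as the `Sec-GPC: 1` request header.

```javascript
// Added example; optOutStore, TAGS, accountId and deviceId are hypothetical names.
const optOutStore = { accounts: new Set(), devices: new Set() };

// Constructed tag inventory: anything that passes personal data onward is flagged,
// whether it is first party ad code or an embedded third party script.
const TAGS = [
  { name: "player-core", party: "first", sellsOrShares: false },
  { name: "house-ads", party: "first", sellsOrShares: true },
  { name: "adtech-sdk", party: "third", sellsOrShares: true },
  { name: "crash-reporter", party: "third", sellsOrShares: false },
];

// Browsers with GPC enabled send the request header "Sec-GPC: 1".
function hasGpc(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "sec-gpc");
  return key !== undefined && String(headers[key]).trim() === "1";
}

// Store the opt out at the widest scope the request identifies.
function recordOptOut(req) {
  if (req.accountId) optOutStore.accounts.add(req.accountId); // follows the user to every device
  else optOutStore.devices.add(req.deviceId); // anonymous visitor: the device is all we know
}

// Opted out if this request carries GPC, or the account or device has a stored opt out.
function isOptedOut(req) {
  if (hasGpc(req.headers)) recordOptOut(req);
  return (
    (req.accountId !== undefined && optOutStore.accounts.has(req.accountId)) ||
    optOutStore.devices.has(req.deviceId)
  );
}

// A single decision gates every sales channel on the page.
function tagsFor(req) {
  const optedOut = isOptedOut(req);
  return TAGS.filter((t) => !(optedOut && t.sellsOrShares)).map((t) => t.name);
}
```

A GPC signal received on a logged in phone suppresses both ad tags on that account's TV as well, even though the TV request carries no signal of its own.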
This Is Not Just a Disney Problem
This investigation started with a January 2024 sweep of streaming services for CCPA compliance. Disney is the first public enforcement action, but it is unlikely to be the last. Any streaming service, e-commerce platform, or media company that uses per device opt out toggles or limits GPC support may face similar scrutiny.
The same third party tracking code that Disney failed to control also powers email tracking. Marketing emails embed tracking pixels and click trackers from the same ad tech companies, collecting data about when you open messages, what you click, and which device you use. If companies cannot be trusted to honor your opt out preferences on their websites, they are unlikely to honor them in your inbox either.
Protecting Yourself
Enable Global Privacy Control in your browser. Firefox has it built in. Chrome users can install the GPC extension. This sends an automatic opt out signal to every website you visit, and under California law, businesses must honor it.
For the tracking that happens inside your email, blocking spy pixels and click trackers at the source prevents data collection before it starts. Opt out mechanisms only work if companies implement them honestly. Blocking the tracking code directly does not rely on anyone's cooperation.