California Attorney General Rob Bonta just made history. The $2.75 million settlement with The Walt Disney Company is the largest penalty ever imposed under the California Consumer Privacy Act (CCPA)—and it should be a wake-up call for every business that collects consumer data.
The investigation centered on Disney's streaming services and uncovered three distinct compliance failures that, taken together, paint a picture of what "partial compliance" actually looks like in practice.
What Disney Did Wrong
1. Incomplete Opt-Outs
When users submitted "do not sell or share" requests, Disney only honored them on a single device or for a specific service. A user who opted out on a web browser was still being tracked through the Disney+ mobile app, for example. The opt-out wasn't applied at the account level—it was siloed.
This is a subtle but critical distinction. The CCPA requires businesses to honor opt-out requests across their entire data ecosystem for that consumer. Partial compliance is non-compliance.
2. Ad-Tech Gaps
Disney stopped some data sharing through its own first-party webforms. But the data kept flowing to third-party ad-tech companies through other channels. The opt-out only covered what Disney controlled directly—it didn't extend to its advertising technology partners.
This is the same gap Privisy detects: trackers that fire even after a user has expressed a privacy preference.
3. GPC Signal Ignored
Disney did not properly respect the Global Privacy Control (GPC) signal. When a logged-in user had GPC enabled in their browser, Disney limited the effect to that specific device rather than applying it to the entire account.
Under AB 3048, effective 2026, businesses must treat the GPC signal as a valid opt-out request. Disney's implementation was technically partial—another case where "we support GPC" didn't match "we actually respect GPC."
The Pattern Behind the Penalty
Reading through the AG's findings, a clear pattern emerges: Disney built compliance mechanisms that looked right on paper but didn't work end-to-end in practice. Their webforms processed opt-outs. Their CMP claimed GPC support. Their privacy policy was written. But none of it was tested in a way that would reveal the gaps.
This is exactly the problem Privisy was built to solve.
How Privisy Would Have Caught This
Privisy's scanning engine runs five stages of compliance verification. Each one maps directly to a failure in the Disney settlement:
- Tracker detection with network interception: Privisy intercepts every outbound network request during a scan—not just what the CMP reports. Any tracker that fires after an opt-out signal is recorded and flagged. Disney's ad-tech partners would have been caught here.
- GPC signal validation: Privisy re-visits every scanned page with the GPC header enabled and monitors whether trackers continue to fire. If a site claims to respect GPC but still sends data to Google, Meta, or any other third party, the test fails. Disney's device-scoped GPC implementation would not have passed this check.
- Opt-out completeness review: Privisy audits the presence and functionality of "Do Not Sell or Share" mechanisms across all user-facing surfaces. A webform that only applies to one service while others keep tracking would be flagged as an incomplete implementation.
- UI compliance checks: The scanner verifies that opt-out links are present, accessible, and not buried in dark patterns—meeting the CCPA's requirements for prominence and symmetry.
- Privacy policy analysis: Privisy cross-references the policy text against actual tracker behavior to identify discrepancies—cases where what the policy says and what the site does don't align.
What This Means for Your Business
If a company the size of Disney—with dedicated legal, privacy, and engineering teams—can end up with a $2.75 million settlement, no business should assume it's automatically compliant because it has a cookie banner and a privacy policy.
The AG's investigation focused on streaming services, but the same failures occur across e-commerce, media, SaaS, and virtually every sector that monetizes user data through advertising. The specific failures—incomplete opt-outs, ad-tech leakage, and ignored GPC signals—are not Disney-specific. They're industry-wide problems.
The settlement also signals that the AG's office is actively looking for these gaps. This won't be the last enforcement action of this kind.
What To Do Next
- Test your GPC implementation at the network level. Don't rely on your CMP's documentation. Verify that trackers actually stop when the GPC signal is present.
- Audit your opt-out flows end-to-end. An opt-out request should propagate to every partner, every device, and every service under your account. Trace the data flow.
- Identify every third-party tracker. Your CMP manages what you've configured. Privisy finds what you've missed—the ad-tech vendors, analytics scripts, and embedded widgets that aren't in your consent manager's inventory.
- Get an independent audit. Internal review has obvious limitations. An external scan reveals what your team has normalized or overlooked.
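The network-level GPC test described in the scanning stages above and in the first action item, as an added example that is not Privisy's code: two constructed request captures for a hypothetical site (one without a privacy signal, one with Sec-GPC: 1 on every request) are diffed, and any third-party host still contacted in the GPC run is reported as a leak. The registrable-domain helper and the sample hosts are simplifications assumed for the example.

```python
from urllib.parse import urlsplit

FIRST_PARTY = "example-streaming.test"  # hypothetical site under test (assumption)

# Constructed sample captures mimicking what a network interceptor records.
BASELINE_LOG = [
    {"url": "https://example-streaming.test/watch", "headers": {}},
    {"url": "https://cdn.example-streaming.test/player.js", "headers": {}},
    {"url": "https://www.google-analytics.com/collect?v=1", "headers": {}},
    {"url": "https://connect.facebook.net/en_US/fbevents.js", "headers": {}},
    {"url": "https://ads.adtech-partner.test/pixel?uid=123", "headers": {}},
]
GPC_LOG = [  # same page, re-visited with the GPC signal on every request
    {"url": "https://example-streaming.test/watch", "headers": {"Sec-GPC": "1"}},
    {"url": "https://cdn.example-streaming.test/player.js", "headers": {"Sec-GPC": "1"}},
    {"url": "https://connect.facebook.net/en_US/fbevents.js", "headers": {"Sec-GPC": "1"}},
    {"url": "https://ads.adtech-partner.test/pixel?uid=123", "headers": {"Sec-GPC": "1"}},
]

def registrable_domain(host):
    """Last two labels of the host. A real scanner would use the public
    suffix list; this shortcut is an assumption of the example."""
    return ".".join(host.lower().split(".")[-2:])

def third_party_hosts(log, first_party):
    """Hosts in the capture that do not share the site's registrable domain."""
    base = registrable_domain(first_party)
    hosts = (urlsplit(e["url"]).hostname for e in log)
    return {h for h in hosts if registrable_domain(h) != base}

def gpc_leaks(baseline_log, gpc_log, first_party):
    """Compare both runs. 'leaked' holds third parties still contacted with
    GPC set; any entry there fails the check. 'honored' holds trackers that
    fired in the baseline run but stopped once the signal was present."""
    if not all(e["headers"].get("Sec-GPC") == "1" for e in gpc_log):
        raise ValueError("GPC run must carry Sec-GPC: 1 on every request")
    before = third_party_hosts(baseline_log, first_party)
    after = third_party_hosts(gpc_log, first_party)
    return {"honored": sorted(before - after), "leaked": sorted(after)}

if __name__ == "__main__":
    report = gpc_leaks(BASELINE_LOG, GPC_LOG, FIRST_PARTY)
    for host in report["leaked"]:
        print(f"FAIL: {host} still receives requests with GPC set")
    for host in report["honored"]:
        print(f"ok:   {host} stopped after GPC")
```

Run the same comparison once per surface (web, each mobile app, each logged-in service) to catch the device-scoped behaviour the settlement describes.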
Don't Wait for a $2.75M Wake-Up Call
Privisy scans your site for the exact failures that cost Disney millions—incomplete opt-outs, ad-tech leakage, and GPC non-compliance.