CCPA Settlement Targets Gaps in Opt-Out Processes That Prevented Consumers From Fully Exercising Rights
The California Attorney General recently announced the "largest CCPA settlement in California history," stemming from allegations that a company's opt-out processes violated the state's consumer privacy law.
On February 11, 2026, the California Attorney General announced a $2.75 million settlement with Disney DTC, LLC and ABC Enterprises, Inc. ("Disney"), marking the "largest [California Consumer Privacy Act ("CCPA")] settlement in California history" to date. The settlement stems from an investigative sweep focusing on streaming services' compliance with CCPA opt-out requirements and resolves allegations regarding opt-out methods that prevented consumers from completely opting out of the selling/sharing of their personal information—a right provided under the CCPA.
The complaint identified critical gaps in each of the company's opt-out methods and alleged that "[w]hile Disney diligently linked consumer devices and data for purposes of targeting consumers with ads, it failed to link those same devices and data when it came to complying with consumers' exercise of their statutory right to opt out of targeted advertising." In addition to the civil penalty, the settlement requires various remedial measures be taken by the company, including, among others: (i) providing notice to consumers of targeted advertising practices relying on personal information obtained from third parties; (ii) implementing a simple opt-out process with minimal steps; (iii) effectuating opt-out requests across all streaming services associated with a user account; (iv) advising consumers who are not logged into their account that additional information may be necessary to fully effectuate the request; and (v) for a period of three years, annually submitting a written report to the California Attorney General regarding compliance with the company's program monitoring and assessing the effectiveness of opt-out methods.
The case serves as a cautionary tale for businesses selling/sharing personal information for targeted advertising purposes. First, businesses should review their existing opt-out methods to ensure they are "frictionless, simple, and comprehensive." Second, if a business has the ability to associate a consumer with—and across—their devices, the business should ensure it does so for opt-out purposes so that consumers are not forced to submit multiple requests from multiple devices to fully opt out of the sale/sharing of personal information. Lastly, businesses should review their websites for compliance, including whether they honor opt-out preference signals and provide clear cookie-related disclosures.