California Attorney General Rob Bonta recently announced a settlement with the Disney Corporation that resolved claims the company violated the California Consumer Privacy Act (CCPA) by not complying with consumers’ requests to opt-out of the sale or sharing of their data across all devices and streaming services associated with consumers' Disney accounts.
Under the settlement, Disney is required to pay $2.75 million in civil penalties and must use opt-out methods that fully stop the company’s sale or sharing of consumers’ personal information.
“Consumers shouldn’t have to go to infinity and beyond to assert their privacy rights. Today, my office secured the largest settlement to date under the CCPA over Disney's failure to stop selling and sharing the data of consumers that explicitly asked it to,” said Attorney General Bonta.
Details of the Investigation
The California Department of Justice’s investigation into Disney follows from a January 2024 investigative sweep of streaming services for possible CCPA violations. Effective opt-out is one of the minimal requirements of the CCPA, the DOJ explained. The investigation found that Disney’s opt-out processes didn’t let a consumer — even when logged into their account — to completely opt-out of and stop all sale or sharing of their data, which is a violation of the CCPA. Specifically, the investigation found that each of the methods the company gave had significant loopholes that permitted Disney to keep selling and distributing consumers’ data. These tactics included the following:
- Opt-Out Toggles. If a user asked to opt-out of the sale or sharing of their data with an opt-out toggle in Disney’s websites and apps, the company merely applied the request to the specific streaming service the user was watching. Moreover, in some instances, Disney only applied the request to the specific device the consumer was using. As a result, in most cases, using the toggle wouldn’t stop selling or sharing from other devices or services connected to the consumer’s account.
- Webform. If a user opted out using Disney’s webform, they only stopped the sharing of personal data through the company’s own advertising platform and offerings. Nonetheless, Disney kept selling and sharing the consumer’s data with specific third-party ad-tech companies whose code Disney embedded in its websites and apps. Disney also didn’t provide an in-app, opt-out method in many of its connected TV streaming apps; instead, they directed consumers to its webform, which effectively left consumers with no way to stop Disney’s selling and sharing from these apps.
- The Global Privacy Control. For consumers who opted out via the Global Privacy Control (GPC), Disney restricted the request to the specific device being used by the consumer, even when the consumer was logged into their account. The GPC is an easy-to-use “Stop Selling or Sharing My Data” switch that’s available on some internet browsers or as a browser extension.
More on the California Consumer Protection Act
The California Consumer Privacy Act is a state law that secures privacy rights for California consumers. These include the right to know the way in which businesses collect, share, and disclose their personal information. Businesses subject to the CCPA have specific responsibilities, including responding to consumer requests to exercise these rights and supplying consumers with specific notices that explain their privacy practices.
The CCPA has opened up a whole new world of privacy protection and increased privacy rights for California consumers, notes the Attorney General’s Office. The CCPA gives California consumers control over the personal information that businesses collect about them, including the right to request that businesses stop selling or sharing their personal information.
“California’s nation-leading privacy law is clear: A consumer’s opt-out right applies wherever and however a business sells data — businesses can’t force people to go device-by-device or service-by-service,” Attorney General Bonta commented. “In California, asking a business to stop selling your data should not be complicated or cumbersome. My office is committed to the continued enforcement of this critical privacy law.”
Attorney General Bonta said he is committed to the enforcement of California’s nation-leading privacy law. The Disney settlement is the latest enforcement action under the CCPA. Bonta has previously announced settlements with Sephora and DoorDash as well as mobile app gaming company, Jam City; streaming service, Sling TV; website publisher, Healthline.com; and entertainment company, Tilting Point Media.
To monitor the businesses’ compliance with the CCPA, the Attorney General conducted investigative sweeps related to location data, streaming apps and devices, employee information, and surveillance pricing.
Bottom Line
With some exceptions, California businesses can’t sell or share consumers’ personal information after they receive an opt-out request (unless the company again subsequently gives them authorization allowing them to do so). Businesses must wait at least a year before asking a consumer to opt back in to the sale or sharing of their personal information.