Disney $2.75 Million CCPA Fine: Biggest Penalty so Far
When service users tell a provider not to share their data, that provider must honor their preference everywhere they use the service. When it doesn’t, the California Attorney General’s Office will act, as it did on February 11 when it announced that Disney has agreed to a $2.75 million settlement.
The claims: Disney failed to properly implement opt-out mechanisms across its multiple streaming services and devices, violating consumer privacy rights under the California Consumer Privacy Act (CCPA).
It’s the biggest publicly disclosed CCPA penalty on record, eclipsing the previous high of $1.55 million handed to Healthline.com’s owner in 2025.
More Than Just a Fine
The settlement figure is striking, but it’s likely not the most expensive part of this story for Disney. Investigations of this scale generate significant collateral costs — legal resources, architectural changes, and internal audits — and the burden doesn’t end at settlement. Disney must now report on its remediation efforts every 60 days, making compliance an ongoing operational obligation rather than a one-time payment.
What Actually Went Wrong?
According to the Attorney General, Disney failed to implement a fully effective “Do Not Sell or Share My Personal Information” mechanism across its streaming platforms. Regulators alleged that certain advertising and analytics technologies continued collecting and transmitting personal information even after users opted out. The opt-out process, they claimed, was neither comprehensive nor consistently applied across Disney’s platforms and devices.
The enforcement action sent a clear message: offering an opt-out link is not enough. Consumer choices must be technically enforced, and data flows to third parties must actually stop when required.
This is harder than it sounds. When systems operate in silos — or are acquired at different points in time (like the Hulu integration) — validating consent across all of them becomes genuinely complex. However, regulators are increasingly treating this cross-platform consistency as a core compliance requirement, not an edge case.
A Shift in Enforcement
The California Privacy Protection Agency has enforced the CCPA since 2020, but the nature of that enforcement has evolved. Early actions focused primarily on transparency — whether organizations were being truthful with consumers. Since 2022, the focus has shifted toward the technical: do privacy controls actually work?
That shift matters. It means that having the right language in your privacy policy, or even the right banner on your website, is no longer sufficient. What regulators are now asking is whether the underlying data flows reflect the choices users made.
The Cross-Platform Problem
One dimension of this case that deserves more attention is how a failure in one channel can signal a broader breakdown. Large streamers like Disney typically share adtech vendors, data partners, consent logic architecture, and compliance policies across platforms.
When consent enforcement fails on the web, there is a high probability that the same logic — or the same misunderstanding of what “sale” or “sharing” means — is producing failures elsewhere.
This is why web monitoring has value that extends beyond the browser. If a compliance team can detect that ad calls are still firing after opt-out, or that tracking pixels are transmitting despite a user’s stated preference, that is a clear signal to investigate mobile and connected TV environments — before a regulator does it for you.
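The check described above, as an added example (not Reflectiz's or Disney's code): it scans a captured request log and reports any ad-tech request that started after the user opted out, noting whether it is a pixel and whether it set a cookie. The hostnames, record fields, timestamps and sample capture are constructed assumptions.

```javascript
// Added example, not Reflectiz or Disney code. Hosts and records are constructed.
const AD_TECH_HOSTS = ["ads.adnetwork.example", "pixel.tracker.example"];

// True when host is a listed ad-tech domain or one of its subdomains.
function isAdTech(host) {
  return AD_TECH_HOSTS.some((d) => host === d || host.endsWith("." + d));
}

// Return every ad-tech request that started after the user opted out.
function auditAfterOptOut(requests, optOutTime, firstPartyHost) {
  const cutoff = Date.parse(optOutTime);
  const findings = [];
  for (const r of requests) {
    if (Date.parse(r.startedDateTime) <= cutoff) continue; // sent before opt-out
    const host = new URL(r.url).hostname;
    if (host === firstPartyHost || !isAdTech(host)) continue;
    findings.push({
      host,
      kind: r.resourceType === "image" ? "tracking pixel" : "ad/analytics call",
      setsCookie: (r.responseHeaders || []).some((h) => h.name.toLowerCase() === "set-cookie"),
      at: r.startedDateTime,
    });
  }
  return findings;
}

// Constructed capture: simplified HAR-like records from one browsing session.
const OPT_OUT_AT = "2026-01-15T10:00:05Z";
const sampleRequests = [
  { startedDateTime: "2026-01-15T10:00:01Z", url: "https://ads.adnetwork.example/bid", resourceType: "xhr" },
  { startedDateTime: "2026-01-15T10:00:09Z", url: "https://www.streaming.example/api/home", resourceType: "xhr" },
  { startedDateTime: "2026-01-15T10:00:12Z", url: "https://ads.adnetwork.example/bid?uid=abc", resourceType: "xhr",
    responseHeaders: [{ name: "Set-Cookie", value: "uid=abc" }] },
  { startedDateTime: "2026-01-15T10:00:13Z", url: "https://sync.pixel.tracker.example/p.gif?e=play", resourceType: "image" },
  { startedDateTime: "2026-01-15T10:00:14Z", url: "https://cdn.assets.example/player.js", resourceType: "script" },
];

const findings = auditAfterOptOut(sampleRequests, OPT_OUT_AT, "www.streaming.example");
for (const f of findings) {
  console.log(`${f.at} ${f.kind} to ${f.host}` + (f.setsCookie ? " (sets cookie)" : ""));
}
```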
What This Means for You
Disney can absorb a $2.75 million penalty. Most organizations cannot — at least not without serious consequences. The lesson from this case is that consumer advertising opt-out failures are now firmly in regulators’ crosshairs, and the bar for “compliance” is technical, not just procedural.
In this environment, you can’t rely on assumptions about whether your controls are working. You need visibility into what’s actually happening on your site.
Reflectiz continuously monitors your website’s cookies, pixels, and third-party tags, auditing them against actual user consent choices in real-time. If your site is dropping advertising cookies after a “Do Not Sell” request, or firing tracking pixels despite an opt-out, it flags the issue immediately — giving your compliance team the chance to act before a regulator does.
Don’t wait for an enforcement action to find out your opt-out mechanism is broken.