Disney $2.75 Million CCPA Fine: Biggest Penalty so Far

When service users tell a provider not to share their data, that provider must honor their preference everywhere they use the service. When they don’t, the California Attorney General’s Office will act — as it did on February 11, announcing that Disney has agreed to a $2.75 million settlement.

The claims: Disney failed to properly implement opt-out mechanisms across its multiple streaming services and devices, violating consumer privacy rights under the California Consumer Privacy Act (CCPA).

It’s the biggest publicly disclosed CCPA penalty on record, eclipsing the previous high of $1.55 million handed to Healthline.com’s owner in 2025.

More Than Just a Fine

The settlement figure is striking, but it’s likely not the most expensive part of this story for Disney. Investigations of this scale generate significant collateral costs — legal resources, architectural changes, and internal audits — and the burden doesn’t end at settlement. Disney must now report on its remediation efforts every 60 days, making compliance an ongoing operational obligation rather than a one-time payment.

What Actually Went Wrong?

According to the Attorney General, Disney failed to implement a fully effective “Do Not Sell or Share My Personal Information” mechanism across its streaming platforms. Regulators alleged that certain advertising and analytics technologies continued collecting and transmitting personal information even after users opted out. The opt-out process, they claimed, was neither comprehensive nor consistently applied across Disney’s platforms and devices.

The enforcement action sent a clear message: offering an opt-out link is not enough. Consumer choices must be technically enforced, and data flows to third parties must actually stop when required.

This is harder than it sounds. When systems operate in silos — or are acquired at different points in time (like the Hulu integration) — validating consent across all of them becomes genuinely complex. However, regulators are increasingly treating this cross-platform consistency as a core compliance requirement, not an edge case.

A Shift in Enforcement

The California Privacy Protection Agency has enforced the CCPA since 2020, but the nature of that enforcement has evolved. Early actions focused primarily on transparency — whether organizations were being truthful with consumers. Since 2022, the focus has shifted toward the technical: do privacy controls actually work?

That shift matters. It means that having the right language in your privacy policy, or even the right banner on your website, is no longer sufficient. What regulators are now asking is whether the underlying data flows reflect the choices users made.

The Cross-Platform Problem

One dimension of this case that deserves more attention is how a failure in one channel can signal a broader breakdown. Large streamers like Disney typically share adtech vendors, data partners, consent logic architecture, and compliance policies across platforms.

When consent enforcement fails on the web, there is a high probability that the same logic — or the same misunderstanding of what “sale” or “sharing” means — is producing failures elsewhere.

This is why web monitoring has value that extends beyond the browser. If a compliance team can detect that ad calls are still firing after opt-out, or that tracking pixels are transmitting despite a user’s stated preference, that is a clear signal to investigate mobile and connected TV environments — before a regulator does it for you.

What This Means for You

Disney can absorb a $2.75 million penalty. Most organizations cannot — at least not without serious consequences. The lesson from this case is that consumer advertising opt-out failures are now firmly in regulators’ crosshairs, and the bar for “compliance” is technical, not just procedural.

In this environment, you can’t rely on assumptions about whether your controls are working. You need visibility into what’s actually happening on your site.

Reflectiz continuously monitors your website’s cookies, pixels, and third-party tags, auditing them against actual user consent choices in real-time. If your site is dropping advertising cookies after a “Do Not Sell” request, or firing tracking pixels despite an opt-out, it flags the issue immediately — giving your compliance team the chance to act before a regulator does.

Don’t wait for an enforcement action to find out your opt-out mechanism is broken.

[Check your website’s compliance status today]

FAQs

Does the Disney case set a precedent for other organizations?

Yes. The case signals that advertising opt-out failures are now firmly in regulators’ crosshairs, and the compliance bar is technical, not just procedural. Unlike Disney, most organizations cannot absorb a multi-million dollar penalty without serious consequences, making proactive compliance monitoring essential.

How has CCPA enforcement changed since 2020?

Early enforcement focused on transparency — whether companies were being honest with consumers in their disclosures. Since 2022, the California Privacy Protection Agency has shifted its focus to the technical: do privacy controls actually work in practice? A correct privacy banner or policy is no longer enough if the underlying data flows don’t match user choices.

Is the $2.75 million settlement the full cost to Disney?

No. The settlement figure is just one part of the total cost. Disney also faces significant legal expenses, internal audits, and architectural changes to its systems. Additionally, Disney must report on its remediation progress every 60 days, making compliance an ongoing operational burden rather than a one-time payment.

What did Disney actually do wrong?

Disney failed to properly implement a “Do Not Sell or Share My Personal Information” opt-out mechanism across its streaming platforms and devices. Advertising and analytics technologies continued collecting and transmitting personal information even after users had opted out, and the opt-out process was not consistently applied across all of Disney’s platforms.

What is the Disney CCPA fine and when was it announced?

On February 11, 2026, the California Attorney General’s Office announced that Disney agreed to a $2.75 million settlement for violating the California Consumer Privacy Act (CCPA). It is the largest publicly disclosed CCPA penalty on record.

What is the key compliance lesson from this case?

Having an opt-out link or the right privacy policy language is not sufficient. Consumer opt-out choices must be technically enforced — meaning data flows to third parties must actually stop when a user requests it, across every platform and device.

What signal does a web compliance failure send about other channels?

A failure detected on the web — such as ad calls firing after opt-out — is a strong indicator that the same logic errors may exist in mobile apps and connected TV environments. Detecting issues in one channel should trigger investigation across all others, before a regulator does it first.

What type of monitoring can help prevent a similar violation?

Continuous real-time monitoring of cookies, pixels, and third-party tags — audited against actual user consent choices — can detect when tracking technologies fire despite an opt-out. This gives compliance teams the ability to identify and fix violations before a regulator discovers them.

What was the previous record for a CCPA fine?

The previous highest publicly disclosed CCPA penalty was $1.55 million, issued to the owner of Healthline.com in 2025.

Why is cross-platform consent enforcement so difficult?

Large organizations like Disney operate multiple platforms, often acquired at different times (such as Hulu), each with its own adtech vendors, data partners, and consent logic. When systems are siloed or integrated inconsistently, ensuring that a user’s opt-out is honored everywhere becomes genuinely complex — but regulators now treat this cross-platform consistency as a core requirement, not an edge case.