Disney Settlement Over California Consumer Privacy Act Opt-Out Failures

consumer privacy, privacy settlement, opt-out, california attorney general, compliance program, personal data sale, data sharing, third-party trackers, ccpa, regulatory enforcement
Updated February 14, 2026 at 01:02 AM (2 sources)

Disney agreed to pay $2.75 million to settle allegations by the California Attorney General that it violated the California Consumer Privacy Act (CCPA) by making it difficult for consumers to opt out of the sale/sharing of their personal data. California alleged Disney’s opt-out mechanisms contained gaps that prevented users—including those logged into their accounts—from fully stopping data sharing across Disney’s services, devices, and platforms, and that data continued to be shared with third-party ad-tech companies whose code was embedded in Disney websites and apps.

The settlement (pending court approval) requires Disney to implement a more comprehensive privacy program and provide California officials a compliance update within 60 days describing changes made to align with CCPA requirements. State officials characterized the penalty as the largest fine to date under the CCPA; Disney did not admit liability as part of the agreement and said it continues to invest in privacy protections across its streaming services.

Related Stories

Disney Fined for COPPA Violations on YouTube

Disney has agreed to pay a $10 million settlement following allegations that it violated the Children’s Online Privacy Protection Act (COPPA) by failing to properly label thousands of its YouTube videos as directed at children. This mislabeling allowed Disney and its partners to collect personal data from children under 13 and serve them targeted advertisements without obtaining parental consent, actions that are explicitly prohibited under COPPA. The Federal Trade Commission (FTC) initially investigated the case before referring it to the Department of Justice (DoJ), which announced the settlement and emphasized the importance of protecting children’s privacy online. The settlement highlights the ongoing regulatory scrutiny of large content providers on platforms like YouTube, especially regarding compliance with child privacy laws. YouTube had previously updated its policies to require content creators to label videos as "made for kids" or not, following its own record $170 million COPPA settlement in 2019. The Disney case underscores the legal and financial risks for companies that fail to adhere to these requirements, reinforcing the government’s commitment to enforcing parental rights and safeguarding children’s data online.

2 months ago
Regulatory scrutiny of consumer data collection and opt-out compliance

A U.S. congressional investigation by the Joint Economic Committee’s Democratic minority estimated that identity theft tied to breaches at **four major data brokers** has cost American consumers roughly **$20 billion**, and highlighted how some brokers obscured legally required “opt-out” pages (including use of `no-index` tactics that made deletion/opt-out pages harder to find). The report, prompted by investigative reporting, said several large brokers subsequently engaged with congressional staff and changed practices to make it easier for consumers to control the collection and sale of their personal data. California regulators separately escalated enforcement of opt-out requirements under state privacy law, with the **California Privacy Protection Agency (CPPA)** fining **PlayOn Sports** **$1.1 million** over allegations that its *GoFan* ticketing platform used tracking technologies for targeted advertising without providing a compliant, easy-to-use opt-out mechanism. The CPPA said users—including large numbers of high school students—were effectively forced to “agree” to tracking to access paid tickets and services, and that directing users to industry opt-out programs (e.g., Network Advertising Initiative / Digital Advertising Alliance) did not satisfy California’s requirement that companies provide their **own** opt-out tool and clear disclosures.

1 week ago
Class-action settlements tied to data exposure and privacy claims

Comcast agreed to pay **$117.5M** to settle a class action tied to a large-scale breach disclosed in late 2023 that potentially affected **31M+** people. Comcast attributed the intrusion to **CitrixBleed** (Citrix NetScaler ADC/Gateway), a vulnerability that can enable **session hijacking** and credential theft; researchers warned stolen session tokens could remain valid even after patching, extending attacker access. The proposed settlement (preliminarily approved) provides reimbursement for documented losses (up to **$10,000** per person) and compensation for time spent responding, while Comcast denies wrongdoing. Separately, Google agreed to pay **$135M** to settle Android users’ claims that devices transmitted data to Google servers over **cellular networks** in the background without meaningful consent, with individual payouts capped (reported up to **$100**) and additional **injunctive relief** requiring clearer disclosures and express consent during setup. Two dermatology practices also reached settlements over cybersecurity incidents exposing patient data; one New Jersey practice reported unauthorized network access spanning **Dec 2023–Mar 2024** and exposure of **PHI/PII** (including SSNs and treatment/insurance data) affecting **373,630** individuals, offering cash benefits plus credit monitoring/identity protection while denying liability.

1 month ago
