Disney has reached a settlement with the state of California, agreeing to a $2.75 million fine and the implementation of a comprehensive privacy program. This agreement addresses claims that the company violated California’s privacy law by making it overly challenging for consumers to prevent their data from being shared and sold.
California Attorney General Rob Bonta asserted that Disney’s opt-out procedures effectively prevented consumers from halting data sharing and sales across all devices, streaming services, and platforms linked to their Disney accounts.
This enforcement action is the second against Disney within a five-month period. Previously, in September, the Federal Trade Commission fined Disney $10 million for violations related to child privacy.
The settlement terms, which await court approval, state that Disney does not admit liability or guilt for the alleged violations.
A Disney spokesperson commented that the company, as an “industry leader in privacy protection,” continues to dedicate substantial resources to establish a high standard for responsible and transparent data practices across its streaming services.
Beyond the financial penalty, Disney is required to provide California with an update within 60 days detailing the steps taken to comply with the California Consumer Privacy Act (CCPA). The CCPA mandates that companies must offer consumers simple methods to opt out of data sharing or selling.
This fine represents the largest ever imposed under the CCPA.
The investigation revealed that Disney’s opt-out mechanisms did not fully enable consumers, even those logged into their accounts, to completely prevent data sharing. The inquiry identified “key gaps” in each of Disney’s offered opt-out methods, which permitted the company to continue selling and sharing consumer data, according to a press release from Attorney General Bonta.
For instance, Bonta alleged that when a user attempted to opt out using toggles within Disney’s websites and applications, the company only applied the request to the specific streaming service being viewed and typically only on the particular device in use.
The press release indicated that, in most cases, utilizing the toggle would not prevent data selling or sharing from other devices or services linked to the consumer’s account.
Similarly, consumers who opted out via a Disney webform were unable to halt all sharing or selling of their personal data. Bonta stated that even after customers completed these forms, Disney continued to sell and share consumer data with “specific third-party ad-tech companies whose code Disney embedded in its websites and apps.”
Furthermore, Disney did not offer an in-app opt-out method, instead directing consumers to a webform. This approach “effectively leaving consumers with no way to stop Disney’s selling and sharing from these apps,” according to the press release.
Attorney General Bonta emphasized in a statement, “Consumers shouldn’t have to go to infinity and beyond to assert their privacy rights.” He added that California’s privacy law is unambiguous: “A consumer’s opt-out right applies wherever and however a business sells data — businesses can’t force people to go device-by-device or service-by-service.”
The investigation into Disney commenced following Bonta’s announcement of an “investigative sweep” targeting streaming services in January 2024.
Following its initial update to California within 60 days of the judge’s approval of the proposed order, Disney will be required to submit further progress reports every 60 days until all its services fully adhere to CCPA requirements.
