Technology Law

Takeaways from the Disney CCPA $2.75 Million Settlement

On February 11, the California Attorney General’s Office announced a settlement with Disney for alleged violations of California privacy law. At $2.75 million, the settlement is the largest CCPA penalty to date. The monetary penalty, however, is only part of the story. Below are my key observations. You can read the complaint here and the settlement here.

1. Cost of Noncompliance

While $2.75 million is the largest CCPA penalty to date, the penalty is only a fraction of the total cost. The cost required to respond to an investigation of this complexity and bring a company of this size into compliance likely dwarfs the civil penalty. The judgment includes a compliance program with 60-day check-ins until certain requirements are met. The takeaway is straightforward: regulatory enforcement is expensive, even before you factor in penalties. Investigations require engineering time, legal resources, internal audits, vendor coordination, and often architectural changes. 

2. This Action Is About Notice and Universal Opt-Out

The action centers on notice and the right to opt out of targeted advertising. The California AG’s Office alleged that Disney obtained personal information (such as device identifiers, device type, IP address, user interaction data, and login information) across its services and from third parties, and used this data to target advertising to consumers both on its own services and on third-party services. According to the AG, each Disney service had its own opt-out flow, but they did not communicate with one another and the opt-outs were “disjointed.” If a consumer wanted to fully opt out, they would need to exercise their choice up to 10 times to achieve a true opt-out. As a result, the overall process was deemed deficient.

Opt-outs must be consumer-friendly, easy to execute, require minimal steps, and be operationally unified. Per the AG, if a company can unify consumer identity across services for advertising or analytics purposes, it should be able to unify opt-outs as well.

None of this is surprising. The law requires honoring universal opt-outs, and prior actions (like Sling) have referenced this. That said, compliance is easier said than done. Systems are often designed in silos or acquired over time. For example, Disney is still in the process of merging Hulu into its app. There are also technological limitations when linking certain types of data, especially once hashed or separated across environments. This is another example of how regulatory expectations do not always align neatly with technological realities.

3. Vendor Limitations Are Not a Defense

Speaking of technological limitations, many of the actions we’ve seen over the past year involve companies relying on vendor solutions that ultimately do not function as intended, whether because of misconfigurations, layout issues, or deeper implementation problems. Per the AG, Disney cited vendor limitations. While the vendor is not named in the judgment, OneTrust publicly lists Disney as a client. If that is accurate, this would be yet another action where OneTrust is involved.

The settlement also includes express obligations requiring Disney to take reasonable and appropriate steps to ensure that third parties use personal information in a manner consistent with Disney’s CCPA obligations.

The takeaway is simple: a company is responsible for the actions and limitations of its vendors. A “Hakuna Matata” approach to vendor management will not excuse noncompliance. (The complaint started the Disney puns, not me.)

4. Cross-Context Behavioral Advertising Is Expanding the Opt-Out Conversation

This is where things get especially interesting. You may have noticed that in Section 2 above I referenced targeted advertising and not sales or shares. The settlement requires Disney to provide clear and conspicuous notice and a link to the opt-out not only for services that sell or share personal information, but also for services that conduct cross-context behavioral advertising using personal information obtained from third parties. It further requires that once a consumer opts out, Disney must stop selling and sharing personal information and stop conducting cross-context behavioral advertising for that consumer.

The CCPA textually requires opt-out for sales and sharing. It does not expressly create a standalone right to opt out of processing for targeted advertising absent a sale or share. If a company ingests personal information from a third party and does not itself sell or share that information onward, the CCPA’s opt-out right would ordinarily attach to the disclosing business, not the recipient. The recipient may have contractual or regulatory obligations to honor opt-out signals passed downstream, but the statute does not clearly impose a separate opt-out obligation solely because the recipient uses the data for advertising.

This settlement suggests the AG may be advancing a broader theory: that engaging in cross-context behavioral advertising using third-party data can itself trigger opt-out obligations, even absent a downstream sale or share by the recipient. That approach looks closer to other state privacy laws that provide a right to opt out of processing for targeted advertising. The complaint even uses the term “targeted advertising,” which is not defined in the CCPA.

5. Obligations Around Data Received from Third Parties

Another notable development in this action is the focus on personal information obtained from third parties.

The settlement imposes specific notice obligations regarding cross-context behavioral advertising conducted using personal information obtained from third parties. Disney must provide clear and conspicuous notice describing the categories of sources from which the personal information is collected and direct consumers to the notice of the right to opt out.

Prior enforcement has largely focused on outbound disclosures. Here, inbound data use is front and center.

If your advertising model relies on enrichment data, onboarding data, or audience segments from partners, you should expect regulators to examine how you disclose and operationalize rights around that inbound data, not just what you disclose to others.

6. Another Ad Tech Case. Another CTV Case. But More Sophisticated.

Here we have another ad tech case, and another case involving connected TV and streaming services. The AG’s Office is clearly paying close attention to how identity, devices, and advertising ecosystems operate in practice.

At the same time, this is the most technologically complex ad tech case yet. Disney is not just a publisher. It is also an advertiser and appears to operate components of its own ad tech stack. The AG dug into how the opt-out worked across business units, services, devices, and identity systems. While Disney had many of the right optics, the investigation focused on mechanics and whether the system actually worked. Enforcement is getting more technical.

7. GPC Continues to Matter

The Global Privacy Control appears again. If a consumer is logged in when a company receives a GPC signal, the expectation is that the opt-out applies across the business. If the consumer is not logged in, the company must treat the opt-out as applying to that browser, application, or device and any consumer profile associated with it, including pseudonymous profiles.
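To make the two mechanics in Sections 2 and 7 concrete (one opt-out store shared across services, and GPC propagation that differs for logged-in versus anonymous requests), here is an added illustration written for this post; it is not code from the settlement, from Disney, or from any vendor. The identity graph, user/device/profile identifiers and the `OptOutRegistry` class are constructed for the example; the only real-world element is the `Sec-GPC: 1` request header defined by the Global Privacy Control specification.

```python
from dataclasses import dataclass, field

# Constructed identity graph (hypothetical ids): which devices a logged-in user is
# linked to, and which pseudonymous advertising profiles hang off each device.
USER_DEVICES = {
    "user-1": {"tv-1", "phone-1"},
    "user-2": {"tablet-2"},
}
DEVICE_PROFILES = {
    "tv-1": {"profile-tv"},
    "phone-1": {"profile-phone"},
    "tablet-2": {"profile-tablet"},
    "laptop-9": {"profile-laptop"},  # never logged in: pseudonymous profile only
}


@dataclass
class OptOutRegistry:
    """One opt-out store shared by every service and app, so a single signal
    propagates everywhere the business can already link identities."""
    user_devices: dict
    device_profiles: dict
    users: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    profiles: set = field(default_factory=set)

    def apply_opt_out(self, device_id, user_id=None):
        """Record an opt-out (from a GPC signal or an in-app click) and return
        the identifiers it now covers.

        Logged in (user_id given): the opt-out applies business-wide, i.e. to
        the user and every device and profile linked to that user.
        Not logged in: it applies to this browser/app/device and any profile
        associated with it, pseudonymous ones included.
        """
        covered = set()
        if user_id is not None:
            self.users.add(user_id)
            covered.add(user_id)
            devices = set(self.user_devices.get(user_id, set())) | {device_id}
        else:
            devices = {device_id}
        for dev in devices:
            self.devices.add(dev)
            covered.add(dev)
            for prof in self.device_profiles.get(dev, set()):
                self.profiles.add(prof)
                covered.add(prof)
        return covered

    def handle_request(self, headers, device_id, user_id=None):
        """Honor a Global Privacy Control signal (Sec-GPC: 1) on an inbound
        request. Header names are case-insensitive, so normalize before checking.
        Returns the identifiers opted out, or an empty set if no signal is present."""
        normalized = {k.lower(): v.strip() for k, v in headers.items()}
        if normalized.get("sec-gpc") != "1":
            return set()
        return self.apply_opt_out(device_id, user_id)

    def may_target(self, device_id=None, user_id=None, profile_id=None):
        """Ad-serving gate: cross-context targeting is allowed only if none of
        the identifiers present on the request has been opted out."""
        return not (
            user_id in self.users
            or device_id in self.devices
            or profile_id in self.profiles
        )


def build_registry():
    """Registry seeded with the constructed identity graph above."""
    return OptOutRegistry(USER_DEVICES, DEVICE_PROFILES)


if __name__ == "__main__":
    reg = build_registry()
    # Logged-in GPC signal on the TV also opts out the same user's phone.
    print(reg.handle_request({"Sec-GPC": "1"}, "tv-1", user_id="user-1"))
    print(reg.may_target(device_id="phone-1"))
    # Anonymous GPC signal covers only that device and its pseudonymous profile.
    print(reg.handle_request({"sec-gpc": "1"}, "laptop-9"))
    print(reg.may_target(profile_id="profile-laptop"))
```

The design point is that every entry point (GPC header, a consent banner on one app, a settings toggle on another) writes to the same `apply_opt_out`, so a consumer opts out once rather than up to ten times; the ad-serving path then consults `may_target` with whatever identifiers it has, which is what an investigation into "whether the system actually worked" would exercise.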

8. Children Are Referenced. But No COPPA Claims.

The complaint references Section 1798.120(c), which addresses sales of personal information of consumers under 16. But there are no COPPA claims, and we have not seen COPPA claims in recent CCPA enforcement. The AG appears focused on enforcing California-specific rights related to sales and sharing, rather than layering in federal children’s privacy law. That may reflect an effort to differentiate California enforcement.

Disney claimed that vendor and technical limitations hindered its ability to provide a comprehensive consumer identity-based opt-out, but tellingly, these limitations did not hinder the company from associating devices with specific users for purposes of identity-based advertising.

Tags

technology law updates, privacy, enforcement, ccpa, advertising law updates