PrivacyLawMap
Back to Blog
EnforcementMarch 28, 20268 min read

2026 CCPA Enforcement Wave: Disney, PlayOn Sports, and Ford Fines Explained

Share:

The Biggest Quarter for California Privacy Enforcement

The first quarter of 2026 has been the most active enforcement period in the history of US state privacy law. Between February and March 2026, California regulators issued over $4.2 million in combined fines and settlements across three major cases — all centered on a common theme: businesses making it too difficult for consumers to exercise their opt-out rights.

Case 1: Disney/ABC — $2.75 Million (February 2026)

The California Attorney General announced a $2.75 million settlement with The Walt Disney Company and ABC on February 11, 2026 — the largest CCPA settlement to date.

What Happened

The AG's investigation found that Disney failed to fully process consumer requests to opt out of the sale and sharing of personal information. Specifically, Disney's websites and apps continued sharing user data with third-party advertising partners even after consumers submitted opt-out requests. The company's opt-out mechanism did not effectively stop all data sharing across its properties.

Key Takeaway

An opt-out button that does not actually stop all data sharing is worse than no button at all. Regulators are testing whether opt-out mechanisms work in practice, not just whether they exist.

Case 2: PlayOn Sports — $1.1 Million (March 2026)

The California Privacy Protection Agency (CPPA) announced a $1.1 million administrative fine against PlayOn Sports (formerly 2080 Media, Inc.) on March 3, 2026.

What Happened

PlayOn operates the GoFan ticketing platform, which is the official ticketing system for the California Interscholastic Federation (CIF) and approximately 1,400 California schools. The CPPA found that PlayOn used tracking technologies — including third-party cookies, persistent trackers, and advertising pixels — to collect personal information and deliver targeted advertising to ticketholders, including students attending school sporting events.

Key Takeaway

Processing children's data without proper consent carries severe consequences. The school context made this case especially significant — parents buying tickets to their children's games were unwittingly having their data used for targeted advertising.

Case 3: Ford Motor Company — $375,703 (March 2026)

The CPPA announced a decision against Ford Motor Company on March 5, 2026, imposing a $375,703 penalty.

What Happened

Ford required consumers to complete an email verification step before their opt-out requests would be processed. Under CCPA regulations, businesses may not require consumers to verify their identity when opting out of the sale or sharing of personal information. By adding this verification requirement, Ford created friction that prevented valid opt-out requests from being processed.

Key Takeaway

The opt-out process must be as simple as possible. Adding unnecessary steps — even seemingly reasonable ones like email verification — violates the CCPA's consumer-friendly design requirements. The CPPA has made it clear that opt-out requests require no verification.

The Common Thread: Opt-Out Friction

All three cases share the same underlying issue: businesses creating barriers that prevent consumers from effectively exercising their right to opt out. Whether through broken mechanisms (Disney), unauthorized tracking (PlayOn), or unnecessary verification steps (Ford), the message from California regulators is clear — the opt-out right must work seamlessly.

What Your Business Should Do Now

  1. Audit your opt-out mechanism — test that opting out actually stops all data sharing with third parties, not just some of it
  2. Remove opt-out verification requirements — do not require email confirmation, account login, or identity verification for opt-out requests
  3. Implement Global Privacy Control (GPC) — the CPPA has confirmed GPC must be honored as a valid opt-out signal
  4. Audit your tracking technologies — know exactly what cookies, pixels, and tracking scripts run on your site and which third parties receive data
  5. Pay special attention to children's data — if your services are used by or in connection with minors, extra scrutiny applies
  6. Check which laws apply to you — use our privacy law calculator to understand your full compliance obligations across all states

Penalties Are Growing

The CPPA's maximum fine per violation increased in 2026 to $2,663 for unintentional violations and $7,988 for intentional violations or those involving minors. With the Disney settlement setting a new ceiling at $2.75 million and the dedicated CPPA actively pursuing cases alongside the AG, businesses should expect enforcement to intensify.

Track all enforcement actions on our enforcement and penalties tracker, and review your obligations using the California compliance checklist.

Last updated: March 28, 2026.

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.