Enforcement | March 29, 2026 | 9 min read

Disney CCPA Settlement: $2.75M Fine and What Every Business Must Learn About Opt-Out Compliance


On February 11, 2026, California Attorney General Rob Bonta announced a $2.75 million settlement with The Walt Disney Company — the largest CCPA settlement in California history. The case centered on a deceptively simple issue: when a consumer opted out of data sharing on one Disney streaming service, the opt-out did not carry across to Disney's other platforms like Hulu or ESPN+.

This settlement, combined with a $1.1 million PlayOn Sports fine and a $375,703 Ford Motor Company fine in March 2026, signals that California regulators are treating opt-out compliance failures as their top enforcement priority. Businesses of every size need to pay attention — the combined Q1 2026 CCPA penalties now exceed $4.2 million.

What Happened: The Disney Settlement

The California AG's investigation found that Disney offered consumers multiple methods to opt out of data sharing — including a webform, opt-out toggles, and Global Privacy Control (GPC) signals. On paper, these mechanisms looked compliant. In practice, they were fragmented and inconsistent.

The Core Violation

When a consumer logged into their Disney account and submitted an opt-out request on Disney+, the opt-out was not applied to Hulu, ESPN+, or other Disney streaming services connected to the same account. Consumers had to manually repeat opt-out requests on each service and device to fully stop data sharing.

For consumers who opted out via GPC, the situation was even worse. Disney treated the GPC signal as applying only to the specific device and browser sending the signal — even when the consumer was logged into their account. This meant Disney continued to sell and share data from the same consumer's other devices.

Settlement Terms

Under the settlement, Disney must:

  • Pay $2.75 million in civil penalties
  • Honor opt-out requests across all streaming services linked to a consumer's account when the consumer is logged in
  • Prompt consumers who are not logged in to log in, or collect enough information to apply the opt-out as broadly as possible
  • Maintain a compliance monitoring program for three years
  • Submit progress updates to the AG every 60 days until all services are compliant

Ford Motor Company: $375,703 for Opt-Out Friction

Just weeks after the Disney settlement, the California Privacy Protection Agency (CPPA) announced a $375,703 fine against Ford Motor Company for a different but related issue: adding unnecessary friction to the opt-out process.

Ford required consumers to verify their email address before their opt-out requests would be processed. Consumers who did not click the confirmation link in the verification email had their requests simply ignored — and Ford continued to sell and share their personal information.

The CPPA emphasized a critical legal distinction: while the CCPA allows businesses to verify a consumer's identity for requests to delete, know, or correct personal information, it explicitly prohibits requiring verification for opt-out requests. Opt-out must be simple, immediate, and frictionless.

Ford must now process all previously unfulfilled opt-out requests, provide compliant submission methods, and audit tracking technologies on Ford.com to ensure proper handling of opt-out preference signals like GPC.

PlayOn Sports: $1.1M for Student Privacy Violations

In the first week of March 2026, the CPPA fined PlayOn Sports $1.1 million for using tracking technologies to deliver targeted ads to users of its GoFan digital ticketing platform — used by roughly 1,400 California schools — without providing a proper opt-out mechanism. Instead of operating its own opt-out, PlayOn directed users to third-party ad industry tools. Read our full analysis of the PlayOn Sports enforcement action.

The Pattern: California's Enforcement Acceleration in 2026

These three actions are not isolated incidents. They represent a deliberate enforcement strategy focused on opt-out compliance. Combined with the broader enforcement wave, the pattern is clear:

| Company | Fine | Date | Enforcer | Primary Violation |
|---|---|---|---|---|
| Walt Disney Company | $2,750,000 | Feb 11, 2026 | CA AG | Cross-service opt-out failure |
| PlayOn Sports (GoFan) | $1,100,000 | Mar 3, 2026 | CPPA | No proper opt-out mechanism |
| Ford Motor Company | $375,703 | Mar 5, 2026 | CPPA | Email verification friction in opt-out |

Together, that's over $4.2 million in penalties in just the first 10 weeks of 2026. For context, the CCPA's per-violation fine amounts for 2026 are:

  • $2,663 per unintentional violation
  • $7,988 per intentional violation or violation involving a minor's data

These per-violation amounts multiply quickly when applied across thousands or millions of affected consumers. The Disney settlement alone suggests roughly 1,000+ individual violations were alleged.

5 Compliance Lessons Every Business Should Learn

1. Opt-Out Must Work Across All Services and Platforms

If your company operates multiple websites, apps, or brands, a consumer's opt-out request on one must apply across all of them — at least when the consumer is logged into a shared account. Siloed opt-out mechanisms are a compliance failure. Review how your data-sharing practices work across your entire digital ecosystem.

2. GPC Signals Must Be Honored Comprehensively

When a logged-in consumer sends a GPC signal from one device, you must apply the opt-out to their entire account, not just that browser session. California, Colorado, and Connecticut all require businesses to honor GPC as a valid opt-out request. Use our GPC Compliance Checker to verify your obligations, and check out our guide on the multi-state GPC enforcement sweep.

3. Never Require Verification for Opt-Out Requests

The Ford settlement makes this crystal clear: you cannot require email verification, identity verification, or any other authentication step before processing an opt-out request. The CCPA explicitly prohibits adding friction to the opt-out process. Make opt-out one click or one signal — no confirmation emails, no extra steps. See our full guide on CCPA opt-out requirements.

4. Audit Your Tracking Technologies Regularly

Both Disney and Ford were required as part of their settlements to audit all tracking technologies (cookies, pixels, web beacons) on their websites. Businesses should proactively do this at least quarterly to ensure that tracking is properly suppressed when a consumer opts out or sends a GPC signal. A consent management platform (CMP) can automate much of this, but it must be properly configured.

5. Document Everything

The CPPA and AG's office are increasingly sophisticated in their investigations. Maintain detailed records of your opt-out mechanisms, how they work technically, when they were last audited, and how consumer requests are processed. Disney's three-year compliance monitoring requirement shows regulators expect ongoing proof of compliance. Use our California compliance checklist as a starting point.

How to Check if Your Business Is at Risk

If your business collects personal information from California consumers — whether through a website, app, or connected device — these enforcement actions are directly relevant. Use our Privacy Law Calculator to check which state laws apply to your business, and review the California privacy law page for a complete overview of CCPA/CPRA requirements.

Key questions to ask your team:

  • If a consumer opts out on one of our platforms, does the opt-out apply everywhere?
  • Do we honor GPC signals? Do we treat them as account-wide when the user is logged in?
  • Is our opt-out process truly frictionless — no email verification, no extra steps?
  • When was the last time we audited our tracking technologies?
  • Can we demonstrate our compliance if a regulator asks?

Frequently Asked Questions

How much can the CCPA fine a business per violation?

As of 2026, the CCPA's civil penalty amounts are $2,663 per unintentional violation and $7,988 per intentional violation or violation involving a minor's data. These amounts are adjusted annually for inflation. Penalties are assessed per consumer, per violation — so a single compliance failure affecting thousands of consumers can result in millions of dollars in fines. The Disney settlement of $2.75 million is currently the largest single CCPA settlement. See our full enforcement tracker for all CCPA fines to date.

Does the CCPA require businesses to honor Global Privacy Control (GPC)?

Yes. California law treats GPC signals as a valid consumer request to opt out of the sale and sharing of personal information. When your website or app detects a GPC signal (the HTTP header Sec-GPC: 1), you must stop selling or sharing that consumer's data. The Disney settlement reinforced that GPC must be honored account-wide, not just per device. Use our GPC Compliance Checker to understand your obligations.
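The account-wide handling described above, as an added Python example (not code from Disney, the regulators, or this site): a request carrying Sec-GPC: 1 opts out the whole logged-in account, so a later request from another device or service on that account is suppressed too, and the opt-out takes effect with no confirmation step. The store, function names, and account and device identifiers are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class OptOutStore:
    """Hypothetical in-memory store; a real system would persist this."""
    accounts: set = field(default_factory=set)  # opted-out account ids
    devices: set = field(default_factory=set)   # opted-out devices seen while logged out
    audit: list = field(default_factory=list)   # evidence trail for regulators


def gpc_enabled(headers):
    """True only when the request carries Sec-GPC with the value 1."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":           # header names are case-insensitive
            return value.strip() == "1"
    return False


def record_opt_out(store, source, service, device_id, account_id=None):
    """Apply the opt-out immediately: no pending state, no email confirmation."""
    if account_id is not None:
        store.accounts.add(account_id)          # covers every service and device on the account
        scope = "account"
    else:
        store.devices.add(device_id)            # logged out: the widest scope available
        scope = "device"
    store.audit.append({
        "at": datetime.now(timezone.utc).isoformat(),
        "source": source, "service": service, "scope": scope,
        "account": account_id, "device": device_id,
    })
    return scope


def handle_request(store, headers, service, device_id, account_id=None):
    """Return True when sale/sharing must be suppressed for this request."""
    if gpc_enabled(headers):
        record_opt_out(store, "gpc", service, device_id, account_id)
    # The account-level check runs first, so the result does not depend on
    # which service or device the original signal came from.
    if account_id is not None and account_id in store.accounts:
        return True
    return device_id in store.devices
```
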

Can a business require email verification before processing an opt-out request?

No. The Ford settlement explicitly established that requiring email verification for opt-out requests violates the CCPA. While businesses may verify identity for deletion, correction, and access requests, the law prohibits requiring verification for opt-out requests. The opt-out process must involve minimal steps and no unnecessary friction.

Who enforces the CCPA — the Attorney General or the CPPA?

Both. The California Attorney General (AG) and the California Privacy Protection Agency (CPPA) have overlapping enforcement authority. The AG typically handles larger cases (like the Disney settlement), while the CPPA's Enforcement Division handles cases stemming from its own investigations (like the Ford and PlayOn actions). Both can issue fines and require changes to business practices.

Do these enforcement actions apply to businesses outside California?

The CCPA applies to any for-profit business that collects personal information from California residents and meets certain thresholds — regardless of where the business is physically located. If your website is accessible to California consumers and you meet the applicability criteria, these enforcement patterns are directly relevant to you. Check our calculator to determine your obligations.

Last updated: March 29, 2026.

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.