California fines Disney $2.75 million for data privacy violations

Disney has agreed to a $2.75 million fine with the state of California and implementation of a comprehensive privacy program in response to allegations that it broke the state’s landmark privacy law by making it exceedingly difficult for consumers to opt out of having their data shared and sold.

California Attorney General Rob Bonta alleged the company’s opt-out process made it impossible for consumers to stop data sharing and sales across all devices, streaming services and platforms associated with their Disney accounts.

The enforcement action is the second against Disney in five months. In September, the Federal Trade Commission fined Disney $10 million for child privacy violations.

Under the terms of the settlement, which is still subject to court approval, Disney does not accept liability or offer an admission of guilt for committing the alleged violations. 

A Disney spokesperson said that as an “industry leader in privacy protection, Disney continues to invest significant resources to set the standard for responsible and transparent data practices across our streaming services.”

In addition to the fine, Disney must update California within 60 days of measures it has taken to comply with the California Consumer Privacy Act (CCPA), which requires companies to make it easy for consumers to opt out of having their data shared or sold.

The fine is the largest ever levied under the CCPA.

The investigation found that Disney’s opt-out processes did not allow consumers, including those logged into their accounts, to ensure they were wholly exempt from data sharing. The probe found that each of the opt-out methods Disney offered had “key gaps that allowed Disney to continue to sell and share consumers’ data,” a Bonta press release said.

For example, if a user tried to opt out using toggles in Disney’s websites and apps, the company only considered the request in the context of the specific streaming service the consumer was watching and typically only on the specific device being used, Bonta alleged.

“This meant that in most instances, using the toggle would not stop selling or sharing from other devices or services connected to the consumer’s account,” the press release said.

Similarly, people opting out using a Disney webform could not stop all of their personal data from being shared or sold, according to Bonta, who said even when customers filled out the forms Disney kept selling and sharing consumer data with “specific third-party ad-tech companies whose code Disney embedded in its websites and apps.”

Disney also did not provide an in-app opt-out method and instead directed consumers to the webform, “effectively leaving consumers with no way to stop Disney’s selling and sharing from these apps,” the press release said.

“Consumers shouldn’t have to go to infinity and beyond to assert their privacy rights,” Bonta said in a statement. “California’s nation-leading privacy law is clear: A consumer’s opt-out right applies wherever and however a business sells data — businesses can’t force people to go device-by-device or service-by-service.”

The probe into Disney began after Bonta announced a January 2024 “investigative sweep” of streaming services.

After its initial update to California within 60 days of the judge signing off on the proposed order, Disney will be mandated to provide additional progress reports every 60 days until all services comply with CCPA requirements.