On February 11, 2026, the California Attorney General announced a $2.75 million settlement with Disney over CCPA violations. It is the largest enforcement settlement in the law's history. Crucially, it was not about a breach, a data sale gone wrong, or children's privacy.
It was about opt-out requests that did not work the way they were supposed to.
For compliance teams managing consent and preference programs, this settlement is not just news. It is a signal about where enforcement is heading and what regulators expect your systems to do right now.
What Happened
The AG's investigation found that Disney's streaming services, which include Hulu, ESPN+, and Disney+, failed to propagate consumer opt-out requests across all devices and services linked to a user's account.
When a consumer submitted an opt-out request on one platform, that preference did not automatically carry across the rest of the Disney ecosystem. The company's advertising systems, however, had no trouble recognizing and targeting those same users across all platforms.
The AG cited four specific violations:
- Continued data selling after receiving opt-outs. Disney kept selling and sharing personal information even after consumers directed them to stop.
- Failure to honor Global Privacy Control signals. GPC signals were not treated as valid opt-out requests across the full ecosystem.
- Unnecessarily complex opt-out methods. The process required too many steps and was not easy to use.
- No in-app opt-out for app users. Consumers whose primary interaction was through mobile apps were routed to a web form that did not function properly.
The Asymmetry Argument
The most consequential piece of the AG's reasoning is what privacy professionals are calling the asymmetry argument.
Disney's defense was that it could not technically provide a comprehensive, identity-based opt-out across all devices and services. The AG rejected this outright: if a business can associate a consumer's devices with the consumer for advertising purposes, it can and must associate those devices with the consumer for honoring opt-out rights.
This argument collapses the traditional boundary between "what marketing can do" and "what compliance needs to do". If your ad tech stack can resolve identities across channels, your consent system must match that resolution. The gap between those two capabilities is no longer a technical limitation. It is a compliance failure.
Why This Matters Beyond Disney
This settlement is the second enforcement action from the AG's 2024 investigative sweep of streaming services, and the penalties are escalating. The $2.75 million fine is more than five times the amount of the first streaming-sweep settlement and over $1 million more than any prior AG action.
Every CCPA enforcement case to date has involved opt-out rights. The pattern is unmistakable. The AG is building a systematic body of precedent around the most fundamental consumer right in the law, and the bar keeps rising.
Combined with CalPrivacy's own enforcement activity, which includes more than 100 open investigations and over 10,000 consumer complaints, the pressure on organizations to get consent management right is intensifying.
What Your Consent Program Should Address Now
If this settlement makes you want to audit your own setup, here are the areas that matter most based on what the AG is targeting.
Cross-Device Preference Propagation
When a user opts out on one device or platform, that preference must propagate across every connected service, app, and website tied to their account. If your consent management system treats each touchpoint independently, you likely have the same gap Disney was penalized for.
The fix is not just a configuration change. It requires an identity resolution layer that connects consent records to user accounts and pushes those preferences downstream to every system that processes personal data.
GPC Signal Compliance
Global Privacy Control is no longer optional in California. If your site receives a GPC signal and does not treat it as a valid opt-out request, you are out of compliance.
This means your consent management platform needs to detect GPC headers, apply them as opt-out directives, and ensure that downstream systems (analytics, advertising, data partners) respect that signal in real time.
Opt-Out Process Simplicity
The AG specifically criticized opt-out methods that require too many steps. Your process should be as frictionless as possible. No hidden menus. No excessive scrolling. No routing app users to a broken web form.
Test your opt-out flow the way a consumer would experience it. If it takes more than three clicks from any entry point, simplify it.
Confirmation and Documentation
The Disney settlement requires confirmation that opt-out requests were processed. Building a confirmation mechanism into your preference center, whether through email confirmation, in-app notification, or visual acknowledgment, demonstrates compliance and builds consumer trust.
Regular Compliance Assessment
The settlement includes a three-year compliance assessment program with annual reporting to the AG. Even without a settlement, building periodic consent audits into your compliance calendar is a best practice that reduces exposure.
The Bigger Picture
The enforcement trajectory is clear. In 2025, we saw increased state-level privacy enforcement with the formation of the Consortium of Privacy Regulators spanning 10 states. In 2026, CalPrivacy has ramped up data broker enforcement, the DELETE Act is operational with more than 215,000 California residents signed up, and new regulations around automated decision-making and cybersecurity audits have taken effect.
Consent management is no longer a "set it and forget it" workstream. The organizations that treat it as a living program, one that evolves alongside their marketing stack and regulatory requirements, are the ones that will avoid becoming the next settlement headline.
Where to Start
If your consent program was configured more than 18 months ago and has not been meaningfully updated since, start with these three steps:
- Map your current opt-out flow end to end. Document every touchpoint where a consumer can submit an opt-out, and trace whether that preference reaches every system that needs it.
- Test GPC compliance. Install a GPC-enabled browser extension, visit your site, and verify that your consent management platform recognizes and honors the signal.
- Audit your identity resolution. If your marketing systems can connect a user across devices, your consent system should have the same capability. If it does not, that is the gap to close first.
The Disney settlement is not the end of this story. It is a data point in an enforcement trend that is accelerating. The question is whether your consent architecture is built for where the law is heading, or still configured for where it was two years ago.
