Credit: Disney Did your data get breached because of Disney? Did a third-party company gain access to your data?
Disney Reaches Settlement in Massive California Lawsuit
There’s a certain trust that comes with walking through the gates of a Disney Park. Whether guests are strolling down Main Street, U.S.A. or planning their next streaming night with Disney+, there’s an expectation that the magic extends beyond attractions and entertainment. For generations, families have aligned themselves with the storytelling power of The Walt Disney Company, often without a second thought about what happens behind the scenes.
But in today’s digital age, the “magic” doesn’t just live in the parks. It follows fans onto their phones, smart TVs, tablets, and laptops. Every click, every stream, and every account login is part of a much larger ecosystem. And increasingly, consumers are paying closer attention to how their personal information is handled.
Over the past year, California regulators have been scrutinizing major streaming services as part of broader enforcement efforts under the California Consumer Privacy Act (CCPA). The law gives consumers the right to know how their data is collected and shared — and, importantly, the right to opt out of the sale or sharing of that information. What investigators uncovered in one high-profile case has now resulted in a significant settlement.
The California Investigation Put Major Streaming Platforms Under the Microscope
According to DEADLINE, California Attorney General Rob Bonta announced that The Walt Disney Company has agreed to a $2.75 million settlement to resolve alleged violations of the CCPA. The investigation began in January 2024 as part of a large-scale probe into streaming platforms and their compliance with state privacy law.
According to the Attorney General’s office, investigators found that Disney did not fully honor consumers’ requests to opt out of the sale or sharing of their personal data across devices and streaming services connected to their accounts. While opt-out mechanisms were present, regulators determined that gaps in the process allowed certain data sharing to continue.
The CCPA requires businesses to provide clear and effective tools for consumers who wish to stop the sale or sharing of their personal information. The law also recognizes Global Privacy Control (GPC) signals, which allow users to send automated opt-out requests through their browsers or devices.
Gaps in the Opt-Out Process Sparked Concern
Investigators found that opt-out toggles on Disney websites and apps often applied only to a specific streaming service or device, rather than the user’s entire account. In practice, this meant that opting out on one platform did not necessarily prevent data sharing across others tied to the same login.
In addition, Disney’s webform reportedly stopped data sharing through its own advertising platform but allowed continued sharing with certain third-party ad-tech companies embedded within its services. Some connected TV apps lacked in-app opt-out options altogether, instead directing users to a webform that regulators determined did not fully halt data sharing.
Global Privacy Control signals were also limited to individual devices, even when users were logged into their accounts, rather than applying universally across their profiles.
These alleged shortcomings ultimately led to the $2.75 million settlement, marking the seventh CCPA enforcement action under Attorney General Bonta. Previous settlements have involved companies such as Sephora, DoorDash, Jam City, Sling TV, Healthline.com, and Tilting Point Media.
The $2.75 Million Settlement Marks a Turning Point
Under the terms of the settlement, Disney must pay civil penalties and implement opt-out mechanisms that completely stop the sale or sharing of personal information when requested by consumers. The company is required to ensure its systems align with CCPA standards moving forward.
While $2.75 million represents a fraction of Disney’s overall business operations, the settlement carries symbolic weight. It underscores California’s continued commitment to enforcing privacy rights and signals to other major media companies that compliance is not optional.
Back in September 2025, Disney also reached a settlement with the Federal Trade Commission related to “Made for Kids” content not being correctly labeled, which allowed data collection without parental consent under the Children’s Online Privacy Protection Act (COPPA). At that time, Disney acknowledged shortcomings and implemented new procedures to comply with federal guidelines.
What This Means for Disney Guests and Streaming Subscribers
For future travelers and Disney+ subscribers alike, the immediate impact is procedural rather than experiential. Guests visiting the parks won’t notice operational changes tied directly to the settlement. However, users interacting with Disney’s digital platforms may see more comprehensive opt-out tools and clearer data-sharing disclosures.
The California Attorney General’s office has made clear that investigative sweeps will continue to monitor compliance with the CCPA. For consumers, that means increased oversight and, ideally, stronger protections moving forward.
No matter how you feel about Disney or its products, the larger conversation remains important: transparency and meaningful choice matter when it comes to personal data.
Is this simply part of an evolving digital landscape, or does it signal a deeper shift in how major entertainment companies must operate? As privacy laws continue to expand, one thing is certain — the magic of trust may be just as important as the magic on screen.