California Fines Disney $2.75 Million in Record CCPA Case
California regulators have issued their largest penalty yet under the California Consumer Privacy Act, announcing a $2.
AI-Driven Threat Detection for Quantum-Enabled Side-Channel Attacks
California regulators have issued their largest penalty yet under the California Consumer Privacy Act, announcing a $2.75 million settlement with The Walt Disney Company after investigators found that consumer opt-out requests were not consistently honored across devices and streaming platforms.
The case centers on a straightforward expectation that is becoming harder for companies to meet: when users tell a service not to share their data, that signal must follow them everywhere they use it.
How Did We Get Here?
The CCPA, and later the California Privacy Rights Act, introduced some of the strongest consumer privacy protections in the United States, enforced by the California Privacy Protection Agency.
For the first few years, enforcement often focused on whether companies told consumers the truth?
This settlement suggests something different: regulators are increasingly interested in whether privacy rights work.
What Investigators Found
According to state officials, consumers who tried to opt out of data selling or sharing still had information moving through certain channels when they used other devices or service features.
Investigators pointed to:
opt-outs that applied on one device but not another
data sharing that continued in certain streaming environments
insufficient oversight of how partners handled user information
privacy workflows that didn’t match what users were led to expect
Disney did not admit wrongdoing as part of the settlement but agreed to implement enhanced controls to ensure opt-out choices are applied consistently.
The Cross-Device Challenge Behind the Case
Modern digital platforms rarely live in one place. A single account can connect a mobile app, smart TV, browser session, third-party ad network, and content partner.
In that environment, a user’s privacy choice isn’t a single switch. It’s a series of coordinated signals that must move across devices, systems, and vendors.
Regulators are increasingly treating that coordination as a core compliance requirement.
Automated Signals Are Now Part of the Equation
California has also emphasized the importance of Global Privacy Control (GPC), a browser-based mechanism that automatically communicates a user’s opt-out preference. Businesses are expected to recognize and honor that signal across downstream data flows.
This places additional pressure on companies whose digital ecosystems involve multiple integrations, identity systems, and advertising partners.
The Expanding Definition of “Sharing”
Under the CPRA’s amendments, “sharing” doesn’t necessarily require money to change hands. Passing personal information along for cross-context behavioral advertising may trigger the same obligations as a sale.
Does your company use the following?
ad-tech platforms
analytics suites
embedded tracking tools
multi-channel marketing systems
If the answer is yes, the implications are significant. Responsibility for personal data doesn’t end when it leaves the first party’s servers.
A Broader Enforcement Pattern Is Taking Shape
The Disney case is not an outlier. It aligns with a growing set of signals from California regulators:
privacy rights must function across the entire user experience
data-sharing ecosystems are under closer scrutiny
companies must be able to demonstrate how opt-outs move through their systems
compliance failures increasingly involve operational gaps rather than policy errors
As more state privacy laws take effect nationwide, California’s direction is becoming a bellwether.
The post California Fines Disney $2.75 Million in Record CCPA Case appeared first on Centraleyes.
*** This is a Security Bloggers Network syndicated blog from Centraleyes authored by Rebecca Kappel. Read the original post at: https://www.centraleyes.com/california-fines-disney-2-75-million/
About Author
.png?width=3196&height=457&name=Affirm-CTA-02%20(1).png "Context-Based Attestation: A Practical Approach to High-Confidence Identity Verification")
