The race between technological developments and the enforcement of regulations governing them is finally beginning to tighten. The Disney settlement is one of the cases illustrating the gradual narrowing of this gap. At least when it comes to the privacy sphere, mass media and entertainment conglomerates, like tech giants, do not operate in a regulatory vacuum anymore but rather need to comply with the laws and provide consumers the rights they are entitled to.
- The settlement
The Disney settlement concerns the failure of Disney’s streaming service, including Disney+, Hulu and ESPN+, to properly effectuate consumers’ opt-out requests across devices and services. Disney’s system created an opt-out illusion, leaving the impression that consumers fully opted out while in reality additional steps were needed. The opt-out relates to the sharing or sale of consumers’ data. By opting out, consumers exercise their right to require the company to stop selling or sharing their personal data, thus preventing the company from illegal conduct. In the present case, the plaintiffs claimed that when they opted out in one platform, that choice was not automatically applied across the others, ultimately leading to infringement and improper application of the opt-out system. Furthermore, the settlement for the California Attorney General’s enforcement action amounted to $2.75 million, which the Walt Disney Company agreed to pay. In addition to the amount, Disney also needs to implement opt-out methods, fully stopping the sale and sharing of personal information. As AG Bonta stated: «Consumers shouldn’t have to go to infinity and beyond to assert their privacy rights…» (California Attorney General, 2026).
The case at hand did not only concern the flow of data and privacy but also the mere interface design, technical architecture and the formal versus real compliance gap. This is precisely what makes it so relevant. Moreover, according to California, the main issue was the fragmentation of the process by which consumers were led to believe they opted out, while that was not the reality. It was, at least, capable of misleading a reasonable consumer. Additionally, it goes beyond the privacy issue by violating the Unfair Competition Law (Marmor and Ricci, 2026). This made the issue both more complex and more urgent.
Worth noting is that this was an isolated investigation of the California Department of Justice. There was a broader investigative sweep aimed at various streaming services and connected TVs or devices (Marmor and Ricci, 2026).
- Comparison to the EU
Overall, privacy and data standards in the EU appear to be significantly stricter. The GDPR is the main legislation governing the protection of personal data in the EU. It mandates lawful basis for processing which can be through contract, legal obligation, legitimate or vital interest and consent. Article 21 GDPR provides for the right to object. One of the identified fields is direct marketing. It is particularly sensitive, hence when a person objects processing of personal data for this purpose, it must be stopped immediately. With increased involvement of technology in everyday lives, new legislation has emerged to limit the power of tech companies and strengthen data protection, especially considering the value it gained from an economic perspective. The EU is continuously enforcing new rules and guidelines to fight this evolving misuse stemming from exponential digital development.
In simple terms, the US requires specific request or order made by the user not to process, whereas the EU framework generally requires the company to justify processing from the outset under one of the GDPR’s lawful bases. This exemplifies quite an opposing perspective and legislative and societal architecture. The US framework empowers companies, whereas the EU framework is generally more rights-centred. Henceforth, an equivalent case in Europe would likely be subject to different, and possibly stricter, legal framework. That is, the consequences would likely be more drastic. Additionally, the Disney EU users are protected under different law, meaning that Disney can implement opt-out mechanisms efficiently but it chooses not to.
- Differentiation between logged-in and non-logged-in users and other issues
Nevertheless, there are certain issues arising from the case. Different types of users are clearly identified, and different rules apply to each category. More specifically, there are logged-in users and non-logged-in ones. The former have more protection compared to the latter. Therefore, it may be concluded that the judgment improves enforcement for users who are logged in. Their request for opting out covers all Disney streaming services that can be associated with their account (California Attorney General, 2026). By contrast, a user who is not logged in may be required either to log in or to provide additional personal data (California Attorney General, 2026). This can signal that Disney still holds the upper hand and is able to collect personal data as a “payment” method for opting out. It is possible that such conduct is also backed up by a technological argument, still it is something to be analysed further.
It might be harder to effectively retrieve and stop the data from flowing because of the involvement of related third parties. This can be viewed as a paradox because the privacy rights are respected more for those who provided more data, while those who did not are asked to provide in order to be protected. In other words, the same technical architecture of data centralisation and cross-platform tracking is used to stop such conduct. This leaves a question of the platform ecosystem’s privacy rights because of the deep centralisation and the need for identification.
- Relevance of compliance obligations
The fine Disney must pay is relevant; however, further action on compliance is more important. Especially considering Disney’s annual turnover, which in 2025 amounted to revenue of $94.4 billion (The Walt Disney Company, 2025), $2.75 million may appear as “cost of doing business”. It is symbolic. The financial penalty signals that even giants, like Disney, cannot get away with misconduct.
Significantly higher importance is given to the injunctive and monitoring obligations. The settlement requires changes to the opt-out – make them more consumer-friendly, regular updates to the AG, and a three-year monitoring program (California Attorney General, 2026). The monitoring program and connected assessment refer to the effective implementation and maintenance of a consumer-friendly and cross-platform opt-out scheme. The only concern is that this information is confidential, thus not accessible to the public. Consumers therefore have to rely on the authorities to ensure that Disney has genuinely changed its conduct, rather than engaged in reputational management through making empty promises.
Nevertheless, the privacy enforcement through institutional supervision suggests that the State sees noncompliance as an issue of the system. Product teams, engineers and lawyers have to cooperate and continuously monitor. A one-time fine is insufficient for the scale of the problem and the damage it can cause.
- Beyond Disney
As previously mentioned, the Disney settlement is not an isolated issue. It follows previous enforcement actions against Sling TV, which was accused of similar misconduct (Marmor and Ricci, 2026; Marmor, Shively and Angle, 2025). The wide investigative sweep started in January 2024, firstly targeting streaming services (California Attorney General, 2024). All is rooted in the California Consumer Privacy Act as a landmark law securing increased privacy rights. People are encouraged to learn more about their rights, including the one to prohibit businesses from using and selling their data without proper notification, disclosure, or user-provided agreement.
The message to the entire industry is evident: superficial privacy compliance is no longer sufficient – regulators moved to the mechanics of consumer experience, focusing on examination of how privacy choices are presented and their real effects. Here is a clear intersection between market conduct and privacy. It may be argued that privacy-choice design affects consumer behaviour and determines the volume of extractable data. This influences the commercial advantages platforms gain from personalised ads and cross-service integration. Furthermore, the design even nudges users to disclose more data by structuring the way they interact with the platform.
The first frontier was the dark patterns. Now we are encountering compliance fragmentation. Platforms, particularly when operating across connected services, can exploit legal and technical grey zones. This behaviour may be commercially rational, because weaker privacy protection can generate more data-driven transactions, more personalised ads, and ultimately greater profit. However, Disney’s settlement showcases a shift in the regulators’ approach where fragmentation is perceived as a legal failure and not an accident. Other services should learn from this and reinvent themselves before it’s too late.
- End of a symbolic opt-outs era
The conclusion is that rights must travel with the consumer and not be stopped when third parties join the game. In today’s highly technologically interconnected world, California’s approach is the only correct response. The focus should be on the effectiveness, and not formal compliance. Opt-out mechanisms should be clear, easier and minimally burdensome. They should not require multiple logins across connected platforms with each specific platform necessitating separate opt-out. Disney’s case significantly helps this development due to its brand name and status.
From the EU law perspective, opt-out approach at hand may appear as reactive and not preventive. It is based on correcting the misuse instead of providing more control to consumer from the inception. Companies are still allowed to use the data until the users instruct them not to, while in the right-centred EU, the approach would be reversed. Processing of data occurs only after legal basis is established for it. Nevertheless, the settlement exemplifies a shift in regulator’s focus from formal compliance towards an effective enforcement. Furthermore, even the business-oriented system is starting to acknowledge the need to empower consumers. This leads to the converging view: privacy rights must be effective in practice, not merely formally available.
Product design is no longer an escape route. This case perfectly exposes the gap between written laws and platform conduct. An unclear and lengthy procedure to opt out is both inconvenient and creates a privacy theatre. It signals respect for the choice while limiting its effect, ultimately producing an illusion. It is not a question of new rules but the proper implementation of existing ones. Now, companies have two options: align the technological architecture with consumer rights or face the consequences.
BIBLIOGRAPHY
California Attorney General (2026), “California Won’t Let It Go: Attorney General Bonta Announces $2.75 Million Settlement with Disney for CCPA Violations”, available «https://oag.ca.gov/news/press-releases/california-wont-let-it-go-attorney-general-bonta-announces-275-million»
Marmor, R. and Ricci, K.N. (2026), “Caught in a Mousetrap: Disney to Pay $2.75M for Consumer Opt-Out Missteps”, Holland & Knight, 13 February. available at «https://www.hklaw.com/en/insights/publications/2026/02/caught-in-a-mousetrap-disney-to-pay-for-consumer-opt-out-missteps»
Marmor, R., Shively, A.L. and Angle, K. (2025) ‘Sling TV to Pay $530K for Alleged CCPA Violations as Regulators Continue Focus on Privacy Controls’, Holland & Knight, 12 November. Available at «https://www.hklaw.com/en/insights/publications/2025/11/sling-tv-to-pay-530k-for-alleged-ccpa-violations»
California Attorney General (2026), “[Proposed] Final Judgment and Permanent Injunction.”
California Attorney General (2024), “Attorney General Bonta Announces Investigative Sweep Focusing on Streaming Services’ and Connected TV Platforms’ Compliance with California Consumer Privacy Act.” available at «https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-investigative-sweep-focuses-streaming-services%E2%80%99»
