Data Privacy Alerts

Data Privacy Alert: California Secures Record $2.75M CCPA Settlement Over Opt-Out Failures

Read how California continues to lead the states in privacy rights enforcement, this time reaching a $2.75 million settlement over failures to honor the opt-out requests of consumers who submitted them.

Why This Announcement Is Important

California regulators are signaling zero tolerance for incomplete or fragmented opt-out mechanisms under the CCPA. The latest $2.75 million settlement, the largest in CCPA history, reinforces that businesses must ensure consumers’ “Do Not Sell or Share” requests apply universally across devices, services, and platforms.

Opt-out rights must work seamlessly. Partial compliance is no longer defensible.

Overview of the CCPA Settlement

California Attorney General Rob Bonta announced a $2.75 million settlement with The Walt Disney Company following a 2024 investigative sweep into streaming services.

The investigation found that Disney failed to fully effectuate consumers’ requests to opt out of the sale or sharing of their personal information. Specifically:

  • Opt-out toggles applied only to the specific streaming service or device being used, not across the consumer’s entire account.
  • Webform submissions stopped certain internal advertising sharing but did not prevent data sharing with embedded third-party ad-tech vendors.
  • Global Privacy Control (GPC) signals were honored only at the device level, even when users were logged into their account.
  • Some connected TV apps did not offer an in-app opt-out mechanism, instead redirecting users elsewhere.

Under the settlement:

  • Disney must implement opt-out methods that fully stop selling or sharing across all associated services.
  • The company must pay $2.75 million in civil penalties.
  • Ongoing compliance reporting and oversight are required.
  • Future noncompliance could trigger additional penalties of up to $2,500 per violation.

This marks the seventh CCPA enforcement action by the California Attorney General’s office and the largest monetary penalty to date.

Key Implications of the CCPA Settlement

  1. Account-Level Opt-Out Is Mandatory - If a consumer is logged in, opt-out must apply across all services tied to that account, not just one app or device.
  2. GPC Signals Must Be Honored Properly - Global Privacy Control is legally recognized in California. Limiting it to device-level action may violate the law if account-level data sales continue.
  3. Third-Party Code Is Your Responsibility - Embedded ad-tech pixels, SDKs, or APIs do not shield companies from liability. If data continues to flow after opt-out, the business remains accountable.
  4. Ease of Use Is a Compliance Requirement - Opt-out links must be clear, conspicuous, and effective immediately or through a simple toggle. Regulators are scrutinizing user experience, not just policy language.
  5. Enforcement Is Expanding - The AG has conducted sweeps targeting streaming platforms, location data brokers, employee data practices, and surveillance pricing. Enforcement is coordinated and systematic.
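To make the account-versus-device distinction in points 1 through 3 concrete, the following is an added Python illustration (not code from the settlement, Disney, or Exterro) of a consent store that records a "Do Not Sell or Share" choice at account scope whenever the user is logged in, treats the `Sec-GPC: 1` request header the same way, and gates every share decision, internal or third-party, on that single record. Account, device and recipient names are constructed.

```python
from dataclasses import dataclass, field

GPC_HEADER = "Sec-GPC"  # header a GPC-enabled browser sends; the value "1" signals opt-out


@dataclass
class ConsentStore:
    """One source of truth for 'Do Not Sell or Share' choices (constructed example)."""
    opted_out_accounts: set = field(default_factory=set)  # account-scoped choices
    opted_out_devices: set = field(default_factory=set)   # device-scoped (logged-out) choices

    def record_opt_out(self, account_id, device_id):
        """Record an opt-out at the widest scope known: the whole account when logged in."""
        if account_id is not None:
            self.opted_out_accounts.add(account_id)
        self.opted_out_devices.add(device_id)

    def apply_gpc(self, headers, account_id, device_id):
        """Honor an incoming GPC signal; returns True if an opt-out was recorded."""
        # A real web framework normalizes header case; a plain dict is used here for brevity.
        if headers.get(GPC_HEADER) != "1":
            return False
        self.record_opt_out(account_id, device_id)
        return True

    def may_share(self, account_id, device_id, recipient):
        """Gate every sale/share, whatever the recipient, on the same stored choice."""
        blocked = account_id in self.opted_out_accounts or device_id in self.opted_out_devices
        return not blocked


def walkthrough():
    """Constructed scenario mirroring the failure modes described in the settlement."""
    store = ConsentStore()
    # Webform opt-out submitted from the phone app while logged in to account "acct-42".
    store.record_opt_out("acct-42", "phone-1")
    # GPC-enabled browser, logged in to the same account: must scope to the account too.
    store.apply_gpc({"Sec-GPC": "1"}, "acct-42", "laptop-7")
    # GPC from a logged-out browser: only that device can be covered.
    store.apply_gpc({"Sec-GPC": "1"}, None, "kiosk-3")
    return {
        # A connected TV on the same account must be blocked for every recipient.
        "tv_internal": store.may_share("acct-42", "tv-9", "internal_ads"),
        "tv_third_party": store.may_share("acct-42", "tv-9", "ssp_vendor"),
        # The logged-out device stays blocked; an unrelated guest device is unaffected.
        "kiosk": store.may_share(None, "kiosk-3", "ssp_vendor"),
        "other_guest": store.may_share(None, "guest-5", "ssp_vendor"),
    }
```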

Expert Analysis from Fahad Diwan, JD, FIP, CIPP/M, CIPP/C, Director of Product Marketing, Data Governance, Exterro

The recent $2.75 million CCPA settlement, the largest in the law's history, is a massive wake-up call for organizations. It proves that simply offering a surface-level "Do Not Sell or Share" mechanism is not enough; regulators are scrutinizing user experience to ensure opt-out rights work seamlessly.

The core issue exposed here is fragmented consent. When opt-out toggles only apply to a single device, or when webforms fail to halt data sharing with embedded third-party ad-tech vendors, the business remains fully accountable. If a consumer is logged in, their privacy choices must be honored universally across all associated services. Partial compliance is no longer defensible.

To protect your organization, having a consent and preference management solution is essential. These tools automate the collection, tracking, and synchronization of consumer consent across all your digital properties, third-party trackers, and internal systems. By establishing a centralized source of truth for user preferences, you can ensure that when a consumer exercises their rights, all downstream sharing truly and immediately stops.

Data Privacy Tip

Opt-out compliance must work everywhere, across devices, accounts, and third-party integrations, not just in policy language. Organizations should ensure they have clear visibility into where personal data flows and whether consumer choices are truly stopping downstream sharing. For practical guidance, read our blog post, An Accurate Data Catalog Is the Foundation of Data Risk Management.