Largest CCPA Fine to Date
- Katarzyna Celińska

- 11 hours ago
The California Attorney General has issued the largest CCPA settlement to date, a $2.75 million penalty against Disney for alleged failures related to opt-out rights implementation.
From a financial perspective, the amount is not enormous, especially for a global organization like Disney.
But this case is important. It shows the direction of regulatory enforcement in California and beyond.
According to the Attorney General’s office, the issue was not a data breach. The enforcement focused on failures in the implementation of opt-out mechanisms, specifically across Disney’s streaming services.

The investigation found:
➡️ Opt-out toggles applied only to specific services or devices, not universally.
➡️ Webform opt-outs were limited in scope and did not fully stop data sales/sharing.
➡️ Global Privacy Control signals were not consistently honored across devices.
The Attorney General made it clear:
➡️ If a company can unify consumer identity for advertising and analytics purposes,
➡️ it should also be able to unify opt-out rights.
✅ Mechanisms to enable opt-out from sale or sharing of personal information are not technically complicated to implement.
However, for organizations whose revenue models rely heavily on:
➡️ targeted advertising,
➡️ cross-platform identity tracking,
➡️ third-party data sharing,
robust and effective opt-out implementation may conflict with commercial incentives.
But regulators are increasingly signaling that business convenience does not override statutory rights.
The Disney settlement surpasses a previous $1.55 million CCPA settlement involving Healthline Media over similar opt-out issues.
I hope that in the future, penalties will be significant enough to create real deterrence, particularly for organizations that treat personal data as a commodity rather than a protected asset.
From a governance standpoint, companies operating in California should:
➡️ Review opt-out mechanisms across all services and devices,
➡️ Ensure Global Privacy Control signals are properly honored,
➡️ Test whether identity unification applies equally to opt-out logic,
➡️ Align marketing systems with privacy architecture.
Author: Sebastian Burgemejster




