The Most Trusted Brand in Children’s Entertainment Was Secretly Building Data Profiles on Kids

There is a specific kind of cruelty in this case. Disney, the company that built its entire identity on the trust of parents and the wonder of children, used that trust as cover to harvest children’s personal information without telling anyone. 👀

According to a federal court order entered December 23, 2025, in the Central District of California, Disney Worldwide Services, Inc. and Disney Entertainment Operations LLC violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children under 13 through their YouTube channels, without providing required notice to parents and without obtaining verifiable parental consent. The complaint charges that Disney failed on three separate, clearly defined legal obligations: it failed to provide complete direct notice to parents, failed to post a proper online notice of its data collection practices regarding children, and failed to get verified parental permission before collecting, using, or sharing children’s personal data.

The personal information at stake covered a wide range: names, home addresses, phone numbers, email addresses, Social Security numbers, photographs, audio files containing a child’s voice, geolocation data down to the street level, and persistent device identifiers. These are tiny digital tags, embedded in cookies and device serial numbers, that follow a child across every website and app they visit, building a profile over months and years. Disney collected all of this from children who came to watch Mickey Mouse and Moana.

Inside the Allegations: What Disney Actually Did to Children

The court order lays out the core violations in clinical language that deserves translation into plain English. Disney published videos to YouTube channels directed at children. YouTube’s platform, operating in the digital advertising economy, collects personal information from viewers in order to serve targeted advertising and build behavioral profiles. COPPA exists precisely to block this machinery from running on children under 13 without parental knowledge and consent.

Disney’s obligation under COPPA was specific and non-negotiable. Before collecting any personal information from a child, Disney had to tell parents directly, tell them through a clearly posted online notice, and get their verified permission. The law defines “collection” broadly: it covers not just forms children fill out, but passive tracking of a child online. Device identifiers fall squarely within that definition.

Disney failed all three obligations. The company’s videos reached children. The platform collected data from those children. Parents received no direct notice. Disney posted no clear online notice of its data practices. And Disney never secured verified parental consent.

The data Disney failed to protect covers the full range of information a predator, data broker, or advertiser could want from a child: name, physical address, phone number, email address, Social Security number, photographs, video and audio files capturing the child’s image and voice, geolocation data, and persistent tracking identifiers that reconstruct a child’s digital behavior over time.

Corporate Accountability Fails the Public: The $10 Million Fine Is a Publicity Stunt

Disney agreed to pay $10 million. Their legal counsel held the funds in escrow before the order was even signed, signaling this resolution was choreographed long before any public announcement. The payment goes to the United States Treasury. None of it goes directly to the families whose children’s data was collected without consent. None of it funds monitoring, remediation, or victim notification.

Disney’s annual revenue exceeds $88 billion. The $10 million penalty represents roughly 0.011% of that figure. By comparison, a household earning $60,000 per year paying a proportionate fine would owe about $6.60. This is the economic reality of corporate accountability under the current regulatory framework: fines function as a cost of doing business, not a deterrent.

Critically, Disney neither admits nor denies the allegations. The order states clearly: “Defendants neither admit nor deny any of the allegations in the Complaint.” The company faces no admission of guilt on the public record. No Disney executive is named in the complaint. No officer faces personal financial liability. No one loses a job. No board member faces scrutiny. The corporation settles, pays a fraction of a percent of its annual revenue, and moves on.

How Capitalism Exploits Delay: Years of Non-Compliance as a Business Strategy

COPPA became law in 1998 and its rules took effect in 2000. The law has been in force for a quarter century. Every major corporation with a digital presence, particularly one as reliant on children’s content as Disney, has operated with full knowledge of COPPA’s requirements for over two decades. There is no plausible claim of ignorance.

Disney maintained YouTube channels publishing content directed at children. The YouTube platform collects personal information from viewers. The intersection of these two facts created a clear, well-publicized COPPA compliance obligation. Disney’s alleged failure to meet that obligation, for the duration of time these channels operated without proper consent mechanisms, represents a sustained business decision: the cost of compliance was weighed against the cost of being caught, and the choice to delay was made.

This is how delay functions as a structural corporate advantage. Every quarter that a company collects data without proper consent is a quarter of additional behavioral data, advertising revenue, and platform engagement metrics gathered at children’s expense. The eventual fine, when it comes, covers only the penalty, not the profits already extracted. The business model of non-compliance often remains net positive even after enforcement.

Regulatory Capture and Loopholes: Why COPPA’s Enforcement Gap Persists

The FTC enforces COPPA, but the agency operates with limited resources against thousands of digital platforms and content creators. The framework relies heavily on self-reporting and good faith compliance. Companies designate their own content audiences, run their own consent processes, and maintain their own records. Third-party auditing is the exception, not the rule. 🔍

The court order requires Disney to establish an “Audience Designation Program” to review its YouTube videos and label children’s content as “Made for Kids.” Disney has 180 days to implement this program and must maintain it for 10 years. But this obligation existed before this case. YouTube’s own policies, updated after a separate 2019 FTC enforcement action against YouTube, already required creators to label children’s content. Disney’s alleged failure to do so adequately speaks to the limits of self-policing in a system where the financial incentives favor data collection over data protection.

The order also creates escape hatches. Disney’s Audience Designation Program obligations disappear entirely if YouTube implements its own age-verification measures or restricts data collection from children platform-wide. Disney’s compliance obligations are thus contingent on decisions made by another corporation, YouTube, that has its own financial interest in continuing data collection. This structure offloads regulatory responsibility onto corporate arrangements rather than fixed legal standards.

Profit-Maximization at All Costs: The Economics of Tracking Children

The digital advertising industry runs on behavioral data. Persistent identifiers, the kind COPPA explicitly protects children from, allow advertisers to track a user’s behavior across websites, build psychological profiles, and serve targeted advertisements. Children, with their predictable interests and parental influence over household purchasing decisions, represent valuable advertising targets.

YouTube’s advertising model is particularly valuable for children’s content channels. High-engagement children’s content commands premium advertising rates. The audience demographic, children aged 2-12 and their parents, is precisely the target that consumer goods companies, toy manufacturers, fast food brands, and entertainment companies pay top dollar to reach. Collecting behavioral data from that audience, even without explicit parental consent, serves the platform’s and the content creator’s shared financial interests.

Disney’s YouTube channels did not exist purely as public service announcements. They served Disney’s commercial interests: promoting films, characters, theme parks, merchandise, and streaming subscriptions. The data collection embedded in those channels, even if passive and platform-driven, fed an advertising infrastructure that ultimately generated revenue. The children whose data was collected were simultaneously the audience and the product.

This Is the System Working as Intended

The Disney COPPA settlement is not an aberration. It fits a clear pattern. In 2019, YouTube and Google paid $170 million to settle COPPA violations for collecting data from children on YouTube. That settlement required YouTube to change its practices, including creating the Made for Kids labeling system that Disney allegedly failed to use properly. The cycle continued: policy change, inadequate compliance, eventual enforcement, settlement without admission of guilt, repeat.

TikTok paid $5.7 million in 2019 for COPPA violations. Operators of children’s apps have paid millions more in smaller settlements. The pattern reveals that COPPA fines function as a predictable line item in corporate budgets, not as consequences that fundamentally change corporate behavior. Each settlement is treated as closure, the case is resolved, and the underlying incentives that produced the violation remain intact.

Under neoliberal capitalism, children’s data protection suffers from the same structural failure as environmental protection, worker safety, and consumer fraud: the costs of compliance fall on the corporation immediately, while the costs of non-compliance fall on the harmed parties, often children and families with no direct legal recourse, and arrive only after years of regulatory process. The math favors non-compliance.

The Language of Legitimacy: How Legal Process Neutralizes Outrage

Read the court order carefully and notice what it does not say. It does not say Disney was wrong. It resolves “all matters in dispute.” It notes that defendants “neither admit nor deny.” It uses phrases like “Covered Service” and “Audience Designation Program” and “Verifiable Parental Consent” that transform child privacy violations into abstract procedural categories. 📄

This language performs a specific function. It converts the straightforward story of a corporation tracking children without their parents’ knowledge into a technical compliance matter. Parents reading this court order are not addressed as harmed parties. Their children are not named. The human consequences of data collection without consent, exposure to profiling, behavioral targeting, potential data breaches, the construction of commercial profiles on minors, receive no mention whatsoever.

The order’s structure also grants Disney remarkable protection from future liability. The facts alleged in the complaint can be taken as true in future enforcement proceedings related to payment. But Disney’s lack of admission means those facts cannot be used against the company in any private civil litigation by the families whose children were affected. The settlement closes doors.

What the Permanent Injunction Actually Requires

The court permanently enjoins Disney from: failing to notify parents directly before collecting children’s data, failing to post clear online notice of its data practices regarding children, and collecting, using, or disclosing children’s personal information without verified parental consent. These are the obligations COPPA already imposed. The injunction makes them individually enforceable against Disney with contempt penalties, which does represent a meaningful escalation in accountability going forward.

Disney must also implement the 10-year Audience Designation Program, designating a qualified employee to oversee it, training staff annually, documenting the program in writing, and assessing its effectiveness every 12 months. Disney must maintain compliance records for 10 years and submit compliance reports sworn under penalty of perjury. The FTC retains the right to interview Disney employees and conduct undercover compliance checks.

These are real requirements. They create ongoing oversight obligations that did not exist before. But they address the symptom: Disney’s failure to properly label content for children. They do not address the underlying system: a digital advertising infrastructure built on behavioral data collection that generates profit from children’s attention and information.

Pathways for Reform: What Corporate Accountability Should Actually Look Like

The gap between what this settlement delivers and what genuine corporate accountability requires is wide. Several reforms would bring enforcement closer to the scale of harm.

First, civil penalties should scale to corporate revenue, not stand as fixed dollar amounts. A $10 million fine against a $200 billion corporation is structurally different from a $10 million fine against a small business. Revenue-linked penalties create proportionate deterrence. The European Union’s GDPR fines up to 4% of global annual revenue. Applied to Disney, that standard would produce penalties in the range of $3.5 billion, a figure that concentrates corporate attention.

Second, executives who approve, oversee, or profit from violations should face personal liability. The current framework holds corporations accountable as abstract legal entities while the human decision-makers remain insulated. Personal financial liability, and in serious cases criminal referral, would change corporate decision-making at the level where decisions actually get made.

Third, settlements of this kind should include direct redress for affected families, not just payments to the Treasury. Parents whose children’s data was collected without consent deserve notification and the practical ability to request deletion of their children’s data.

Fourth, third-party auditing of COPPA compliance, rather than corporate self-assessment, would close the compliance gap that self-policing creates. Independent auditors with access to platform data and advertising systems would identify violations before they require years of federal investigation.

Conclusion: The Children Were Never the Priority

There is a useful test for evaluating any corporate accountability case. Ask: does the outcome make the harmful behavior unprofitable, or does it simply impose a manageable cost? In the Disney COPPA settlement, the answer is clear. A $10 million fine does not make years of improper data collection unprofitable. It prices the violation. It defines, implicitly, what consent violations of this type cost in the American regulatory market.

Children under 13 cannot protect themselves in a digital environment designed by adults to extract value from their attention and behavior. COPPA exists precisely because the market will not protect them on its own. But the law’s enforcement is only as effective as its penalties, and penalties calibrated to avoid corporate inconvenience are not enforcement. They are a licensing fee.

Disney built its reputation on magic and trust. It built its YouTube channels on children’s attention. And it built its data collection practices on the assumption that the cost of getting caught would remain manageable. On December 23, 2025, a federal judge confirmed that assumption was correct. ⚖️

Frivolous or Serious: An Assessment of This Case

This case is serious and well-founded. COPPA’s requirements are unambiguous, have been in force for 25 years, and were the subject of major prior enforcement actions that placed every significant YouTube content creator on notice. The three violations charged, failure to notify parents directly, failure to post proper online notice, and failure to obtain verifiable parental consent, each have clear statutory definitions. The court found jurisdiction, and Disney stipulated to the order without contesting the legal framework.

The fact that Disney neither admits nor denies the allegations is a feature of the settlement process, not evidence that the charges lacked merit. Federal agencies do not bring COPPA enforcement actions against companies the size of Disney without substantial evidence. The $10 million penalty, while inadequate as a deterrent, reflects the legal maximum available under the statutory framework rather than a measure of the case’s weakness. The case is legitimate, well-documented, and, in its structural inadequacy as a deterrent, a precise illustration of why stronger legislation is overdue.