EvilCorporations.com • Case No. 25STCV04425 • 13 min read

The Happiest Place on Earth Was Watching You the Whole Time

Disney’s Illegal Data Empire: Children, Streaming, and the $2.75 Million Cover Story

The Non-Financial Ledger: What a Number Can’t Repay

Think about the last time you signed up for Disney+. Maybe you made an account for your kid, typed in your email, clicked through the terms, and got to the cartoons. You thought that was the end of it. You trusted a company that has spent a century selling you the idea that it exists to protect childhood magic.

You were wrong. While your kid was watching, Disney was watching you.

Every click, every title, every scroll, every device you used. That behavior was packaged and moved. Not to make your experience better. To sell advertising. To third parties you never heard of, who built profiles on you, who targeted you with ads based on what you watched, when you watched it, and who you were watching with.

The cruelest part is not that Disney did this. It’s how they kept you from stopping it. They built the opt-out so badly on purpose. The button to protect yourself was buried. The menu was unlabeled. The process required more steps than it needed. Other choices on the same screen were designed to make you think you had already opted out when you hadn’t. The California Attorney General’s own court filing describes this design as architecture “likely to confuse or deceive consumers.” That’s a legal term. In plain language: they built a maze and told you it was a door.

Parents who signed up to give their children a safe digital space had their household data harvested and sold without their knowledge. Teenagers between 13 and 15 had their data on the table. Children under 13 were explicitly named in the court order as a protected class, which means regulators saw enough to make it a point of legal emphasis.

The $2.75 million settlement is the largest consumer privacy deal in California state history. It sounds like accountability. For a company with the revenue of a small nation, it is a rounding error. There is no mechanism in this judgment to compensate the people whose data was taken. There is no provision for individual restitution. There is no admission of guilt. There is a check, a compliance program, and a release of all future claims on the same conduct. Disney paid for the right to close the file.

What was lost cannot be recovered. Data sold to third parties does not come home. The profiles built on your viewing habits, your household, your children, persist. The court order requires Disney to notify third parties of opt-out requests, but it cannot require those third parties to delete what they already have. The harm already happened. The settlement address what comes next. It says nothing about what came before.

Legal Receipts: What the Court Order Actually Says

Every line below comes directly from the Proposed Final Judgment and Permanent Injunction, Case No. 25STCV04425, filed in the Los Angeles Superior Court in February 2026. These are not paraphrases.

“DEFENDANTS shall avoid language and choice architecture likely to confuse or deceive CONSUMERS into believing that other choice(s) either: (i) must also be selected in order to opt out of SELLING or SHARING, or (ii) constitute an opt-out instructing DEFENDANTS not to SELL or SHARE the CONSUMER’S PERSONAL INFORMATION to all THIRD PARTIES.”

• This paragraph proves Disney’s interface was engineered to mislead. The court would not mandate that Disney stop doing something it had never done. This is a behavioral prohibition drawn from documented practice.
• The specific scenarios listed, making users believe they had to complete additional steps or that a different choice had already opted them out, are design patterns that privacy researchers call “dark patterns.” The court is describing dark patterns by name without using the term.

“The NOTICE OF RIGHT TO OPT-OUT OF SALE/SHARING shall be formatted and designed to fit and scale to the web browser, application, or device where it is provided, and shall not require a CONSUMER to unnecessarily search or scroll through text to effectuate DEFENDANTS’ opt-out or use hard-to-find-links, unlabeled carets, arrows, or other hidden menu icons, that add unnecessary steps and may be unclear.”

• This is the court describing Disney’s actual interface. The fact that these specific design elements, unlabeled carets, hidden arrows, obscured menu icons, are named in a permanent injunction means regulators documented them as part of the company’s opt-out obstruction.
• The word “unnecessarily” is doing important work here. It confirms the added friction was not accidental or the result of poor design. It was gratuitous. It was there to make you give up.

“DEFENDANTS shall continue to not SELL or SHARE the PERSONAL INFORMATION of consumers that it has actual knowledge are CHILDREN or MINORS unless the MINOR or PARENT, in the case of a CHILD, has affirmatively authorized such SELLING OR SHARING.”

• The phrase “continue to not” implies this was already Disney’s stated policy. The inclusion of this clause in a court-ordered injunction signals that regulators found reason to make it legally binding, not just a self-reported commitment.
• Children under 13 require parental authorization. Teens aged 13 to 15 must affirmatively authorize it themselves. The fact that both categories are specifically enumerated in a civil enforcement action tells you who was at the center of the state’s concern.

“DEFENDANTS shall implement a consumer-friendly, easy to execute opt-out process that allows CONSUMERS to opt-out with minimal steps.”

“This JUDGMENT having been stipulated to by the parties… without this JUDGMENT constituting evidence of or an admission by DEFENDANTS regarding any issue of law or fact alleged in the Complaint… and without DEFENDANTS admitting any liability.”

• Disney did not admit it did anything wrong. By agreeing to a stipulated judgment, the company resolved the case without a trial, without a public evidentiary record, and without any finding of guilt. This is standard corporate litigation strategy: pay the fine, deny everything, change only what you must.
• Because there was no trial, the full scope of what Disney collected, who they shared it with, and how long it went on was never entered into the public record. The judgment is the ceiling of what we know for certain.

“DEFENDANTS, and their directors, officers, employees, affiliates, subsidiaries, and successors, are released and discharged from and against any and all civil claims related to requests to opt-out of SALE or SHARING of PERSONAL INFORMATION on DISNEY STREAMING SERVICES that were asserted, or that could have been asserted, in the Complaint.”

• This is the legal term for closing the door. For $2.75 million, Disney bought immunity from every civil privacy claim related to this conduct that was or could have been brought in this case. California’s consumers cannot sue Disney over this specific misconduct under the CCPA or the Unfair Competition Law.
• The release covers “affiliates and successors,” which means future versions of the company, future branding, future ownership structures, are also shielded from accountability for past conduct.

Societal Impact Mapping

Public Health: The Invisible Injury of Surveillance

Data privacy violations cause documented harms that go beyond the abstract. When personal behavior is tracked, sold, and weaponized for targeting, the people most exposed are also the most vulnerable.

• Children and teenagers are the most at-risk population in any behavioral advertising ecosystem. The court’s explicit protection of users under 13 and users aged 13 to 15 reflects the understood harm of exposing minors’ consumption habits, household data, and identity markers to unknown third-party buyers.
• Cross-context behavioral advertising, which Disney was conducting, aggregates data from multiple platforms and services to build detailed psychological profiles. Adolescent exposure to this kind of targeted advertising is linked by researchers to anxiety, body image harm, and compulsive consumption behaviors.
• Parents who believed they were creating safe digital environments for their children were operating under a false assumption. The psychological cost of that betrayal, learning that a trusted brand was harvesting your family’s data, is real and uncompensated.
• The opt-out obstruction described in the judgment means that users who tried to protect themselves and failed, because the system was designed to make them fail, may have remained in surveillance-based advertising pipelines longer than they consented to, including through health-adjacent targeting categories.

Economic Inequality: Who Bears the Cost When Data Gets Sold

Surveillance-based advertising is not a neutral market activity. It concentrates power in the hands of corporations and their third-party buyers while extracting value from ordinary people who have no visibility into the transaction and no share of the proceeds.

• Disney charges subscribers a monthly fee for access to its streaming platforms. Those same subscribers’ behavioral data was then sold or shared with third parties for additional revenue. Consumers paid twice: once with money, once with their privacy. They were compensated for neither.
• The $2.75 million fine is paid to the California Attorney General’s Office, not to the individuals whose data was mishandled. The people who were surveilled receive no direct restitution under this settlement.
• Third-party data buyers use behavioral profiles to price and target financial products, insurance, employment, and housing opportunities. Consumers whose data was sold into these pipelines without consent may face downstream economic consequences they cannot trace back to their Disney account.
• Lower-income households, which depend more heavily on streaming services as their primary entertainment, are disproportionately exposed to these data extraction practices because they have fewer alternatives and less legal recourse when their data is misused.
• The compliance reports Disney must file with the California Attorney General are explicitly designated as confidential under public records law. The public, whose money funded the streaming subscriptions and whose data was sold, has no right to read those reports.

The “Cost of a Life” Metric: What $2.75 Million Actually Means

• Disney’s annual revenue exceeds $88 billion. The $2.75 million fine represents roughly 0.003% of annual revenue. For a household earning $60,000 a year, the equivalent penalty would be $1.88.
• California’s CCPA allows fines of up to $2,500 per unintentional violation and $7,500 per intentional violation. At $7,500 per user affected, reaching $2.75 million would require fewer than 367 documented violations. Disney’s streaming platforms have tens of millions of California subscribers.
• The compliance program costs Disney some operational overhead and legal fees. But the company also purchased a full civil release from all CCPA and UCL claims arising from this conduct. The fine is a one-time exit fee from legal exposure, not a proportional punishment.

What Now: Who’s Responsible and What You Can Do

This judgment applies to Disney DTC, LLC and ABC Enterprises, Inc., headquartered in Burbank, California, and extends by explicit court order to every U.S. corporate member of The Walt Disney Family of Companies that links to or uses The Walt Disney Company’s privacy policy.

Who Carries This

• The entities named as defendants are Disney DTC, LLC (a Delaware LLC) and ABC Enterprises, Inc. (a California corporation). The judgment binds their directors, officers, employees, agents, subsidiaries, affiliates, and successors.
• The People of the State of California are represented by California Attorney General Rob Bonta, with Deputy Attorneys General Maneesh Sharma, Amos E. Hartston, and Yen P. Nguyen leading the case.
• Disney was represented in negotiations by attorneys Alysa Z. Hutnik and Austin J. Del Priore of Kelley Drye & Warren LLP, Washington, D.C.

Watchlist: Regulatory Bodies With Jurisdiction

• California Attorney General’s Office (primary enforcement body for the CCPA; filed and settled this case; monitors Disney’s compliance reports for three years).
• California Privacy Protection Agency (the dedicated state agency created by the CPRA to enforce and expand the CCPA; retains independent authority over privacy violations).
• Federal Trade Commission (FTC): holds federal jurisdiction over deceptive trade practices and children’s online privacy under COPPA; can pursue parallel federal action independent of this state settlement.
• U.S. Department of Justice (DOJ): has authority to pursue federal enforcement under statutes that parallel or exceed state CCPA protections where federal law applies.

What You Can Do Right Now

• Navigate to your Disney account settings today and locate the “Do Not Sell or Share My Personal Information” link. The judgment requires Disney to make this easy to find and execute. If it is not easy to find, document it with a screenshot and file a complaint with the California Privacy Protection Agency at cppa.ca.gov.
• If you are not a California resident, your state may have its own privacy law with opt-out rights. Check whether your state has passed a consumer data privacy act and file with your state attorney general’s consumer protection office if you believe a company is violating it.
• Use a browser configured to send Global Privacy Control (GPC) signals. Under this judgment, Disney is required to honor GPC signals as valid opt-out preference signals. Firefox with a privacy extension, Brave browser, and DuckDuckGo’s browser app all support GPC by default.
• If you have children on Disney platforms, create separate child profiles with restricted data settings and verify the opt-out has been applied to those profiles specifically. The court order requires Disney to apply opt-outs account-wide, but verify it yourself.
• Support the Electronic Frontier Foundation (EFF), the Electronic Privacy Information Center (EPIC), and your local digital rights mutual aid organizations. These groups litigate, legislate, and educate on your behalf with no corporate funding.
• Pressure your city and county governments to adopt local data broker ordinances. State-level privacy law, as powerful as the CCPA is, still settles for cents on the dollar. Local enforcement and procurement rules that exclude data brokers hit the supply chain where state fines cannot.