Corporate Accountability Project | California Enforcement
Disney DTC, LLC · Privacy Enforcement · 2026
Disney Sold Your Kids’ Data While Hiding the Opt-Out Button
The California Attorney General forced Disney and ABC to pay $2.75 million and overhaul their surveillance advertising practices on Disney+, Hulu, and ESPN+ after the company blocked millions of subscribers from exercising their legal privacy rights.
● High Severity
TL;DR
Disney DTC, LLC and ABC Enterprises ran behavioral advertising on Disney+, Hulu, and ESPN+ using personal data collected from millions of subscribers, including children and teenagers, while deliberately making it difficult for users to opt out. The company buried opt-out controls behind unlabeled icons, hidden menus, and confusing choice architecture designed to prevent users from actually exercising their rights under California law.
The California Attorney General secured a $2.75 million penalty and a court-supervised compliance program covering the entire Walt Disney Family of Companies. This is the largest consumer privacy settlement in California state history. Disney admitted no wrongdoing.
The magic of Disney was built on the trust of families. That trust was quietly sold to advertisers. Demand transparency from every platform that profits from your attention.
Key Numbers
$2.75M
State penalty, largest CCPA consumer privacy settlement in CA history
3+
Streaming platforms affected: Disney+, Hulu, ESPN+
3 yrs
Court-supervised compliance monitoring period
60 days
First compliance update deadline after judgment entry
0
Executives held personally accountable
Breakdown of Misconduct
Core Allegations
What Disney Did · 5 Points
▾
| 01 | Disney DTC and ABC Enterprises conducted cross-context behavioral advertising on Disney+, Hulu, and ESPN+ by collecting subscribers’ personal information and selling or sharing it with third-party advertisers without adequate notice or accessible opt-out controls. | high |
| 02 | Disney used personal data obtained from users’ activity across multiple services and third-party platforms to build advertising profiles, targeting subscribers based on behavior they exhibited far outside Disney’s own ecosystem. | high |
| 03 | Disney’s opt-out interfaces relied on hidden menu icons, unlabeled carets, arrows, and buried links that required users to scroll unnecessarily through text, adding friction that the judgment explicitly identifies as a tool to suppress consumer choice. | high |
| 04 | Disney presented multiple privacy choice interfaces (cookie preferences, email marketing, vendor-specific processing) designed to confuse consumers into believing those choices fulfilled their opt-out rights for data selling and sharing, when they did not. | high |
| 05 | Disney sold and shared personal data of consumers it knew, or had actual knowledge, were children (under 13) and minors (ages 13-15) without the required parental or minor authorization mandated by CCPA. | high |
Regulatory Failures
How Oversight Broke Down · 4 Points
▾
| 01 | Disney violated the California Consumer Privacy Act of 2018 and the Unfair Competition Law by failing to provide legally required notices about its data-selling practices in a clear and conspicuous manner accessible to ordinary consumers. | high |
| 02 | Disney failed to implement a consumer-friendly, minimal-step opt-out process as required under the CCPA, instead creating a system that the judgment found to be structured around discouraging users from completing opt-out requests. | high |
| 03 | Disney failed to honor Opt-Out Preference Signals from browsers and devices in a consistent, account-wide manner, meaning that users who opted out on one device or platform remained tracked on others without their knowledge. | high |
| 04 | Disney failed to notify third parties when a consumer had requested an opt-out of sale or sharing, in violation of CCPA requirements to direct data recipients to stop using that consumer’s data. | med |
Profit Over People
Revenue Prioritized Over Privacy Rights · 4 Points
▾
| 01 | Disney built an advertising revenue model on Disney streaming platforms that depended on cross-context behavioral advertising: collecting and selling subscriber data to third parties to fund targeted ad delivery across Disney+, Hulu, and ESPN+. | high |
| 02 | Disney continued selling and sharing consumer personal information to third parties while simultaneously claiming to provide privacy protections, benefiting financially from data transactions it obscured from its own subscribers. | high |
| 03 | The $2.75 million penalty represents enforcement costs absorbed as a business expense rather than a structural deterrent: Disney’s streaming advertising revenues are many orders of magnitude larger than the settlement amount. | med |
| 04 | By monetizing children’s and minors’ personal data on its family-oriented platforms without parental consent, Disney extracted advertising profit from the most vulnerable segment of its subscriber base. | high |
Corporate Accountability Failures
Weak Penalties, No Exec Liability · 4 Points
▾
| 01 | Disney settled without admitting any liability, meaning the company accepted a $2.75 million penalty while legally maintaining it did nothing wrong, setting no precedent for internal accountability or reform of executive decision-making. | high |
| 02 | No individual Disney executives, directors, or officers face personal consequences under this judgment; the injunction binds the corporate entity and its subsidiaries but insulates the people who designed and approved these practices. | high |
| 03 | All compliance reports, reviews, and information shared with the California Attorney General under this judgment are classified as confidential and exempt from public records law disclosure, limiting public accountability for ongoing compliance. | med |
| 04 | Disney’s release from liability upon payment covers any civil claims related to opt-out rights on Disney streaming services that were or could have been brought, effectively foreclosing additional enforcement for these specific practices. | med |
The Language of Legitimacy
Technocratic Design That Neutralizes Consumer Rights · 3 Points
▾
| 01 | Disney’s choice architecture presented users with overlapping privacy menus (cookie preferences, email marketing toggles, vendor measurement options) that appeared to offer meaningful control while routing users away from the actual data-sale opt-out. | high |
| 02 | The judgment required Disney to stop using language and design architecture likely to confuse or deceive consumers into believing that other privacy choices (cookie toggles, marketing preferences) constitute a full opt-out from data selling and sharing. | high |
| 03 | The opt-out notice system on Disney platforms failed to scale and format correctly across browsers, apps, and connected devices, making it functionally inaccessible for a large share of subscribers who access Disney services through TVs and mobile apps. | med |
Timeline of Events
2018
California Consumer Privacy Act signed into law, granting consumers the right to opt out of the sale or sharing of their personal information and requiring clear notices from businesses that engage in data selling.
2020
CCPA becomes enforceable. Disney operates Disney+, Hulu, and ESPN+ as covered businesses collecting and selling subscriber personal information for cross-context behavioral advertising without compliant opt-out mechanisms.
2022-2025
California AG investigates Disney DTC and ABC Enterprises for CCPA violations including failure to provide accessible opt-out controls and continued sale and sharing of personal data including that of children and minors.
Feb 11, 2026
Superior Court of California, County of Los Angeles enters Final Judgment and Permanent Injunction (Case No. 26STCV04425). Disney agrees to pay $2.75 million and undertake a three-year court-supervised compliance program.
30 days after judgment
Disney must wire $2.75 million to the California Attorney General’s Office pursuant to Civil Code Section 1798.199.90.
60 days after judgment
Disney must provide first compliance update to the People, with updates continuing every 60 days until all Disney services comply with the opt-out requirements of the judgment.
180 days after judgment
Disney must implement and maintain a full compliance monitoring program covering all Disney services for three years, with annual reports filed with the California AG.
Direct Quotes from the Legal Record
QUOTE 1
Disney’s hidden opt-out design
Regulatory Failures
“shall not require a CONSUMER to unnecessarily search or scroll through text to effectuate DEFENDANTS’ opt-out or use hard-to-find-links, unlabeled carets, arrows, or other hidden menu icons, that add unnecessary steps and may be unclear.”
💡 The court is requiring Disney to stop doing exactly what it was doing: hiding the opt-out behind obscure UI elements. This is not accidental bad design. It is a documented pattern the company must now be legally compelled to abandon.
QUOTE 2
Confusing consumers into surrendering privacy rights
Language of Legitimacy
“DEFENDANTS shall avoid language and choice architecture likely to confuse or deceive CONSUMERS into believing that other choice(s) either: (i) must also be selected in order to opt out of SELLING or SHARING, or (ii) constitute an opt-out instructing DEFENDANTS not to SELL or SHARE the CONSUMER’S PERSONAL INFORMATION.”
💡 This confirms Disney built a system with multiple fake “privacy” levers designed to make users think they had opted out when they had not. This is textbook dark pattern design deployed against millions of paying subscribers.
QUOTE 3
Children and minors’ data sold without consent
Core Allegations
“DEFENDANTS shall continue to not SELL or SHARE the PERSONAL INFORMATION of consumers that it has actual knowledge are CHILDREN or MINORS unless the MINOR or PARENT, in the case of a CHILD, has affirmatively authorized such SELLING OR SHARING.”
💡 The phrase “continue to not” reveals this protection existed before the judgment, meaning Disney knew it was obligated not to sell children’s data and did so anyway, prompting this enforcement action and explicit court order.
QUOTE 4
Disney must stop subverting user decision-making
Regulatory Failures
“DEFENDANTS shall not implement other user choices in a manner likely to subvert or impair user decision-making or choice related to opting out of the SELLING or SHARING of their PERSONAL INFORMATION.”
💡 A court is ordering a trillion-dollar entertainment company to stop manipulating its own subscribers. This language would not appear in a court order if the conduct had not already occurred at scale.
QUOTE 5
Cross-context behavioral advertising defined
Core Allegations
“CROSS-CONTEXT BEHAVIORAL ADVERTISING means the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded internet websites, applications, or services, other than the business… with which the consumer intentionally interacts.”
💡 Disney was not just using data from Disney+. It was using data collected from your behavior across the entire internet to target you on its own platforms. Your streaming subscription was also an enrollment in a surveillance system you never agreed to.
QUOTE 6
The scope of “Disney Services” covered
Core Allegations
“DEFENDANTS includes any U.S. corporate member of The Walt Disney Family of Companies that links to or includes The Walt Disney Company privacy policy… on its website, application, or online service.”
💡 This judgment does not just cover Disney+ and Hulu. It covers the entire Walt Disney empire, any property that uses Disney’s privacy policy, which is virtually every digital product the company operates in the United States.
QUOTE 7
Compliance reports kept secret from the public
Accountability Failures
“All reports, reviews, and sharing of information pursuant to this JUDGMENT shall be treated as confidential and as exempt from disclosure under the relevant public records laws.”
💡 The public will never know the details of how Disney is complying. Disney’s compliance reports are shielded from the very consumers whose data was sold. Accountability is happening behind closed doors, funded by a settlement that represents a rounding error in Disney’s revenue.
QUOTE 8
No admission of wrongdoing
Accountability Failures
“without this JUDGMENT constituting evidence of or an admission by DEFENDANTS regarding any issue of law or fact alleged in the Complaint on file, and without DEFENDANTS admitting any liability.”
💡 Disney pays $2.75 million, accepts a permanent injunction, and submits to three years of monitoring, all while legally maintaining it did nothing wrong. This is how corporate accountability functions in America: expensive enough to generate headlines, cheap enough to be a line item.
Commentary
What exactly did Disney do wrong?
▾
Disney operated Disney+, Hulu, and ESPN+ while selling and sharing subscribers’ personal data with advertisers for behavioral targeting, without giving consumers a clear, accessible way to stop it. California law (the CCPA) requires companies to provide a simple opt-out of data selling. Disney instead built a maze: multiple confusing menus, hidden links, unlabeled icons, and fake privacy choices that led users away from the actual opt-out. For children and teenagers, the law requires affirmative parental consent before any sale of data. Disney violated that protection too.
How serious is this violation?
▾
This settlement is the largest consumer privacy deal in California state history, which tells you the AG considered the conduct significant. But measured against Disney’s scale, a $2.75 million penalty is not a deterrent. Disney generates billions in advertising revenue from its streaming platforms. The real consequence here is the three-year court supervision and the permanent injunction, which legally requires Disney to redesign its privacy infrastructure across all U.S. digital services. Whether that surveillance architecture was built with intent or negligence, the effect on millions of subscribers was the same: their right to say no was taken from them.
Were children specifically targeted?
▾
The judgment explicitly addresses children under 13 and minors aged 13 to 15, requiring Disney to stop selling their data without parental or minor authorization. Disney is a company whose identity is built on children’s content. Disney+ markets itself to families. The fact that Disney was selling the personal information of children and teenagers on platforms like Disney+ for behavioral advertising purposes, without the consent the law requires, is not an abstract policy failure. Real children’s data was sold to real advertisers. That conduct is unacceptable, and the law required a court order to stop it.
What are dark patterns and why do they matter here?
▾
Dark patterns are interface designs that manipulate users into doing things that benefit the company rather than the user. In this case, Disney’s opt-out system was architected to make opting out hard, confusing, and incomplete. Multiple fake privacy menus created the illusion of control. Hidden icons and unlabeled arrows buried the real opt-out. This is not accidental. Designing a privacy interface requires explicit decisions about what to show, where to show it, and how to label it. Every choice Disney made in its UI pushed users away from exercising their legal rights and kept them enrolled in a data-selling system that generated revenue for Disney.
What does Disney have to do now?
▾
Disney must redesign the opt-out experience across all Disney streaming services to be clear, accessible, minimal steps, and functional across all devices (phones, TVs, apps, browsers). It must implement Opt-Out Preference Signals correctly. It must notify third parties when a consumer opts out. It must provide confirmation to users that their opt-out has been processed. It must submit compliance updates to the California AG every 60 days until full compliance is achieved, then annual reports for three years. All of this is court-supervised and subject to enforcement if violated.
Does this affect me if I’m a Disney+ or Hulu subscriber?
▾
If you are a California resident who subscribed to Disney+, Hulu, or ESPN+ before February 2026, your personal information was sold or shared with advertisers for behavioral targeting without a proper opt-out being offered to you. Disney is now legally required to give you a real, working opt-out. If you are outside California, you have fewer legal protections, but you have the same right to demand better. Many companies apply California-level privacy protections nationwide when forced to by enforcement. The more consumers demand opt-out rights, the more companies will be pressured to provide them everywhere.
Why didn’t Disney admit wrongdoing?
▾
Admitting liability creates exposure in civil litigation. If Disney admitted its practices were unlawful, individual subscribers and potentially class action plaintiffs could use that admission against it in other proceedings. The no-admission settlement structure is standard corporate practice: pay the penalty, accept the injunction, and legally preserve the claim that nothing was wrong. It is a rational business decision. It is also a system that lets corporations treat legal violations as a cost of doing business, absorb the penalty as overhead, and move on without any meaningful reckoning by the people who designed the practices in question.
What can I do to prevent this from happening again?
▾
If you are a California resident, exercise your CCPA rights now: go to your Disney account settings and use the “Do Not Sell or Share My Personal Information” link. If you cannot find it, report that to the California AG’s office at oag.ca.gov. Support the California Privacy Protection Agency’s rulemaking and enforcement efforts. Advocate for a federal privacy law with a private right of action so that individual consumers can sue companies directly, not just wait for the AG. Contact your federal and state representatives about mandatory data minimization rules that would prohibit companies from collecting data they do not need. Support organizations like the Electronic Frontier Foundation, Privacy Rights Clearinghouse, and the ACLU that fight surveillance capitalism in court and in Congress.
💡 Explore Corporate Misconduct by Category
Corporations harm people every day — from wage theft to pollution. Learn more by exploring key areas of injustice.
- 💀 Product Safety Violations — When companies risk lives for profit.
- 🌿 Environmental Violations — Pollution, ecological collapse, and unchecked greed.
- 💼 Labor Exploitation — Wage theft, worker abuse, and unsafe conditions.
- 🛡️ Data Breaches & Privacy Abuses — Misuse and mishandling of personal information.
- 💵 Financial Fraud & Corruption — Lies, scams, and executive impunity.
