The Non-Financial Ledger: What Was Actually Stolen

You opened a browser. You wanted to check a score, read a recap, maybe track your fantasy team. That is it. You were not filling out a form. You were not creating an account. You were not handing anyone your information. You were watching sports on the internet.

Disney had other plans.

Before you finished loading the page, before the headline fully rendered on your screen, software invisible to you had already fired across your device. It read your IP address and sent it to Google. It read your screen dimensions and sent them to Magnite. It recorded which page you landed on, how you got there, and what operating system you were running, then packaged all of it and transmitted it to servers you never agreed to contact. This happened in milliseconds. You had no idea it was occurring. You had no way to stop it.

Now understand what that data becomes. Your IP address is not an abstract number. It is a coordinate. Advertisers can use it to determine your neighborhood, your approximate household, the device in your kitchen versus the phone in your pocket. Combined with your browser fingerprint, which Disney’s trackers also captured, including your screen resolution, installed fonts, language settings, and device type, you become a unique individual in a database you never consented to join. You cannot delete yourself from it. When you clear your cookies, the complaint explains, the trackers simply reassign you a new ID and reconstruct your profile from scratch. The system was engineered to outlast your attempts to opt out.

That profile does not sit in one place. It was sold. Auctioned, technically, in real time, to dozens of companies simultaneously. The complaint documents that when a single real-time bidding auction occurs, even the companies that lose the bid still receive your data. They keep it. There are, in the words of cited federal regulators, “few if any technical controls” ensuring those losing bidders do not retain your information for unrelated purposes. Your data was broadcast like a public announcement to a room full of strangers, most of whom you will never identify, none of whom you authorized.

Consider who buys from data brokers. The complaint names health insurers, life insurers, banks, e-commerce platforms, and federal law enforcement including the FBI and ICE, who purchase this kind of data without warrants. Data brokers also sell inferences: not just that you visited ESPN, but predictions about your race, income bracket, immigration status, sexual orientation, and political affiliations. These inferences are built algorithmically from the behavioral traces your browsing leaves behind. You never disclosed any of this. The machine decided it for you.

You trusted a sports website. Disney turned that trust into inventory. They did not ask. They did not tell you. The only reason anyone knows is because a California resident named Saleha Abdullah, from Contra Costa County, decided to sue.

Legal Receipts: What the Filing Actually Says

The complaint is 62 pages of documented technical evidence. These are the statements that matter most.

“When users visit the Website, Defendant causes tracking technologies to be installed, executed, embedded, or injected in visitors’ browsers. These include, but are not limited to, the following: Google Ads / DoubleClick / Tag Manager Tracker; Rubicon / Magnite Tracker; Comscore Tracker.”
— Complaint ¶ 6

• This establishes that Disney actively caused the trackers to be placed on users’ devices. Disney is not a passive bystander; Disney wrote the code that made this happen.
• Three named trackers are all operated by entities that are registered California data brokers, a legal designation that triggers specific obligations Disney bypassed entirely.

“The third parties who operate the above-listed trackers use pieces of User Information collected via the Website as described herein for their own independent purposes tied to broader advertising ecosystems, profiling, and data monetization strategies that go beyond Defendant’s direct needs for their own financial gain.”
— Complaint ¶ 7

• Disney is admitting, through the complaint’s allegations, that these trackers serve purposes beyond Disney’s own advertising needs. Third parties are extracting independent value from ESPN users’ data entirely for themselves.
• This is the core of the surveillance capitalism model: Disney hands your data to partners who monetize it in ways Disney cannot fully control or account for.

“Plaintiff and the Class Members did not consent to the installation, execution, embedding, or injection of the Trackers on their devices and did not expect their behavioral data to be disclosed or monetized in this way.”
— Complaint ¶ 12

• Consent is the legal hinge of this entire case. Under CIPA § 638.51, pen registers require either user consent or a court order. Disney obtained neither.
• The complaint further notes that Disney never sought a court order at any point before, during, or after deploying these trackers.

“Figure 14 shows Rubicon receiving (1) viewport width and height, (2) renderable area dimensions (vpw, vph), (3) language settings, (4) a full mobile User-Agent string, (5) ESPN’s publisher domain and page URL (https://www.espn.com/), and (6) a us_privacy value of ‘1YNY’ indicating no consent.”
— Complaint ¶ 158

• “1YNY” is a standardized U.S. privacy signal used in the ad-tech industry. The first digit indicates CCPA applies. The third character “N” indicates the user has NOT opted out of sale. The fourth character “Y” indicates the publisher has tagged this as a “limited service provider agreement.” The overall signal was present and readable in the data stream, yet transmission proceeded regardless.
• This is not an accidental oversight. The consent-state field was being logged and transmitted in real time, meaning the system was designed to read consent status and continue data collection anyway.

“Even the losing DSPs still benefit because they also receive and collect the user data broadcasted during the RTB auction process. This information can be added to existing dossiers DSPs have on a user.”
— Complaint ¶ 116 (citing EPIC)

• Every single auction sends your data to every single bidder, not just the winner. A single page load on ESPN.com can result in your personal information being transmitted to dozens of companies simultaneously.
• The Federal Trade Commission has flagged this exact mechanism, noting it “incentivizes invasive data-sharing” and sends consumer data “to potentially dozens of bidders simultaneously.”

“DNS requests occurred during the Website’s loading sequence and before any consent was displayed, providing direct evidence that Plaintiff’s IP-addressing information was sent to Magnite’s infrastructure as part of Defendant’s tracking and bidding integrations.”
— Complaint ¶ 160

• Data transmission happened before any consent interface was even shown to the user. The system was not designed to ask first and transmit second. It transmitted first. Full stop.
• This sequence is technically documented via DNS request logs captured during Plaintiff’s session, making it verifiable forensic evidence rather than a legal theory.

“Some have characterized real-time bidding as ‘the biggest data breach ever recorded’ because of the sheer number of entities that receive personal information.”
— Complaint ¶ 123 (citing Dr. Johnny Ryan, ICCL)

Societal Impact Mapping

Public Health

The data harvested from ESPN.com users does not stay in the advertising silo. It flows into systems that make consequential decisions about people’s lives.

• Health insurers are documented buyers of data broker profiles. Inferences drawn from browsing behavior, including which health-related content someone reads, can be used to model risk and price premiums, creating financial penalties for people who never disclosed a diagnosis.
• The complaint cites NATO research documenting that data brokers build profiles containing sexual orientation, immigration status, and other sensitive attributes through inference. These categories, if accessed by employers or insurers, create vectors for discrimination that would be illegal if gathered directly but is legally murky when purchased from a data broker.
• Behavioral tracking data has been sold to and used by federal law enforcement agencies including ICE for deportation investigations, without warrants. ESPN.com visitors who are undocumented or who have undocumented family members face a concrete physical safety risk from this data pipeline they never agreed to enter.
• Phishing and spam attacks are documented downstream harms of data broker exposure. When your profile, including your approximate address, browsing habits, and device identifiers, is sold to entities with no oversight, it finds its way into criminal data markets. The complaint documents that individual identity theft incidents can cause financial losses up to $10,200 per victim.

Economic Inequality

The economic structure of this surveillance system is a one-way transfer: users generate the value, corporations capture all of it.

• Consumers’ web browsing histories carry an economic value of over $52 per year. Contact information adds at least $4.20 annually. Demographic data adds at least $3.00. Disney and its tracker partners extract this value from every ESPN.com visitor while paying users nothing and asking for nothing.
• Internet companies earned an estimated $202 per American user in 2018 through data mining and sale. That figure was projected to exceed $434 per user by 2022, representing an industry exceeding $200 billion. ESPN.com’s millions of users are a significant component of that extraction, yet they receive only a free sports score page in return.
• The McKinsey Global Institute found that businesses leveraging behavioral data insights outperform competitors by 85% in sales growth and 25% in gross margin. The competitive advantage built on illegally harvested user data distorts entire markets, benefiting corporations that break privacy laws over those that comply.
• The Duke Sanford Cyber Policy Program documents that data brokers explicitly sell income-level data, which is used by insurers, banks, and e-commerce platforms to price-discriminate. People with lower incomes, identifiable through their browsing patterns and IP geolocation, may face higher rates and worse terms on financial products as a direct result of data pipelines seeded by websites like ESPN.com.
• The complaint documents an OECD finding that illegal data markets price individual data points from $0.50 for an address to $8 for a Social Security number to $850 for a bank account record. The data flow from ESPN.com feeds these same markets. Users bear all the risk; corporations collect all the profit.

The “Cost of a Life” Metric

What Now?

Disney DTC LLC operates through the same corporate hierarchy that owns Disneyland, Marvel, Lucasfilm, and ABC. The entity filing targets are below. Contact them directly.

• Disney DTC LLC: The named defendant. Delaware limited liability company. Principal business address: 500 South Buena Vista Street, Burbank, CA 91521 (per ESPN.com Terms of Use).
• The Walt Disney Company: Parent corporation of Disney DTC LLC. Publicly traded (NYSE: DIS). Board of Directors is publicly listed and subject to shareholder pressure.
• Attorneys of Record: Reuben D. Nathan, Nathan & Associates APC, Newport Beach, CA; Ross Cornell, Law Offices of Ross Cornell APC, Big Bear Lake, CA. The complaint was filed December 26, 2025.

Regulatory Watchlist

• California Attorney General: Primary enforcer of CIPA and California Consumer Privacy Act (CCPA). File a complaint at oag.ca.gov. Data broker registration violations are directly actionable.
• Federal Trade Commission (FTC): The FTC published its own report on Real-Time Bidding in December 2024 (cited in this very complaint). File at ftc.gov/complaint. The FTC has already flagged RTB as a mechanism that “incentivizes invasive data-sharing.”
• California Privacy Protection Agency (CPPA): The dedicated state agency for privacy enforcement created under the California Privacy Rights Act. Contact at cppa.ca.gov.
• Electronic Privacy Information Center (EPIC): EPIC is cited in the complaint itself and actively monitors RTB abuses. Support their litigation and advocacy work at epic.org.

Grassroots & Mutual Aid Steps

• If you are a California resident who visited espn.com at any point before December 26, 2025, you may be a class member. Contact the attorneys of record to get on the record: rnathan@nathanlawpractice.com or rc@rosscornelllaw.com.
• Install a tracker blocker. uBlock Origin (browser extension) blocks the exact Google, Magnite, and Comscore domains named in this complaint. It is free and takes two minutes.
• Use a DNS-level blocker like NextDNS or Pi-hole at home. The complaint documents that tracker DNS requests fire before consent is shown and before you interact with any page. DNS-level blocking is the only protection that works at that layer.
• Share this case with your local legal aid organization or law school privacy clinic. Class action participation rates determine settlement size. More Californians on the record means more leverage.
• Demand that your local, state, and federal representatives pass comprehensive federal privacy legislation. The United States has no federal equivalent of Europe’s GDPR. That gap is why this case must be fought state by state.
• Support the work of advocacy organizations fighting data broker regulation: Electronic Frontier Foundation (EFF) at eff.org, EPIC at epic.org, and the ACLU’s Privacy & Technology Project.