Corporate Misconduct Accountability Project | Digital Privacy Enforcement
CLASS ACTION FILED: Abdullah v. Disney DTC LLC, Case 4:25-cv-10996-HSG, N.D. California • ESPN.com embeds Google, Magnite, and Comscore trackers without California user consent • $5,000 statutory penalty per violation under CIPA • Class: all California residents who accessed ESPN.com • Data transmitted includes IP addresses, device fingerprints, browsing behavior, and location data •
Disney DTC LLC ยท CIPA Class Action ยท California ยท December 2025
Every Time You Visited ESPN.com, Disney Sold You
A class action lawsuit filed in December 2025 accuses Disney of secretly embedding surveillance trackers on ESPN.com that harvest the personal data of millions of California users without their knowledge or consent, then feeding that data into a massive advertising auction ecosystem.
๐ด CRITICAL
TL;DR
Disney operates ESPN.com as a covert data harvesting platform. Every time a California user visits ESPN.com, Disney’s website silently installs tracking technologies from Google, Magnite, and Comscore that capture your IP address, device fingerprint, browsing behavior, location, and dozens of other data points. This data is fed into real-time advertising auctions where your personal profile is sold to the highest bidder, generating enormous revenue for Disney and its ad partners. None of this happens with your consent. Disney never asked. Under California’s Invasion of Privacy Act, this is illegal, and a class action lawsuit filed December 26, 2025 demands accountability for every California user harmed.
Disney built a surveillance machine and called it a sports website. Every click you made without consent was a violation of your rights. Join the fight to end corporate surveillance capitalism and demand real penalties for companies that treat your privacy as a product to sell.
$5,000
Statutory penalty per CIPA violation per user
3
Tracker systems deployed (Google, Magnite, Comscore)
$5M+
Minimum controversy amount (Class Action Fairness Act)
$52/yr
Estimated market value of one user’s browsing history
โ ๏ธ The Allegations: A Breakdown
Core Surveillance Allegations
What Disney did to every California visitor
| 01 | Disney DTC LLC embedded third-party tracking technologies from Google (Google Ads, DoubleClick, Tag Manager), Magnite Inc. (formerly Rubicon Project), and Comscore Inc. (ScorecardResearch) directly into ESPN.com’s code, causing these trackers to automatically install on every visitor’s browser. | high |
| 02 | These trackers function as “pen registers” and “trap and trace devices” under California Penal Code Section 638.51, capturing outgoing IP addresses, routing information, device metadata, and behavioral signals that identify users and track them across the internet. | high |
| 03 | Disney never obtained consent from California users before installing these trackers, and never sought a court order authorizing their use. The company activated surveillance technology on millions of users in direct violation of CIPA Section 638.51. | high |
| 04 | The data collected includes users’ IP addresses, browser type, screen resolution, operating system, pages visited, session duration, scroll depth, mouse movements, click behavior, referring URLs, unique identifiers (cookies and ad IDs), and geolocation based on IP. | high |
| 05 | Magnite’s Prebid auction scripts transmitted a “us_privacy” value of “1YNY” to its servers during user sessions, a signal that explicitly indicated no user consent had been obtained. Disney continued operating these trackers regardless. | high |
Profit Over Privacy
How Disney monetized your data without asking
| 01 | Disney used the trackers to integrate user data into real-time bidding (RTB) ecosystems. In RTB, user data is auctioned to advertisers in milliseconds. The more detailed the user profile, the higher the bid. Disney profited directly from selling access to its users’ most intimate behavioral data. | high |
| 02 | The collected browsing histories carry a market value estimated at more than $52 per user per year. Disney enabled the collection of this data from millions of California users annually, generating enormous advertising revenue while users received nothing. | high |
| 03 | All three tracker operators (Google, Magnite, and Comscore) are registered data brokers in California. Disney deliberately chose registered data brokers as its tracking partners, maximizing the commercial exploitation of user data at scale. | high |
| 04 | Through “cookie syncing,” the trackers share user identifiers across partner platforms, building comprehensive profiles that persist even when users delete their cookies. Disney’s system was designed to make user surveillance permanent and unavoidable. | medium |
Community Impact
What data harvesting means for real people
| 01 | IP addresses collected by Disney’s trackers enable advertisers to target users by household, ZIP code, and city. When combined with other data broker information, they can identify individuals by name, connect them across devices, and build profiles that include race, political beliefs, health conditions, and sexual orientation. | high |
| 02 | Data brokers openly sell profiles including location data, political preferences, military status, and government employment records. The trackers Disney embedded feed directly into this ecosystem, exposing ESPN users to targeting by insurers, employers, law enforcement, and political operations. | high |
| 03 | According to a NATO research report cited in the complaint, data brokers can use IP addresses to link users across devices, identify home locations, and build profiles used for manipulation, targeting, spam, phishing attacks, and even surveillance by government agencies. | medium |
Corporate Accountability Failures
Disney designed this system to operate without accountability
| 01 | Disney’s tracking infrastructure activated automatically the moment a user’s browser loaded ESPN.com, with no visible notification, no consent request, and no opt-out mechanism at the point of data collection. The entire system was designed to be invisible. | high |
| 02 | Disney had strong financial incentives to deploy trackers without obtaining consent. Seeking consent before deploying trackers would reduce the volume of usable data, lowering advertising revenue. The company prioritized profit over legal compliance and user rights. | high |
| 03 | The losing bidders in real-time advertising auctions still receive and retain the user data broadcast during the bidding process. This means Disney’s surveillance extended to potentially dozens of third parties per user visit, none of whom users consented to share data with. | high |
๐ Timeline of Events
Pre-2025
Disney DTC LLC incorporates Google Ads, DoubleClick, Tag Manager, Magnite, and Comscore tracking scripts into ESPN.com’s codebase, enabling mass data collection from all website visitors.
During 2025
Plaintiff Saleha Abdullah, a California resident in Contra Costa County, visits ESPN.com. Without her knowledge or consent, trackers capture her IP address, device fingerprint, browsing behavior, and transmit this data to Google, Magnite, Comscore, and dozens of downstream advertising partners.
Dec 26, 2025
Class action complaint filed in the Northern District of California (Case 4:25-cv-10996-HSG). Plaintiff Saleha Abdullah sues Disney DTC LLC on behalf of all California residents who accessed ESPN.com, alleging violations of California Penal Code Section 638.51.
๐ฌ Direct Quotes from the Legal Filing
QUOTE 1
What trackers collect from every visitor
Core Allegations
“Through the Trackers, the Third Parties collect detailed user information including IP addresses, browser and device type, screen resolution, operating system, pages visited, session duration, scroll depth, mouse movements, click behavior, referring URLs, unique identifiers (such as cookies and ad IDs), and geolocation based on IP.”
๐ก This itemized list makes clear that Disney’s surveillance apparatus collects not just basic visit data, but a comprehensive physical and behavioral portrait of each user, without their knowledge.
QUOTE 2
No consent was ever obtained
Regulatory Failures
“At no time prior to the installation and use of the Trackers on Plaintiff’s and Class Members’ browsers, or prior to the use of the Trackers, did Defendant procure Plaintiff’s and Class Members’ consent for such conduct. Nor did Defendant obtain a court order to install or use the Trackers.”
๐ก Under CIPA, consent or a court order is required. Disney obtained neither. This is not a gray area or a technical ambiguity. It is a clear choice Disney made to bypass the law entirely.
QUOTE 3
Disney’s financial motive to skip consent
Profit Over Privacy
“Defendant has a strong financial incentive to deploy the Trackers on its Website without obtaining user consent. By enabling the collection of IP addresses and device-level identifiers through these technologies, Defendant facilitates integration into real-time bidding ecosystems.”
๐ก The lawsuit names the motive directly: money. Consent would reduce data volume and advertising revenue. Disney calculated that ignoring the law was more profitable than following it.
QUOTE 4
Magnite received “no consent” signal and kept going
Core Allegations
“Figure 14 shows Rubicon receiving… a us_privacy value of ‘1YNY’ indicating no consent. These parameters reflect device fingerprinting, locale identification, and behavioral context, none of which are required for routing or transport but are used by Magnite to segment, classify, and bid on the user’s advertising impressions.”
๐ก Disney’s own system was transmitting a “no consent” signal to Magnite’s servers. The data collection continued anyway. This is not an oversight. This is a deliberate choice to violate user rights.
QUOTE 5
Real-time bidding as mass data leak
Community Impact
“Even the losing DSPs still benefit because they also receive and collect the user data broadcasted during the RTB auction process. This information can be added to existing dossiers DSPs have on a user.”
๐ก In a typical ad auction triggered by your visit to ESPN, dozens of companies receive your personal data, not just the winner. Disney created a surveillance broadcast system that irrevocably exposes users to an unlimited number of third parties.
QUOTE 6
Browsing history valued at $52 per year
Economic Harm
“Consumers’ web browsing histories have an economic value of more than $52 per year, while their contact information is worth at least $4.20 per year, and their demographic information is worth at least $3.00 per year.”
๐ก Disney extracted real economic value from users who received nothing in return. This is not a victimless privacy technicality. It is theft of something valuable that belongs to you.
๐ฌ Commentary
ESPN is a free website. Isn’t data collection just how it pays for itself?
This argument sounds reasonable until you examine what Disney actually built. There is a fundamental difference between a company explaining how it uses data and asking for consent, versus covertly installing surveillance infrastructure that activates the moment you arrive. California law is clear: you cannot install pen registers or trap and trace devices on someone’s devices without their consent or a court order. Disney did not ask. The “free service in exchange for data” model only works legally if users actually agree to that exchange. Disney chose to skip the agreement part entirely, turning ESPN users into products without their knowledge.
Is this lawsuit serious, or is it a frivolous CIPA claim?
This lawsuit is grounded in evidence. The complaint includes screenshots of network traffic analysis showing Google, Magnite, and Comscore receiving detailed user data in real time, DNS lookup records confirming IP address transmission, and packet-level captures proving the data transfers happened before any consent mechanism was presented. Multiple California federal courts have found that web trackers of this type meet the statutory definition of pen registers under CIPA. The claim is well-supported technically and legally. Disney faces $5,000 in statutory penalties per violation per user, with the class potentially numbering in the millions.
What exactly is a pen register and why does that matter?
A pen register is a device or process that records routing and addressing information, originally used on telephone lines to capture the numbers dialed. California’s Invasion of Privacy Act extended this concept to digital communications. When Disney’s trackers capture your IP address, full page URLs, referrer headers, and device identifiers, they are collecting exactly the kind of routing and addressing information that CIPA was designed to protect. California courts have consistently held that web trackers meeting this definition cannot be deployed without user consent. Disney deployed them on millions of users without asking anyone.
What can I do to prevent this from happening again?
Use a privacy-focused browser (Firefox with uBlock Origin, or Brave) that blocks third-party trackers by default. Install a browser extension like Privacy Badger or uBlock Origin. Enable “Enhanced Tracking Protection” in Firefox or use DNS-level blocking. Demand that Congress pass comprehensive federal privacy legislation that requires affirmative consent for data collection. Support the Electronic Privacy Information Center (EPIC), the Electronic Frontier Foundation (EFF), and ACLU Digital Rights, all of which are fighting for stronger privacy protections. Write to your representatives demanding real penalties for companies that harvest data without consent. And if you are a California resident who visited ESPN.com, you may be a member of this class action.
Why is Disney doing this when it is one of the world’s most profitable companies?
Because the advertising revenue from data harvesting is substantial, the legal risk historically has been low, and the companies doing it can afford to fight lawsuits. Disney’s ESPN brings in billions in revenue annually. The incremental advertising revenue from tracking data is meaningful even for a company this size. More importantly, the entire programmatic advertising ecosystem, which powers most of the internet’s “free” content, depends on this kind of unconsented data harvesting. Disney is not an outlier. It is behaving exactly like every other major media company. That is what makes this systemic. The entire model needs to change, and that requires legal accountability at scale.
๐ก Explore Corporate Misconduct by Category
Corporations harm people every day โ from wage theft to pollution. Learn more by exploring key areas of injustice.
- ๐ Product Safety Violations โ When companies risk lives for profit.
- ๐ฟ Environmental Violations โ Pollution, ecological collapse, and unchecked greed.
- ๐ผ Labor Exploitation โ Wage theft, worker abuse, and unsafe conditions.
- ๐ก๏ธ Data Breaches & Privacy Abuses โ Misuse and mishandling of personal information.
- ๐ต Financial Fraud & Corruption โ Lies, scams, and executive impunity.
