The California Privacy Protection Agency (“CPPA”) and the Office of the California Attorney General (“CA AG”) have recently concluded several high profile settlements following investigations of alleged consumer difficulties in fully exercising opt-out rights that exist under the California Consumer Privacy Act (“CCPA”).1 These settlements underscore the importance that California regulators attach to consumers being able to exercise their privacy rights, and in particular the right to opt out of the sale and sharing of personal information. They also provide a useful road map as to the minimum requirements that businesses need to satisfy in managing the consumer exercise of rights to opt out of the sale and sharing of their personal information to avoid regulatory enforcement.
I. Final Judgment and Permanent Injunction with Disney stream services
In the first case, the CA AG entered into a February 2026 stipulated Final Judgment (without admission of liability) with Disney DTC, LL and ABC Enterprises Inc. resolving alleged violations of consumer opt out rights. The judgment imposed a $2.75 million civil penalty and injunctive requirements to implement opt-out methods that prevent Disney from selling or sharing consumers’ personal information. The CA AG concluded following an investigation that even when a consumer was logged in to Disney’s streaming service account and using Disney’s webform, opt out requests would only be applied to the specific streaming service the user was watching, or to the specific device the consumer was using (e.g. either a tablet, smart phone or computer, but not all). Similarly, for opt-out requests made using the Global Privacy Control (GPC), Disney limited the request to the specific device the consumer was using, even when logged into their account.
The CA AG concluded that use of the Disney opt-out toggle would “not stop selling or sharing from other devices or services connected to the consumer’s account.”
In addition, if a consumer opted out using Disney’s webform, the final judgment concluded that if Disney ceased sharing of personal information through its own advertising platform and offerings it would not prevent the sale and sharing of personal information with ad tech companies whose code was embedded on its website and apps. Disney also failed to provide an in-app opt-out method in many of its connected TV streaming apps, instead directing consumers to its webform.
Compliance measures:
- Clear and conspicuous notice regarding cross-context behavioral advertising using personal information obtained from third parties. This notice requires giving consumers a meaningful understanding of the information and categories of sources from which the PI is collected and directs consumers to an effective opt-out mechanism. (Para. 25);
- Implement a consumer-friendly, easy opt-out process allowing consumers “to opt-out with minimal steps” including through use of an opt-out preference signal. The opt-out choice shall be applied to all associated streaming services associated with the consumer’s account. (Para. 26);
- Must avoid creating “choice architecture” such as cookie preferences or direct email marketing preferences and related language that lead consumers to believe that other choices must be selected to opt out of selling or sharing or that they constitute an opt out not to sell or share PI. (Para. 29)
- Consumers’ opt-out choice requires notification to all third parties to whom Disney has sold or shared a consumer’s PI directing the third party to comply with consumer’s request and forward the request to any other person to whom the third party has made the PI available. (Para. 30)
Compliance Program
- 60-day progress updates provided to the CA AG until full compliance with the new opt-out requirements is achieved. (Para. 33)
- A 3-year compliance program to assess and monitor whether opt out processes are being effectively provided implementing a “consumer’s opt-out choice account-wide on each web property, application, and device used to access DISNEY SERVICES. An annual report shall be provided during this three year period. (Para. 34)
II. CalPrivacy Settlement with High School Ticketing Platform for Tracking and Opt-Out Practices
In its first enforcement action involving students’ data privacy, the California Privacy Protection Agency (“CalPrivacy”) in early March 2026 announced an enforcement action and $1.1 Million fine agreed to by PlayOn Sports, which used tracking tools on its websites such as third-party cookies, persistent trackers, and metapixels to collect PI and send targeted behavioral advertising to ticketholders, including students at California schools. Playon then allegedly sold and shared collected PI with “advertising, social media, and analytics partners.”
CalPrivacy alleged that between 2023-2024 PlayOn forced Californians to click “agree” on the company’s cookie banner to the use of tracking technologies for the sale and sharing of their PI before they could use their tickets or view PlayOn’s websites, without providing customers, including students, a Company-provided equivalent option to reject, or opt out of the sale and sharing of their PI. This latter fact was particularly concerning to CalPrivacy given the high percentage of teens using the platform to attend ticketed school events. Instead, the company stated in its privacy policy that consumers should opt out directly with third parties via the Network Advertising Initiative (NAI) and Digital Advertising Alliance (DAA).
CalPrivacy credited PlayOn for its remediation efforts in December 2024, which included substantially revising its website, privacy policy and notice banners, including honoring opt-out preference signals, before even learning about the CalPrivacy investigation. It also cooperated with the Enforcement Division about its privacy practices.
In addition to the $1.1 Million fine, the settlement with CalPrivacy requires the ticketing provider to:
- Provide its own clear, accessible means to opt out of tracking technology sale and sharing of PI;
- Conduct risk assessments under the CCPA regulations tied to the selling and sharing of PI;
- Ordered PlayOn to comply with prohibition of sale or sharing PI of consumers aged 13-15 without affirmative op-in consent.
III. Key Takeaways from these California Privacy Enforcement Actions
Enforcement of consumer opt-out rights continues to be among the highest CCPA priorities. Each of the CalPrivacy enforcement actions over the past year, and this high-profile CA AG settlement with a leading media streaming provider, have addressed the consumer’s ability to exercise his/her right under the CCPA to opt out of the sale and sharing of PI. Opt-out mechanisms need to reflect the way consumers engage with a business, be easy to use and understand and not require unnecessary verification requirements to complete opt-out requests (in the separate Ford Motor Company enforcement action). Consumer notices should clearly describe all available consumer rights and be reviewed and updated at least annually. Consumer options should be designed symmetrically, to offer both an “agree/accept all” button as well as a “decline all” button in cookie banners.
Regularly inventory, test, monitor and audit your use of tracking technologies. CalPrivacy’s orders require PlayOn and Ford (in their separate enforcement settlement) to maintain comprehensive inventories of tracking tools used on their websites and to conduct internal audits and monitoring to ensure that opt-out choices are fully applied to these technologies.
CA Privacy Enforcement is Focused on Ensuring Compliance, Not Maximizing Settlement Fines
With updated CCPA civil penalty amounts of $2663 per violation and $7988 for each intentional violation, regulators could potentially maximize fines by counting multiple transactions involving each consumer. However, settlement amounts to date seem to be assessed on a single violation per consumer basis, preferring to focus on injunctive prospective relief rather than punishing past conduct. As a result, no potential defendants have yet challenged California regulators’ broad-ranging enforcement of the CCPA and what amounts to “sharing”, cross-context behavioral advertising and the statutory requirements for honoring opt-out signals across devices. Injunctive relief commitments have included: curative modification to opt-out processes to make them easier to exercise without “friction” points; account-wide exercise of consumer preferences; vendor oversight; and multiyear risk assessments and compliance monitoring plans. Negotiated resolutions which include compliance programs that require operational reforms are a more efficient use of government resources than the costly litigation of CCPA regulations. And the risk/reward for businesses also probably weighs heavily in favor of reaching an acceptable settlement of its optout practices in the future versus litigating a potentially harsher litigation outcome (with potentially heavier fines on a per violation basis).
1See Press Release, State of California Department of Justice, “California Won’t Let It Go: Attorney General Bonta Announces $2.75 Million Settlement with Disney, Largest CCPA Settlement in California History” at https://oag.ca.gov/news/press-releases/california-wont-let-it-go-attorney-general-bonta-announces-275-million
