Disney failed to honor California residents’ privacy opt-out requests for three years, prompting California regulators to impose a $2.75 million fine in 2023. The company continued collecting and selling consumer data even after users explicitly requested that their information not be shared with third parties, a direct violation of California’s Online Privacy Protection Act (CalOPPA). This case illustrates how major corporations sometimes ignore legal privacy protections and the financial consequences when state authorities discover the violations.
The specific violation involved Disney’s failure to implement opt-out mechanisms that met CalOPPA’s standards. When consumers visited Disney’s websites and mobile apps, they were supposed to have the right to request that their information not be sold or shared. Disney provided these mechanisms, but the company didn’t actually honor the requests—data continued flowing to third parties for years without consumer permission.
Table of Contents
- What California Privacy Law Requires for Opt-Out Rights
- How Disney’s Violation Worked and Why It Took Three Years to Discover
- The Enforcement Action and Financial Penalty
- What This Means for California Residents and Privacy Rights
- Why Privacy Opt-Out Systems Fail
- Other Privacy Enforcement Actions Against Major Companies
- The Future of Privacy Enforcement and Corporate Compliance
- Conclusion
What California Privacy Law Requires for Opt-Out Rights
CalOPPA, passed in 2003 and amended multiple times, requires websites and online services that collect personal information from California residents to disclose what data they collect and give users the right to opt out of its sale or sharing. The law specifically mandates that companies must honor opt-out requests and maintain systems to ensure those requests are followed through. Many websites display “Do Not Sell My Personal Information” links, which are direct responses to CalOPPA’s requirements.
The opt-out requirement applies even when a company doesn’t explicitly market itself as selling data. If any personal information moves to third parties for any purpose outside the company’s direct service to the user, that typically qualifies as a “sale” under California law. This means tech companies, retailers, media companies, and entertainment firms must all provide opt-out mechanisms. A consumer visiting a streaming service or retail site might expect their browsing history won’t be packaged and sold to advertisers, but without proper opt-outs, it often is.

How Disney’s Violation Worked and Why It Took Three Years to Discover
Disney’s privacy opt-out system accepted requests but failed to process them. When California residents attempted to opt out of data sharing through the company’s website, Disney acknowledged the request but then continued collecting and selling their personal information to data brokers and third-party advertisers. The violation spanned from 2016 to 2019, a three-year window during which the company had multiple opportunities to fix the problem and chose not to.
One critical limitation in catching these violations is that regulatory agencies typically discover them only after receiving consumer complaints or conducting targeted investigations. Many companies likely operate non-functional opt-out systems for extended periods without penalty simply because no one audits them. The California Attorney General’s office eventually investigated Disney after receiving complaints, but without proactive oversight, similar violations could persist indefinitely at other companies. The $2.75 million fine represented a significant amount but was far less than the cumulative value Disney likely generated from selling the data of thousands of consumers for three years.
The Enforcement Action and Financial Penalty
California’s Attorney General announced the settlement with Disney in December 2023, concluding that the company had violated CalOPPA by failing to honor opt-out requests and by misrepresenting its data-sharing practices. Disney agreed to pay $2.75 million in civil penalties and to implement corrective measures, including establishing a working opt-out system and conducting regular audits to ensure compliance. The company was also required to delete consumer data that had been collected in violation of the law.
This enforcement action set a notable precedent because Disney is one of the largest media companies in the world, and the fact that it faced penalties for privacy violations sends a signal to other major corporations. However, some consumer advocates argue the penalty is relatively modest for a company with Disney’s resources and the scale of the violation. For perspective, Disney’s annual revenue exceeds $80 billion, making a $2.75 million fine roughly equivalent to a small traffic violation for an average household.

What This Means for California Residents and Privacy Rights
The Disney case confirms that California residents’ legal right to opt out of data sharing is only as good as the enforcement mechanism behind it. Before this settlement, many consumers didn’t realize that companies accepting their opt-out requests weren’t necessarily following through. After the enforcement action, residents have greater assurance that at least the companies caught and penalized will implement functional systems, though this doesn’t guarantee every company complies.
The case also highlights a tradeoff in privacy regulation. CalOPPA established rights for consumers but relies on state investigators or consumer complaints to identify violations. Unlike some other regulatory areas where compliance is automated or constantly monitored, privacy enforcement often works retroactively. This means violations can persist for years before anyone takes action. For consumers wanting to protect their privacy now, the safer approach is to assume that some companies may ignore opt-out requests and to take additional steps like using privacy-focused browsers, enabling do-not-track signals, and limiting what information they volunteer on websites initially.
Why Privacy Opt-Out Systems Fail
Opt-out systems fail for several reasons, some technical and some intentional. On the technical side, large companies like Disney operate dozens of interconnected databases and third-party data-sharing relationships. Implementing a system that honors opt-outs across all these systems requires coordination and integration work that many companies deprioritize. On the intentional side, some companies are essentially indifferent to compliance because the revenue from data sharing exceeds the expected cost of penalties.
A critical warning for consumers: even after implementing corrective measures, there’s no guarantee a company won’t experience future compliance failures. Disney’s 2023 settlement doesn’t prevent the company from facing similar violations in the future if it fails to maintain its new systems. Regulatory resources are also limited, meaning regulators can’t possibly audit every company annually. This creates a compliance environment where some companies may calculate they can violate the law for years, pay a penalty only if caught, and still come out ahead financially.

Other Privacy Enforcement Actions Against Major Companies
Disney isn’t the only major company that has faced California privacy penalties. In recent years, the California Attorney General’s office has taken enforcement actions against other tech and media companies for similar violations. Google, Amazon, and various social media platforms have faced settlements for failing to properly implement opt-out mechanisms or for misrepresenting their data practices. Each case reinforces the point that privacy law exists, but enforcement is episodic rather than continuous.
A specific example: similar enforcement actions have targeted companies that operate fake opt-out buttons designed to make opting out difficult or impossible. In some cases, companies made the “Sell My Data” button obvious but buried the “Do Not Sell My Data” option, or made the opt-out process require multiple steps while keeping opt-in as a single click. These practices violate the spirit of privacy law even if they technically include an opt-out option.
The Future of Privacy Enforcement and Corporate Compliance
The Disney case suggests that state-level privacy enforcement is likely to intensify, particularly as California’s privacy laws continue evolving. California’s Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), expanded privacy protections beyond CalOPPA. Future enforcement actions may become more frequent and potentially involve larger penalties as regulators develop stronger cases and companies face greater pressure from consumers.
Looking ahead, the trend indicates that state attorneys general are investing more resources in privacy investigations and that private lawsuits are becoming another avenue for enforcement. Companies have an incentive to treat privacy compliance as a core operational requirement rather than a legal afterthought, but the Disney case demonstrates that even market leaders sometimes fail to do so. For regulators, the challenge remains balancing adequate enforcement to encourage compliance with realistic limits on oversight resources.
Conclusion
Disney’s $2.75 million penalty for ignoring California privacy opt-outs for three years demonstrates that major corporations can violate privacy law with minimal immediate consequences, though they eventually face enforcement action. The case reinforces that CalOPPA and similar laws provide protections on paper, but actual enforcement depends on state investigators identifying violations and pursuing penalties. California residents relying on opt-out buttons to protect their privacy should understand that not every company honors these requests immediately, and that discovering violations often takes years.
For consumers, the Disney case serves as a reminder that privacy protection requires multiple layers. Opting out through company mechanisms is important, but supplementing that with additional privacy practices—like using privacy tools, limiting initial data sharing, and being selective about which websites receive personal information—provides better protection than relying on opt-outs alone. As privacy enforcement intensifies, more companies will face penalties, which may eventually raise the cost of compliance violations high enough to motivate genuine privacy protection across the board.