← All posts Enforcement Analysis

Disney Paid $2.75M Because Their Opt-Out Button Only Worked on One Screen

The California Attorney General's largest CCPA settlement to date. Disney had opt-out mechanisms — toggles, webforms, GPC signal detection. The problem: none of them propagated across services. Here's what went wrong technically and what should have been deployed.

What CalPrivacy found

Disney offered consumers multiple ways to opt out of data sale and sharing: webforms, in-app toggles, and Global Privacy Control (GPC) signal recognition. On paper, they were compliant.

In practice, none of these mechanisms worked correctly:

  • Opt-out toggles were service-scoped, not account-scoped. A consumer watching Disney+ who opted out was still having their data sold through Hulu, ESPN+, and other Disney platforms. Different service, different toggle state.
  • GPC signals were device-scoped. Opting out via the browser's Global Privacy Control header on your laptop didn't apply to the same account on your phone, your TV, or any other device.
  • No cross-service propagation. There was no mechanism to fan out an opt-out decision across Disney's entire service portfolio. Each platform maintained its own independent consent state.

The settlement requires Disney to overhaul its opt-out mechanisms so that a single consumer request halts data sharing across all services, all devices, and all third-party partners associated with the consumer's account.

The technical failure

This isn't a legal compliance failure. It's an infrastructure architecture failure.

Disney almost certainly had consent state stored somewhere for each service. The problem is that consent was stored per service rather than per account, with no event-driven propagation between services. Each platform was a silo.

This is extremely common in companies that grew through acquisition or have multiple product lines. Each service has its own user database, its own consent mechanism, its own third-party vendor integrations. Nobody built the connective tissue.

What should have been deployed

1. A centralized consent state store

One source of truth for consent decisions, keyed to the consumer's account — not the service, not the device. When a consumer opts out anywhere, the state store records it once at the account level.

const consentStore = new ConsentStateStore({
  key:       "account_id",    // not service_id, not device_id
  signals:   [Signal.GPC, Signal.OPT_OUT_TOGGLE, Signal.WEBFORM],
  scope:     "account-wide",  // applies across all services
});

2. GPC detection at the edge

Every service endpoint checks for the Sec-GPC: 1 header. When detected, the middleware writes to the centralized consent store — not to a service-local cookie or preference. This is ~50 lines of middleware per service, but it has to write to the same store.

3. An event-driven propagation pipeline

When consent state changes, an event fires. Every downstream service and every third-party vendor that receives consumer data subscribes to that event. The pipeline calls each vendor's opt-out/deletion API automatically.

const propagator = new ConsentPropagator({
  source:     consentStore,
  downstream: [
    "disney-plus", "hulu", "espn-plus",   // internal services
    "analytics", "ad-platform", "cdp",       // third-party vendors
  ],
  trigger:    ConsentEvent.OPT_OUT,
  mode:       "fan-out",       // propagate to all, not just the originating service
});

4. Vendor contracts with technical enforcement

It's not enough to have a contract that says "stop processing on opt-out." The infrastructure has to actually call the vendor's deletion/opt-out API when consent changes. Without both the legal clause and the API call, you're compliant on paper and leaking data in production.

The fine math

$2.75M was a settlement. The statutory maximum is $7,988 per consumer, per violation, no cap. Disney has tens of millions of subscribers across Disney+, Hulu, and ESPN+. If each subscriber's opt-out only applied to one service instead of all of them, that's potentially a separate violation per service per consumer.

The settlement was a discount.

Does this apply to you?

If your company has multiple products, multiple user-facing services, or multiple third-party integrations that receive consumer data — and your opt-out mechanism doesn't propagate across all of them from a single consumer action — you have the same exposure Disney had.

This is one of the five compliance modules we deploy. The consent signal processing pipeline is purpose-built for this exact problem: centralized consent state, GPC detection, and fan-out propagation to every downstream service and vendor.

// Free CCPA gap assessment — we'll map your consent signal architecture and tell you where the gaps are. 60 minutes, 48-hour gap report.