California's attorney general issues largest CCPA fine to date

California Attorney General Rob Bonta announced his office reached the largest California Consumer Privacy Act settlement to date, a USD2.75 million penalty and corrective measures to Disney over claims of CCPA opt-out requirement noncompliance. The action tops the USD1.55 million settlement Bonta's office secured with Healthline Media 1 July 2025 over similar opt-out allegations.

The settlement specifically pertains to gaps in the implementation of Disney's opt-out methods across its streaming services. That probe was part of a broader 2024 investigative sweep covering streaming service opt-out practices.

"California's nation-leading privacy law is clear: A consumer's opt-out right applies wherever and however a business sells data — businesses can't force people to go device-by-device or service-by-service," Bonta said in a statement. "In California, asking a business to stop selling your data should not be complicated or cumbersome. My office is committed to the continued enforcement of this critical privacy law."

The findings

The investigation by Bonta's office found specific issues with Disney's opt-out toggle, webform and responses to Global Privacy Control signals. 

According to the office, the toggles "only applied the request to the specific streaming service the user was watching, and often only the specific device the consumer was using." Webform opt-outs were limited to Disney advertising platforms and offerings, leaving user data open to sharing and sales through embedded third-party tracking pixels. And GPC signals were only honored on the device used to make an opt-out request rather than all user devices.

"Effective opt-out is one of the bare necessities of complying with CCPA," Bonta's office noted in a press release. "The investigation found that Disney's opt-out processes did not allow a consumer — even when logged into their account — to completely opt-out of and stop all sale or sharing of their data, in violation of the CCPA."

Frankfurt Kurnit Klein & Selz Partner Daniel Goldberg, AIGP, CIPP/US, said the monetary penalty pales in comparison to "the cost required to respond to an investigation of this complexity and bring a company of this size into compliance." 

"The attorney general's position is that if a company can unify consumer identity across services for advertising or analytics purposes, it should be able to unify opt-outs as well," Goldberg added. "In practice, that is far easier said than done. Systems are often designed in silos or acquired over time. There are also technological limitations when linking certain types of data, especially once hashed or separated across environments. Regulatory expectations do not always align neatly with technological realities."

Ongoing opt-out issues

A majority of the seven CCPA settlements reached by Bonta's office to date focus on user opt-out violations. Additionally, the office joined the California Privacy Protection Agency and attorneys general in Colorado and Connecticut for a September 2025 investigative sweep dedicated to potential GPC signal noncompliance.

"We have identified businesses refusing to honor consumers' requests to stop selling their personal data and have asked them to immediately come into compliance with the law," Bonta said in September 2025. "California and our sister states are committed to continued collaboration to actively enforce consumers' important privacy rights and are paying close attention to business compliance with the Global Privacy Control."

Connecticut and Minnesota recently divulged respective findings on opt-out issues during 2025 comprehensive privacy law enforcement reviews.

Connecticut Attorney General William Tong said a majority of the new Connecticut Data Privacy Act complaints focused on insufficient responses to data deletion requests, noting companies are "making it hard" to exercise the right to delete. Minnesota Attorney General Keith Ellison indicated his office received 200 complaints under the state's comprehensive law over the last six months, with a majority pertaining to deletion rights.

The IAPP Global Summit 2026 will feature high-level state privacy enforcement dialogue from enforcers themselves. Representatives from state attorneys general offices in California, Connecticut, Delaware and Indiana, and CalPrivacy will come together for a 31 March breakout panel to discuss how the Consortium of Privacy Regulators approaches coordinated enforcement and shared priorities.

Joe Duball is the news editor for the IAPP.