California Attorney General Rob Bonta’s office has announced another fine under the California Consumer Privacy Act (CCPA), this time against media giant Disney. At $2.75 million dollars, it is the largest CCPA fine to date, far outstripping last year’s $1.55M settlement with Healthline. 

This latest enforcement action is a result of the AG’s 2024 investigative sweep of digital streaming services for CCPA compliance.

The case focuses, unsurprisingly, on respecting California consumers’ right to opt-out. However, the Disney settlement is notable because it signals that California regulators are enforcing an increasingly demanding level of CCPA compliance that requires more technological sophistication.

Cross-Platform Opt-Outs

Disney operates quite a few websites and apps that engage in the selling and/or sharing of consumers’ personal information. Under the CCPA, this triggers the right to opt-out. Disney was apparently giving consumers a way to opt-out on these various platforms, but it limited the opt-outs to a specific service and often only to a specific device.

Why is this a problem? CCPA regulations state that when a consumer opts out on one device, if that device is associated with a known consumer, then the business should apply the opt-out to that consumer in general. For example, if a consumer is logged in to a business’s website and submits an opt-out, that same consumer should also be opted out if they later access the business’s mobile app.

The Disney settlement further says that if a consumer is not logged in or does not have an account, Disney must inform them of how they can fully effectuate an opt-out, such as by logging in to their account or otherwise providing more information.

Same Goes for GPC Opt-Outs

The rule for implementing opt-outs across devices and platforms doesn’t just apply to manually submitted opt-outs, it applies to opt-out preference signals as well. 

Opt-out preference signals are signals sent by a consumer’s web browser that automatically indicate their request to opt-out . At this point, the only widely recognized signal is the Global Privacy Control (GPC) standard. 

The Disney case makes clear that when a business detects an opt-out preference signal, it should opt the consumer out across devices and platforms whenever possible. For example, if the consumer is logged into their account and activates the GPC signal in their browser, the business must do more than honor the opt-out on that device; it should apply the opt-out to all selling and sharing of that consumer’s data. If it’s not possible to do so, the business must inform them of how to do a full opt-out.

This rule will become even more important when California’s new law requiring all browsers to support opt-out preference signals takes effect in 2027.

DIY Compliance Is Getting Complicated

Every new privacy enforcement case increases our knowledge of what it takes to be compliant. What the Disney settlement tells us is that regulators have demanding expectations for CCPA compliance, even when it requires a complex technological solution. Businesses need to respond to GPC signals, associate them with a known consumer, and apply them across multiple platforms and devices when possible.

The technology complexity of compliance, along with the increasing complexity of the laws themselves, makes DIY privacy compliance a tough challenge for most businesses. TrueVault brings compliance within reach for businesses of all sizes. Within a matter of days, you can quickly get your company up to speed with the latest privacy requirements, including honoring opt-outs across logged-in devices.

Contact our team to learn how easy compliance can be.