California AG Announces Settlement for CCPA Violations

California privacy enforcement has entered its “no more hiding behind clunky buttons” era, and honestly, it was overdue. The latest headline-grabbing example is California Attorney General Rob Bonta’s February 11, 2026 settlement with Disney, a case that turned a familiar legal idea into a very practical warning: if a consumer says “stop sharing my data,” a business cannot respond with a maze, a shrug, or a polite-looking setting that works only on Tuesdays.

The settlement is a big deal not just because of the money, but because of what the state says went wrong. According to the Attorney General, Disney failed to fully honor consumers’ requests to opt out of the sale or sharing of personal information across Disney+, Hulu, and ESPN+ when those services were tied to the same account. In other words, California is signaling that privacy rights must work across the full customer experience, not just on whichever screen happened to be open when a consumer clicked a toggle.

That matters far beyond one entertainment giant. This case sits on top of a growing stack of CCPA enforcement actions involving retailers, publishers, streaming services, food delivery platforms, and mobile game companies. Taken together, these cases show a clear pattern: California is no longer impressed by privacy theater. Regulators want functioning opt-out tools, truthful disclosures, proper contracts, respect for Global Privacy Control, and special care when children or sensitive data are involved.

What Happened in the Disney Settlement

On February 11, 2026, the California Attorney General announced a $2.75 million settlement with Disney, described as the largest public CCPA settlement to date. The case stemmed from the Attorney General’s 2024 investigative sweep of streaming services and connected TV platforms, an initiative aimed at testing whether companies were actually honoring opt-out rights in the places consumers really use them: websites, mobile apps, and television apps.

The core allegation was deceptively simple. Disney allegedly provided opt-out methods, but those methods did not fully do the job. Consumers could submit choices through webforms, toggles, or Global Privacy Control signals, yet those choices allegedly did not always stop data sharing across all services and devices associated with the consumer’s account. California’s position was essentially this: partial compliance is still noncompliance, just with better graphic design.

One of the most striking details from the complaint was the idea that a consumer using a computer, tablet, and connected TV across Disney+, Hulu, and ESPN+ might have had to repeat the opt-out process up to ten times. That detail reads less like a privacy workflow and more like a side quest nobody asked for. California’s point was blunt: any one valid opt-out method should have been enough.

The settlement requires more than a check written with a very expensive pen. It also requires Disney to implement consumer-friendly opt-out methods with minimal steps, honor opt-out preference signals such as Global Privacy Control where applicable, provide clear notice, give consumers a way to confirm their opt-out has been processed, avoid confusing choice architecture, notify third parties when opt-out requests are received, and maintain ongoing compliance monitoring and reporting. The judgment also reinforces protections for children and minors, who cannot have their data sold or shared without the required affirmative authorization.

Why This Settlement Matters So Much

1. California is testing how privacy tools work in the wild

For years, some companies treated privacy compliance like a paperwork problem. Update the policy, add a link, hold a meeting, congratulate everyone, and go get coffee. California is clearly done with that approach. The Disney matter shows that regulators are willing to test whether an opt-out actually propagates across systems, brands, devices, and ad-tech flows. The legal requirement is no longer just “have a button.” It is “make the button actually do the thing.”

2. Account-wide identity creates account-wide obligations

Many digital businesses love unified accounts because they improve personalization, analytics, retention, and cross-platform engagement. That business convenience cuts both ways. If a company can recognize a user across services for advertising or profiling purposes, California’s enforcement posture suggests the consumer’s privacy choice should travel just as efficiently. A company does not get to be one giant ecosystem for monetization and three separate islands for opt-out compliance.

3. Global Privacy Control is not decorative

The CCPA gives California consumers the right to opt out of the sale or sharing of personal information, including through a user-enabled Global Privacy Control. That is supposed to make opt-out easier, not inspire a philosophical debate inside a product team about whether the browser really meant it. California has repeatedly emphasized that GPC must be treated as a valid request where the law requires it. In plain English: if the signal arrives, businesses should not act surprised every single time.

4. Dark patterns and confusing choices are squarely in the crosshairs

The Disney judgment, like other California actions, focuses on user experience. That means hidden links, unlabeled icons, circular settings menus, and other “you can opt out if you can solve this puzzle” designs are risky. California expects opt-out methods to be easy to execute and require minimal steps. Privacy rights are not meant to feel like an escape room.

The Bigger Enforcement Pattern Behind the Headline

The Disney settlement did not come out of nowhere. It is part of a visible enforcement arc that has been building for years. The AG’s office has been remarkably consistent in the message, even as the industries change.

Sephora became an early landmark case in 2022. California alleged the retailer failed to disclose that it was selling personal information, failed to honor opt-out requests sent through Global Privacy Control, and failed to cure the violations within the then-existing cure window. That case made it painfully clear that ad-tech arrangements can count as a sale under the CCPA, even when a company prefers to call them “marketing partnerships” and hope nobody asks follow-up questions.

DoorDash followed in 2024, with allegations that the company sold customer personal information without providing notice or an opportunity to opt out. This reinforced a basic but critical rule: consumers must be told what is happening and must have a real chance to stop it.

Tilting Point, also in 2024, pushed enforcement into children’s privacy. California alleged the mobile game company collected and shared children’s data in connection with a popular game without obtaining parental consent. That settlement signaled that mobile apps are not somehow floating above the law just because they are colorful and full of cartoon spatulas.

Healthline raised the stakes in 2025. The AG announced a $1.55 million settlement after alleging that online tracking technology on Healthline.com enabled sharing of data that could suggest a reader had a serious health condition. The settlement also included a notable restriction on sharing article titles that could reveal a diagnosis. That case showed California’s concern with sensitive context, not just raw identifiers. When a page title plus a tracker can tell a story about a person’s health, regulators notice.

Sling TV brought the streaming issue into sharper focus later in 2025. California alleged that consumers were misdirected to cookie preferences and faced difficult, multi-step workflows that did not provide an easy way to stop the sale of personal information. The settlement also addressed children’s privacy protections, showing that the state is not viewing opt-out and minors’ rights as separate planets.

Jam City added another warning for app developers in late 2025. The AG alleged the company failed to provide CCPA-compliant opt-outs in its mobile apps and that some games sold or shared personal information from users between 13 and 16 without the required affirmative opt-in consent. Translation: if your monetization strategy depends on in-app advertising, your privacy design had better live inside the app too.

What Businesses Should Learn Right Now

Audit your data map like your budget depends on it

Because it probably does. Businesses need a current understanding of what personal information is collected, where it flows, which third parties receive it, and which activities count as selling or sharing under California law. A privacy policy written by optimistic people in 2023 is not a substitute for a real data inventory in 2026.

Test opt-out journeys across every channel

Web, mobile web, iOS, Android, connected TV, logged-in experience, logged-out experience, bundled accounts, legacy account states, pseudonymous profiles, and ad-tech integrations all need testing. The most dangerous sentence in privacy compliance may be, “It should work.” California seems very interested in whether it actually works.

Do not outsource responsibility to vendors

Several recent analyses of California enforcement point to the same lesson: using third-party tools does not transfer legal accountability. Vendor limitations, platform quirks, and software constraints may explain a problem, but they do not excuse it. If your business benefits from a sophisticated advertising ecosystem, it also inherits the obligation to make that ecosystem respect consumer rights.

Make the opt-out visible and understandable

Consumers should not need a magnifying glass, a flowchart, and emotional support to find the correct setting. If the method is hidden, mislabeled, overloaded with unrelated choices, or designed to confuse, California is likely to view it as a problem.

Pay special attention to minors and sensitive contexts

Children’s data, teen users, health-related content, and high-sensitivity contexts are recurring themes in enforcement. If a company deals with those categories, privacy compliance is not a side project. It belongs in product design, contract review, ad-tech governance, and ongoing monitoring.

What This Means for Consumers

For California consumers, the settlement is a reminder that privacy rights under the CCPA are not theoretical. Consumers have the right to ask businesses to stop selling or sharing personal information, including through Global Privacy Control. They also have the right to expect that an opt-out request will be honored without unnecessary friction.

That expectation may sound obvious, but digital businesses have spent years normalizing overly complicated privacy controls. A company can make sign-up effortless, remember a password across five devices, recommend a new show in six seconds, and serve a targeted ad before your popcorn is ready. In that context, asking consumers to repeat an opt-out over and over again is not a technical inevitability. It is a design choice, and California is increasingly treating it that way.

Real-World Experiences from the CCPA Front Lines

Talk to privacy professionals, product managers, and even regular users who have tried to exercise their opt-out rights, and a common theme shows up fast: the hard part is rarely the legal text. The hard part is the messy, unglamorous reality of getting systems to behave consistently. One team might discover that the website honors an opt-out beautifully, while the mobile app ignores it, the connected TV app never received the feature, and a vendor dashboard still sends audience data to advertising partners because somebody checked the wrong box six quarters ago. Privacy compliance often fails not in one dramatic explosion, but in a thousand tiny leaks.

Another common experience is organizational whiplash. Marketing teams want data flows to remain smooth. Engineering teams want requirements that are precise and testable. Legal teams want the disclosures to be accurate. Nobody wakes up hoping to build a broken opt-out mechanism, yet plenty get built because each team assumes another team has the weird corner cases covered. The Disney case lands right in that gap. It suggests that California expects companies to coordinate across product lines, devices, interfaces, and vendors. Saying “the app team owns that” will not be much comfort if the state decides the company owns all of it.

Consumers, meanwhile, often experience privacy controls as an exercise in low-grade irritation. They click “Your Privacy Choices,” land on a cookie page, toggle something that sounds promising, refresh the page, and then wonder whether anything actually changed. Maybe it did. Maybe it only affected one browser. Maybe it only disabled analytics while targeted advertising kept humming in the background like nothing happened. That uncertainty is exactly what regulators appear to be targeting now. A right that consumers cannot easily find, understand, or verify does not feel much like a right.

There is also a surprisingly human lesson here for companies: trust is operational. Consumers do not measure trust only by brand reputation or a polished privacy statement. They measure it in tiny moments. Did the setting make sense? Did it work the first time? Did the company respect the choice everywhere, or did the customer have to keep repeating it like a very tired parrot? Those moments shape whether users believe a company is serious about privacy or merely performing it.

The businesses that come out ahead in this environment will likely be the ones that treat privacy controls as product features, not legal footnotes. They will test them, document them, revisit them after app updates, and make sure the controls work in the environments where people actually use the service. That approach may not be glamorous, and it definitely will not fit on a motivational poster, but it is a lot cheaper than finding out the Attorney General has been clicking around your interface with professional curiosity.

Conclusion

The California AG’s settlement over CCPA violations is more than a one-company story. It is a snapshot of a tougher, more technical phase of privacy enforcement. The message from California is consistent and increasingly hard to miss: opt-out rights must be real, easy, account-aware where appropriate, and honored across the actual ecosystem a business uses to collect, share, and monetize data.

For businesses, that means privacy compliance can no longer live only in policies and presentations. It has to live in product architecture, vendor contracts, quality assurance, account design, ad-tech controls, and reporting. For consumers, the case is a welcome reminder that the law is catching up to the digital shrug that too often greets privacy choices. In California, at least, “we gave them a link somewhere” is starting to sound a lot less like compliance and a lot more like a future settlement announcement.