US CCPA: Disney to Pay $2.75M for Failed Consumer Opt-Out via Global Privacy Control

California Attorney General announced a $2.75 million settlement with Disney on February 11, 2026, making it the largest CCPA fine ever imposed. The settlement stems from Disney's failure to honor consumer opt-out requests across its streaming platforms, including requests made through Global Privacy Control (GPC), the browser-based signal that lets users opt out of data sale and sharing automatically.

US CCPA: Disney to Pay $2.75M for Failed Consumer Opt-Out via Global Privacy Control

This is the seventh CCPA enforcement action from the California AG's office, following cases against Sephora ($1.2 million in 2022), DoorDash, and others. For publishers and marketers who collect user data through advertising, the message is clear: ignoring GPC signals carries real financial consequences.

How Disney Violated CCPA Opt-Out Requirements

The investigation, part of a 2024 sweep targeting streaming services, uncovered serious gaps in how Disney handled privacy opt-out requests across three channels.

When consumers used Disney's opt-out toggle, the company only applied it to the specific streaming service and device being used. Data selling and sharing continued freely across other connected Disney services and devices.

Requests submitted through Disney's webform fared no better. The company stopped sharing data through its own advertising platform but continued selling personal information to embedded third-party ad-tech companies. On top of that, many of Disney's connected TV apps had no in-app opt-out method at all.

The GPC signal failures were equally problematic. When consumers sent a Global Privacy Control signal through their browser, Disney limited the opt-out to that single device, even when the consumer was logged into their account across multiple services.

Attorney General Bonta put it plainly: "A consumer's opt-out right applies wherever and however a business sells data — businesses can't force people to go device-by-device or service-by-service."

GPC Compliance Is Now a Legal Priority for US Marketers

Global Privacy Control is a browser-based signal created in 2020 that communicates a user's preference not to have their data sold or shared. It is built into Firefox and Brave, and available through extensions on Chrome and Safari. Under California law, businesses must treat GPC signals as valid opt-out preference signals under the CCPA.

The actual volume of GPC traffic on most websites remains low today. But the legal risk is disproportionately high. California has made GPC enforcement a priority, and the Disney fine proves that even low-adoption signals carry multi-million-dollar consequences when ignored. With AB-3048 now requiring major browsers and mobile operating systems to natively support opt-out preference signals by January 2026, adoption will only grow.

Beyond California, states like Colorado, Connecticut, and Montana also recognize universal opt-out mechanisms. Marketers operating across US privacy jurisdictions need to treat GPC compliance as a baseline requirement, not an edge case.

What the Disney Settlement Means for Marketers and Publishers

The Disney case makes the compliance standard very specific. Opt-out requests, whether through toggles, webforms, or GPC signals, must apply across all services, all devices, and all third-party data sharing arrangements tied to a user's account. Piecemeal opt-out mechanisms will not hold up under enforcement.

Marketers should audit their current opt-out processes against this standard. If a consumer sends a GPC signal on one device, that opt-out should propagate across the entire account. If a webform opt-out stops direct data sharing but not third-party ad-tech sharing, the process is incomplete.

The most practical way to close these gaps is through a Consent Management Platform (CMP) that detects GPC signals automatically and applies them across the full ad-tech stack. Manual processes leave room for exactly the kind of inconsistencies that cost Disney $2.75 million.

Regular testing matters as well. Companies should verify that data sales and sharing are fully blocked when GPC is detected, and keep records of those tests. Documented compliance efforts provide a stronger defense if regulators come calling.

UniConsent Built-In GPC Signal Support

UniConsent provides built-in support for browser GPC signals, designed to help publishers and marketers comply with California privacy laws without additional development work. When a visitor arrives with GPC enabled, UniConsent detects the signal and syncs it with IAB CCPA and CPRA consent frameworks, automatically marking the session as "Do Not Sell or Share."

GPC signals are also synced with IAB GPP and US Privacy consent strings, so the opt-out preference carries through to your entire advertising ecosystem. UniConsent handles CCPA, CPRA, GDPR, and other global regulations from a single platform, and as a Google-certified CMP, consent signals are recognized by Google's advertising services.

The Disney settlement is a turning point for GPC enforcement. Businesses that integrate GPC support through a CMP now can avoid the compliance gaps that led to this record fine.

References

• California Attorney General Announces $2.75 Million Settlement with Disney
• California Imposes Largest CCPA Fine to Date on Disney - Clark Hill
• GPC Compliance Is Becoming a Legal Priority for U.S. Marketers - MarTech

About UniConsent

UniConsent is a part of Transfon's privacy-first User Experience Platform that serves tens of millions of users per day to provide a seamless privacy experience for both users and publishers in the age of post GDPR. Contact us to know more: hello@uniconsent.com