• 5 min read
Disney’s $2.75m CCPA hit exposes broken privacy plumbing
Disney’s record $2.75m CCPA settlement highlights how legacy consent tools and modern identity-driven ad stacks no longer line up.

Image: TechRadar
A record CCPA settlement with deeper technical stakes
In February 2026, the California Attorney General announced a $2.75 million settlement with Disney DTC and ABC Enterprises — the largest to date under the California Consumer Privacy Act (CCPA).
Most coverage has focused on legal nuance and enforcement posture. The more practical lessons for privacy and engineering teams are technical: the settlement exposes how two infrastructure layers inside many enterprises no longer match up.
On one side is a privacy tech layer built around cookies, banners, and webforms. On the other is a data layer built on identity graphs, pseudonymous profiles, and cross-system data flows.
According to the Attorney General’s complaint, the four technical failures at Disney — gaps for logged-out users, disconnected tooling, missing cross-brand propagation, and absent app/CTV opt-outs — are all symptoms of that misalignment.
A principle that redefines the scope of opt-outs
The settlement hinges on a blunt rule:

Recommended reading
Mira Murati’s lab unveils Inkling, a 975B open model
“If a business can associate a consumer’s devices with the consumer for advertising purposes, it can and must associate those devices with the consumer for purposes of honoring the consumer’s opt-out rights.”
In practice, that means:
- The scope of opt-out obligations follows the scope of data monetization, not the footprint of your consent management platform.
If an ad stack can resolve an anonymous device signal to a known profile for targeting, that consumer is “identified” for legal purposes. The obligation attaches to the use of identity capabilities, regardless of who built or operates them.
If identity is used to target, the same identity has to be used to exclude once a consumer opts out.
Four symptoms of infrastructure misalignment
1. Identity parity: logged-out users still count
Many organizations only apply opt-outs to authenticated users, arguing they cannot identify someone who is logged out.
The settlement challenges that logic. If pseudonymous profiles and device-level identifiers are already used to recognize and target that same person across visits without a login, then they are “identified” in the eyes of the law. Opt-outs have to reach that same identity graph.
2. Architectural fragmentation: CMP vs DSR silos
Most privacy programs now run two distinct tools:
- A consent management platform (CMP) to decide which trackers and tags fire on web pages
- A data subject rights (DSR) system to process webform submissions such as Do Not Sell or Share requests
When these are not integrated, a consumer can disappear from some backend datasets after submitting a webform, while the CMP keeps firing the same tags on every visit. The request is captured; the collection infrastructure never sees it, so data sharing continues.
3. Cross-brand propagation: one opt-out, many properties
If a media company operates multiple streaming properties on a single advertising stack, and a customer opts out on one, the settlement treats that as an opt-out across all properties that monetize the data together.
The technical ability to push that signal across brands usually exists; what’s often missing is the compliance logic that wires opt-outs into those capabilities. The same applies downstream: simply blocking tags on your own site does not touch data already held by ad-tech partners — they must be explicitly notified every time an opt-out is processed.
4. Non-browser surfaces: apps and CTV left out
Cookie-centric consent tooling was built for browsers and doesn’t automatically cover mobile apps, connected TV (CTV), or other non-browser channels.
In Disney’s case, CTV users could only opt out by going to a separate webform on another device. That form had no effect on the CTV app’s code that was still transmitting data to ad-tech partners. The mechanism technically existed, but it did not bind to the data flows it was supposed to govern.
The structural problem: privacy bolted on, not built in
These four failures share a structural root. Modern data infrastructure is highly distributed, and retrofitting privacy controls into it is not a quick quarter-long project.
The article argues that this difficulty reflects a deeper framing error: treating privacy primarily as a regulatory response instead of a data infrastructure question.
Privacy programs oriented around specific statutes are inherently reactive. A new law, settlement, or enforcement sweep appears, and teams scramble to patch the latest gap. That’s the predictable outcome when privacy is a checklist sitting on top of data flows rather than a capability embedded inside them.
Rethinking privacy as a data capability
A more durable model, the piece argues, starts at the data layer itself. When privacy controls are tied directly to identity resolution and cross-system data flows, they can flex as regulations change.
Under that approach, new rules still add obligations, but the core framework for honoring consumer choices across identifiers, channels, and partners already exists. The work shifts from reconstruction to configuration.
The proposed path forward is not another surface-level tool to satisfy the next law. It is to embed privacy controls into the data infrastructure that actually moves and monetizes data across the organization — so that the next wave of regulation is absorbed rather than bolted on.
AI Editor
Ava covers the rapidly evolving world of artificial intelligence, from foundational models and research labs to the real-world economics of intelligence. With a background in computational linguistics, she cuts through the hype to find out what actually works. She firmly believes that benchmarks are just marketing until reproduced in the wild.
via TechRadar


