California privacy enforcement has entered its “we are so done with your half-working opt-out button” era. The latest headline-grabbing example is the California Attorney General’s settlement with Disney, a case that did not just bring a record-dollar number. It delivered a sharper message: if a company can connect users, devices, apps, and ad-tech systems well enough to target ads, it should also be able to connect those same dots when a consumer says, “Please stop.” That is the heart of modern CCPA enforcement, and it is why this settlement matters far beyond a single media giant.
For businesses that still treat privacy compliance like a website footer problem, California has news: the footer is no longer enough. The state’s enforcement pattern now reaches browser signals, in-app controls, connected TV interfaces, identity resolution, vendor contracts, children’s privacy settings, and even the design choices that make a privacy tool either easy to use or maddeningly slippery. In other words, this is no longer about whether a company has a privacy policy. It is about whether the policy works in real life.
What Happened in the Latest California CCPA Settlement?
The settlement most observers are talking about centers on Disney and was announced in February 2026. California alleged that Disney failed to fully effectuate consumers’ requests to opt out of the sale or sharing of personal information across all devices and streaming services linked to a Disney account. That included services such as Disney+, Hulu, and ESPN+. According to the Attorney General, consumers who tried to opt out through certain toggles or webforms often did not get a complete stop to data sharing. In some cases, the request applied only to one device or one service, while data sharing continued elsewhere in the same account ecosystem.
That detail is the whole plot twist. California’s position is not just that businesses must offer an opt-out. The state is making clear that the opt-out has to actually work in the way an ordinary person would reasonably expect it to work. If a logged-in user says “do not sell or share my personal information,” the user should not need to repeat that request device by device like they are collecting stamps. The settlement also addressed the use of Global Privacy Control, or GPC, and alleged that Disney treated some GPC-based requests too narrowly, limiting them to the device sending the signal even when the consumer was logged in.
Just as important, the settlement focused on app-based experiences. Many people use streaming platforms on connected TVs, mobile apps, and living-room devices rather than traditional desktop websites. California’s enforcement stance is that privacy rights have to follow the consumer into those environments too. A webform buried somewhere else on the internet does not magically become “easy to use” just because the company can point to it in a lawsuit.
The result was a $2.75 million settlement, the largest CCPA settlement announced by the California Attorney General to date, along with injunctive terms requiring Disney to improve its opt-out architecture, apply opt-outs more effectively across services, provide clearer notices, and report on compliance progress. That turns the case into more than a penalty. It becomes a compliance blueprint, or if you prefer, a very expensive user-experience memo.
Why This Settlement Matters More Than the Dollar Amount
1. Cross-device privacy is no longer optional
The biggest lesson is that California increasingly sees privacy rights as account-level and system-level rights, not isolated browser events. A company cannot benefit from linking devices and services for advertising while pretending those same connections do not exist when a consumer opts out. That logic also appeared in California’s earlier public statements around streaming services, where officials said logged-in users should be able to have opt-out choices honored across different devices.
2. “Easy to use” means easy for normal humans, not compliance lawyers
California regulators are clearly reading the CCPA through a practical consumer lens. If a user has to hunt through hidden menus, fill out fields the company already knows, bounce from a TV app to a browser, or untangle cookie settings from legal opt-outs, that process may be viewed as defective. The law does not require a scavenger hunt. It requires a real right.
3. GPC has moved from theory to enforcement reality
The Global Privacy Control has been around for a while, but California keeps treating it like a real switch, not a decorative suggestion. The Sephora case helped put GPC on the map in 2022. The Disney matter reinforces that businesses must honor opt-out preference signals in a meaningful way. If a company collects personal information online and sells or shares it, California expects GPC to work as a valid request to stop that activity.
4. Connected TV and app ecosystems are in the enforcement spotlight
This is not an accident. California’s 2024 investigative sweep specifically targeted streaming services and devices. The state essentially announced the exam before handing out the grades. That sweep later fed into the Sling TV settlement and then the Disney action, making clear that regulators are watching how privacy rights are implemented in living-room technology, not just websites viewed on laptops.
How California Built to This Moment
The Disney settlement makes more sense when viewed as part of a longer enforcement story. In 2022, the Sephora settlement became the early landmark case. California alleged that Sephora sold personal information, failed to make the proper disclosures, and failed to process opt-out requests submitted through GPC. That case signaled that California was serious about web tracking and ad-tech arrangements, even when companies did not label them that way.
In 2024, California announced a settlement with DoorDash over allegations that it sold customer personal information without proper notice or an opt-out opportunity. That same year, California and the Los Angeles City Attorney’s Office settled with Tilting Point Media over children’s data issues in the mobile game SpongeBob: Krusty Cook-Off. The state alleged that the company collected and shared children’s data without obtaining parental consent, showing that child-directed services remain a major risk zone.
Then 2025 arrived like a privacy professor who brought extra homework. In July, California announced a $1.55 million settlement with Healthline Media. The case focused on online tracking technologies, targeted advertising, and the sharing of data suggesting that a person may have a serious health condition. That was a major moment because it linked CCPA enforcement to sensitive inference issues and signaled that article titles, browsing behavior, and ad-tech transmissions can raise serious privacy concerns when health content is involved.
In October 2025, California settled with Sling TV, alleging that the company offered confusing opt-out tools, mixed cookie choices with CCPA rights, required logged-in users to submit extra information, and failed to provide effective in-app methods on the devices many consumers actually use. The case also addressed children’s privacy, pushing for kid-focused profiles and stronger protections when minors are likely watching.
In November 2025, California announced a $1.4 million settlement with Jam City, alleging the mobile game developer failed to provide in-app opt-outs across its popular apps and failed to obtain the affirmative opt-in required before selling or sharing the data of certain teens. That brought the enforcement story squarely into mobile app territory.
Meanwhile, the California Privacy Protection Agency, or CPPA, has been building a parallel body of enforcement. Its actions against Honda, Todd Snyder, and Tractor Supply focused on excessive data collection during rights requests, asymmetrical user choice, broken privacy portals, missing notices, inadequate contracts, and failures to honor opt-out preference signals such as GPC. Put simply, the Attorney General and the CPPA are singing from the same hymn sheet: opt-out rights must be functional, friction-light, and technically real.
What the Alleged Violations Reveal About CCPA Compliance in 2026
If you line up these cases side by side, a pattern appears. California is not just punishing companies for missing a notice or using the wrong label. It is targeting a deeper operational problem: privacy rights often break at the exact point where marketing systems, product design, identity tools, and vendor relationships collide.
Broken assumption No. 1: “Our cookie banner covers it”
Apparently not. California has repeatedly challenged companies that blurred cookie preferences and CCPA opt-outs, or suggested that turning off one setting was enough when it was not. Consumers do not care about a company’s internal taxonomy of tracking tools. They care whether their data stops flowing.
Broken assumption No. 2: “The opt-out works on the website, so we’re fine”
Also no. Streaming apps, connected TVs, mobile games, and account-linked services are all now firmly inside the enforcement zone. If the user journey lives inside an app, California expects the privacy control to live there too.
Broken assumption No. 3: “We can ask for extra data to process the request”
The CPPA’s enforcement advisory and later actions pushed back hard on that idea. Businesses should not force consumers to provide more information than necessary to exercise privacy rights, especially opt-outs. Requiring verification where it is not legally required is starting to look less like security and more like friction.
Broken assumption No. 4: “Our vendors handle compliance”
California keeps reminding businesses that outsourcing a tool does not outsource liability. The Todd Snyder matter was especially blunt on that point. If a consent or privacy management platform is misconfigured, the business using it is still on the hook.
Broken assumption No. 5: “Sensitive inferences are somebody else’s problem”
The Healthline case suggests otherwise. Data does not need a giant flashing label that says “medical record” to become sensitive in practice. If a browsing pattern, page title, or ad-tech transmission can reveal or strongly suggest a health condition, regulators are paying attention.
What Businesses Should Do Right Now
First, audit privacy rights by actual user journey, not by policy document. Test what happens when a logged-in consumer opts out on a phone, a smart TV, a tablet, and a browser with GPC enabled. Do not ask your legal team whether the process seems compliant. Ask an ordinary person whether it seems sane.
Second, map your identity logic. If your company links devices, household profiles, account IDs, ad IDs, and pseudonymous identifiers for advertising, analytics, personalization, or attribution, you need to know whether an opt-out request follows those same pathways. A privacy choice that dies at the first device boundary is a lawsuit waiting for better lighting.
Third, simplify the interface. California’s enforcement posture increasingly overlaps with user-experience design. Hidden links, deceptive toggles, asymmetrical choices, and extra steps are not just annoying. They may be legally dangerous.
Fourth, revisit contracts and vendor governance. California continues to emphasize that businesses need the right contractual terms with service providers, contractors, and third parties. The words on paper matter, but so does verifying that the real data flow matches the paper.
Fifth, treat children’s privacy and teen privacy as a live issue. The Sling TV, Tilting Point, and Jam City matters show that California is not limiting its focus to adults clicking around on ecommerce sites. If children or teens are likely using the service, default settings, disclosures, consent, and advertising logic need closer scrutiny.
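The first two recommendations, sketched as an added example (not code from the settlement or from any company's system): a `Sec-GPC: 1` request header from a logged-in session is recorded against the account, and an audit lists linked devices where sale or sharing would still be allowed. The store, function names, and device and account IDs are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class OptOutStore:
    """In-memory stand-in for a preference store (hypothetical, for illustration)."""
    accounts: set = field(default_factory=set)   # account IDs that opted out
    devices: set = field(default_factory=set)    # device IDs that opted out
    links: dict = field(default_factory=dict)    # device_id -> account_id

    def record_opt_out(self, device_id, account_id=None):
        """Record the opt-out on the device and, when known, on the account."""
        self.devices.add(device_id)
        if account_id is not None:
            self.accounts.add(account_id)

    def may_sell_or_share(self, device_id, account_id=None):
        """False if the device, the session account, or the linked account opted out."""
        if device_id in self.devices:
            return False
        owner = account_id or self.links.get(device_id)
        return owner not in self.accounts


def handle_request(store, headers, device_id, account_id=None, account_wide=True):
    """Treat `Sec-GPC: 1` as an opt-out, then report whether sharing is allowed.

    account_wide=False reproduces the narrow, device-only handling so the
    audit below has something to catch.
    """
    if account_id is not None:
        store.links[device_id] = account_id
    # HTTP header names are case-insensitive; GPC defines the value "1".
    normalized = {k.lower(): v.strip() for k, v in headers.items()}
    if normalized.get("sec-gpc") == "1":
        store.record_opt_out(device_id, account_id if account_wide else None)
    return store.may_sell_or_share(device_id, account_id)


def devices_still_sharing(store, account_id):
    """Audit: linked devices where sale/sharing would still be permitted."""
    return sorted(d for d, a in store.links.items()
                  if a == account_id and store.may_sell_or_share(d))
```

After any opt-out on a logged-in account, `devices_still_sharing` should return an empty list; a non-empty result is the cross-device gap described above.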
Real-World Experiences and Practical Lessons From the CCPA Enforcement Wave
One reason these California cases feel so instructive is that they reflect what privacy teams keep running into in the real world. A company often believes it has an opt-out because one exists somewhere in the system. Then someone tests the full experience and discovers the request only works on one browser, one app environment, or one flavor of tracking. Marketing says the preference center is live. Product says the app setting is coming in the next sprint. Engineering says identity resolution is complicated. Legal says the disclosure language is technically correct. Then California arrives and gently, but not cheaply, points out that none of those excuses matter to the consumer.
Another common experience is the “consent manager mirage.” Businesses buy a vendor tool, install a banner, and assume the hard part is over. But California’s recent actions suggest regulators want proof that the machinery actually functions. If the portal fails to process a request, if a toggle does not reach every downstream recipient, or if a GPC signal is ignored because it did not match the business’s preferred workflow, the company still owns the failure. The message is simple: technology vendors are helpers, not hall passes.
Privacy teams also learn, often painfully, that user experience is now part of legal risk. A privacy request that looks clean on a desktop monitor can become absurd on a connected TV, a gaming console, or a mobile app. What seemed like a harmless extra click in design review can look like an unlawful burden in enforcement. Businesses that test rights requests in the same environments where customers actually use the service are in a much better position than businesses that rely on screenshots in slide decks.
There is also a growing recognition that data categories do not tell the whole story. A title of an article, a game profile, a viewing pattern, or an advertising segment may not sound dramatic in isolation. Yet when combined with context, those details can reveal health concerns, children’s usage, or highly personal interests. The Healthline matter especially shows how quickly “just browsing data” can turn into something regulators view as sensitive. That experience should push businesses to assess not only what data they collect, but what a reasonable observer could infer from it.
Finally, the strongest companies are learning to treat privacy operations like product operations. They inventory signals. They track defects. They test edge cases. They train staff. They monitor vendor performance. They document remediation. That may not sound glamorous, but it is far cheaper than becoming the next colorful press release. California’s settlements are not just punishment stories. They are field notes from regulators showing where modern privacy programs tend to break under pressure.
Conclusion
The California Attorney General’s latest settlement over alleged CCPA violations is a sharp reminder that privacy compliance is no longer a paperwork exercise. It is an operational discipline. The state’s message has become unmistakable: if a company says consumers can opt out, that choice must work across the places where the company actually collects, connects, sells, or shares data. If a browser signal says stop, stop means stop. If a service is used on apps and TVs, privacy controls have to function there too.
For businesses, the safest takeaway is not panic. It is honesty. Test what really happens. Reduce friction. Fix the broken handoffs between legal promises and technical reality. California is showing the market that the age of symbolic compliance is ending. The companies that adapt now will spend less time explaining themselves later, and a lot less money doing it.
