CA hits Disney with $2.75M CCPA settlement and 3-year opt-out monitoring

On 11 February 2026, Attorney General Rob Bonta announced a $2.75 million settlement with The Walt Disney Company over claims that Disney’s streaming services did not fully honor consumer requests to opt out of the sale or sharing of personal information across devices and services tied to a consumer’s Disney account.

What happened

The judge approved a Final Judgment and Permanent Injunction that both sides agreed to, so the case ended without a trial and without Disney admitting wrongdoing. Under the order, Disney must pay $2.75 million in civil penalties to the California Attorney General’s Office within 30 days of the order taking effect. The order also requires Disney to make opting out simple and quick, including honoring opt-out preference signals (like browser-based opt-out signals).

After a consumer opts out, Disney must make sure the opt-out actually stops the sale or sharing of the person’s data and stops cross-context behavioral advertising where the law requires it. When someone is logged in, the opt-out must apply across the person’s account, not just one app, one service, or one device. Disney must also send the state progress updates every 60 days until the fixes are in place, and then follow a three-year monitoring program with required reporting.
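As an added illustration (not code from the article, from Disney, or from the Attorney General's order), the following Python sketch contrasts a device-scoped opt-out store with one that honors the Global Privacy Control header and records the preference against the logged-in account, so a later request from another device on the same account is also blocked; the class and function names are hypothetical.

```python
# Added example: model of opt-out state scoped to the account rather than a
# single device, honoring a Global Privacy Control (GPC) signal. Hypothetical names.
from dataclasses import dataclass, field
from typing import Optional

GPC_HEADER = "Sec-GPC"  # request header defined by the GPC specification; "1" = opt out


@dataclass
class ConsentStore:
    opted_out_accounts: set = field(default_factory=set)  # account-level opt-outs
    opted_out_devices: set = field(default_factory=set)   # device-level opt-outs only


@dataclass
class Request:
    headers: dict
    device_id: str
    account_id: Optional[str]  # None when the consumer is not logged in


def record_opt_out(store: ConsentStore, req: Request, explicit_click: bool = False) -> bool:
    """Honor an explicit 'Do Not Sell or Share' click or a GPC signal.
    Always record the device; when logged in, also record the account so the
    preference follows the person across devices and services."""
    signaled = explicit_click or req.headers.get(GPC_HEADER) == "1"
    if not signaled:
        return False
    store.opted_out_devices.add(req.device_id)
    if req.account_id is not None:
        store.opted_out_accounts.add(req.account_id)
    return True


def may_share_device_scoped(store: ConsentStore, req: Request) -> bool:
    """The incomplete design: consults only the current device's state."""
    return req.device_id not in store.opted_out_devices


def may_share(store: ConsentStore, req: Request) -> bool:
    """Deny sale/sharing if either this device or the logged-in account opted out."""
    if req.device_id in store.opted_out_devices:
        return False
    if req.account_id is not None and req.account_id in store.opted_out_accounts:
        return False
    return True
```

The check in `may_share` is the one to run before any data leaves for an ad partner; the device-scoped variant shows how an opt-out set on a phone silently fails to cover the same account's smart TV.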

Going deeper

California’s lawsuit centers on the CCPA’s opt-out framework, mainly Civil Code § 1798.120 and Civil Code § 1798.135. The complaint alleges Disney kept selling or sharing personal information after consumers told Disney to stop, which the state ties to § 1798.120(a) and (d).

§ 1798.120 creates the substantive right to opt out of sale or sharing, while § 1798.135 supplies the operational plumbing (required notice, user-facing controls, and recognition of opt-out preference signals), so the opt-out is not a paper right that only works on one device or one service.

How this affects healthcare organizations

Enforcement materials frame incomplete opt-outs as noncompliance, especially when a company can recognize a person across services but still makes opt-outs work only on one device or one product. Healthcare systems and vendors that use identity resolution for analytics or targeted advertising may face similar scrutiny over whether ‘Do Not Sell or Share’ flows actually stop sales/sharing and cross-context behavioral advertising after an opt-out, including when an opt-out preference signal is used.

A close healthcare parallel is the California Attorney General’s July 1, 2025 enforcement action against Healthline Media LLC, which ended in a $1.55 million settlement over alleged CCPA violations tied to online tracking and opt-out failures on a health information site. Rob Bonta said investigators found Healthline failed to let consumers opt out of targeted advertising and continued sharing data with third parties even after opt-outs, including via Global Privacy Control signals, while also transmitting information that could suggest a reader had a serious health condition.

FAQs

Does the CCPA apply to HIPAA protected health information (PHI)?

CCPA generally does not apply to PHI collected by a HIPAA covered entity or business associate when that PHI is governed by the HIPAA Privacy/Security/Breach Notification Rules.

Does the CCPA exempt an entire hospital or clinic just because it follows HIPAA?

CCPA uses a data-based and context-based exemption, not a blanket healthcare company free pass.

Does CCPA exempt business associates?

CCPA’s health exemption covers PHI collected by a business associate under HIPAA and pulls HIPAA definitions for business associate, covered entity, and PHI into the exemption section.