The $2,750,000 Identity Gap: Lessons from the 2026 CCPA Streaming Service Settlements
On February 11, 2026, the California Attorney General announced a $2.75 million settlement with Disney for failing to implement valid opt-out methods. This is the largest enforcement action to date under the California Consumer Privacy Act (CCPA).
The settlement highlights a significant $2,750,000 Identity Gap: the failure to match sophisticated consumer identity tracking with equally robust privacy measures.
Read about this $2.75 million settlement to learn the lessons of the 2026 CCPA settlements, the common identity verification mistakes that lead to CCPA violations, and how to balance privacy and security when verifying consumers.
Disney’s $2.75M CCPA Settlement: the Case
On February 11, 2026, the California Attorney General announced a $2.75 million settlement with Disney, marking it the largest CCPA penalty to date. The investigation revealed that Disney's streaming services (Hulu, ESPN+, Disney+) violated privacy laws by failing to honor user requests to opt-out of the sale or sharing of their Personal Information.
Key aspects of the settlement:
- Failed opt-out mechanisms
Disney's opt-out processes were fragmented and ineffective. Opt-out toggles applied the opt-out request only to a single device or service, rather than universally across the user’s entire account. Opt-out forms only stopped the sharing of personal data through the company’s own advertising platform, while third-party data sharing used for advertising continued.
- Persistent data sharing
Connected TV streaming apps didn’t offer an in-app opt-out, directing consumers to a web form instead. Even after users requested to opt out, Disney continued to share consumer data with third-party advertisers.
- Disregard for Global Privacy Control (GPC)
Disney failed to consistently honor GPC signals, a browser setting that automatically communicates a user's choice to opt out of tracking across devices and apps. Opt-outs were limited to the single device the consumer was using, even when the consumer was logged into their account.
On February 11, 2026, the California Attorney General announced a settlement with Disney, requiring the company to:
- Pay $2.75 million in civil penalties, and
- Implement functioning opt-out methods that fully stop the sale or sharing of consumers’ Personal Information.
Notable CCPA Enforcement Settlements in Recent Years
The Disney case in 2026 is not an outlier. There have been many high-profile California Consumer Privacy Act enforcement settlements, and their number has grown over the last several years. These cases show that regulators are focusing on broken opt-out mechanisms, failure to honor Global Privacy Control signals, improper data sharing, children’s privacy, tracking technologies, and misleading disclosures.
The California Attorney General announced several high-profile CCPA settlements in recent years. CCPA enforcement actions include:
- General Motors (2026), $12.75 Million
General Motors recently reached a $12.75 million settlement under the CCPA. This is currently the largest publicly announced CCPA settlement. The Attorney General alleged that General Motors collected and sold drivers’ geolocation and driving behavior data through its OnStar services without obtaining proper consent. The data was reportedly shared with data brokers and insurance-related companies.
- The Walt Disney Company (2026), $2.75 Million
The California Attorney General announced a $2.75 million settlement with Disney to resolve alleged CCPA violations. Opt-out requests were not consistently applied across Disney+, Hulu, and ESPN+. Disney shared consumer data with third parties for advertising purposes but failed to provide functional opt-out mechanisms.
- Healthline Media (2025), $1.55 Million
Healthline used tracking technologies that could reveal sensitive health conditions, shared this data with third parties, and failed to implement functioning opt-out mechanisms.
- Jam City (2025), $1.4 Million
Jam City allegedly failed to provide opt-out mechanisms in mobile apps and shared the data of teens aged 13–15 without obtaining affirmative opt-in consent.
- Sling TV (2025), $530,000
The opt-out process was difficult and confusing. Sling TV failed to provide in-app privacy controls. The company also failed to provide sufficient privacy protections for children.
- Tilting Point Media (2024), $500,000
Tilting Point Media violated the CCPA by collecting and sharing children’s data without obtaining proper parental consent in a game based on SpongeBob SquarePants.
- DoorDash (2024), $375,000
DoorDash shared customer data with third parties for marketing purposes without notifying users or providing an opt-out option.
- Sephora (2022), $1.2 Million
This was the first public CCPA enforcement action. Sephora failed to disclose that it sold personal information and ignored Global Privacy Control signals.
What the 2026 CCPA Streaming Service Settlements Revealed
In 2026, several major streaming platforms agreed to pay a combined $2.75 million to settle allegations of misleading disclosures and improper data sharing. They failed to implement valid consumer identity verification: the companies either asked for too much personal information before processing consumer requests or failed to verify identities correctly.
Consumer identity verification is a crucial step for privacy compliance.
The 2026 settlements sent a clear message: regulators are focusing on how companies perform identity verification processes, especially when sensitive personal information is involved.
Read more about the differences between age gating and age assurance, and how to identify consumers correctly.
Persistent data sharing with third parties was another big issue. For streaming services, data sharing is especially important because they collect large volumes of viewing history, payment details, device identifiers, and behavioral data.
Recent CCPA settlements show several key enforcement trends that regulators are focusing on:
- Misleading opt-out mechanisms.
- Failure to honor Global Privacy Control signals.
- Improper use of tracking technologies.
- Sensitive data misuse (health, location, driving behavior).
- Sharing children’s and teens’ data without notifying users or providing an opt-out option.
- Cross-device and cross-platform identity resolution.
- Misleading privacy disclosures.
Note that these lessons apply to many industries, including streaming services, health services, fintechs, SaaS platforms, ecommerce stores, mobile apps, and other online services.
The $2.75 Million Identity Gap Explained
The phrase identity gap refers to the disconnect between two opposing obligations: consumer identity verification and the data minimization principle.
CCPA identity requirements and privacy obligations set opposing requirements for information collection, including:
- Reliably identifying consumer identity.
- Collecting only the minimum amount of information necessary.
Many organizations require consumers to provide too much information during verification. They ask for government IDs, full addresses, phone numbers, or copies of utility bills, even when simpler methods would be sufficient.
Others go in the opposite direction by not requiring sufficient information for consumer identification. They often approve requests based on an email address alone, without verifying whether the requester actually controls the account. That could lead to identity theft.
Both approaches create legal risk.
Under the CCPA, businesses must use a "reasonable" method for consumer identity verification. The reasonable method depends on the type of request and the sensitivity of the data involved.
The $2.75 million identity gap is a clear example of what happens when companies fail to strike that balance.
How Streaming Services Violated CCPA Identity Requirements
The core of the violation was not a data breach, but a technical and legal disparity in how streaming services handled consumer identity verification. There was a disparity between advertising and privacy, and it was too difficult for users to exercise their rights.
There are several key issues where the Walt Disney Company violated the California Consumer Privacy Act:
1. The identity gap
The core violation was Disney's asymmetrical use of identity data. The regulators found that while Disney’s advertising technology was highly sophisticated at identifying and linking users across all their devices (Smart TVs, laptops, and phones) for targeted ads, its privacy systems were fragmented.
If you logged into a Disney+ account on different devices, the company knew you were the same person. However, when you opted out of data sharing on your phone, other devices didn’t honor that choice.
Under the CCPA, if a business has the technical capability to link a consumer’s identity across platforms for advertising, it must apply that same identity resolution to honor an opt-out request across these platforms.
2. Difficult and inefficient opt-out process
Regulators found that it was far too difficult for users to exercise their right to opt out of the sharing of personal data.
The process was fragmented and involved up to 10 separate steps to stop data sharing across the entire Disney ecosystem.
Opting out of third-party data sharing required unnecessary verification steps. For example, some platforms required logged-in users to re-verify their identity or provide additional personal information just to opt out. Under the CCPA, such excessive verification is explicitly forbidden if the user is already authenticated.
3. Failure to honor GPC Signals
In 2026, the Global Privacy Control (GPC) signal is a mandatory legal requirement under the CCPA. GPC communicates the consumer’s choice by sending a "Do Not Sell/Share My Data" request.
The regulators found that Disney and other streaming services were ignoring these browser-level signals. Opt-outs were limited to a single device the consumer was using, even when the consumer was logged into their account.
The settlement mandated honoring the GPC signal. If a user is logged in, a GPC signal must be applied to the user's entire profile, not only to the device that sent it.
In other CCPA investigations of streaming services, violations involved several common mistakes in consumer verification.
Some streaming services requested excessive documentation when executing user rights. For example, upon deletion requests, consumers were asked to provide more information than the business already had.
Others relied on weak verification methods. In some cases, a person could obtain account information by just providing an email address. Thus, unauthorized individuals could gain access to other users’ data.
In conclusion, regulators pointed out the following CCPA violations of streaming services in recent years:
- Excessive barriers when trying to exercise user rights.
- Insufficient verification methods.
- No documented verification policies.
- Inconsistent handling of requests across devices.
- Limited employee training.
- Weak audit trails.
Lessons Businesses Can Learn from the 2026 CCPA Settlements
The $2.75 million Disney settlement in February 2026 and the Smith & Wesson Broken Banner case have collectively redefined the legal definition of consent. It’s no longer enough to have a banner; the banner must honor user choices. Businesses must implement robust verification processes.
Here are the core critical lessons businesses must learn from the 2026 enforcement cases.
1. The Symmetry of Identity rule
The biggest takeaway from the Disney settlement is what regulators call Identity Symmetry. If a marketing team uses tools sophisticated enough to link a user across multiple devices for personalized ads, the business must respect that user's privacy choices throughout their account as well.
Disney was able to identify users across the entire Disney platform for targeting but failed to respect user privacy choices across platforms. Even logged-in users needed to opt out device by device.
2. Businesses must honor Global Privacy Control signals
In 2026, the Global Privacy Control (GPC) signal is a mandatory legal requirement, signaling consumers’ "Do Not Sell/Share My Data" request.
A browser GPC signal is legally equivalent to a user clicking "Reject All."
Thus, your CMP must detect the `Sec-GPC` header on the first request and block all tracking before consent.
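The two rules above, a `Sec-GPC` header treated as a "Do Not Sell/Share" request and an opt-out made while logged in propagated to the whole account rather than one device, as an added example that is not code from the article or from any CMP vendor. The in-memory stores, the request shape and the function names are assumptions; the audit record it appends is the kind of proof of opt-out handling the settlement expects.

```javascript
// Added example (hypothetical names): request-time opt-out resolution that
// honors Sec-GPC, applies the choice account-wide for logged-in users, and
// records every decision.
const accounts = new Map();        // accountId -> { optedOut, devices: Set<deviceId> }
const deviceOptOuts = new Set();   // opt-outs from anonymous (not logged-in) devices
const auditLog = [];               // append-only record of every decision

// Sec-GPC is a request header whose defined value is "1". Header names are
// case-insensitive, so compare them lower-cased.
function gpcPresent(headers) {
  const hit = Object.entries(headers).find(([k]) => k.toLowerCase() === 'sec-gpc');
  return hit !== undefined && String(hit[1]).trim() === '1';
}

// Decide, for one request, whether sale/share tracking may run, and record why.
// `explicitOptOut` models a click on the site's own opt-out control.
function resolveOptOut({ headers = {}, deviceId, accountId = null, explicitOptOut = false }) {
  const source = explicitOptOut ? 'opt-out control' : gpcPresent(headers) ? 'Sec-GPC' : 'none';
  const signalled = source !== 'none';
  let scope;
  let optedOut;

  if (accountId !== null) {
    // Logged in: the identity is known, so the choice belongs to the account
    // and every device that uses it (identity symmetry).
    const acct = accounts.get(accountId) ?? { optedOut: false, devices: new Set() };
    acct.devices.add(deviceId);
    if (signalled) acct.optedOut = true;
    accounts.set(accountId, acct);
    scope = 'account';
    optedOut = acct.optedOut;
  } else {
    // Anonymous: the only identity available is the device itself.
    if (signalled) deviceOptOuts.add(deviceId);
    scope = 'device';
    optedOut = deviceOptOuts.has(deviceId);
  }

  const decision = {
    at: new Date().toISOString(),
    deviceId,
    accountId,
    source,
    scope,
    allowTracking: !optedOut,
  };
  auditLog.push(decision);   // the record regulators ask for during an investigation
  return decision;
}

// Devices currently known for an account, so the opt-out can be pushed to each.
function devicesCoveredBy(accountId) {
  return [...(accounts.get(accountId)?.devices ?? [])];
}
```

Call `resolveOptOut` before any tracking tag is emitted; a `false` `allowTracking` means the sale/share pipeline must be skipped for that response.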
3. Businesses must implement frictionless opt-out processes
Rejecting tracking should be as easy as accepting it.
If it takes more clicks to "Reject" than to "Accept," or you ask consumers to provide excessive data when they want to opt out, your consent is legally void.
In Disney’s case, regulators criticized streaming services for multi-step verification processes where logged-in users were forced to re-verify their identity or navigate complex menus to stop data sharing.
Businesses should implement a one-click opt-out method and should not require users to log in repeatedly to exercise their right to opt out.
4. Partial compliance is not enough
The Smith & Wesson case teaches us that having a banner that works "most of the time" is legally a non-compliant banner.
5. Businesses must record user consent
Honoring user choices regarding tracking is not enough. Businesses must have proof of opt-out requests and of their implementation. Keep records of each request and verification decision.
Note: A verification workflow that was sufficient two years ago may no longer meet CCPA regulatory expectations.
What Counts as a Valid Consumer Identity Under CCPA
The verification process should sufficiently identify consumers without collecting unnecessary personal information. There should be proportionality between privacy risk and verification processes.
There is no single universal method of consumer identity verification under the CCPA.
Instead, businesses must use commercially reasonable efforts, based on the context, to fulfill the CCPA identity requirements.
Examples of acceptable consumer identity verification under CCPA include:
- Logging into an existing account.
- Clicking a verification link sent to a registered email address.
- Confirming information already on file.
- Completing multifactor authentication.
Higher-risk requests may require stronger CCPA consumer request verification.
For example, a request for specific purchase history or viewing behavior may need additional confirmation steps.
Common Identity Verification Mistakes That Lead to CCPA Violations
When performing CCPA consumer request verification, most compliance failures come from a few repeated mistakes, including:
- Using weak verification controls
Some companies approve consumer requests based only on an email address. Such a practice can expose personal information to unauthorized parties.
- Making opt-out a multi-step process
Rejecting tracking should be as easy as accepting it. Businesses should implement a one-click opt-out method and should not require users to log in repeatedly to exercise their right to opt out.
- Fragmented opt-out process
If a company is able to identify users across the entire platform and across devices for targeting, it must also respect user privacy choices on every device (phone, laptop, and Smart TV).
- Applying the same privacy requirements to every request
Collecting user data for marketing and deleting an account do not carry the same level of risk. Consumers must be able to delete their accounts without providing additional information already collected by the business.
- Failing to document decisions
Businesses must record user consent and the company’s decisions as proof of compliance. Without records, it is difficult to demonstrate compliance during an investigation.
- Collecting excessive data
Privacy laws, including the CCPA, require respecting the data minimization principle. Data minimization under the CCPA means businesses shouldn’t collect information that isn't necessary for a specific purpose. For example, consumers don’t need to provide additional identity information just to delete their account. Requesting a driver's license or passport when an email confirmation would suffice is also a common issue.
- Retaining verification data too long
To reach CCPA compliance, don’t store copies of IDs and other sensitive documents indefinitely. Delete verification data when it is no longer needed.
How to Balance Privacy and Security When Verifying Consumers
To balance privacy and security, use the least intrusive and proportionate method. For most account-based services, email confirmation is often enough. For more sensitive requests, you may need stronger authentication, such as zero-knowledge verification or progressive assurance.
This is the Privacy-Security paradox. To comply with laws, such as California’s CCPA, the Maryland Kids Code, or the 2026 COPPA amendments, businesses must verify users; however, if they ask for too much personal information, they could be fined for excessive data collection.
Balancing privacy and security requires shifting from data collection to data attestation. This could help to avoid CCPA privacy violations.
1. Use zero-knowledge verification
Zero-Knowledge Proofs (ZKP) are the gold standard in 2026 for verifying consumer identity.
In April 2026, the European Commission launched the EU Age Verification App, deployed to protect children online and help companies to comply with privacy standards.
This free, open-source tool allows users to verify their age once via a government ID. The app determines user’s age and sends a secure signal to a company "This user is over 18."
Instead of collecting passport details, birthdate, or other sensitive data, a company receives only a cryptographic "Yes/No" token.
Since you never possess sensitive data, your liability in a data breach is zero.
2. Deploy progressive assurance
For age verification, use a tiered approach based on risk.
- Tier 1 (low risk): Use AI Facial Age Estimation (e.g., Yoti). These AI tools estimate age based on a selfie without identifying the person. No ID is required, and the image is immediately deleted after verification.
- Tier 2 (medium risk): Use verified metadata, such as mobile ID or a bank-verified token.
- Tier 3 (high risk): This is often needed in financial services. Employ full Video KYC with liveness detection.
3. Follow the FTC 2026 guardrails
On February 25, 2026, the FTC issued a Policy Statement that granted enforcement discretion to companies using age-verification tech, but only if they follow these strict rules:
- Purpose limitation
Don’t use verification data for marketing, profiling, or training your AI.
- Prompt deletion
Once you receive the signal "This user is over 18," the raw document image must be immediately deleted from your systems.
- Confidentiality
If you use a third-party verifier, you are legally responsible for auditing their security.
How Consent Management Platforms Support CCPA Compliance
A Consent Management Platform (CMP) does more than collect Cookie Consent.
Modern CMPs help businesses manage consumer privacy requests, display cookie banners based on user location, maintain audit logs, and support compliance workflows.
Platforms such as CookieScript can help organizations:
- Display a Cookie Consent banner or cookie popup on your website.
- Give users full control to accept, decline or change cookie settings on the banner.
- Customize the banner for desktop and mobile devices for accessibility.
- Show cookie table (with name, type, purpose and duration) for full disclosure of cookies.
- Show a cookie banner based on user's location.
- Show the auto-translated banner to users as per their browser language.
- Auto-block third-party cookies till the user gives consent.
- Add a callback widget for the banner so users can revoke consent at any time.
- Generate a Cookie Policy with detailed disclosure of cookie use and link it to your Cookie Banner.
- Scan your website for cookies to auto-update your cookie list and Cookie Policy.
- Generate audit-ready consent logs.
CookieScript also offers affordable pricing. You can get a fully compliant consent management tool for as little as €8 per month per domain for basic features, or €19 per month per domain for full compliance.
You could also try the 14-day free trial.
Frequently Asked Questions
What happened in Disney’s $2.75 Million CCPA settlement case?
On February 11, 2026, the California Attorney General announced a $2.75 million settlement with Disney, marking it the largest CCPA penalty to date. The investigation revealed that Disney's streaming services (Hulu, ESPN+, Disney+) violated privacy laws by failing to honor user requests to opt out of the sale or sharing of their personal information. Use CookieScript CMP to handle user requests; it delivers the right balance of compliance, affordability, and ease of use.
What are recent CCPA key enforcement trends that regulators are focusing on?
Recent CCPA settlements revealed these privacy enforcement trends: misleading opt-out mechanisms, failure to honor Global Privacy Control signals, improper use of tracking technologies, sensitive data misuse, sharing children’s and teens’ data without notifying users or providing an opt-out option, cross-device and cross-platform identity resolution, and misleading privacy disclosures. Use CookieScript CMP to ensure CCPA compliance. It was ranked by users as the best CMP on G2.
What does the identity gap in 2026 CCPA settlements mean?
The phrase identity gap refers to the disconnect between two opposing obligations: CCPA identity verification and the data minimization under CCPA. Companies have two opposing compliance obligations: reliably identifying consumer identity and limiting data collection only to what is necessary. Use CookieScript CMP to ensure CCPA compliance. It was ranked by users as the best CMP on G2.
How did Disney's streaming services violate CCPA identity requirements?
The core of Disney’s $2.75M CCPA violation was not a data breach, but a technical and legal disparity in how it handled consumer identity verification. Disney's streaming services used sophisticated technical means to link a consumer’s identity across platforms for advertising, but they failed to protect users' privacy: it was too difficult for users to exercise their rights. Use CookieScript CMP to comply with the CCPA and avoid violations.
How to balance privacy and security when verifying consumers?
To balance privacy and security, use the least intrusive and proportionate method. For most account-based services, email confirmation is often enough. For more sensitive requests, you may need stronger authentication, such as zero-knowledge verification or progressive assurance. Use CookieScript CMP to manage user consent and avoid CCPA violations.
What are common identity verification mistakes that lead to CCPA violations?
Most CCPA compliance failures during identity verification come from a few repeated mistakes, including using weak verification controls, making opt-out a multi-step process, using a fragmented opt-out process, applying the same privacy requirements to every request, failing to document decisions, collecting excessive data, and retaining verification data too long. Use CookieScript CMP to avoid CCPA violations.