On February 11, 2026, the California Attorney General announced a $2.75 million settlement with Disney, then the largest penalty in the history of the California Consumer Privacy Act (CCPA).
There was no breach or stolen database behind this enforcement action. Regulators fined the company because customers’ choices were not properly honored.
For any enterprise running consent and preference management across disconnected systems, the case is the clearest account yet of what fragmented preference management costs. It also held the record for less than three months, which tells you where enforcement is heading.
Anatomy of a Stranded Preference
Preference management is the practice of capturing, storing, and enforcing a person’s choices about how their data is used and how they are contacted, across every system and channel that handles their data.
The Disney investigation is a case study in what happens when the “enforcing” part fails.
Investigators found a defect that repeated across every opt-out route. When a consumer used an opt-out toggle in one streaming app, the choice applied only to that service, and often only to that device, even when the person was logged into an account spanning Disney+, Hulu, and ESPN+.
The web opt-out form stopped some data sharing. However, some data was still being “sold” to third-party advertising partners. And Global Privacy Control (GPC) signals were honored only on the specific device transmitting them, even for logged-in users.
Every route captured the consumer’s choice, but none properly communicated it.
The Standard Regulators Now Apply
The Disney complaint should concern every multi-brand enterprise.
Disney linked devices and identities effectively when targeting consumers with advertising, yet failed to apply that same linking when consumers exercised their opt-out rights.
The principle is simple: If your systems can recognize a person across devices and services in order to monetize them, regulators expect you to recognize the same person when they tell you to stop.
The settlement turned that standard into binding obligations. Disney must now:
- Honor opt-outs across all streaming services associated with an account
- Place a functioning opt-out inside every app
- Confirm to consumers that their request was processed
- Report its progress to the attorney general’s office every 60 days under court oversight
These settlement terms indicate what privacy regulators broadly expect from all organizations under the CCPA.
Preference Management Has to Travel as Far as the Data
The lesson from this run of enforcement is about architecture.
Capturing a preference at the point of interaction is the easy part; the compliance risk lives between the choice being recorded and the data being sold, shared, or activated.
- A preference center bolted onto each brand, app, or channel will keep producing stranded choices, because nothing connects one instance to the next.
- A preference management platform built around a single record of each person’s choices, enforced in real time wherever their data flows, closes the gap.
Gartner’s Market Guide for Privacy UX points in the same direction, recommending that consent and preference management be unified in one platform and synchronized across every touchpoint. The enforcement record has turned that from an efficiency argument into a deadline.
Disney’s settlement began with a consumer pressing an opt-out toggle that clearly indicated their preference. But the choice failed to travel to the relevant places in Disney’s systems.
How far would a choice made in your own systems travel today? Because California regulators have already started checking.