On February 11, the California Attorney General announced a $2.75 million settlement with Disney, resolving allegations that the company violated the California Consumer Privacy Act (“CCPA”) by failing to fully effectuate California consumers’ requests to opt out of the sale or sharing of their personal data across all devices and streaming services associated with their accounts. This is the CA AG’s largest CCPA settlement to date, and the second (after Sling TV) that stems from the agency’s investigative sweep into streaming services.
The Final Judgment and Injunction (the “Order”) focuses on alleged deficiencies in each of Disney’s opt-out methods and reiterates the office’s expectation that opt-outs submitted by logged-in users must take effect across all devices, brands, and services controlled by the business.
The Complaint
The Attorney General’s Complaint alleges that when logged-in consumers attempted to opt out through a toggle on one of Disney’s websites or apps, Disney applied the request only to that specific website or app, and often only to the specific device the consumer was using. The CA AG characterized this as a “disjointed opt-out system” that required the consumer to opt out several times, implying that the CA AG expected Disney to engineer a single opt-out for all of Disney’s services.
The CA AG also claimed that certain Disney TV streaming apps did not provide an in-app opt-out mechanism, instead directing consumers to the company’s opt-out webform. The Complaint alleges that when logged-in users opted out through Disney’s webform, Disney did stop selling and sharing personal data through its own advertising platform and offerings, but did not stop selling to or sharing with third-party companies embedded in websites and apps. Similarly, when a logged-in consumer opted out through the Global Privacy Control (“GPC”), an opt-out preference signal that businesses are required to accept under the CCPA, Disney limited the request to the specific device in use.
The Settlement
In addition to the monetary penalty, the settlement imposes a number of injunctive terms, many of which appear to go beyond the scope of the CA AG’s allegations in the Complaint.
- Opt-Outs (Logged-In Users): Disney must effectuate opt-out requests from logged-in consumers across all Disney streaming services associated with their Disney account.
- Opt-Outs (Non-Logged-In Users): For consumers who submit an opt-out request but are not logged in or do not have a Disney account, Disney must inform the consumer that it may be necessary to log in, or request the consumer provide the minimum amount of personal information, to process the opt-out fully. For consumers who do not have a Disney account, choose not to log in, or who do not provide necessary additional information, Disney must treat the opt-out request as a request to opt-out of the sale or sharing for the browser, application, or device and any consumer profile that Disney associates with that browser, application, or device, including pseudonymous profiles maintained by Disney in connection with selling, sharing, or cross-context behavioral advertising.
- Opt-Out Links in Streaming Services: Disney must provide a clear and conspicuous opt-out link within all Disney streaming services that either (a) effectuates the consumer’s choice to opt out, or (b) directs the consumer to the notice of right to opt out of sale and sharing. The notice must be easy to access and must include an easy-to-use opt-out method, such as a toggle or check box.
- Notice of Right to Opt Out: Disney’s Notice of Right to Opt Out must be “formatted and designed to fit and scale to the web browser, application, or device where it is provided, and shall not require a consumer to unnecessarily search or scroll through text… or use hard-to-find-links, unlabeled carets, arrows, or other hidden menu icons, that add unnecessary steps and may be unclear.”
Broader Implications of Settlement
The Order implies that companies whose consumers may log in to their accounts across multiple channels must create a universal opt-out tied to that account. The Order does not, on the other hand, require that companies treat their logged-out users in the same manner – for instance, by creating a “probabilistic” identity graph that seeks to detect and link cross-channel identities.
But it is nonetheless difficult for many companies to architect back-end, server-based connectivity between and across all content and retail channels, for instance, between a browser (e.g., reading a GPC signal) and other disconnected databases. Companies will need to build this connectivity in some cases. Consent management platforms offer certain helpful tools, which provide a front layer of compliance, but they often require testing and legal assessment as well as back-end architecture to connect multiple databases, as well as a careful review of the language shown to consumers.
In turn, this potential operational difficulty is a factor that companies should consider when they assess whether to maintain certain affiliates or divisions as separate entities. The CA AG has not gone so far as to suggest that separate, albeit affiliated, entities must coordinate their opt-out processes, particularly if those entities are not commonly branded and if they otherwise follow “do not sell/share” protocols when they exchange personal information with each other. Thus, maintaining companies as independent corporate structures and “businesses” under the CCPA may provide an element of relief from onerous architecting and coordination of opt-outs and other consumer requests. However, given the CA AG’s consideration of Disney Streaming Services to include Hulu, ESPN, and Disney, the agency likely expects co-branded affiliated entities to coordinate opt-out processes.
Conclusion
Businesses should assess their opt-out processes for compliance and consider whether consumer opt-out requests are limited to the specific device or service in use. Through the SlingTV and Disney enforcement actions and settlements, the CA AG has made clear that in its view, CCPA compliance includes effectuating consumer opt outs across devices and services. And with the beginning of a new investigative sweep into retail, grocery, and hotel sectors, businesses should be prepared for compliance inquiries.