Disney’s Record CCPA Settlement and How Your Business Can Live Happily Ever After

Wyrick Robbins Yates & Ponton LLP

Earlier this month, the California Attorney General (“AG”) announced a $2.75 million settlement with Disney to resolve allegations that Disney violated the CCPA and California’s unfair competition statute by failing to provide CCPA-compliant opt-out mechanisms. The settlement payment is a record for a CCPA-based enforcement action.

The complaint accompanying the settlement targets alleged gaps in Disney’s implementation of opt-out mechanisms and presents a cautionary tale for businesses relying on third-party opt-out software. This post examines the Disney settlement and offers steps your organization can take to evaluate and align its opt-out mechanisms with the CCPA’s requirements.

Disney’s Targeted Advertising Activities

The AG’s complaint alleged that Disney engaged in two categories of cross-context behavioral advertising activities involving its Disney+, Hulu, and ESPN+ platforms. The first is targeted ads delivered by Disney as an advertiser, where Disney discloses user data to third-party ad-tech platforms to deliver Disney ads. The second is ads published on Disney platforms, in which Disney combines its user data with information licensed or purchased from data brokers and other third parties to create audiences for advertisements delivered on Disney platforms.

Although Disney offered various opt-out mechanisms across its platforms, the AG described those mechanisms as “disjointed” and as having “key gaps that obstructed the ability of consumers to completely opt-out of and stop all sales/sharing of their data.” Examples of the alleged gaps include:

  • Opt-out requests submitted through a website form only applied to advertisements on Disney platforms and did not stop disclosures to third parties in connection with the delivery of Disney ads on third-party platforms.
  • Consumers who used an opt-out preference signal or an opt-out toggle available on a brand’s streaming app or website were (1) only opted out of data disclosures to third parties in connection with Disney AdTech Partner Activity and (2) only opted out for the relevant app or website rather than across all Disney platforms, even where the consumers were logged into a Disney account.
  • Disney did not provide an in-app opt-out mechanism on its connected TV streaming apps and instead directed users to visit Disney’s website webform. The AG alleged an opt-out submitted via that webform “would have no impact on the embedded code that transferred personal information from these connected TV streaming apps to its ad-tech partners” and effectively meant Disney connected TV apps provided no effective opt-out mechanism.

The AG alleged that these gaps resulted in several CCPA violations, including selling or sharing personal information contrary to consumers’ opt-out preferences, failing to respect opt-out preference signals, failing to provide easily-executable opt-out mechanisms involving minimal steps, and failing to provide opt-out mechanisms that reflect how Disney interacted with consumers (i.e., through connected TV streaming apps).

The AG also alleged that Disney’s deficient opt-out mechanisms and related representations deceived consumers and therefore violated California’s unfair competition statute.

Lessons Learned

Businesses should consider the following steps and lessons to evaluate their own opt-out mechanisms and other privacy rights enablement tools.

  1. Review “Off-the-shelf” Opt-out Tool Implementation. Disney cited “vendor and technological challenges” as the cause of its opt-out mechanism gaps. The settlement underscores, however, that such challenges, even if common for businesses using off-the-shelf tools across multiple platforms, do not excuse non-compliance with the CCPA. Businesses should therefore review any third-party tools they rely on to effectuate opt-outs and adjust their configurations as necessary to ensure: (1) that the tools effectively stop all sales and sharing of personal information for cross-context behavioral advertising with as few steps as possible and (2) that opt outs apply across all websites, apps, and platforms the consumer interacts with.
  2. Audit Privacy Rights Implementation and Response. Businesses should periodically submit mock opt-out and other privacy rights requests through the channels they make available to consumers to test the consumer experience and validate backend response processes. These audits can be crucial, as ineffective privacy rights implementation has recently become a common theme in state privacy law enforcement actions.
  3. Make Opt-out and Privacy Rights Mechanisms Simple to Use. The complaint criticized Disney’s opt-out processes as requiring consumers to “jump[] through hoops” and emphasized that a user should only have to submit a single request to effectively opt out of all Disney cross-context behavioral advertising across platforms. The AG’s press release also included quotes from Attorney General Bonta stating that “[a] consumer’s opt-out right applies wherever and however a business sells data—businesses can’t force people to go device-by-device or service-by-service” and that making opt-out requests “should not be complicated or cumbersome.” Businesses should therefore focus on simplicity and ease of use when designing opt-out processes to mitigate the chances of regulatory scrutiny.

Conclusion

CCPA-compliant opt-out implementation is more complex than procuring and activating a third-party tool—especially for businesses with multiple online platforms. The Disney enforcement action emphasizes that vendor and technological challenges are not an excuse. Businesses should scrutinize the implementation of those tools carefully and request or create custom implementation features if necessary.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Wyrick Robbins Yates & Ponton LLP
