Lessons for Businesses From 2026's First California Privacy Enforcement Actions

Read Time: 8 minutes

Key Takeaways: In early 2026, California regulators have issued three significant enforcement actions under the California Consumer Privacy Act, with combined penalties exceeding $4.2 million. Together, these actions reveal intensifying regulatory focus on how businesses implement opt-out mechanisms, comply with opt-out preference signals, and facilitate consumer rights requests.  

In the first few months of 2026, California regulators have sent a clear message regarding opt-out mechanism enforcement under the California Consumer Privacy Act (“CCPA”). On February 11, 2026, California Attorney General Rob Bonta announced a $2.75 million settlement with Disney and ABC, marking the largest CCPA settlement to date. Shortly thereafter, in the first week of March, the Enforcement Division of the California Privacy Protection Agency (“CalPrivacy”) announced two additional CCPA enforcement actions totaling nearly $1.5 million in penalties involving Ford and PlayOn Sports.

The Disney enforcement action stemmed from an investigative sweep conducted in January 2024 targeting streaming services and connected television devices for potential CCPA violations. The PlayOn Sports action represents the first CalPrivacy decision addressing privacy violations involving students and California schools. The Ford action arose from CalPrivacy’s review of data privacy practices by connected vehicle manufacturers following a similar enforcement action brought last year against Honda.

While each of these cases involved distinct factual circumstances, a key feature in all three actions is the regulatory scrutiny surrounding opt-out mechanisms under CCPA.

Breaking Down the Alleged Violations

Disney

The core issue highlighted in the Disney complaint was that Disney can track consumers across all its streaming services for advertising purposes, but it did not apply that same capability when consumers tried to opt out of Disney’s data collection.

Specifically, the complaint alleged the following issues with regard to Disney’s opt-out mechanisms:

  • Opt-Out Toggles Were Not Sufficiently Comprehensive: When consumers used toggle settings to opt out, Disney only applied the request to that specific service and device. The toggle did not stop selling or sharing from other devices or services connected to the consumer’s account, even when the consumer was logged in.
  • Disney’s Webform Did Not Prevent Data From Being Shared With Third Parties: When consumers opted out using Disney’s webform, Disney only stopped the sharing of personal data only through its advertising platform and offerings. However, data continued flowing to third-party ad-tech companies embedded in Disney’s sites and apps.
  • GPC Signals Only Recognized On Specific Device: Global Privacy Control (GPC) is a browser signal that automatically communicates an opt-out preference. Disney only honored GPC for the specific device sending the signal, even when the consumer was logged into their account. CCPA regulations require businesses to apply GPC across a known consumer’s entire relationship with the business.
  • Connected TV Apps Did Not Offer Opt-Out: Many of Disney’s TV apps lacked any in-app opt-out mechanism, instead pointing consumers to the webform, which did not actually stop data sharing from those apps.

PlayOn Sports

According to CalPrivacy, PlayOn Sports used tracking technologies to collect personal information and deliver targeted advertisements to ticketholders and other individuals using its services. The company’s GoFan platform is the official ticketing platform for the California Interscholastic Federation (the state’s sports governing body) and is used by approximately 1,400 California schools for selling digital tickets to high school sporting events, theater performances, and other school activities.

The alleged CCPA violations included the following:

  • Forced Acceptance of Tracking Technologies: PlayOn Sports allegedly forced Californians to click “agree” to tracking technologies before they could use their tickets and provided no other option for closing the banner.
  • Improper Opt-Out Redirection: Instead of providing its own method for consumers to opt out as required by CCPA, PlayOn Sports directed users exclusively through the Network Advertising Initiative and Digital Advertising Alliance rather than providing its own mechanism.
  • Failure to Honor Opt-Out Preference Signals: PlayOn Sports allegedly failed to recognize opt-out preference signals, such as GPC.
  • Insufficient Privacy Notice: PlayOn Sports’ privacy policy had not been updated in the past year, failed to inform consumers of certain CCPA rights, and included misleading statements with respect to whether the company sold personal information, as the term is defined by CCPA.

Ford

According to CalPrivacy, Ford required consumers to take unnecessary steps to exercise certain privacy rights and was deficient in facilitating certain valid requests.

Specifically, the action alleged the following CCPA violations:

  • Unnecessary Identity Verification Requirement: Ford required consumers to complete an email verification step before they could opt out of the sale and sharing of data collected through the website and connected devices. Under CCPA, a business may not require consumers to verify requests to opt out of the sale or sharing of their information.
  • Failure to Process Certain Requests: As a result of the verification requirement, Ford did not process opt-out requests unless consumers completed the email verification step, resulting in valid requests going unprocessed.

The Settlement Terms

Disney

In addition to the $2.75 million penalty, Disney must:

  • Provide compliance updates to the Attorney General every 60 days until they are fully compliant with the CCPA;
  • Honor opt-out requests across all services linked to a consumer’s account when they’re logged in;
  • For logged-out users, either prompt them to log in or apply the opt-out at the device/browser level; and
  • Maintain a compliance monitoring program for three years.

PlayOn Sports

In addition to the $1.10 million fine, PlayOn Sports must:

  • Conduct risk assessments;
  • Provide accurate and complete disclosures for its digital properties, including website privacy policy, cookie banners, and consent management platform, that are easy to read and understand;
  • Complete quarterly scans of its website to maintain a full and current inventory of tracking tools utilized; and
  • Implement proper and functional opt-out mechanisms.

Ford

In addition to the approximate $375,000 fine, Ford must:

  • Modify its methods for consumer rights requests to ensure that opt-out requests are easy and require minimal steps;
  • Honor all opt-out requests to the extent it is able to do so within the time period required by CCPA; and
  • Conduct an audit of the tracking technologies used on its website and ensure such tools function properly to facilitate opt-out requests.

These remedial measures underscore that monetary penalties alone are not the full extent of CCPA enforcement. The ongoing reporting obligations and multi-year compliance monitoring impose significant operational burdens and continued regulatory oversight, reinforcing that California regulators are committed to ensuring substantive compliance, not just collecting fines.

Practical Takeaways

Together, these three enforcement actions provide companies with a roadmap for what California regulators expect from businesses when it comes to opt-out compliance. The following lessons have emerged from the Disney, PlayOn Sports, and Ford settlements:

  • Honor Opt-Out Preference Signals: These enforcement actions have identified failures to properly recognize universal opt-out mechanisms as a key compliance gap. This is low-hanging fruit for regulators when identifying non-compliance.
  • Opt-Outs Must Be Frictionless: Businesses cannot impose unnecessary steps on consumers seeking to exercise their opt-out rights. Email verification, multi-step processes, or other barriers not required by the law and that discourage consumers from completing the opt-out process violate CCPA.
  • Third-Party Tools Do Not Transfer Legal Accountability: Under the CCPA, businesses are responsible for honoring consumer privacy rights, even when using third-party tools. Outsourcing technical functions does not transfer legal accountability.  Disney reportedly cited “vendor and technological challenges” as a reason for its compliance missteps, but the settlement makes clear that such challenges do not excuse non-compliance.
  • Opt-Outs Must Work Across Your Entire Ecosystem: If your business can identify consumers across multiple services, devices, or platforms for advertising purposes, your opt-out mechanisms must function with equal comprehensiveness. When a consumer opts out while logged into an account, that preference should apply across all linked services and devices and not require the consumer to repeat the request multiple times.
  • Expect Increasing Technical Scrutiny: These enforcement actions reflect a trend toward technical investigation of privacy practices. Investigative sweeps have not just reviewed policies, but have been testing the adequacy of opt-out mechanisms. Businesses should assume future enforcement will involve similar technical testing and should proactively ensure their privacy controls work as intended across all platforms.
  • Risk Assessments Now Required: Beginning January 1, 2026, businesses that sell or share personal information must conduct risk assessments under the CCPA. These enforcement actions have explicitly required the businesses to conduct risk assessments and engage in ongoing governance and technical monitoring to ensure alignment between privacy promises, privacy practices, and the law.
  • Broader Implications Across Industries: These enforcement actions targeted streaming services, digital ticketing platforms, and automotive manufacturers, demonstrating that CCPA enforcement extends across diverse sectors. Any company that collects personal information and engages in data sharing or targeted advertising should view these settlements as a warning to audit their own privacy controls.

Koley Jessen is committed to staying informed about developments related to state privacy laws and will offer guidance as new information emerges. If you are unsure about your business’s compliance needs or the steps required to adhere to state privacy laws, please contact one of the specialists in Koley Jessen’s Data Privacy and Security Practice Area for expert assistance.

Special thanks to Law Clerk Ellie Johnson for her contributions to this article.

This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.

Related Services

Explore Our

Newsroom


Learn about the latest legal news, firm announcements, and upcoming events on the topics important to you and your business.

View All Insights
A close-up view of a modern bridge against a clear sky. The bridge features a sleek, curved design with an underside illuminated by warm sunlight, creating a contrast of light and shadow. The railing and cables are visible, adding to the architectural det
Jump to Page

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

trellis19