
CCPA Radar tracks publicly announced enforcement actions, settlements, and penalty decisions under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Its purpose is to provide a clear, practical view of how California regulators interpret and enforce privacy obligations in real cases.

 

The radar brings together key information on enforcement trends, including the regulator, the organization involved, the amount of the penalty, the legal basis of the violation, and the core compliance issues identified in each matter. By presenting these cases in one place, CCPA Radar helps privacy, legal, compliance, and security teams better understand which failures most often lead to regulatory action.

 

More than a list of fines, CCPA Radar is designed as a working compliance resource. It shows how regulators approach topics such as opt-out mechanisms, dark patterns, children’s data, privacy notices, vendor contracts, and the technical implementation of consumer rights. This makes it easier to translate enforcement activity into concrete lessons for internal privacy governance and risk management.

The Walt Disney Company

Penalty:

USD 2.75 million

Core issue:

Opt-out not effective across devices and streaming services

Date:

February 11, 2026

Main public findings:

California DOJ alleged that Disney failed to fully effectuate consumers' requests to opt out of sale/sharing across all devices and streaming services linked to their accounts. DOJ described the settlement as the largest CCPA settlement in California history at the time of the announcement.

Cause of the violation:

Disney's privacy controls were allegedly fragmented, so consumers had to opt out separately across services and devices even though Disney linked those services and devices for business purposes.

Recommendations:

Apply opt-out choices account-wide where accounts and devices are linked; avoid device-by-device compliance logic; map how personal information flows across services; test whether an opt-out actually stops downstream sale/sharing across the full ecosystem.

Source:
