CCPA Enforcement Takes Opt-Out Rights to "Infinity and Beyond"
May 18, 2026
Following our recent alert regarding privacy enforcement under the California Consumer Privacy Act (CCPA), the California Attorney General (AG) announced a $2.75 million settlement with The Walt Disney Company on February 11, 2026, the largest CCPA settlement to date. The settlement concerned Disney’s alleged failure to adequately honor consumers’ opt‑out requests across devices and services. While the case arose in the consumer streaming context, its implications extend well beyond entertainment and directly into other industries, including the drug and device ecosystem.
“Mickey Mouse” Opt-Outs
The AG alleged that Disney violated the CCPA by failing to fully effectuate consumers’ requests to opt out of the “sale” or “sharing” of personal information. Although Disney provided multiple opt‑out mechanisms, those mechanisms did not operate consistently across all devices or services (e.g., Disney+, Hulu, ESPN) linked to a consumer account.
“Consumers shouldn’t have to go to infinity and beyond to assert their privacy rights. Today, my office secured the largest settlement to date under the CCPA over Disney's failure to stop selling and sharing the data of consumers that explicitly asked it to,” said Attorney General Rob Bonta. The AG’s investigation identified several recurring issues:
- Failure to Propagate Across Devices: When a user opted out on one device (e.g., a tablet), the request did not carry over to other devices (e.g., a connected TV) linked to the same account.
- The "Ten-Click" Problem: Because opt-outs were fragmented by service and device, a user might have to submit up to ten different opt-out requests (one toggle or Global Privacy Control [GPC] signal request per service on each device, plus a webform) to fully stop data sharing.
- Ignoring GPC: Disney recognized GPC signals but only honored them for the specific device, rather than the user's entire account, which the AG deemed a failure to treat GPC as a universal opt-out.
Why This Matters to Medical Device Companies
Many medical device companies do much more than manufacture hardware. Their products often include mobile apps, cloud platforms, and patient engagement tools. As a result, they routinely handle personal data across multiple systems and environments, such as:
- Data moving between devices, mobile apps, and web portals
- Use of third‑party analytics tools, software development kits, or cloud vendors
- Hosting websites and providing patient education programs
The Disney settlement underscores a practical point: technical complexity is not a defense. If a company can recognize the same user across devices for purposes like product improvement, support, or analytics, regulators have signaled that they expect the company to apply that same capability when honoring an opt-out request, regardless of where or how the request is submitted.
Sale and Sharing Risks in the Device Context
Under the CCPA, “selling” or “sharing” personal information does not require traditional advertising. In the medical device space, common activities can trigger these rules without companies realizing it, including:
- Using third‑party analytics or tracking tools in companion apps or websites
- Sharing data for targeted or cross‑context advertising in patient‑facing platforms
- Sending connected device data to vendors for analytics or system optimization
These risks are easy to miss, particularly when companies offer a variety of consumer-facing tools that extend beyond the clinical setting. Companies can unintentionally step into regulated territory without the safeguards regulators expect.
What To Do Now
Medical device companies should treat the Disney settlement as an additional signpost on the roadmap for enforcement priorities and take proactive steps to reduce exposure, including:
- Mapping opt‑out pathways across devices, apps, portals, and services to confirm they operate account‑wide where appropriate.
- Testing opt‑out mechanisms, including GPC signals, to confirm they take effect across all associated devices and platforms, including websites and apps.
- Aligning identity and privacy architectures so that the same account-level view used for data collection and use can also be used to apply consumer choices.
“The AG established that a patient should not have to opt out on a device-by-device or app-by-app basis. If data moves freely across a connected device ecosystem, an opt‑out needs to move just as freely.”
Josh Arkulary, Associate Attorney
How Gardner Law Can Help
If you have questions about the CCPA’s opt-out requirements or other privacy matters, or if you need experienced counsel to help design, enhance, or implement privacy or AI governance programs, contact Gardner Law. Our attorneys have deep experience advising drug and device manufacturers of all sizes on both commercial and pre-commercial privacy, AI, and cybersecurity matters.