13 March 2026

Favoring Compliance Over Fines: What The Latest CCPA Settlement Tells Us About California Privacy Enforcement

Herbert Smith Freehills Kramer LLP

Austin Manes’s articles from Herbert Smith Freehills Kramer LLP are most popular:
  • with Senior Company Executives, HR and Finance and Tax Executives
  • with readers working within the Banking & Credit industries

The California attorney general has secured a stipulated Final Judgment and Permanent Injunction against Disney DTC LLC and ABC Enterprises Inc. resolving alleged violations of the California Consumer Privacy Act (CCPA) related to consumers' rights to opt out of the sale and sharing of their personal information.

The action focused on California consumers' rights to opt out of businesses sharing their personal information across streaming platforms, which may be owned by the same company or used by unrelated companies in cross-context behavioral advertising. That term, as defined under the statute, refers to targeted advertising based on personal information collected across distinct services, websites or applications. The attorney general alleged deficiencies in how consumers were notified of advertising practices across platforms and how they could exercise their opt-out rights.

The judgment was entered without admission of liability and without trial but imposes injunctive obligations and a $2.75 million civil penalty. This action reflects a move beyond enforcing notice and disclosure requirements in online or in-app privacy policies, focusing instead on the usability, clarity and functionality of opt-out mechanisms.

Key injunction requirements: Under the stipulated judgment, the company must implement a number of compliance measures, including:

  • Providing clear and conspicuous notice that it uses personal information for cross-context behavioral advertising, including personal information obtained from third parties. The notice must meaningfully describe the categories of data collected and direct consumers to an effective opt-out mechanism.
  • Implementing a consumer-friendly, easy opt-out process requiring minimal steps. The company must honor opt-out preference signals and ensure that a logged-in user's opt-out choice applies across all associated services tied to that account. For consumers who are not logged in, the company must at minimum apply the opt-out at the browser, application or device level, including any associated pseudonymous advertising profiles.
  • Complying with limits on "choice architecture." The company may not design cookie settings or other preference interfaces in a way that confuses consumers into believing additional steps are required to opt out of sale or sharing. The order prohibits interface designs that subvert or impair user decision-making regarding opt-out rights.
  • Notifying third parties to whom it has sold or with whom it has shared personal information when a consumer submits an opt-out request and taking reasonable and appropriate steps to ensure compliance downstream.

Ongoing compliance oversight: As with most prior CCPA settlements, this one requires periodic updates to the attorney general regarding the company's compliance measures, for at least three years following the judgment.

Within 60 days of entry, the company must provide the attorney general with progress updates regarding its compliance with the new opt-out requirements, and it is required to continue providing those updates every 60 days until full compliance is achieved.

In addition, for three years, the company must maintain a compliance program designed to assess whether its opt-out mechanisms are effective, consumer-friendly and fully implemented across all accounts, devices and services. Annual reports must be submitted to the attorney general documenting the results of those reviews.

Emerging trends in CCPA settlement amounts: The $2.75 million settlement amount is consistent with prior CCPA settlements, in which negotiated penalties remain well below the statute's maximum. The CCPA authorizes civil penalties of up to $2,633 per violation and $7,988 per intentional violation. In theory, that framework could produce staggering exposure for consumer-facing platforms. In reality, public CCPA settlements, including with Sephora ($1.2 million), Healthline ($1.55 million) and now in this matter ($2.75 million), have remained in the low single-digit millions.

The gap between statutory maximums and actual settlements reflects several practical considerations.

  • First, regulators are not pressing the outer limits of how "violations" might be counted. The CCPA's use of "per violation" could be interpreted to include multiple transactions with a single consumer. Instead, recent CCPA settlements suggest that California regulators apply the statutory penalties on a "per consumer" basis, preferring to focus on ensuring compliance over maximizing penalties.
  • Second, litigation risks and costs appear to matter. Proving the sale or sharing of personal information at trial, particularly in cross-context advertising environments, may require extensive expert analysis. A negotiated resolution that imposes operational changes may be more efficient than litigating statutory interpretations.
  • Third, injunctive relief is doing much of the regulatory work. In this case, the most consequential outcome is not the dollar amount but the mandated re-engineering of opt-out flows, account-wide propagation of consumer preferences, vendor oversight and multiyear compliance monitoring. The latter two requirements are commonly included in most CCPA settlements. These provisions do more to regulate the company's products and privacy practices than to punish the company for past conduct. From the regulators' perspective, these remedial provisions may well be more significant and beneficial to consumers than simply punishing past conduct.

Expansive interpretations and modest checks: The practical tension shown by CCPA settlements so far is that regulators can adopt broad interpretations of the CCPA, including what constitutes "sharing," what triggers cross-context behavioral advertising obligations and the statutory requirements for honoring opt-out signals across devices, while the monetary settlement amounts remain modest for large enterprises. Because settlement numbers are often economically rational, to date no potential defendants have challenged California privacy regulators' broad interpretations of the comprehensive state privacy law.[1] As a result, much of the CCPA's operational meaning is being shaped through negotiated settlements rather than court precedent.

Egregious violations and privacy-adjacent statutes may trigger higher settlement amounts: Notwithstanding the actions described above, regulators in both California and Texas have reached significantly higher settlement amounts where sensitive personal information was involved or where existing consumer protection or narrower privacy statutes were also at issue. For example, last year, the Texas attorney general announced a $1.4 billion settlement with Meta over biometric data practices related to its facial recognition photo "tagging" feature. Texas also reached a $1.375 billion settlement with Google over alleged unlawful tracking and data collection (including a consumer's location, incognito activity and biometric data) without the consumer's consent. And in 2023, the California attorney general reached a $93 million settlement with Google to resolve allegations that it deceived consumers by collecting their precise geolocations and using them for advertising purposes, even when a consumer had turned off the location tracking setting on their phone.

The Texas actions against Google referenced above were filed before the state's comprehensive privacy law took effect and therefore relied on other Texas statutes, including laws prohibiting deceptive trade practices and regulating biometric data. California's settlement with Google invoked California's false advertising and unfair competition laws, although its injunctive terms draw significant parallels to the notice requirements in the CCPA.

Footnote

1. Tractor Supply Co. challenged aspects of the California Privacy Protection Agency's investigatory authority during subpoena enforcement proceedings in state court, but the matter was resolved before reaching the merits of the case.
