The top privacy regulators from California, Colorado, Maryland, New Jersey, and Oregon joined panel presentations at February’s California Lawyers Association Privacy Summit. This conference followed the announcement of California’s privacy enforcement settlement with Disney.

We attended the summit and wanted to share highlights and key takeaways from the Disney settlement.

US State Regulators at CLA Summit

A highlight of the CLA events is the regulators’ panels, and this year did not disappoint, featuring multiple sessions with current and former regulators. We noticed an increasingly collegial and friendly attitude among the regulators; this is a group of people from five different states (with more not on stage) who are not just comfortable working together, but, based on their rapport, appear to be truly enjoying it.

There is no “Privacy Patchwork” (at least according to the regulators)

  • Privacy experts have been claiming for years that there is a “Privacy Patchwork” of complicated and conflicting state laws.
  • The regulators were having none of this. Several of them noted that there are far more fundamental similarities than differences among the state laws. One example is that your risk assessments can be multi-jurisdictional.
  • We agree that there is much overlap among the state privacy laws. Our Multi-state Substantial Compliance Assessment was built to capitalize on that overlap, reducing duplicative work and accelerating compliance efforts.

“Enforcers be enforcing!”

  • “Enforcers be enforcing!” isn’t a joke; it’s a direct quote from a regulator. It means that in their own view, enforcement efforts are increasing. The CA Attorney General said that they brought more case actions in 2025 than in all of her other years combined.
  • Regulators from states that lack the enforcement resources of CA were also busy, focusing on less public investigations and resolving consumer complaints behind the scenes, especially while their laws still include cure periods for non-compliant businesses.
  • Several regulators noted that they will use their UDAP laws to fill gaps in privacy statutes. One noted that, unlike their privacy statutes, many state UDAP laws do not have applicability thresholds.
  • We heard broad agreement that the focus on children’s data will continue, and this is not a partisan issue. All agree that more must be done to protect children from inappropriate data uses.
  • Future focus areas include: age assurance for children’s data processing; algorithmically driven (aka surveillance) pricing; social media; and ADMT/AI, especially chatbots and AI agents.

Regulators want you to get an “A” for “works and plays well with others”

  • The similarities between the state laws extend to the state practices, as the regulators agreed that they approach matters in substantially the same way.
  • The regulators’ mission is to protect consumers. Many emphasized that they read every single consumer complaint, and these complaints quite often drive larger investigations.
  • Responding to a regulator inquiry or investigation is no time to show off your Moot Court advocacy skills. Companies that think they can intimidate or bully the regulators do themselves and their clients a great disservice. The regulators want you to work collaboratively with them to resolve issues quickly, at least until it is clear that you are an enforcement target.
  • The former regulators panel emphasized that bringing your business and technical colleagues to the regulator discussions shows that you care about privacy and that you took (and will take more) reasonable steps to comply.
  • Regulator FAQs and Guidance are the best place to start when you have to respond, because you need to know what the enforcer is looking to enforce.

The fine is only the beginning of the Disney Settlement

The biggest news at the CLA event was California’s largest fine to date: $2.75 million in a settlement with Disney. That’s a significant amount, but the non-monetary, injunctive obligations are even bigger news.

If you can identify consumers across sites, apps, and devices for targeted advertising, you can opt out across them too

  • The CA regulators emphasized that they expect reciprocity: in other words, it should be as easy for a consumer to opt out across a company’s multiple services and devices as it is to recognize them across these domains. Disney must use GPC/UOOMs as one way to make things easier, even for logged-in customers.
  • Through acquisitions, Disney had created three separate networks (Disney+, Hulu, ESPN+). Disney invested in the technical capability to recognize customers across these properties from a single sign-on, but according to the complaint, Disney required up to 10 separate opt-outs across services, apps, and devices. CA is clear: they expect equal ease between data onboarding and opting out.
  • The settlement reiterates the CCPA requirement that Disney must inform third parties about relevant consumer opt-outs and direct them to comply. In addition – and this one is new in going from a MAY to a MUST – Disney must take “reasonable and appropriate steps” to ensure that such third parties use Disney’s personal information appropriately.

It’s not the fall that kills you, it’s the sudden stop at the end

  • $2.75 million in fines might not sound like much for a $94 billion-a-year company like Disney, but the total cost of defending the enforcement action and complying with its injunctive obligations may be over 10 times that amount.
  • The injunctive relief is as significant as the fine. The settlement imposes massive technical and monitoring costs upon Disney for the next three years; another panel sympathized with the difficult, non-monetary compliance obligations facing Disney as a result of this settlement.

Next Steps:

  • It is only a matter of time – and probably not much time – until the 12-state Privacy Consortium announces joint enforcement sweeps and large-scale joint actions.
  • If AdTech providers can identify and track consumers across sites, apps, accounts, and devices, they can figure out how to comply with the privacy requirements that come with that capability. This message was delivered by regulators both on-stage and off. Companies should re-evaluate asymmetric data onboarding and opt-out processes and focus on making them equally easy for consumers.
  • Can we emphasize this enough? Know what your vendors are doing and have a program that verifies their compliance. The regulators don’t buy blaming your vendor.
  • If you thought 2025 was the year of protecting children’s and minors’ data, 2026 will be more of the same; even the much-diminished FTC is getting on board with this bipartisan focus.

 

SafeGuard Privacy is not a law firm, and the information in this customer alert is not legal advice. Consult your legal counsel for advice about this information and how it may apply to your business.