Disney to Pay $10 Million for Collecting Children’s Personal Data: A Settlement Overview

Disney Worldwide Services, Inc. and Disney Entertainment Operations LLC have reached a significant settlement of $10 million to address allegations of systematically collecting personal data from children under 13, in violation of the Children’s Online Privacy Protection Act (COPPA) Rule. The U.S. Department of Justice, acting on behalf of the Federal Trade Commission, filed a lawsuit in the United States District Court for the Central District of California, Western Division. The suit accused Disney of improperly labelling child-directed content on its YouTube channels. By defaulting many videos to “Not Made for Kids,” Disney inadvertently allowed persistent identifiers to be assigned to young viewers, facilitating targeted advertising and other data-driven features that should have been disabled for children. The complaint highlighted that Disney uploaded tens of thousands of videos across over 1,250 channels, many featuring animated characters and content clearly aimed at children.

Despite YouTube’s 2019 requirement for creators to identify “Made for Kids” content to comply with COPPA, Disney’s corporate policy designated channels as either entirely child-directed or entirely not, with infrequent adjustments to individual video settings. This resulted in features such as autoplay, comments, and interactive prompts remaining active on children’s videos, leading to unauthorised data collection and targeted advertisements. The United States District Court noted patterns in Disney’s settings dashboard where the “Audience” toggle was misconfigured, resembling a stealthy payload that exploited default settings to exfiltrate user data. Although not traditional malicious code, the YouTube audience flag served as an attack vector, enabling third-party trackers to harvest persistent identifiers from minors without verifiable parental consent. The settlement requires Disney to implement a comprehensive compliance program, including automated checks of audience designations and regular third-party audits, with potential penalties for non-compliance. 

Categories: Privacy Violations, Children’s Online Safety, Corporate Compliance 

Tags: Disney, Settlement, COPPA, YouTube, Personal Data, Children, Compliance, Advertising, Privacy, Misconfiguration