California Hits Disney With Record Privacy Fine
California regulators fined Disney $2.75 million for violations related to consumer data privacy, the largest penalty of its kind to date. The settlement underscores the active enforcement of state privacy laws, which apply to any company handling consumer health data. This action sets a new precedent for digital privacy enforcement in the state.
- The investigation into Disney, initiated in January 2024, was part of a broader sweep of streaming services to check for compliance with the California Consumer Privacy Act (CCPA). Investigators found that Disney's opt-out procedures were fragmented, requiring users to manage settings on each device or service individually rather than applying the opt-out across the entire account.
- This settlement is the seventh major CCPA enforcement action by California Attorney General Rob Bonta, following actions against companies like Sephora, DoorDash, and Healthline.com.
- Under the California Privacy Rights Act (CPRA), which amended the CCPA, "sensitive personal information" now includes health data, and businesses must provide consumers with the right to limit its use and disclosure.
- For consumer health apps, data not covered by HIPAA often falls under the jurisdiction of the CCPA/CPRA, which defines personal information broadly to include data from wearables and wellness apps.
- California's Confidentiality of Medical Information Act (CMIA) is in some ways stricter than HIPAA, applying to a broader definition of "medical information" and allowing patients to sue providers directly for violations. A 2022 law extended CMIA to cover mental health digital services, including mobile apps.
- Startups in the consumer health space should practice data minimization by collecting only essential user data, implementing strong encryption for data both at rest and in transit, and using role-based access control to limit employee access to sensitive information.
- The 2023 California Delete Act, effective in 2026, will create a centralized system for residents to request the deletion of their personal information from all registered data brokers in a single request, which includes non-HIPAA health data.
- Recent major healthcare data breaches, such as the one affecting 13.4 million Kaiser Permanente patients due to third-party trackers on its website and apps, highlight the risks associated with sharing data with tech platforms for analytics or advertising.
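The two engineering points above (an opt-out that must apply account-wide rather than per device, and role-based access that limits employees to the fields they need) can be shown in a few lines. The following is an added illustration, not code from Disney, the regulator, or any project named here; class names, roles, field names and the sample record are hypothetical and constructed for the example.

```python
"""Account-wide versus per-device privacy opt-out, plus role-scoped
access to sensitive fields. Added illustration with hypothetical names."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class FragmentedOptOut:
    """Per-device store: the pattern the enforcement action found deficient.
    An opt-out recorded on one device says nothing about the others."""
    _flags: Dict[Tuple[str, str], bool] = field(default_factory=dict)

    def set_opt_out(self, account_id: str, device_id: str) -> None:
        self._flags[(account_id, device_id)] = True

    def may_share(self, account_id: str, device_id: str) -> bool:
        # Sharing is allowed unless this exact (account, device) pair opted out.
        return not self._flags.get((account_id, device_id), False)


@dataclass
class AccountOptOut:
    """Account-level store: one opt-out applies to every device and service
    tied to the account, which is the behaviour the page describes as required."""
    _opted_out: Set[str] = field(default_factory=set)

    def set_opt_out(self, account_id: str, device_id: str = "") -> None:
        # device_id is accepted for interface parity but deliberately ignored.
        self._opted_out.add(account_id)

    def may_share(self, account_id: str, device_id: str) -> bool:
        return account_id not in self._opted_out


def audit_consistency(store, account_id: str, devices) -> bool:
    """A simple compliance check: every device attached to the account must
    get the same sharing decision. Returns True when the store is consistent."""
    answers = {store.may_share(account_id, d) for d in devices}
    return len(answers) == 1


# Role-based access control for a consumer health record (data minimization).
# Roles and fields are hypothetical; a real deployment would load these from config.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "support": {"user_id", "email"},
    "care_team": {"user_id", "email", "diagnosis", "medications"},
    "analytics": {"user_id"},
}


def view_record(record: dict, role: str) -> dict:
    """Return only the fields the role is entitled to see; unknown roles see nothing."""
    allowed = ROLE_FIELDS.get(role, set())
    return {k: v for k, v in record.items() if k in allowed}


# Constructed sample data for a stand-alone run.
DEVICES = ["smart_tv", "phone", "browser"]
SAMPLE_RECORD = {
    "user_id": "u-1001",
    "email": "user@example.invalid",
    "diagnosis": "example-condition",
    "medications": ["example-drug"],
}


def demo() -> dict:
    fragmented = FragmentedOptOut()
    fragmented.set_opt_out("acct-1", "smart_tv")
    account_wide = AccountOptOut()
    account_wide.set_opt_out("acct-1", "smart_tv")
    return {
        "fragmented_phone_still_shares": fragmented.may_share("acct-1", "phone"),
        "fragmented_consistent": audit_consistency(fragmented, "acct-1", DEVICES),
        "account_wide_phone_shares": account_wide.may_share("acct-1", "phone"),
        "account_wide_consistent": audit_consistency(account_wide, "acct-1", DEVICES),
        "support_view": view_record(SAMPLE_RECORD, "support"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `audit_consistency` check is the kind of test a privacy engineer can run against a preference store in CI: if opting out on one device leaves another device still sharing, the store is fragmented in exactly the way the investigation described. The `view_record` function shows the minimization half of the recommendation, where the sensitive health fields never reach a support or analytics role at all.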