California’s Attorney General reaches $530,000 settlement with streaming service provider over CCPA opt-out failures and children's privacy

Alert
|
6 min read
F. Paul Pittman |
Hope Anderson |
Abdul M. Hafiz

On October 30, 2025, following a 2024 investigative sweep, California Attorney General Rob Bonta ("Cal AG") announced a $530,000 settlement with a company providing streaming services (the "Company") for alleged violations of the California Consumer Privacy Act (CCPA) focusing on deficient opt out mechanisms and children privacy protections. The stipulated judgment imposes detailed injunctive obligations, including app-level opt-out toggles, prohibitions on dark patterns, children's profiles that default off sale/sharing and cross-context behavioral advertising, designations for kids content, and a three-year compliance program with annual reporting. This action continues California's focus on technical functionality and user experience of opt-out rights and builds on recent settlements against Healthline, Tilting Point, and Tractor Supply.

Background and Allegations

The Company operates an internet-based live TV and streaming service delivered via a website and apps on connected living-room devices, offering both paid subscriptions and a free, ad-supported tier.  The Company engages in targeted advertising using both first-party and purchased third-party data to build enhanced audience profiles and enable cross-context behavioral advertising.  In January 2024, the Cal AG announced an investigative sweep to assess streaming services and connected TV providers' compliance with the CCPA's right to opt-out.  This settlement is a direct result of the Cal AG's investigation.

Key Violations

The Cal AG identified several significant violations in its investigation of the Company:

  1. Ineffective Opt-Out Mechanisms: The Company steered consumers to cookie preference controls via a "Your Privacy Choices" link rather than providing easy, minimal-step CCPA opt-out methods that stop cookie and non-cookie selling/sharing across devices and offline.
  2. Failure to Offer In-App Opt-Out on Living-Room Devices: The Company did not provide opt-out methods within its apps on various TV and player devices, directing consumers to the website instead, contrary to expectations that opt-outs be available where consumers use the service.  Further, the Company did not honor opt-out requests made via its website when consumers returned to watching on their living-room device via the TV app.
  3. Use of Dark Patterns and Friction in Choice Architecture: The Company used hard-to-find links and confirmatory steps that added unnecessary friction and could deter consumers from exercising opt-out rights.  Even logged-in consumers were required to complete a webform with information the Company already possessed, creating unnecessary friction and confusion about whether opt-outs were honored.
  4. Inadequate Children's Privacy Protections: The Company failed to provide kids profiles that defaulted off sale/sharing and targeted advertising, did not obtain affirmative authorization for the selling or sharing of personal information when children under 16 were likely watching (or parental consent for children under 13), did not age screen users, did not automatically disable data practices when parental controls were enabled, and inconsistently designated child-directed channels for restricted advertising treatment.

Settlement Terms

In addition to the $530,000 fine, the Company agreed to implement comprehensive remedial measures, including:

1. Notice:

  • Provide a clear and conspicuous notice informing consumers that it collects personal information of consumers from third parties, sells consumers' personal information, and conducts cross-context behavioral advertising using consumers' personal information obtained from third parties.  Additionally, the Company must inform consumers of their opt-out rights.

2. Opt-Out Mechanisms:

  • Provide prominent "Do Not Sell or Share My Personal Information" or "Your Privacy Choices" links across its websites and apps.
  • Avoid hard-to-find links, confirmation screens, or mixing cookie choices with CCPA opt-out mechanisms.
  • Minimize opt out steps by providing consumers with a simple and easy to find execution mechanism (e.g., toggle, QR code, etc.); not requiring webforms that solicit information already known to the business; and effectuate opt-out requests account-wide (i.e., across devices and browsers) for logged-in users.

3. Children and minors:

  • Allow consumers to create "kids" (or similarly named) profiles.
  • Maintain a system for programmers (defined as third parties who license content to the Company) to designate their content as made for children or minors.
  • For kids profiles and channels designated as made for children or minors, ensure that the default state is set to off for the sale/sharing of personal information and cross-context behavioral advertising.
  • For channels marked as made for children or minors, not allow advertising partners to show targeted ads using personal information about the consumer or their household.
  • At least annually, and as new channels are added, assess if any additional channels are appropriately designated as channels made for children or minors.
  • Delete children and minors' personal information that the Company has actual knowledge it has collected through the effective date.

Key Takeaways and Recommendations

This settlement provides several important insights for businesses, especially those offering streaming services and/or collecting the personal information of children:

  1. UX and "Choice Architecture" Matters. Businesses must be proactive in ensuring they are providing consumers with an easy and simple way to opt out of the selling or sharing of personal information including assessing the opt out mechanisms provided across the various ways in which consumers engage with the business (e.g., via TV, mobile app, website, etc.).  Businesses should avoid dark patterns that confuse or add friction to the user experience.  Additionally, businesses should not require consumers to complete a webform when they have logged-in to the services provided by the business.
  2. Cookie Preferences Are Not Adequate. Businesses must ensure they do not bury the CCPA opt out with other choices, like cookie preferences, that do not provide the same broad directive to stop selling or sharing data.  Businesses should clearly provide a "Do Not Sell or Share My Personal Information" or "Your Privacy Choices" link to effectuate consumer opt-outs.

  3. Children's Privacy is Paramount. Businesses must recognize, unlike the federal Children's Online Privacy Protection Act, the CCPA's definition of minor extends to children under 16 years old.  Thus, businesses must ensure they obtain affirmative consent before selling or sharing personal information of minors. 

    Importantly, the Cal AG's requirement of a business to implement a system for programmers to designate children and minor content is a novel enforcement approach which businesses should note when developing their compliance program.

    The Cal AG also noted that the Company had access to account-level data about its consumers and their households obtained from data brokers and other third-party vendors, including the presence of children under 16 years old in the household. Businesses should conduct robust data mapping of their data collection practices regardless of the data source and ensure it complies with requirements relating to children and minors' personal information.

  4. Routinely Review Privacy Policies. Ensure privacy policies are updated annually and contain all required disclosures, accurately describe data collection and sharing practices, including information about opt-out preference signals and how they are processed.
  5. Ongoing Sweeps: This settlement is positioned as part of DOJ's investigative sweep of streaming services, with the Cal AG highlighting continued CCPA enforcement momentum.  The Cal AG has also already announced several investigative sweeps relating to location data and employee information.  Businesses who are subject to the CCPA should continue to review their compliance efforts and prioritize remediating any gaps they may identify.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2025 White & Case LLP

Contacts

F. Paul Pittman
F. Paul Pittman
Partner|Washington, DC
Services
Data, Privacy & Cybersecurity, Fintech, Technology, Mergers & Acquisitions, Life Sciences and Healthcare, Privacy Advisory and Compliance
Hope Anderson
Hope Anderson
Partner|Los Angeles
Services
Data, Privacy & Cybersecurity, Technology, Artificial Intelligence (AI), Privacy Advisory and Compliance, AI Regulatory, Content and non-privacy data regulation
Abdul M. Hafiz
Abdul M. Hafiz
Law Clerk|Washington, DC
Services
Data, Privacy & Cybersecurity, Litigation, Life Sciences and Healthcare

Service areas

Top