Disney settles COPPA violations with $10M fine over children's data collection

Disney has agreed to pay a $10 million civil penalty to settle allegations of violating the Children's Online Privacy Protection Act (COPPA). According to the U.S. Department of Justice, Disney collected personal information from children under 13 without verifiable parental consent through tracking technologies embedded in its apps and websites, including those for Disney, ESPN, and ABC. These tracking technologies, such as cookies and beacons, gathered persistent identifiers used for targeted advertising. COPPA requires obtaining parental consent before collecting personal information from children, and considers persistent identifiers as personal information. The DOJ stated that Disney was aware of these practices but failed to take corrective action. This settlement highlights the importance of compliance with privacy laws, particularly concerning children's data. For cybersecurity professionals, it underscores the necessity of robust privacy programs and regular audits of data collection practices. The significant fine serves as a reminder that regulators are actively enforcing COPPA, and non-compliance can result in substantial penalties. The technical implications are clear: tracking technologies can be considered personal information under COPPA, and their use must be carefully managed to ensure compliance.