Disney Pays to Settle FTC Claims of Privacy Law Violations

If you’ve ever clicked a tiny settings toggle and accidentally changed your entire life, congratulations:
you already understand the heart of the government’s case against Disney. According to federal regulators,
the company’s handling of “Made for Kids” labeling on YouTube helped enable the collection of children’s
personal data for advertisingwithout the notice and verifiable parental consent required under U.S. children’s
privacy rules. The result: a $10 million civil penalty, a court-approved order, and a very public reminder that
“kids content” and “ad tech” can’t share a sandbox unless the rules are followed.

This story matters beyond one household-name brand. It’s a modern privacy lesson about how data is collected
(often passively), how platforms rely on creators to label content, and why regulators keep repeating the same
basic message: if children are involved, you don’t get to wing it.

What Happened: The Settlement in Plain English

The Federal Trade Commission alleged that Disney allowed personal data to be collected from children under 13
who watched kid-directed Disney videos on YouTube, without the required parental notice and consent. Federal
authorities said this was tied to how certain videos were labeled (or not labeled) as “Made for Kids,” a setting
that affects what kinds of ads can run and what kinds of data can be gathered.

The quick timeline

• September 2025: Regulators announced a proposed settlement and described the alleged COPPA violations tied to Disney’s YouTube content.
• Late December 2025: A federal judge approved the order, making the settlement official and enforceable.
• Going forward: Disney must pay the civil penalty and follow an ongoing compliance framework that focuses on how it designates videos as kid-directed.

What the FTC Said Disney Did Wrong

A small label with huge consequences

On YouTube, “Made for Kids” isn’t just a friendly sticker. It’s an operational switch that changes the experience:
it limits certain features and restricts personalized ads. Regulators alleged that some Disney content that was
child-directed was not properly labeled as such. When the label is missing (or incorrect), YouTube may treat the
video more like general-audience contentmeaning more tracking and more targeted advertising options can become
available.

The government’s complaint describes Disney as an “operator” of an online service directed to children in connection
with the videos it uploads, and alleges that third parties collected personal information from children on Disney’s
behalf in violation of COPPA requirements. In other words: even if a platform is doing the technical collection, a
brand that benefits from the content and the ads can still have legal responsibility for what’s happening.

How ad money fit into the story

Regulators said Disney earned advertising revenue in multiple ways on YouTubeby receiving a portion of YouTube’s
ad revenue placed on Disney videos, and by selling some ads directly. That matters because COPPA isn’t just about
“what data exists.” It’s also about incentives: when kid-directed content is monetized like adult content, the risk
of unlawful data collection and targeting goes up.

Why COPPA is so strict here

COPPA is built around one idea: parents (not brands, platforms, or advertisers) should decide whether children under
13 can have their personal information collected and used online. If an online service is directed to childrenor
has actual knowledge it is collecting data from childrenthen it has to provide notice and obtain verifiable parental
consent before collecting, using, or disclosing children’s personal information.

COPPA 101: The Rules Behind the Headlines

What counts as “personal information” for kids?

People often assume “personal information” means a child typing in their full name and home address. Under COPPA,
the definition is broader. It can include online contact information, precise identifiers, and “persistent identifiers”
used to recognize a user over time and across servicesexactly the kind of building block modern ad targeting runs on.

What “verifiable parental consent” means in practice

Verifiable parental consent is not a vibes-based concept. It’s a real, documented process designed to ensure a parent
is actually authorizing data collection. The details vary depending on the method (and the context), but the general
standard is: you can’t collect first and ask questions later.

That’s why COPPA enforcement often focuses on defaults. If a system is set up so that kid-directed content can slip
into a data-collection path without a parent being notified and asked first, regulators tend to view that as a design
problemnot an “oops.”

The Settlement Terms: $10 Million and a Compliance Overhaul

The civil penalty

Disney agreed to pay $10 million in civil penalties to resolve the allegations. Importantly, settlements like this
typically do not require a company to admit wrongdoing; they require the company to pay the penalty and comply with
the order’s forward-looking requirements.

The injunction and the “Audience Designation” program

The order doesn’t stop at money. It also requires Disney to comply with COPPA going forward and to establish and
implement a program to review whether videos it publishes to YouTube should be designated as “Made for Kids.”
The order describes this as an “Audience Designation” programessentially a structured, documented process for
deciding how each video should be labeled.

The core compliance concept is simple: “Don’t guess.” Create a repeatable system that evaluates kid-directed signals
(think: subject matter, characters, themes, and the likely audience). Then document it, train people on it, and check
that it’s working.

A “future-proof” twist: age assurance

One of the more interesting parts of the FTC’s messaging around the order is its nod toward age assurance technology.
The settlement framework anticipates a world where platforms may be able to determine the age (or age range/category)
of users more reliably. If the platform implements robust age assurance and restricts kids’ data collection accordingly,
the operational burden on content creators could change.

Translation: regulators are pushing the ecosystem toward a safer default for kids, even if that means the underlying
mechanics of compliance evolve over time.

Why This Case Is a Big Deal for Brands and Creators

1) “It’s the platform’s job” is not a legal shield

The Disney matter reinforces a recurring enforcement theme: you can’t outsource children’s privacy compliance to a
platform and call it a day. If your content is directed to children, and you benefit from distribution and advertising,
regulators may treat you as an operator with responsibilitiesespecially if your actions (like mislabeling) help enable
unlawful data collection.

2) Kids’ content is a trust business

Regulators repeatedly frame COPPA cases in terms of trust. Parents let kids watch beloved characters because it feels
safer. When that viewing experience is paired with behind-the-scenes tracking and targeted advertising, regulators view
it as more than a technical compliance gapit becomes a breach of expectations.

3) “Kid-directed” is about reality, not intent

Whether something is “directed to children” isn’t decided by a brand’s internal hope that “this is for everyone.”
It’s driven by the content itself and its likely audience. If your video features kid-focused themes and recognizable
children’s characters, the safer assumption is that regulators will treat it as kid-directed unless you have a strong,
documented reason otherwise.

4) The YouTube “Made for Kids” ecosystem remains under scrutiny

COPPA enforcement in the YouTube context has a long tail. Regulators have previously pursued major actions tied to
children’s data on the platform. The Disney settlement fits into that broader arc: the government is signaling that
“Made for Kids” labeling isn’t optional housekeepingit’s part of legal compliance.

Practical Lessons: A COPPA-Smart Checklist for Publishers

This is not legal advice, but it is a reality check. If you publish content that could reasonably be watched by children,
here are practical takeaways that align with what regulators are emphasizing.

1) Audit your library like a regulator would

1. Inventory your channels and series (including older uploadsyes, even the ones from the “we don’t talk about that era” phase).
2. Identify kid-directed signals: characters, themes, language level, bright animation styles, songs, toys, or child-focused storytelling.
3. Review labels at the video level, not just a channel default. One channel can host multiple audience types.
4. Spot-check ad behavior to ensure kids’ content isn’t being monetized with personalized targeting.

2) Build a “Made for Kids” workflow that survives vacations

Compliance can’t depend on one superhero employee who remembers every setting. Create a documented process:
who reviews, what criteria they use, what happens when there’s uncertainty, and how decisions are recorded.
The settlement’s emphasis on documentation and training is a hint about what regulators expect.

3) Treat ad tech as part of your product

If ads run on your content, ad tech is part of the user experienceand for kids, it’s part of your legal risk.
Ask basic questions: Are personalized ads disabled on kid-directed content? Are third-party trackers limited?
Are there controls to prevent targeting based on behavioral profiles of under-13 viewers?

4) Document, train, and test (because “we meant well” is not a control)

The order’s logic points to three operational habits:
documentation (written program and decisions),
training (repeatable knowledge across staff),
and assessment (checking effectiveness on a regular schedule).
Those are the hallmarks of a compliance program that regulators take seriously.

What Parents and Viewers Should Know

Why targeted ads to kids raise alarms

Under COPPA, the issue isn’t just “ads exist.” The bigger concern is whether the ads are based on tracking and the
collection of personal information without parental involvement. Behavioral targeting depends on identifiers and
profilingexactly what COPPA tries to restrict for children under 13.

What “Made for Kids” changes on YouTube

When content is correctly labeled as “Made for Kids,” it generally limits personalized advertising and restricts some
engagement features. That’s not a punishment for creatorsit’s a safety setting for minors. If a children’s cartoon is
not labeled as “Made for Kids,” that mismatch can create privacy and safety concerns.

What Might Come Next for Kids’ Privacy

Age assurance: the promise and the pitfalls

Regulators are increasingly talking about age assurancemethods that aim to determine whether a user is a child (or at
least likely to be in a protected age bracket). Done well, it could reduce reliance on self-labeling and improve safety
defaults. Done poorly, it can raise new privacy risks (because “proving your age” can itself involve more data collection).

More enforcement, higher expectations

The Disney settlement is another signal that kids’ privacy enforcement isn’t slowing downespecially where large,
widely viewed content is involved. Brands, studios, and creators who produce kid-friendly content should assume that
“compliance-by-default” is becoming the baseline expectation.

Experiences Related to Disney’s FTC Settlement

A headline like “$10 million settlement” can feel abstractlike it belongs to corporate boardrooms and legal filings.
But kids’ privacy enforcement is really about everyday moments: the way families use screens, the way creators upload
videos, and the way advertising follows attention like a puppy with separation anxiety. Here are a few real-world style
experiences (composite examples) that mirror the dynamics regulators are concerned about.

Experience 1: The “Why Is My Kid Getting That Ad?” moment

A parent puts on a familiar animated video to buy ten minutes of quietmaybe during dinner prep, maybe during a work
call. Everything seems normal until the ads start to feel oddly specific: toy ads that match a recent shopping search,
or promotions that seem tuned to a child’s viewing habits. The parent may not be thinking “persistent identifiers,”
but they notice the vibe shift: this doesn’t feel like generic kids’ advertising anymore. That discomfort is exactly
what COPPA is designed to address. When children’s viewing leads to targeted advertising without a parent being notified
and asked for consent, regulators see the system as bypassing the adult who is supposed to be in control.

Experience 2: The creator’s labeling panic

On the publishing side, imagine a channel manager juggling dozens of uploads. The “Made for Kids” choice might be one
step in a long checklist: title, thumbnail, description, scheduled time, monetization settings, comments, and audience
designation. If the team relies on a channel-wide default (“this channel is for general audiences”), kid-directed videos
can slip through mislabeledespecially if content varies by series. Suddenly, a compliance inquiry or a platform prompt
turns routine uploading into a fire drill. The lesson here isn’t that creators are careless; it’s that compliance can’t
be left to memory and habit. Regulators expect a deliberate, repeatable process that catches mistakes before they ship.

Experience 3: The brand meeting where the mood changes

Marketing teams love metrics. Legal teams love not getting subpoenaed. Kids’ privacy cases tend to be the moment those
two worlds collide. A typical experience is a meeting where someone proudly shares a performance slideviews are up,
engagement is strong, ad revenue is growingand then someone else asks a simple question: “Are those videos kid-directed,
and are we sure they’re labeled correctly?” Suddenly, the room remembers that “good performance” can also mean “higher
exposure” if the compliance settings are wrong. This is where brands often realize that privacy compliance isn’t a
bolt-on; it’s part of distribution strategy. If you want the upside of massive reach, you also inherit the responsibility
that comes with that reach.

Experience 4: The parent’s more-boring-but-better routine

Another common experience after big privacy stories: parents adjust habits. They might switch to supervised profiles,
prefer clearly designated kids’ spaces, reduce autoplay, or rely on downloads/offline viewing when possible. None of
this requires becoming a privacy lawyer. It’s simply a practical reaction to the idea that some online experiences may
collect more data than families expect. COPPA enforcement doesn’t eliminate every risk, but it nudges the ecosystem toward
safer defaultsand it gives parents more reason to demand them.

Conclusion

Disney’s $10 million settlement over alleged children’s privacy law violations is a reminder that “kids content” comes
with “kids rules.” Regulators focused on how video labeling on YouTube can influence data collection and advertising,
and the settlement pushes toward structured, documented decisions about whether content is made for children.

For publishers and creators, the big takeaway is operational: build a real process for audience designation, treat ad tech
as part of the experience, and document decisions like you might need to explain them laterbecause in a COPPA world,
you just might.