Sometimes even the strongest magic cannot hide a compliance misstep, as the Federal Trade Commission (FTC) reminded Disney that even their enchantments must follow the rules. On September 2, 2025, a settlement of $10 million was reached between Disney Worldwide Service, Inc. and Disney Entertainment Operations LLC (Disney) and the FTC. Disney is one of the most trusted children’s entertainment conglomerates in the world. How did it come to be that the FTC was fining them for violating children’s privacy?

Once Upon a Violation: What Happened Behind the Magic

When making magic there are certain ingredients needed to make the perfect spell. Disney has the animation and they teamed up with Google LLC’s YouTube to bring their videos to the world, making magic happen in the eyes of children everywhere. According to the complaint against Disney videos may be uploaded to YouTube only through a channel. Disney has operated or uploaded videos to more than 1,250 YouTube Channels.

In the Complaint it was explained that, “in 2019, YouTube told content creators, including Disney, that they would be ‘required to tell [YouTube] if [their] content is made for kids in order to comply with the Children’s Online Privacy Protection Act (COPPA)…’” Content creators could set the audience either at a channel or video level, labeling the video as either made for kids (MFK) or not made for kids (NMFK). If the setting was done on a video level that video would be labeled as chosen, however, if the setting was done on a channel level the default label for all videos posted within the channel would be the same.

The resulting outcome of these settings was also explained in the complaint:

“When a video is set as MFK, certain functionality is disabled by YouTube – with respect to that video – for example, comments, ‘autoplay on home’, and targeted advertising are disabled. Playback in the Miniplayer, which allows a video to continue to play on a small screen as a user browses YouTube, is also disabled, as is the ability for a user to save a video to a playlist or to watch later.”

These settings are in place to protect children and their use of YouTube. Of the 1,250 channels Disney uploads videos to some are labeled as MFK, and others as NMFK. However, even in the channels labeled NMFK Disney uploaded videos targeted to children. The complaint made against Disney goes through the types of videos reviewed and why they should be classified as MFK.

Disney’s misclassification wasn’t just a technical hiccup, it meant children’s data could be collected for targeted advertising, the very practice COPPA was designed to prevent. Disney failed to ensure that children’s personal data was protected when videos meant for young audiences weren’t correctly marked as “Made for Kids,” enabling tracking and targeted advertising that COPPA prohibits.

A Spell Gone Wrong

No one quite knows the reason behind Disney’s failure to mark the channels correctly. However, failure to correctly label their channels means that children who should be protected under COPPA are not receiving the protections required under the law. The lack of these protections means that more Disney videos are viewed by these children, putting more money in Disney’s pockets.

Although YouTube’s settings made such a misclassification possible, this is a prime example of how data controllers are responsible for making sure platforms, tools, and processes used for data privacy comply with the law. Here the magic was happening, but the spell was all wrong. “This case underscores the FTC’s commitment to enforcing COPPA, which was enacted by Congress to ensure that parents, not companies like Disney, make decisions about the collection and use of their children’s personal information online,” said FTC Chairman Andrew N. Ferguson.

A New Spell Brewing

As the FTC continues to enforce COPPA, passed in 1998, the U.S. Senate has also passed the Kids Online Safety Act (KOSA), a law that would add a “duty of care” for platforms, which is waiting for Congressional approval as we already reported here. Together with COPPA enforcement, it signals a growing focus on protecting children online. Although the future of the KOSA is uncertain, it is an effort to further strengthen the protections in COPPA. As we see the introduction of new legislation and new enforcement of old legislation it is obvious that the protection of children and their use of the internet is an important topic in the United States.

And while the U.S. is strengthening its own protection spellbooks, the European Union has long written its own.

Different Spellbook, Same Magic

While U.S. regulators attempt to strengthen their own protection spellbooks, the EU Member States are equally committed to protecting children and their use of online platforms. Under the GDPR, this kind of misclassification could equally violate children’s data protection rules. Article 8 requires verifiable parental consent for minors under 13–16, depending on the Member State. Additionally, the Digital Services Act (DSA) places limits and obligations on various digital services and online platforms. Though the U.S. and the EU may have different spellbooks, their purpose is shared, protecting children’s data and restoring parental control.

We can see in the Disney mishap that privacy by design should be used to ensure that magical spells are cast exactly according to the spellbook, keeping all ingredients in their proper portions and places. If Disney had an internal process for allocating videos to YouTube channels and labeling them in accordance with the intended audience, they would not have had to rely on YouTube’s settings alone and would have created the magic without any additional compliance issues. All these regulations remind us that true magic happens when every step of the spell is followed.

True and Lasting Magic Lies in Compliance by Design

Disney’s $10 million fine is a reminder that compliance is the invisible thread that keeps the magic intact. The true magic spell for protecting children’s data is woven long before the first video is uploaded or the first ad is placed.

Without a little forethought, even the most enchanting brands can find themselves under a compliance curse. To keep the magic alive, companies must craft systems that respect privacy by default and ensure proper consent. Whether in the U.S. under COPPA or in the EU under the GDPR or DSA, making magic should not come at the cost of protecting children’s data.

Because when compliance becomes part of the spell, it becomes the kind of magic that protects as much as it dazzles.

| | , | , , , , , ,