FTC Targets Disney and Apitor in Latest Children’s Privacy Enforcement Actions

Want to receive these privacy recaps in your inbox each week? Subscribe here.

The FTC is ramping up its enforcement of children’s privacy with two new COPPA settlements that should grab the attention of every company: Disney will pay $10 million for YouTube configuration failures that led to unauthorized data collection from kids under 13, while toy maker Apitor faces a $500,000 penalty for enabling third-party location tracking without parental consent. 

Meanwhile, the EU General Court delivered welcome news for transatlantic data flows, confirming the adequacy of the US transfer framework and allowing continued EU-US data transfers without additional authorization.

Keep reading to learn more and get my takeaway.

United States

FTC Focuses on Children’s Privacy, With Two Proposed COPPA Orders

The Federal Trade Commission announced proposed orders based on alleged COPPA violations by two companies:

Disney allegedly failed to properly configure YouTube settings to indicate its videos were “Made for Kids”, resulting in the collection of personal information for targeted advertising from children under 13 without parental consent. The proposed settlement requires Disney to pay $10 million and implement a program to review videos for their appropriate designation before uploading them to YouTube.

Toy maker Apitor Technology allegedly enabled a third party to collect geolocation information from children without parental consent. The data collection was conducted via a third-party SDK integrated into a robot toy’s companion app. The app required users to enable location sharing to use it and connect the toy, but it did not incorporate a process to obtain parental consent before such sharing could occur. 

The proposed order provides for a $500,000 penalty and obligations to notify parents and obtain parental consent before collecting personal information from children. 

TAKEAWAY

Children’s privacy has been a recent area of focus in state and federal regulatory enforcement, as well as private litigation. 

In August 2025, Google agreed to a $30 million payment to settle claims that its targeted advertising practices on YouTube using data collected from children violated various state laws (Case 5:19-cv-07016-SVK in the Northern District of California). 

In July 2025, Utah’s Attorney General filed a complaint against Snap based on allegations that the company collected personal information from users of its My AI feature, even after users indicated they were under age 13. 

And in May 2025, the Michigan Attorney General filed a lawsuit against Roku based in part on the alleged collection of personal information from users of platform sections and content directed to children. 

With the increasing passage of children’s privacy laws globally and across states (see, for example, recent bills passed in Oregon, Vermont, Nebraska, Connecticut, and Nevada, as well as the now effective New York Child Data Protection Act), we can expect this enforcement trend to continue and become more complex, as companies will be forced to navigate the patchwork of children’s privacy laws. 

EU General Court Confirms Adequacy of US Transfer Framework.

Dismissing an action to annul the framework for the transfer of personal data from Europe to the United States, the EU General Court ruled that the United States, as of the date of the filing of the decision, ensured an adequate level of protection for personal data transferred from the European Union and therefore that the adequacy decision previously adopted by the European Commission can continue to be upheld, allowing for the transfer of personal data to the United States without further authorization.

TAKEAWAY

The action was based, in part, on allegations that the practice of U.S. intelligence agencies collecting personal data in bulk from the EU without prior authorization was not sufficiently restricted. 

However, the court pointed out that, under US law, such intelligence activities are subject to ex post judicial oversight by the Data Protection Review Court, which the EU General Court found to be a level of protection essentially equivalent to that guaranteed by EU law. 

The General Court also pointed out that the European Commission will be required to monitor the legal framework and may decide, if necessary, to suspend, amend, or repeal the adequacy decision or limit its scope if the legal framework changes. 

A LITTLE MORE PRIVACY, IF YOU PLEASE

• The CNIL Imposes Fines on Google and Shein for Failing to Comply with Cookie Rules (Source: CNIL)
• Privacy enhancing technologies (PETs): What you need to know (Source: Didomi)
• CNIL’s pixel proposal: A summertime buzzkill for privacy professionals (Source: Thomas Adhumeau)

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.