8 Total
0 High severity
5 Medium severity
3 Low severity
Summary

This is the Walt Disney Company's unified privacy policy, covering personal information collected across Disney+, Hulu, ESPN+, theme parks, cruise ships, retail stores, and all other Disney-branded digital and physical properties. The policy authorizes collection of precise location data, device identifiers, viewing and activity history, camera images at physical properties, call recordings, and payment information, and permits sharing of identifiers or hashed email addresses with third-party advertising partners for targeted advertising on Disney and non-Disney sites. The policy additionally discloses that information shared with certain third parties, including Hulu's content and distribution partners and the National Geographic Society, becomes subject to those third parties' own privacy practices once transferred.

Technical / Legal Breakdown

This privacy policy governs the collection, use, sharing, and retention of personal information across the full portfolio of Walt Disney Family of Companies properties, including digital platforms (Disney+, Hulu, ESPN+, ABC, Marvel, National Geographic), physical locations (theme parks, resorts, cruise ships, stores), and guest call centers, with applicable law identified as the legal basis for processing. The policy authorizes collection of registration data, transaction data, precise and approximate location information, device identifiers, IP addresses, viewing and activity data, still and video images from cameras at physical properties, call recordings, and public forum posts; it further authorizes use of this information for targeted advertising based on activity on Disney properties and on third-party sites and applications. The policy asserts that other members of the Walt Disney Family of Companies may access user information both as data processors on behalf of the data controller and independently as data controllers in their own right, and it discloses that when Hulu shares information with business partners including content programmers, distributors, and device partners, those partners then control that information under their own privacy practices. The policy engages GDPR and UK GDPR for EU and UK residents, CCPA and applicable US state privacy laws for US residents, COPPA for children under 13 in the United States, and the Brazilian LGPD for Brazilian residents, with jurisdiction-specific rights described in supplemental notices. Material compliance considerations include the breadth of intra-family data sharing across a large number of subsidiary brands, the assertion that cross-brand data flows may occur for each member's independent purposes, and the disclosure that information shared with third parties such as Hulu's business partners or National Geographic Society falls outside the scope of this policy once transferred.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Get Compliance
Featured — Medium severity
Featured — Low severity

Monitoring

Disney+ has updated this document before.

Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Get Monitor Or create a free account →

Compliance Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Get Compliance

Cross-platform context

See how other platforms handle Children's Privacy and Parental Consent and similar clauses.

Compare across platforms →

Mapped Governance Frameworks

CCPA/CPRA
California, USA
View official text ↗
COPPA
United States Federal
View official text ↗
Connecticut Data Privacy Act Amendments
US-CT
View official text ↗
CAN-SPAM
United States Federal
View official text ↗
FTC Act Section 5
United States Federal
View official text ↗
GDPR
European Union
View official text ↗
Indiana Consumer Data Protection Act
US-IN
View official text ↗
Kentucky Consumer Data Protection Act
US-KY
View official text ↗
UK GDPR
United Kingdom
View official text ↗
Universal Opt-Out Mechanism Expansion 2026
US
View official text ↗
VPPA
United States Federal
View official text ↗
Archival ProvenanceSource & Archival Record
Last Captured May 5, 2026 05:34 UTC
Capture Method Automated scheduled archival capture
Document ID CA-D-000575
Version ID CA-V-001188
SHA-256 00f1d01d84ae9b8dd3f1666ae7de8d1a893a5ebc987b1f6d661ef14d92b34703
✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Hash verified

Governance Monitoring

Monitor governance changes across the platforms you rely on.

Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.

Create free account Compare plans