Disney+ · Walt Disney Company Privacy Policy · View original document ↗

Intra-Family Cross-Brand Data Sharing

Medium severity Medium confidence Explicitdocumentlanguage Unique · 0 of 352 platforms
Share 𝕏 Share in Share 🔒 PDF
Monitor governance changes for Disney+ Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.
Document Record

What it is

The policy authorizes any subsidiary or affiliated entity within the Walt Disney Family of Companies to access a user's personal information both to perform services for the primary data controller and independently for that subsidiary's own purposes, subject to applicable law.

This analysis describes what Disney+'s agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

This provision establishes a dual-role access structure across a portfolio of more than 40 named brands, under which each subsidiary entity may use personal information for its own independent data controller purposes, not solely in a service capacity. This arrangement may require evaluation under GDPR purpose limitation and data minimization principles, as well as CCPA obligations governing intra-group data flows.

Interpretive note: The breadth of permissible independent use by subsidiary entities as data controllers depends on applicable law in each jurisdiction and may be more limited in practice under GDPR and state privacy frameworks than the policy's broad assertion suggests.

Consumer impact (what this means for users)

Under this clause, personal information collected through any Disney-branded property may be accessed and used independently by other members of the Walt Disney Family of Companies, including ESPN, Hulu, Marvel, National Geographic, and others, for purposes each entity determines as a data controller. The agreement does not require a separate consent event for each subsidiary's independent use, subject to applicable law.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Delete Your Data
    Visit the Disney Data Subject Rights Portal and submit a request to access, correct, or delete personal information held by Walt Disney Family of Companies entities.

Cross-platform context

See how other platforms handle Intra-Family Cross-Brand Data Sharing and similar clauses.

Compare across platforms →

Monitoring

Disney+ has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Get Monitor Or create a free account →
▸ View Original Clause Language DOCUMENT RECORD
"
Other members of The Walt Disney Family of Companies may access your information where they perform services on behalf of the data controllers (as data processors) and, unless prohibited under applicable law, for use on their own behalf (as data controllers) for the purposes described in this policy.

— Excerpt from Disney+'s Walt Disney Company Privacy Policy

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

1) REGULATORY LANDSCAPE: This provision engages GDPR Articles 4(7), 26, and 5 (purpose limitation, data minimization) for EU and UK users, and CCPA's definitions of business purpose and service provider for California residents. The FTC has general enforcement authority over unfair or deceptive data practices in the US. Where subsidiary entities use data for independent purposes beyond the original collection context, applicable law may constrain the breadth of this assertion. 2) GOVERNANCE EXPOSURE: High. The assertion that over 40 named subsidiary brands may access and use personal information as independent data controllers, based on a single privacy policy disclosure rather than entity-specific consent, creates potential exposure under GDPR's purpose limitation requirements and CCPA's restrictions on data use beyond disclosed business purposes. 3) JURISDICTION FLAGS: EU and UK users present heightened exposure, as GDPR requires a clear lawful basis for each processing purpose by each data controller. California residents have rights to request a list of specific third parties to whom personal data has been disclosed. The intra-group structure may require evaluation in any jurisdiction with data minimization or purpose limitation requirements. 4) CONTRACT AND VENDOR IMPLICATIONS: Organizations entering co-branded or partnership arrangements with Disney entities should assess which subsidiary brands may access shared consumer data and on what basis. The provision's assertion that subsidiaries may act as independent data controllers may affect downstream data processing agreements and liability allocation. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should map which personal information categories flow to which subsidiary entities, on what legal basis, and for which stated purposes. An audit of whether the policy's disclosed purposes are sufficiently specific to satisfy GDPR Article 13/14 transparency requirements for each controller entity is warranted. US teams should assess whether intra-group flows require disclosure updates under state privacy law.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 3 platforms — free Get Monitor

Free: track 3 platforms + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

  • FTC
    The FTC has authority over unfair or deceptive data practices involving multi-entity data sharing arrangements affecting US consumers.
    File a complaint →

Provision details

Document information
Document
Walt Disney Company Privacy Policy
Entity
Disney+
Document last updated
May 5, 2026
Tracking information
First tracked
May 8, 2026
Last verified
July 9, 2026
Record ID
CA-P-015939
Document ID
CA-D-00575
Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256)
00f1d01d84ae9b8dd3f1666ae7de8d1a893a5ebc987b1f6d661ef14d92b34703
Analysis generated
May 8, 2026 08:25 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: Disney+
Document: Walt Disney Company Privacy Policy
Record ID: CA-P-015939
Captured: 2026-05-08 08:25:00 UTC
SHA-256: 00f1d01d84ae9b8d…
URL: https://conductatlas.com/platform/disney/walt-disney-company-privacy-policy/provision/CA-P-015939/intra-family-cross-brand-data-sharing/
Accessed: July 12, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
Medium
Categories

Other risks in this policy

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Get Compliance

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Disney+'s Intra-Family Cross-Brand Data Sharing clause do?

This provision establishes a dual-role access structure across a portfolio of more than 40 named brands, under which each subsidiary entity may use personal information for its own independent data controller purposes, not solely in a service capacity. This arrangement may require evaluation under GDPR purpose limitation and data minimization principles, as well as CCPA obligations governing intra-group data flows.

How does this clause affect you?

Under this clause, personal information collected through any Disney-branded property may be accessed and used independently by other members of the Walt Disney Family of Companies, including ESPN, Hulu, Marvel, National Geographic, and others, for purposes each entity determines as a data controller. The agreement does not require a separate consent event for each subsidiary's independent use, subject to applicable …

Is ConductAtlas affiliated with Disney+?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Disney+.