The policy authorizes any subsidiary or affiliated entity within the Walt Disney Family of Companies to access a user's personal information both to perform services for the primary data controller and independently for that subsidiary's own purposes, subject to applicable law.
This analysis describes what Disney+'s agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes a dual-role access structure across a portfolio of more than 40 named brands, under which each subsidiary entity may use personal information for its own independent data controller purposes, not solely in a service capacity. This arrangement may require evaluation under GDPR purpose limitation and data minimization principles, as well as CCPA obligations governing intra-group data flows.
Interpretive note: The breadth of permissible independent use by subsidiary entities as data controllers depends on applicable law in each jurisdiction and may be more limited in practice under GDPR and state privacy frameworks than the policy's broad assertion suggests.
Under this clause, personal information collected through any Disney-branded property may be accessed and used independently by other members of the Walt Disney Family of Companies, including ESPN, Hulu, Marvel, National Geographic, and others, for purposes each entity determines as a data controller. The agreement does not require a separate consent event for each subsidiary's independent use, subject to applicable law.
Cross-platform context
See how other platforms handle Intra-Family Cross-Brand Data Sharing and similar clauses.
Compare across platforms →Monitoring
Disney+ has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Other members of The Walt Disney Family of Companies may access your information where they perform services on behalf of the data controllers (as data processors) and, unless prohibited under applicable law, for use on their own behalf (as data controllers) for the purposes described in this policy.— Excerpt from Disney+'s Walt Disney Company Privacy Policy
1) REGULATORY LANDSCAPE: This provision engages GDPR Articles 4(7), 26, and 5 (purpose limitation, data minimization) for EU and UK users, and CCPA's definitions of business purpose and service provider for California residents. The FTC has general enforcement authority over unfair or deceptive data practices in the US. Where subsidiary entities use data for independent purposes beyond the original collection context, applicable law may constrain the breadth of this assertion. 2) GOVERNANCE EXPOSURE: High. The assertion that over 40 named subsidiary brands may access and use personal information as independent data controllers, based on a single privacy policy disclosure rather than entity-specific consent, creates potential exposure under GDPR's purpose limitation requirements and CCPA's restrictions on data use beyond disclosed business purposes. 3) JURISDICTION FLAGS: EU and UK users present heightened exposure, as GDPR requires a clear lawful basis for each processing purpose by each data controller. California residents have rights to request a list of specific third parties to whom personal data has been disclosed. The intra-group structure may require evaluation in any jurisdiction with data minimization or purpose limitation requirements. 4) CONTRACT AND VENDOR IMPLICATIONS: Organizations entering co-branded or partnership arrangements with Disney entities should assess which subsidiary brands may access shared consumer data and on what basis. The provision's assertion that subsidiaries may act as independent data controllers may affect downstream data processing agreements and liability allocation. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should map which personal information categories flow to which subsidiary entities, on what legal basis, and for which stated purposes. An audit of whether the policy's disclosed purposes are sufficiently specific to satisfy GDPR Article 13/14 transparency requirements for each controller entity is warranted. US teams should assess whether intra-group flows require disclosure updates under state privacy law.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 3 platforms + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes a dual-role access structure across a portfolio of more than 40 named brands, under which each subsidiary entity may use personal information for its own independent data controller purposes, not solely in a service capacity. This arrangement may require evaluation under GDPR purpose limitation and data minimization principles, as well as CCPA obligations governing intra-group data flows.
Under this clause, personal information collected through any Disney-branded property may be accessed and used independently by other members of the Walt Disney Family of Companies, including ESPN, Hulu, Marvel, National Geographic, and others, for purposes each entity determines as a data controller. The agreement does not require a separate consent event for each subsidiary's independent use, subject to applicable …
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Disney+.