On July 1, 2025, California Attorney General Rob Bonta announced the largest California Consumer Privacy Act (CCPA) settlement to date: a $1.55 million civil penalty and injunctive relief against Healthline Media LLC, publisher of the globally ranked health website Healthline.com. The enforcement action stems from Healthline's use of online tracking technologies, which allegedly enabled the unauthorized sharing of consumers' sensitive health-related information with third-party advertisers, all without proper consent, notice, or opt-out mechanisms.
The proposed settlement, pending court approval, underscores the DOJ's continued prioritization of robust enforcement under the CCPA. It also serves as a reminder to publishers, AdTech companies, and digital health platforms of their heightened compliance obligations when dealing with sensitive consumer data and behavioral tracking.
Alleged Violations by Healthline
According to the complaint filed by the California DOJ, Healthline violated the CCPA and California's Unfair Competition Law through the following actions:
- Failure to Honor Opt-Out Requests: Healthline failed to properly respect consumers' requests to opt out of the sale or sharing of personal information — including those transmitted through Global Privacy Control (GPC) signals. Even after such requests, certain trackers continued relaying data to advertising partners.
- Purpose Limitation Breach: The CCPA limits a business's use of personal information to its original purpose of collection or a compatible one. Healthline violated this principle by using and transmitting article titles to its AdTech partners (e.g., "You've Been Newly Diagnosed with MS") that could reveal a consumer's medical condition — far beyond the purpose originally disclosed.
- Lack of CCPA-Compliant Contracts: Healthline did not ensure that its advertising partners had CCPA-required privacy provisions in place, instead relying on assumptions about adherence to industry-standard frameworks without verification.
- Deceptive Consent Banner: Despite presenting users with a "consent" interface to manage cookie and tracker preferences, Healthline continued to deploy tracking cookies even when users opted out, an alleged deceptive practice under the Unfair Competition Law.
Injunctive Relief and Compliance Requirements
In addition to the monetary penalty, the proposed settlement requires Healthline to implement changes to its compliance program, including:
- Functioning Opt-Out Mechanisms: Healthline must ensure that its opt-out tools (including those recognizing GPC signals) are operational and effective across all data-sharing endpoints.
- Ban on the Disclosure of Article Titles Tied to Diagnoses: Healthline is now barred from disclosing article titles that could reasonably suggest a specific consumer has been diagnosed with a disease.
- Mandatory Contractual Safeguards: Healthline must audit all third-party advertising contracts for CCPA-required privacy terms and confirm that these partners have executed agreements with sufficient safeguards.
- Accurate Privacy Disclosures: The company is required to maintain a privacy policy and cookie banner that transparently reflects its actual data collection, sharing, and consumer rights processes.
Implications for Digital Health Publishers, AdTech, and Content Providers
This enforcement action represents a major development in how the California DOJ applies CCPA obligations to contextually sensitive online content, especially in sectors like digital health and wellness. Notably:
- Title + Identifiers = Personal Information: The DOJ's position in this matter takes an expansive view of the definition of "personal information" under the CCPA, namely, that the combination of article title and cookie identifiers can constitute personal data if it allows inferences about a consumer's health condition.
- Cookies Alone Are Not Exempt: This settlement confirms the DOJ's longstanding view that cookie-based identifiers, especially when linked to behavior (e.g., browsing health articles), are within the scope of "sharing" and require opt-out rights under the CCPA.
- High Sensitivity is not High Complexity: Even sophisticated health publishers are not immune from liability. A website's health content — when paired with behavioral analytics — may draw heightened scrutiny from regulators regardless of whether the publisher itself stores medical records or is a HIPAA-covered entity.
Recommended Next Steps for Healthcare Providers and Other Businesses
Businesses operating in the digital health, publishing, or AdTech sectors — particularly those relying on behavioral targeting or third-party trackers — should take immediate steps to assess their exposure and enhance compliance practices:
- Audit Tracking Technologies: Map all trackers, pixels, and cookies deployed on consumer-facing pages — particularly those involving sensitive topics.
- Verify GPC and Opt-Out Functionality: Confirm that opt-out signals (including GPC) are honored in real time and that downstream data flows cease upon request.
- Update Contracts with Ad Partners: Ensure all agreements with advertisers or analytics vendors include CCPA-mandated clauses around data use, consumer rights, and restricted processing.
- Avoid Inference-Based Profiling Without Consent: Refrain from transmitting user behavior or page metadata that may reveal sensitive traits unless the consumer has provided informed, affirmative authorization.