ARTICLE
8 July 2025

California Attorney General Enters $1.55 Million CCPA Settlement With Healthline Media

HK
Holland & Knight

Contributor

Holland & Knight is a global law firm with nearly 2,000 lawyers in offices throughout the world. Our attorneys provide representation in litigation, business, real estate, healthcare and governmental law. Interdisciplinary practice groups and industry-based teams provide clients with access to attorneys throughout the firm, regardless of location.
California Attorney General Rob Bonta has settled claims against Healthline Media (Healthline) for violations of the California Privacy Protection Act (CCPA) related to the company's sharing...
United States California Privacy

Highlights

  • California Attorney General Rob Bonta has settled claims against Healthline Media (Healthline) for violations of the California Privacy Protection Act (CCPA) related to the company's sharing of personal information and alleged failure to properly implement opt-out mechanisms, resulting in disclosures about activity on the Healthline website to third parties who used it for advertising purposes.
  • The complaint describes some of the data shared – articles with titles suggesting a particular medical diagnosis – as "highly intimate" but sidesteps discussion of whether this data may be "sensitive personal information" under the CCPA.
  • The causes of action include violation of the CCPA's "purpose limitation" requirement, alleging that Healthline's disclosure of readership information to third parties was not expected by consumers, even though the company's privacy policy disclosed that it provided information to third parties for advertising purposes.
  • The enforcement action highlights regulators' increased focus on using extensive technical tests to scrutinize whether opt-out mechanisms a company is offering work correctly.

California Attorney General (AG) Rob Bonta announced a settlement with Healthline Media LLC relating to the company's website tracking practices and failure to honor consumer opt-out requests, allegedly in violation of the California Consumer Privacy Act (CCPA).

Background

This enforcement action represents the third CCPA enforcement action brought by regulators in California this year and the largest settlement yet for alleged violations of the CCPA to date. Spring orders from the California Privacy Protection Agency (which has concurrent enforcement authority) focused on failures by an auto manufacturer and a clothing retailer.

Factual Allegations

According to a complaint filed concurrently with the settlement, Healthline operates Healthline.com, a medical information website with health and wellness articles. Healthline generates revenue by showing targeted ads to its site visitors, including approximately 6.5 million monthly California visitors. The company uses online trackers like cookies and pixels to share information about its readers with advertisers.

When investigators tested Healthline's opt-out mechanisms in fall 2023, they found that even after users opted out through the methods set up by Healthline (including the Global Privacy Control signal), the website continued to transmit personal information to advertising companies, including the full titles of health-related articles that users were reading. This information was then potentially available to data brokers who could update consumer profiles with sensitive health information inferences. An investigator observed, for example, that after viewing a page on Healthline.com related to Crohn's disease, he or she received a streaming TV advertisement for a medication used to treat Crohn's.

Identified Violations of Law

The AG alleges in the complaint that Healthline committed the following violations of the CCPA:

  1. Failure to Honor Consumer Opt-Outs. Healthline sold/shared consumers' personal information despite receiving direction from consumers not to sell or share that data, in violation of Civil Code § 1798.120(a), (d) and § 1798.135(a), (c)(4).
  2. Lack of Contracts with Advertising Technology Vendors. Healthline's agreement with the third parties who received consumer data did not contain terms required under Civil Code § 1798.100(d).
  3. Violation of "Purpose Limitation Principle." By "invisibly sharing data of a more intimate nature to third parties," Healthline processed data for beyond the purposes for which the personal information was collected in violation of Civil Code § 1798.100(c). This allegation is based on a finding that processing goes beyond the primary purpose when it is not reasonably expected by the consumer, using the assessment factors outlined in Cal. Code Reg., tit. 11, § 7002(b).

The AG also alleges that Healthline engaged in deceptive practices by offering a cookie banner that purported to allow consumers to disable advertising cookies but failed to do so in violation of Business and Professions Code § 17200.

Consequences for Healthline

According to the proposed judgment, Healthline has agreed to:

  1. pay $1.55 million in civil penalties to be deposited into the Consumer Privacy Fund
  2. implement a compliance program that includes regular testing of opt-out mechanisms, annual reviews of contracts with third parties and reporting to the AG for three years
  3. stop selling or sharing personal information combined with information that allows recipients to determine that a consumer is viewing a specific "Diagnosed Medical Condition Article"
  4. provide proper notice to consumers regarding the sale and sharing of their personal information and their right to opt out
  5. process consumer requests to opt out of sales or sharing signaled via an Opt-Out Preference Signal, including the Global Privacy Control

Implications

The complaint represents the first time a California regulator has dug in on whether a processing activity violates the "purpose limitation principle." Prior enforcement actions have focused on technical compliance issues such as how/whether options to offer privacy rights are offered and whether contracts are in place with vendors who place cookies.

The theory behind the AG's current action against Healthline seems to be that the disclosure of certain information about articles viewed on a health information website to vendors who could use the information for advertising purposes was so offensive that consumers could not reasonably have expected it to occur. This seems to apply to all California consumers who visited Healthline's website, not just those who expressed an opt-out preference. This theory could be used by California or other regulators in other contexts to bring actions where processing activities seem inherently invasive, even if they are disclosed in a privacy policy.

Interestingly, though "personal information collected and analyzed concerning a consumer's health" is included in the definition of "sensitive personal information" under the CCPA, the California AG does not raise the question of whether information about activity on Healthline.com is sensitive, which could have triggered an obligation on Healthline to offer a right to limit processing. This could be because the AG did not need to go there. Since the issue here was the disclosure of personal information for cross-contextual advertising, consumers have an opt-out right regardless of how the data is classified. But questions remain as to whether the type of data at issue is health information, which could be subject to opt-in consent requirements in other states.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More