On July 1, 2025, the California Attorney General's Office (AG) announced a proposed $1.55 million settlement with Healthline Media, operator of the popular website Healthline.com. The AG alleges Healthline violated numerous provisions of the California Consumer Privacy Act (CCPA), including by disclosing to advertisers the titles of articles viewed by particular consumers, which could be used to infer that the reader had been diagnosed with a disease.
As with prior CCPA settlements, Healthline has agreed to comply with injunctive terms in addition to the monetary fine. If the settlement terms are approved by the court, Healthline will be required to conduct annual reviews of its privacy practices for the next three years and share the results in annual reports. Healthline will also be required to update its contracts with advertisers to ensure they contain the required data protection terms and provide mechanisms by which consumers may opt out of sharing their data for the purposes of targeted advertising.
The AG's underlying complaint alleges that Healthline violated three provisions of the CCPA and one provision of California's Unfair Competition Law (UCL):
- Failing to meet the purpose-limitation principle: Under the CCPA, businesses may not use personal information for purposes outside those for which it was originally collected, unless the new use would be reasonably expected by the customer. Healthline allegedly sent article titles referencing specific medical conditions and diagnoses to third parties through online trackers, potentially allowing third parties to determine specific health-related information about the reader. Third parties then used that information to serve targeted ads related to those diseases. The AG argued this violated the purpose-limitation principle because there was no reasonable expectation by the consumer that such detailed and intimate medical information would be used to serve ads. While Healthline.com did have a privacy policy that mentioned the potential for targeted advertising, the AG argued that a blanket statement regarding ads did not adequately disclose the sharing of specific article titles.
- Failing to maintain a functional opt-out mechanism: Under the CCPA, consumers have the right to request that businesses stop sharing or selling personal information through an opt-out mechanism. Healthline.com provided an opt-out mechanism, but it was misconfigured and Healthline failed to test it, resulting in data being shared with third parties even after consumers elected to opt out.
- Failing to ensure that third-party contracts comply with CCPA requirements: Businesses that sell or share information with third parties must enter contracts requiring that those third parties abide by CCPA standards, which include purpose limitations and mechanisms for tracking and complying with consumer opt-outs. Healthline assumed, but did not verify, that its contractors abided by an industry contractual framework.
- Misleading customers about purported privacy measures: California's UCL prohibits deceptive business practices. The AG alleged that Healthline.com's use of a cookie banner that purported to disable tracking cookies but did not actually do so was a violation of the UCL.
The proposed settlement demonstrates ongoing active enforcement of privacy rules in California. Both the AG and the California Privacy Protection Agency have concurrent jurisdiction to enforce the CCPA. Healthline's is the third enforcement action announced in 2025 and the largest settlement under the CCPA to date. Businesses should take care to ensure their online privacy disclosures, internal practices and data-sharing agreements with all third parties comply with the CCPA.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
