On July 1, 2025, California Attorney General Bonta announced the largest settlement in the history of the CCPA, fining Healthline Media LLC $1.55M for alleged violations of the CCPA and its regulations. Healthline did not admit any wrongdoing in the settlement. Below are four key takeaways for businesses regulated by the CCPA:
- Opt-outs are critical, GPC is quickly becoming the standard, and third-party software must be configured properly and actually work. Businesses engaging in sales or sharing predicated on cookies must make sure that their blocking software (e.g., OneTrust) is configured properly and is configured to recognize GPC. The Colorado AG has listed GPC, and only GPC, as a valid universal opt-out mechanism, and the Connecticut AG has followed suit in a press release. Businesses must be sure to recognize GPC if they are engaged in sales, sharing, or targeted advertising. For most platforms, this is as simple as checking a box, but these configurations must be audited and verified. And because marketing teams are always reacting to dynamic market conditions, frequent (i.e., quarterly) audits are strongly advised.
- Diagnostic health data that is not PHI may be a category unto itself. The CCPA defines "sensitive personal information" to include "personal information concerning a consumer's health" [CCPA, 1798.140(ae)(2)(B)], but nowhere prohibits the sale or sharing of sensitive personal information. Rather, processing of sensitive personal information is subject to a "right to limit" [see CCPA, 1798.121], and all personal information is subject to a more general opt-out from sale or sharing. [see CCPA, 1798.120; 1798.100(a)(2)]. The Healthline settlement contains a flat bar on the sharing or sale of health data related to diagnostic medical articles, subject to certain exceptions including exceptions applying to HIPAA PHI. This underscores a more general concern by the AG regarding data potentially disclosing medical diagnoses and indicates that the AG considered this data to be especially sensitive.
- Contracts with third parties should be audited. If a business sells or shares personal information with a third party, it must have an agreement that meets the contract requirements set out in section 7053 of the CCPA regulations. These requirements were specifically referenced in the settlement, and it is clear that it is the business's (i.e., the controller and website owner's) responsibility to ensure that all contractual provisions are in place for service providers, third parties, and hybrid entities. This can be especially challenging in the adtech ecosystem, even as there are standard agreements that purport to serve as a one-stop shop for compliance with CCPA and other state omnibus laws. Given the complexity, this issue is worth confirming with counsel to ensure compliance, and it is critical to (a) understand who these parties are, what role they have, and what agreements are in place and (b) have a system for vetting new vendors before they are added to websites or other data flows.
- Cooperation is important and probably valuable under most circumstances. The AG's complaint notes that more than 65,000 California consumers were impacted, but it is not clear how the $1.55M penalty was computed. The complaint notes [at paragraph 28] that Healthline enacted remedial measures when contacted. This likely helped reduce the overall fine.
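The first takeaway above says GPC recognition must be audited and verified rather than assumed. The following is an added example, not code from the article or from any vendor named in it: a minimal server-side GPC check and a small audit routine that confirms sale/share tags are suppressed when the signal is present. It assumes the signal arrives as the `Sec-GPC` request header with the exact value `1` (as in the W3C GPC proposal); the tag names and the audit cases are constructed for illustration.

```python
"""Added example: honouring and auditing the Global Privacy Control (GPC) signal."""
from typing import Mapping

# Constructed for this example: tags whose loading would amount to a "sale"
# or "sharing" of personal information under the CCPA, versus first-party tags.
SALE_OR_SHARE_TAGS = ["ad-exchange-pixel", "cross-context-behavioral-ads"]
FIRST_PARTY_TAGS = ["first-party-analytics", "consent-banner"]


def gpc_opt_out(headers: Mapping[str, str]) -> bool:
    """Return True when the request carries a valid GPC opt-out signal.

    Assumption: the signal is the ``Sec-GPC`` header (matched case-insensitively)
    and only the exact value "1" counts, so "true", "0" or "" are not opt-outs.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def tags_to_load(headers: Mapping[str, str]) -> list:
    """Tags the page may load for this request.

    Sale/share tags are dropped whenever GPC is present, regardless of any
    previously stored consent choice; first-party tags are always allowed.
    """
    if gpc_opt_out(headers):
        return list(FIRST_PARTY_TAGS)
    return FIRST_PARTY_TAGS + SALE_OR_SHARE_TAGS


def audit_gpc(cases) -> list:
    """Run constructed (headers, gpc_expected) cases through the configuration.

    Returns one finding per case where GPC is expected to apply but a
    sale/share tag would still fire; an empty list means the check held.
    """
    findings = []
    for headers, gpc_expected in cases:
        leaks = [t for t in tags_to_load(headers) if t in SALE_OR_SHARE_TAGS]
        if gpc_expected and leaks:
            findings.append(f"GPC set but still loading {leaks} for {dict(headers)}")
    return findings


if __name__ == "__main__":
    # Constructed audit cases: a GPC request, a non-signal value, and no header.
    cases = [({"Sec-GPC": "1"}, True), ({"sec-gpc": "0"}, False), ({}, False)]
    print(audit_gpc(cases) or "GPC configuration verified")
```

Running the audit on each deploy, or on the quarterly cadence the article suggests, turns the "checked box" into a verified control.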
Digital advertising and its implication for privacy compliance continue to present challenges for all affected businesses. The gravamen of the Healthline settlement is that operationalizing compliance is an ongoing obligation, especially when the data in question is disclosed to third parties.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.