On July 1, 2025, the California Attorney General’s office announced a $1.55 million settlement with Healthline Media LLC (Healthline) for alleged violations of the CCPA and UCL. The action is the most detailed to date and covers a range of issues affecting businesses, especially those involved with processing health data and advertising. Below are key takeaways from the case, followed by a summary of the underlying facts and settlement terms.
Key Takeaways
Enforcement Trends
- $1.55 million is the largest CCPA fine to date. With the law now five years old, expect larger penalties going forward.
- The penalty could have been much higher. According to the complaint, more than 65,000 consumers experienced failed opt-outs. That’s significantly more than in the recent Todd Snyder CPPA enforcement action, where the opt-out was down for only 40 days and the fine was $345,178. Healthline likely benefited from cooperating with the AG’s office. Paragraph 28 of the settlement highlights that Healthline began remedial efforts after being contacted. The case is a reminder that working with regulators toward solutions can make a meaningful difference in enforcement outcomes.
- Sales and targeted advertising remain a top priority for regulators. Yet another enforcement involving cookies, pixels, and data flows related to targeted advertising. This is the low-hanging fruit.
- Another case where opt-outs didn’t work, possibly due to vendor issues. The complaint suggests that the consent management platform failed to properly identify and block all relevant trackers. While the failure may have originated with the vendor, the responsibility rests with the business. This is another reminder that using third party tools doesn’t absolve a company from ensuring they are correctly implemented and compliant.
- Another example of partial compliance falling short. Healthline had most of the required language in its privacy policy and passed the opt-out string, but the technical implementation didn’t work. This reflects a broader enforcement trend: regulators are enforcing strict compliance with the letter of the law, and systems must function exactly as required.
- Contracts must include terms required by the CCPA. Similar to the last point, contracts that omit specific statutory language were found inadequate. Provisions that I often see in practice, such as allowing processing “for the purposes contemplated” or “as otherwise agreed to in writing by the parties,” did not meet the law’s requirements. Make sure contracts follow the statute. Close isn’t enough.
Novel Aspects
- First CCPA action against a publisher. The AG’s office expressly connects this case to the Sephora action from 2022 (where Sephora was an advertiser), sending a message that publishers are equally responsible for ad tech compliance. Per Paragraph 4 of the complaint:
- “Both cases underscore that businesses that place or display online advertising must carefully review that their systems operate as intended and comply with California’s privacy laws. Businesses’ over-reliance on vendors, outdated boilerplate contracts, and deprecated privacy signals can result in violations of the law, leading to substantial penalties. Borrowing the old phrase, businesses should trust—but verify—that their privacy compliance measures work as intended.”
- First CCPA action involving health data. The AG’s office treated data about diagnosed medical condition articles as sensitive. This follows the broader nationwide trend: increased scrutiny of tracking technologies and health data. We've seen this from the FTC, as well as through new consumer health privacy laws in Washington, Nevada, Connecticut, and other states. Now California is joining the wave.
- First action expressly applying the CCPA’s purpose limitation principle. Paragraph 22 of the complaint invokes Section 7002 of the CCPA Regs, which limits how businesses can use personal information based on reasonable consumer expectation. While I’ve written about how Section 7002 could effectively shift certain types of sensitive data processing from opt-out to opt-in or even to outright prohibition, this is the first time we’ve seen it enforced in this way. It also mirrors a broader nationwide trend of tightening purpose limitation standards. Maryland's new privacy law, for example, imposes strictly necessary purpose limitation requirements for processing sensitive personal data.
- The scope of purpose limitation is up for debate. Under the settlement, Healthline is permitted to engage in future sales or shares of sensitive personal information if it provides notice and offers a right to limit. However, the settlement also prohibits Healthline from selling or sharing personal information combined with specific diagnosed medical condition articles. How do we reconcile these positions? One reading is that some types of sensitive data, like diagnosed medical condition articles, are too sensitive for sale or sharing, even with disclosure. They may need opt-in or be prohibited entirely. Paragraph 22 of the complaint supports that view, stating that “even detailed privacy disclosures regarding other intended uses of data may violate the principle if the disclosed purposes differ substantially from the consumer’s reasonable expectations.” That position could create real complexity with business compliance and arguably put the CCPA more in line with other state privacy laws. Another interpretation is that the prohibition in the settlement is narrow and fact-specific. Perhaps if Healthline had provided disclosure and offered the right to limit from the outset, it could have continued those practices. Privacy professionals will have much to debate.
- First action discussing the CCPA safe harbor. The CCPA safe harbor limits a business’s liability when it communicates an opt-out to a third party. But the AG’s office found that Healthline couldn’t rely on the safe harbor because it lacked clear contract language ensuring that third parties it provided opted-out consumer data to would honor the opt-out. Again, contract language matters.
Broader Implications
- This was a sophisticated investigation. The AG’s office did more than review privacy policies. It looked at the actual deployment of cookies and pixels, browser local storage, transmission of data, and cookie sync pixels. Investigators also reviewed documentation on cookies and submitted requests to data brokers to assess the downstream impact on consumer profiles. If you land in regulator crosshairs, expect a comprehensive technically informed review.
- The settlement supports industry self-regulation but makes clear it is not a shield. The AG’s office acknowledges that frameworks like the IAB’s, including use of the U.S. Privacy String, can help businesses meet their CCPA obligations. This is a major win for industry as it demonstrates that the CCPA is taking self-regulation seriously. But participation must be verified, and implementation must be accurate. Simply signing on or using the string is not enough if the underlying systems or contracts do not comply.
- Addresses the treatment of third parties that become service providers. The settlement addresses a nuanced but increasingly important issue: when a business passes data to a third party, and a consumer later opts out, that third party may be required to switch roles and act as a service provider. Healthline failed to ensure that its contracts required this transition or documented the signal that would trigger it.
- Identification of the person responsible for contract review reflects the broader trend toward individual accountability. This is consistent with other developments in privacy law that emphasize role-based responsibility. For example, Minnesota’s new consumer privacy law requires businesses to designate an individual to oversee privacy compliance. Expect more statutes and regulators to follow suit.
Summary of Allegations and Settlement Terms
Background
Healthline owns and operates Healthline.com, a medical information site with health and wellness articles. Some articles are directed, based on their title or URL, at individuals who have already been diagnosed with a condition. For example, “The Ultimate Guide to MS for the Newly Diagnosed” or “How to talk to others about your MS Diagnosis.” The AG’s office refers to these as “diagnosed medical condition articles.” Although Healthline publishes health-related content, it is not a healthcare provider and is not subject to HIPAA. It is a publisher, meaning it generates revenue by displaying ads on its site.
Allegations
According to the complaint, Healthline violated the CCPA and UCL in the following ways:
- Selling and sharing personal information despite opt-outs. The AG’s office, using an investigator, found that Healthline deployed more than 118 cookies and pixels on its website associated with third party advertising companies. Healthline sold and shared personal information of California consumers through these cookies and pixels, which it disclosed in its privacy policy. Healthline offered several opt-out mechanisms: a webform, a cookie manager, and support for Global Privacy Control (GPC) signals. However, none of these opt-outs functioned as intended. Even when consumers used all three mechanisms, the site continued transmitting data to third parties, and the cookies and pixels remained active. The failure appears to stem from misconfigured opt-out tools and a lack of testing.
- Processing personal information in violation of the purpose limitation principle. Healthline collected and shared personal information about California consumers along with the diagnosed medical condition articles they were reading through cookies and pixels. The AG’s office characterized this data as sensitive. Consumers were neither clearly informed nor would they reasonably expect their health-related data would be shared for advertising purposes or used by data brokers to build inferences. And because the opt-outs were ineffective, consumers had no meaningful way to limit this processing.
- Selling and sharing personal information with third parties without CCPA compliant contracts. Healthline participated in a contractual framework offered by the advertising industry that binds participants to CCPA contractual requirements. However, Healthline worked with some third party advertising companies that were not signatories to the framework and therefore not bound by the framework. As a result, Healthline’s contracts with those companies did not include the CCPA-required terms, and Healthline did not verify participation or include alternative CCPA-compliant language.
- Deceptive cookie banner. Healthline displayed a cookie banner that claimed consumers could disable advertising cookies. That function did not work, again due to misconfiguration.
Settlement
The AG’s office announced a settlement with Healthline that includes the following requirements:
- Payment of $1.55 million penalty within 30 days
- A prohibition on selling or sharing personal information in combination with information that allows the recipient to determine the consumer is viewing a specific diagnosed medical condition article.
- Before selling or sharing sensitive personal information for advertising purposes, the business must provide notice and offer the right to limit use or disclosure of such information as required by the CCPA. The business is also prohibited from using or disclosing sensitive personal information collected prior to offering this right.
- Implementation and maintenance of a program to assess whether opt-out mechanisms function properly, with results documented in an annual report.
- Annual review of its websites and mobile apps to determine third parties and service providers that receive personal information through tracking technologies, with findings included in an annual report.
- Annual review of contracts with service providers, third parties, and third parties that become service providers upon receiving an opt-out request. Contracts must comply with CCPA requirements.
- For third party contracts, the business must verify that the business does not sell or share the personal information of consumers who have opted out.
- For third parties that become service providers, the business must confirm in writing the signal that triggers the role change.
- If the business relies on an industry contractual framework, it must annually review the list of signatories to verify participation.
- Identification by position of the person(s) responsible for reviewing contracts.
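The allegation above that opt-outs (GPC, cookie manager, webform) did not actually stop data flowing to ad-tech partners, and the settlement's requirement of an ongoing program to assess whether opt-out mechanisms function, both come down to the same test: capture the requests a page makes after a consumer opts out and check whether third-party ad requests still carry data without an opt-out signal. The following is an added example of such a check, not code from Healthline, the AG's office, or the IAB; the hosts, URLs and cookie values are constructed placeholders, and it assumes the publisher passes the IAB U.S. Privacy String as a `us_privacy` query parameter (format `1YYN`: version, notice given, opted out of sale, LSPA covered).

```python
from urllib.parse import parse_qs, urlparse

# Constructed sample values: the ad-tech hosts, URLs and cookies below are
# placeholders for this example, not hosts from the actual investigation.
FIRST_PARTY_HOST = "publisher.example.test"
THIRD_PARTY_AD_HOSTS = {"ads.adtech.example.test", "sync.dsp.example.test"}

def parse_us_privacy(value):
    """Parse an IAB U.S. Privacy String (e.g. '1YYN': version, notice given,
    opted out of sale, LSPA covered). Returns a dict, or None if malformed."""
    if len(value) != 4 or value[0] != "1" or any(c not in "YN-" for c in value[1:]):
        return None
    return {"notice": value[1], "opt_out_sale": value[2], "lspa": value[3]}

def audit_opted_out_capture(requests):
    """Check requests captured AFTER the consumer opted out (GPC on, cookie
    manager set to reject advertising). Each item is (url, request_headers).
    Returns [(host, [reasons])] for third-party ad requests that still carry
    data without a valid opt-out signal; an empty list means the opt-out held."""
    findings = []
    for url, headers in requests:
        parsed = urlparse(url)
        if parsed.hostname not in THIRD_PARTY_AD_HOSTS:
            continue  # first-party or non-ad traffic is out of scope for this check
        reasons = []
        raw = parse_qs(parsed.query).get("us_privacy", [""])[0]
        usp = parse_us_privacy(raw)
        if usp is None:
            reasons.append("no valid us_privacy string on ad request")
        elif usp["opt_out_sale"] != "Y":
            reasons.append(f"us_privacy={raw} does not signal opt-out of sale")
        if "Cookie" in headers:
            reasons.append("identifying cookie still sent to ad host")
        if reasons:
            findings.append((parsed.hostname, reasons))
    return findings

# Constructed capture of one opted-out page view: the browser sends Sec-GPC: 1,
# one partner honors the opt-out string, one ignores it and still gets a cookie,
# and one pixel fires with no privacy string at all.
SAMPLE_CAPTURE = [
    ("https://publisher.example.test/health/ms-newly-diagnosed", {"Sec-GPC": "1"}),
    ("https://ads.adtech.example.test/pixel?us_privacy=1YYN", {"Sec-GPC": "1"}),
    ("https://sync.dsp.example.test/match?us_privacy=1YNN", {"Sec-GPC": "1", "Cookie": "uid=abc123"}),
    ("https://ads.adtech.example.test/beacon?slot=ms", {"Sec-GPC": "1"}),
]

if __name__ == "__main__":
    for host, reasons in audit_opted_out_capture(SAMPLE_CAPTURE):
        print(host, "->", "; ".join(reasons))
```

In practice the capture comes from a browser automation run with GPC enabled and the cookie manager set to reject, repeated on a schedule so the annual report required by the settlement has evidence behind it.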