With the current patchwork of state privacy laws, it was just a matter of time before state regulators teamed up to tackle privacy enforcement on a broader basis. That moment seems to have arrived, as attorneys general from California, Colorado, and Connecticut, plus the California Privacy Protection Agency, announced a joint investigative sweep.
According to the announcement, the states will be focusing on how businesses handle browser-based opt-outs in response to the Global Privacy Control (GPC) signal.
Global Privacy Control is a browser signal that allows consumers to automatically submit a request to opt out under data privacy laws. When a website detects the GPC signal, it should opt the consumer out of any data selling and/or targeted advertising, to the extent those activities are associated with a particular browser or device. This is most commonly accomplished by setting a privacy string in accordance with standards like the Global Privacy Platform.
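The following JavaScript is an added example, not code from this article or from any vendor, showing one way a server could detect the signal and suppress sale and targeted-advertising tags for that browser. The `Sec-GPC` request header comes from the GPC specification; the consent-record shape, purpose labels, and tag names are assumptions made for illustration, and encoding the result into a Global Privacy Platform string is left to the consent platform.

```javascript
// Added example: server-side handling of the Global Privacy Control signal.
// Sec-GPC is the header from the GPC specification; the consent record,
// purpose labels and tag names are assumptions for illustration only.

// True only when the request carries a valid GPC signal ("Sec-GPC: 1").
// Header names are matched case-insensitively; any other value is ignored.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Merge the GPC signal into a stored consent record. GPC can only add an
// opt-out; its absence never reverses an opt-out the consumer already made.
function applyGpc(consent, headers) {
  const gpc = hasGpcSignal(headers);
  return {
    saleOptOut: Boolean(consent.saleOptOut) || gpc,
    targetedAdsOptOut: Boolean(consent.targetedAdsOptOut) || gpc,
    source: gpc ? "gpc" : consent.source || "none",
  };
}

// Decide which third-party tags may be rendered for this request.
function allowedTags(tags, consent) {
  return tags.filter((t) => {
    if (t.purpose === "sale" && consent.saleOptOut) return false;
    if (t.purpose === "targeted_ads" && consent.targetedAdsOptOut) return false;
    return true;
  });
}

// Constructed sample data (not taken from any real site).
const SAMPLE_TAGS = [
  { name: "analytics-first-party", purpose: "analytics" },
  { name: "ad-retargeting-pixel", purpose: "targeted_ads" },
  { name: "data-broker-sync", purpose: "sale" },
];

// Compare the tags served with and without the signal present.
function demo() {
  const withGpc = applyGpc({}, { "Sec-GPC": "1", "User-Agent": "test" });
  const without = applyGpc({}, { "User-Agent": "test" });
  return {
    withGpc: allowedTags(SAMPLE_TAGS, withGpc).map((t) => t.name),
    without: allowedTags(SAMPLE_TAGS, without).map((t) => t.name),
  };
}
```

Running the same comparison against a staging site with a GPC-enabled browser is a quick way to confirm that no sale or targeted-advertising tag still loads once the signal is present.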
A growing number of states (including CA, CO, and CT) require businesses to respect the GPC signal as part of their privacy compliance. This requirement has already played a part in CCPA enforcement cases against Sephora, Todd Snyder, and Healthline.
Businesses may be forgiven for dragging their feet on privacy compliance for the first year or two since U.S. states began passing data privacy laws; enforcement was rare, and in many cases they were allowed a 30-day cure period. That is no longer the case.
In 2025 alone, California authorities have handed out over $2,500,000 in privacy fines for violations of the CCPA. There were no cure periods granted. It should also be noted that each of those businesses already had a privacy compliance strategy in place and was fined anyway for not meeting the state’s exacting standards. Connecticut has also joined in on the enforcement game.
At this point, several years on, companies that have made only a minimal effort or no effort at all to be privacy compliant (failing to implement GPC opt-outs, for example) should expect no leniency from regulators.
Even as enforcement ramps up, privacy compliance is becoming more and more complicated. New states pass their own laws, and existing statutes are being amended regularly. Keeping up with it all is a full-time job, and many businesses don’t have the resources or expertise to manage it in-house.
TrueVault helps businesses of all sizes get privacy compliant in as little as a few days, and stay that way for years to come. Using our guided workflows and automated integrations, you can quickly create a data map, publish privacy notices, be prepared to handle consumer requests, and more. Anyone can do it—no legal background required. Best of all, as new state laws are passed or old laws are amended, those changes are incorporated into your privacy dashboard at no extra cost!
Contact our team today to learn how TrueVault can help your business get compliant.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.