California handed a $1.5M penalty to Healthline for CCPA violations based on how it handled ad data. Find out what happened and how to avoid a similar fate.
In the third CCPA enforcement action so far in 2025, California Attorney General Rob Bonta announced a large settlement with Healthline Media, publisher of the popular health information website Healthline.com. The media company has agreed to pay $1,550,000 for alleged violations of the California Consumer Privacy Act and the state’s unfair competition law.
The result of an investigation going back as far as late 2023, the state’s allegations center around Healthline’s advertising practices, with specific attention paid to opt-outs. Notably, it is the first such case involving an ad publisher.
Here’s what we learned from the California AG’s case against Healthline Media.
Healthline.com is a popular website that publishes articles on medical, health, and wellness topics. It uses ad tech vendors to display ads to its visitors and also shares information with ad networks about the pages that consumers visited. These practices amounted to selling and/or sharing consumers’ personal information, triggering consumers’ right to opt-out.
Accordingly, Healthline included a “Do Not Sell or Share My Personal Information” link in its website footer, configured its site to detect the Global Privacy Control signal, and offered an opt-out cookie banner where users could disallow advertising and targeting cookies. Despite all this, the AG’s investigation found that even with all three opt-outs active, the website continued to send personal information to ad networks, where it was later used to serve ads to the investigator’s devices.
Healthline appears to have been depending on the U.S. Privacy String to effectuate its opt-outs. This is a standard (now deprecated and replaced by the Global Privacy Platform) developed by the Internet Advertising Bureau that communicates the consumer’s opt-out to downstream recipients and instructs them to process the data as service providers. The problem is that Healthline assumed that all of its ad vendors had signed on to respect this system, but in reality many of them had not.
This should serve as a big wake-up call to businesses that rely exclusively on the U.S. Privacy String, Global Privacy Platform, or other frameworks for their opt-outs. They must confirm that all of their ad vendors have agreed in writing to respect the opt-out mechanism they are using. These agreements could be either a direct contract with the business or via industry frameworks such as that offered by the IAB.
Businesses should also strongly consider blocking ad trackers altogether when they receive an opt-out request. Most importantly, whatever opt-out solution they use, businesses should confirm that it actually works, because they will be held responsible for it.
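The gating and verification described above can be sketched as follows. This is an added example, not Healthline's or TrueVault's code: the vendor registry, host names, and the `signedOptOutTerms` and `strict` fields are hypothetical, and the recorded session is constructed.

```javascript
// Added example. Vendor names, hosts and flags below are constructed.
const VENDORS = [
  { name: "adnet-a", host: "tags.adnet-a.example", adTech: true, signedOptOutTerms: true },
  { name: "adnet-b", host: "px.adnet-b.example", adTech: true, signedOptOutTerms: false },
  { name: "cdn", host: "static.publisher.example", adTech: false, signedOptOutTerms: false },
];

// Any single opt-out channel is enough; they are not cumulative.
function isOptedOut({ secGpc, navigatorGpc, doNotSellCookie, bannerAdsAllowed }) {
  return secGpc === "1" || navigatorGpc === true ||
         doNotSellCookie === true || bannerAdsAllowed === false;
}

// IAB U.S. Privacy String: version, notice given, opt-out of sale, LSPA covered.
function usPrivacyString(optedOut, lspaCovered) {
  return `1Y${optedOut ? "Y" : "N"}${lspaCovered ? "Y" : "N"}`;
}

// Decide per vendor. strict=true blocks every ad-tech tag on opt-out;
// otherwise only vendors with written opt-out terms load, with the string.
function planTags(signals, vendors, { strict = false, lspaCovered = false } = {}) {
  const optedOut = isOptedOut(signals);
  const plan = { optedOut, usPrivacy: usPrivacyString(optedOut, lspaCovered), load: [], blocked: [] };
  for (const v of vendors) {
    const block = optedOut && v.adTech && (strict || !v.signedOptOutTerms);
    (block ? plan.blocked : plan.load).push(v.name);
  }
  return plan;
}

// Verification step: compare hosts seen in a recorded session against the plan.
function auditRequests(plan, vendors, observedHosts) {
  const blockedHosts = new Set(
    vendors.filter((v) => plan.blocked.includes(v.name)).map((v) => v.host));
  return observedHosts.filter((h) => blockedHosts.has(h.toLowerCase()));
}

// Constructed session: GPC is on, yet a request to adnet-b was recorded.
const plan = planTags({ secGpc: "1", bannerAdsAllowed: true }, VENDORS);
const leaks = auditRequests(plan, VENDORS,
  ["static.publisher.example", "tags.adnet-a.example", "px.adnet-b.example"]);
console.log(plan, leaks);
```

A non-empty result from `auditRequests` means a tag that should have been suppressed still fired, which is the condition the investigator observed with all three opt-outs active.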
Healthline has various articles with titles like “Newly Diagnosed with [a disease], Now What?”, and the fact that a consumer has visited one of these pages strongly suggests that they may have been diagnosed with whichever disease they were reading about. These page titles were shared with advertising vendors, and the state’s investigator reported receiving advertisements related to a specific disease not long after reading an article about it on Healthline.com.
The Attorney General’s Office alleged that using this personal information for advertising purposes violated the CCPA’s “purpose limitation principle.” This principle states that businesses may only use personal information for disclosed purposes that are compatible with the context in which they were collected.
Healthline’s privacy policy did disclose that it used consumers’ browsing behavior for the purpose of targeted advertising. Owing to the potentially sensitive nature of this data, however, the state determined that the disclosure was not enough, and Healthline must cease this practice.
The proposed settlement states that if, in the future, Healthline uses consumers’ sensitive personal information for advertising purposes, it must offer them a way to request to limit the use and disclosure of that data. Presumably such limitation would mean no longer using the sensitive personal information for advertising.
The California Privacy Rights Act introduced a new contract requirement to the CCPA when it went into effect in 2023. Under section 1798.100(d) of the CCPA, businesses may only disclose data to service providers, contractors, and any third parties to whom they sell or share personal information if they have a written agreement that contains the following provisions:
The 100(d) contract requirements have not received much attention, but it’s clear from this case and the CPPA’s recent settlement with Honda that regulators are taking them seriously.
After years of ramping up, CCPA enforcement is in full swing and the days when businesses could say “Meh, they’re not really enforcing it” are over. We should all expect to see a steady supply of these cases going forward.
California regulators aren’t giving a lot of second chances, either, and as the Healthline case demonstrates, even businesses that have made an effort to be compliant can still be hit with huge fines. The time to get compliant is now.
TrueVault offers the tools to help businesses avoid the expense and reputational damage of being targeted for privacy enforcement. These tools include:
Contact our team to see how TrueVault can help your business get compliant quickly and affordably.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.