In another settlement of a cookie-related state consumer privacy law enforcement action, California reinforces contract requirements for making personal information available and raises questions about the scope of purpose limitation requirements, especially where the nature of the data and/or its use could run counter to consumer expectations.
On July 1, 2025, the California Office of the Attorney General (OAG) announced a settlement with Healthline, which included the largest CCPA settlement to date – $1.55 million – and many “firsts” for public CCPA enforcement: the first involving a publisher, the first health information-related enforcement action, and the first time the purpose limitation principle has been invoked by California’s (or any other state’s) regulators in a public regulatory enforcement context. This enforcement action came just a week before Connecticut’s attorney general announced an $85,000 settlement under the Connecticut state privacy law, explored in more detail here.
While the high settlement amount and these “firsts” are notable, what is perhaps most notable is that non-compliant cookie management, privacy rights, and contracting practices continue to be low-hanging fruit and a keen focus of regulators, and clearly present risk of regulatory enforcement, reputational harm, and monetary penalties. The case also marks a significant increase in monetary penalties compared with recent enforcement cases against clothing retailer Todd Snyder ($345,178) and a global vehicle manufacturer ($632,500), which focused on similar areas of technical non-compliance. This settlement should therefore be a call to action for all companies to review and, if necessary, update their cookie management, privacy rights, and contracting practices, and other areas of technical compliance with the CCPA and state consumer privacy laws (CPLs), especially as they relate to advertising practices.
Immediately below, we summarize the issues raised by the OAG in the Healthline case, and provide practical takeaways for in-house counsel and privacy professionals to address the issues raised by the OAG. Further below, we provide more details on the factual allegations and alleged violations, and provide insights on what we think can be gleaned from the complaint and the terms of the settlement.
Part I: Practical Takeaways
AG Bonta highlighted four main violations of the CCPA:
1. Failing to opt consumers out of the sharing of their personal information for targeted advertising as a result of both misconfiguring an opt-out mechanism and failing to test whether it worked.
Takeaways:
- Properly categorize cookies and other tracking technologies to ensure they are properly acted upon by your consent management platform (CMP) vendor following an opt-out request. While opt-out rights would typically extend to many advertising vendors, sale and sharing under the CCPA are generally implicated by any vendor or partner that receives or collects data from your online property and that does not qualify as a “service provider.” Unlike in Europe, the analysis turns less on the purpose of the processing than on the recipient’s role (controllership). The analysis is slightly different as between the CCPA and non-CCPA state laws, but disclosures to vendors that provide targeted advertising services or that do not qualify as “processors” often implicate “sale” and/or “targeted advertising” opt-outs.
- Ensure that GPC signals are honored. As of the date of this post, twelve states’ privacy laws require, or will require, companies to honor opt-out preference signals or universal opt-out mechanisms, including the CCPA. Also, do not forget that states like California and Colorado require extending GPC opt-outs to “offline” profiles for known consumers, and have other operational requirements.
- Addressing opt-outs with respect to cookies may not be enough. Third parties collect data on online properties through other technologies and mechanisms such as JavaScript tags, APIs, and SDKs, and effectuating opt-outs as to these activities often requires additional back-end technical work beyond properly categorizing cookies. Of course, companies must also address opt-out rights with respect to “offline” information (that is not collected automatically via tracking technologies) such as email addresses and other information that is shared for advertising and other purposes that implicate sale, sharing, or targeted advertising, a common practice.
- The categorization of a technology by your CMP as “first party” (as opposed to “third party”) is often irrelevant to the categorization analysis. Cookies can be listed as “first party” yet still result in collection by, or sharing with, third parties. Opt-outs need to be applied appropriately to any tools that result in sharing with or collection by third parties, even if they are categorized by your CMP as “first party.” Also, you cannot rely solely on the CMP vendor’s categorization. Even with proper categorization, such that opt-outs are properly applied to vendors implicating sale/sharing/targeted advertising, regulators expect you to have proof of contracts with tech vendors that establish qualification as a service provider / processor or third party, as appropriate (see Takeaway #2 below).
- Test and maintain! “Set it and forget it” does not apply to your privacy compliance program. This is especially true with respect to your CMP and other privacy rights mechanisms. Testing after configuring your CMP, and on a regular cadence thereafter, to ensure that your company is effectuating rights properly is absolutely necessary to avoid non-compliance with privacy laws. There are vendors that provide ongoing testing and potential issue reporting. Testing and maintenance should also include a process for ensuring that new tracking technologies added to your online properties (whether by your company, an agency, or a vendor) are accounted for by your privacy rights mechanisms, as well as scrubbing non-active technologies from your properties. The draft CCPA cybersecurity regulations propose to require this.
2. Failing to maintain CCPA-required contracts with recipients of personal information.
Takeaways:
- Slapping a data processing addendum onto a vendor agreement and calling it a day is not sufficient. Companies’ vendor assessment and/or procurement processes need to assess and account for the vendor’s data processing role and paper it accordingly. Contracts with vendors that qualify as service providers or processors must include language required by the applicable state privacy laws for such data processing roles. Contracts with vendors that qualify as “third parties” under the CCPA must include specific language set forth in Section 7053 of the CCPA regulations, including purpose and use limitations. And, in California, contract inadequacies are more than a violation: they disqualify a vendor from being a service provider or contractor, triggering opt-out rights.
- For companies in the digital advertising ecosystem, the IAB Multi-State Privacy Agreement (MSPA) – which the OAG appears to adopt in the settlement as sufficient for companies meeting their CCPA contracting obligations in advertising technology data transactions, if properly implemented – may be an option. In short, the IAB MSPA helps companies satisfy state privacy law contracting obligations, at least to the extent that the company disclosing personal information and the company receiving personal information are signatories to the IAB MSPA (though, as we discuss further below, the OAG did not discuss the possibility of the IAB Framework’s signal system aiding in compliance following opt-out requests). The complaint and settlement specifically call out Healthline’s relationships with parties that were not MSPA signatories and Healthline’s failure to properly contract with such parties (see above bullet).
- Companies relying on the IAB Framework should check their vendor list against the list of IAB Framework signatories and ensure proper contracting with and treatment of opt-out signals (if applicable) by non-signatories.
3. Violating the Purpose Limitation Principle by sharing sensitive health information with third parties.
Takeaways:
- Publishers that post articles regarding health conditions or that otherwise potentially implicate other sensitive information – such as race/ethnicity, religious beliefs, sex life, sexual orientation, and so on, particularly those that are strongly indicative of sensitive traits (such as the “recently diagnosed” articles implicated in the Healthline case) – should either avoid passing URLs or titles that indicate such potentially sensitive information to third parties or provide consumers with clearer disclosures regarding these practices along with information regarding the applicable privacy rights, which under some state laws may require obtaining consent. Avoiding sending such information may be difficult from a technical and administrative perspective as it may require changing URL or titular nomenclature and/or practices and in some cases, depending on the potential sensitivity of the article or its contents, avoiding certain tracking technologies on certain pages or articles altogether. So, for publishers, titles matter because they get shared to the ad ecosystem. Editorial guidelines could be a way to solve for this problem. Other risk and compliance approaches are available.
- Similarly, advertisers, brands, and retailers may inadvertently (or purposely) collect and/or transmit similar information to third parties, such as information regarding interest in or purchases of health products. Advertisers, brands, and retailers likewise need to implement and maintain defensible processes to prevent the sharing of sensitive information with third parties or, alternatively, to enhance their compliance by beefing up notices regarding the practices and providing appropriate rights which, for some states (e.g., Washington), is challenging or potentially outright prohibited.
4. Deceiving consumers about privacy practices by offering a cookie banner that purported to allow them to disable advertising cookies, but failed to do so.
Takeaways: See #1 above.
Part II: Further Details and Insights
1. Failing to opt consumers out of the sharing of their personal information for targeted advertising
According to the OAG, Healthline implemented what the OAG referred to as the “triple opt-out option”: (1) a webform that users were taken to after clicking “Do Not Sell or Share My Personal Information” that allowed users to “register and exercise their opt-out right”; (2) a tool that “purported to detect when a consumer was signaling the GPC [Global Privacy Control]”; and (3) a consent management platform that allowed users to uncheck a box that allowed targeted/advertising cookies (i.e., opt-out).
During an initial investigation, Healthline provided information to the OAG indicating that approximately 65,000 Californians had opted out, primarily through the use of GPC. The OAG commenced a “more in-depth investigation” after it observed that Healthline continued “to provide personal information to over a dozen third parties involved in online advertising, including the title of the article being read, and continued to set cookies used in targeted advertising” even following the “triple opt-out.”
The OAG’s investigation dove deeper into the advertising and data-sharing practices of Healthline:
- Even after the “triple opt-out,” investigators found online trackers still placed 118 cookies associated with third-party advertising companies, including cookies used to track a person across websites. They also saw internet transmissions to dozens of advertising companies, including transmission of unique identifier cookies. Some of those transmissions included the article title being viewed, such as a webpage for Crohn’s disease treatments, along with the cookie identifier.
- Investigators then reviewed the publicly available documentation for the cookies to confirm their use in targeted advertising. For example, documentation for one cookie explained that it is used “to distinguish between browsers and devices,” helps match the website visitor to “advertising interest segments,” and “help[s] deliver ads to people who have previously visited [our clients’] websites.” This is all cross-context behavioral advertising.
- Investigators also checked the “local storage” of the browser, finding an identifier described as “a next-generation universal identifier that publishers, advertisers, and … platforms can use to recognize users and deliver campaign objectives across different types of devices without relying on traditional identification methods (e.g., third-party cookies and MAIDs).”
- Investigators looked at the online trackers themselves, often referred to as pixels or tags. On one page, they found 82 pixels or other tags associated with advertising companies, even after the triple opt-out. On another page, they found a “cookie sync” pixel, which documentation described as “enabl[ing]” the advertising company “to match your cookies to other partner cookies, mobile devices, [and] proprietary platform IDs,” all to “build a large pool of shared [identifiers].” Again, all this online tracking occurred despite the triple opt-out.
As a result of this fact-finding process – which perhaps should be used by technical and marketing teams as a playbook for understanding what regulators will be looking for – the OAG alleged that Healthline violated the CCPA by “selling and sharing a consumer’s personal information to third parties despite receiving direction from the consumer not to sell or share the data.”
This aspect of the enforcement action demonstrates the importance of doing more than just providing an opt-out option. Businesses must ensure that their cookie management and opt-out processes are configured and function correctly at all times. For more, see the takeaways under #1 above at the top of this blog post.
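The OAG’s fact-finding steps above, together with the title-leakage concern in Takeaway #3 of Part I, can be turned into a repeatable post-opt-out check. The following Python script is an added example, not code from the complaint, from Healthline, or from any CMP vendor. It runs over a constructed, simplified capture of the requests a browser made after the opt-out was exercised (the kind of data a HAR export or a browser automation tool would produce) and flags what the investigators looked for: requests still going to advertising hosts, cookies still being set by those hosts, the article title or URL leaking in query strings or the Referer header, and whether the browser was actually sending the GPC header (`Sec-GPC: 1`). The advertising host list, domain names, article and request data are all made up for illustration.

```python
"""Post-opt-out audit of a captured page load (added example, constructed data).

Replays, over a HAR-like list of request dicts, the checks described in the
OAG complaint: third-party ad requests, third-party cookies still being set,
article title/URL leakage to third parties, and presence of the GPC header.
"""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical advertising hosts for this example. A real audit would use the
# business's own vendor list plus a tracker list.
AD_HOSTS = {"ads.example-dsp.com", "sync.example-ssp.net", "px.example-pixel.io"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for .com/.net/.io here; use a
    public-suffix library in production, where co.uk-style suffixes break this."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def is_third_party(url: str, first_party_host: str) -> bool:
    host = urlsplit(url).hostname or ""
    return registrable_domain(host) != registrable_domain(first_party_host)


def leaks_article(req: dict, article_title: str, article_path: str) -> bool:
    """True if the article title or its path shows up in the request path,
    query string (decoded), or the Referer header sent with the request."""
    split = urlsplit(req["url"])
    haystack = [unquote(split.path), unquote(split.query)]
    for values in parse_qs(split.query).values():
        haystack.extend(unquote(v) for v in values)
    haystack.append(req.get("headers", {}).get("Referer", ""))
    title = article_title.lower()
    return any(title in h.lower() or article_path in h for h in haystack)


def cookies_set_by(req: dict) -> list:
    """Names of cookies set via the response's Set-Cookie headers."""
    names = []
    for header in req.get("response_set_cookie", []):
        jar = SimpleCookie()
        jar.load(header)
        names.extend(jar.keys())
    return names


def audit_post_optout(capture: list, first_party_host: str,
                      article_title: str, article_path: str) -> dict:
    findings = {"third_party_ad_requests": [], "third_party_cookies_set": [],
                "article_leaks": [], "requests_missing_gpc": []}
    for req in capture:
        host = urlsplit(req["url"]).hostname or ""
        if req.get("headers", {}).get("Sec-GPC") != "1":
            findings["requests_missing_gpc"].append(req["url"])
        if not is_third_party(req["url"], first_party_host):
            continue  # first-party requests are out of scope for sale/share
        if host in AD_HOSTS:
            findings["third_party_ad_requests"].append(req["url"])
        for name in cookies_set_by(req):
            findings["third_party_cookies_set"].append((host, name))
        if leaks_article(req, article_title, article_path):
            findings["article_leaks"].append(req["url"])
    findings["opt_out_honored"] = not (findings["third_party_ad_requests"]
                                       or findings["third_party_cookies_set"]
                                       or findings["article_leaks"])
    return findings


# Constructed capture: a health article loaded with GPC on and opt-out exercised.
FIRST_PARTY = "www.example-publisher.com"
ARTICLE_PATH = "/health/crohns-disease/newly-diagnosed-treatment-options"
ARTICLE_TITLE = "Newly Diagnosed with Crohn's Disease: Treatment Options"
CAPTURE = [
    {"url": f"https://{FIRST_PARTY}{ARTICLE_PATH}", "headers": {"Sec-GPC": "1"},
     "response_set_cookie": ["session=abc; Path=/; HttpOnly"]},
    {"url": "https://static.example-publisher.com/app.js",
     "headers": {"Sec-GPC": "1"}, "response_set_cookie": []},
    # Bid request carrying the article title in the query and URL in Referer.
    {"url": "https://ads.example-dsp.com/bid?pid=77&title=Newly%20Diagnosed%20with"
            "%20Crohn%27s%20Disease%3A%20Treatment%20Options",
     "headers": {"Sec-GPC": "1", "Referer": f"https://{FIRST_PARTY}{ARTICLE_PATH}"},
     "response_set_cookie": ["uid=9f3a2c; Domain=.example-dsp.com; Path=/; SameSite=None; Secure"]},
    # Cookie-sync call passing the DSP identifier to an SSP.
    {"url": "https://sync.example-ssp.net/cs?partner=dsp&uid=9f3a2c",
     "headers": {"Sec-GPC": "1"}, "response_set_cookie": []},
    # Pixel fired without the GPC header (e.g. from a tag that strips it).
    {"url": "https://px.example-pixel.io/p.gif", "headers": {}, "response_set_cookie": []},
]

if __name__ == "__main__":
    for key, value in audit_post_optout(CAPTURE, FIRST_PARTY, ARTICLE_TITLE, ARTICLE_PATH).items():
        print(f"{key}: {value}")
```

Run on a real capture, a non-empty `third_party_ad_requests` or `third_party_cookies_set` after opt-out is exactly what the OAG counted as continued “selling and sharing,” and a non-empty `article_leaks` is the purpose-limitation exposure discussed under #2 below; `requests_missing_gpc` is a reminder that a signal your CMP never receives cannot be honored, so the check has to cover every tag on the page, not just the CMP’s own categories.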
2. Violating the Purpose Limitation Principle
The CCPA, like many CPLs, requires that businesses limit the use of personal information to the purpose for which the information was collected or processed, or other disclosed, compatible purposes. (Note: some states, like Maryland, are even stricter.) More specifically, Section 7002 of the CCPA regulations states that the purposes “shall be consistent with the reasonable expectations of the consumer,” which are assessed by factors including the “nature” of the information, the “specificity, explicitness, prominence, and clarity of disclosures,” and the “degree to which the involvement of service providers, contractors, third parties, or other entities in the collecting or processing of [the data] is apparent to the consumer.”
The OAG’s Complaint alleges that the Company’s sharing of article titles constituted “data of a potentially highly intimate nature—article titles suggesting a possible medical diagnosis.” (Emphasis added.) Additionally, according to the OAG, the Company’s privacy policy failed to mention the sharing of these article titles, which prevented the Company from establishing that consumers reasonably expected potential health-related data, particularly diagnosis inferences, could be shared with advertisers.
This marks the first enforcement action based in part on the CCPA’s Purpose Limitation Principle and demonstrates that businesses should ensure they include sufficient disclosures to explain what information is shared. Notably, though the AG noted that even detailed disclosures may still violate the principle if the purpose differs significantly from the consumer’s expectations, the Complaint did not state whether the use of a sufficient disclosure in this case would have avoided the OAG’s action in relation to this issue.
Notably, the OAG did not classify the article titles and URLs – which the OAG labeled “Diagnosed Medical Condition Articles,” defined as articles whose title “indicates the CONSUMER visiting the article has already been diagnosed with a medical condition” – as sensitive personal information in the complaint or the settlement, nor did the OAG specifically allege failure to provide consumers with the “Right to Limit” use and disclosure of sensitive personal information with respect to the article titles and URLs.
The terms of the settlement suggest, however, that the “Diagnosed Medical Condition Articles” are so sensitive – or “intimate,” as put by the OAG – that, to the extent that the OAG considers this information sensitive PI, applying the right to limit sensitive personal information to prior-collected Diagnosed Medical Condition Articles or those collected in the future would not be a sufficient approach. As such, the settlement forbids the Company from selling or sharing personal information “combined with information that allows the recipient to determine that the consumer is viewing a specific DIAGNOSED MEDICAL CONDITION ARTICLE, such as by including the title or URL of the article in the disclosure.” This remedy is provided alongside requirements to (1) disclose in its notice at collection that the Company uses and discloses sensitive personal information for advertising purposes, and provide notice of the right to limit with respect to the same, and (2) not use or disclose any sensitive personal information collected prior to providing a notice of right to limit except as permitted pursuant to Section 7027(m) of the CCPA regulations.
As mentioned above, this is notable for publishers, as well as advertisers, brands, and retailers, that may be transferring potentially sensitive information, or so-called “intimate” information, to third parties for advertising or other purposes, depending on the state law that applies. See the takeaways under #3 above.
3. Failing to maintain CCPA-required contracts
As we have previously highlighted, the CCPA’s third-party contracting requirements have been a focus area for California’s two privacy regulators. This is because the CCPA requires businesses to maintain written contracts that meet specific requirements with recipients who constitute service providers, contractors, or third parties to the business (with differing requirements for each type of recipient). While we understand that many vendors are engaged through insertion orders and click wraps based on standard online terms that are said to be non-negotiable, and which may lack the legally necessary provisions, the CPPA and OAG are unsympathetic and have been very clear about this going back to the first OAG enforcement action resulting in civil penalties (notably also addressing cookie vendors) in 2022, and even before that in inquiries that were quietly quelled. Businesses should be prepared to present a list of service providers / processors and third parties, along with supporting contractual documentation, to regulators upon request. Having this information on hand is also necessary for compliance with obligations under other state laws, such as requirements to provide consumer-specific third-party lists to Oregon and Minnesota consumers upon request.
One of the more notable aspects of the complaint and settlement is that the OAG highlighted the Company’s participation in “a contractual framework” developed by “the online advertising industry.” This is most likely the Interactive Advertising Bureau’s (IAB) CCPA Framework and its Multi-State Privacy Agreement (MSPA). In short, the OAG appeared to endorse the Company’s use of both aspects of the IAB Framework, the signal system and MSPA, for meeting obligations to pass opt-outs to sale/sharing recipients and the CCPA’s contracting requirements with respect to recipients that were signatories to the Framework, respectively.
As to non-signatories of the IAB CCPA Framework, the Company was able to provide the OAG with copies of contracts with advertising technology companies. However, according to the OAG, the contracts did not sufficiently address CCPA requirements. Though other states’ regulators could come to different conclusions regarding this industry solution, the OAG’s complaint and settlement suggest that companies in the digital advertising ecosystem should strongly consider becoming a signatory to and participating in the IAB CCPA Framework. Look for the IAB to offer a simplified MSPA option in 2026, which may increase participation.
4. Deceiving consumers about privacy practices
Finally, the Complaint characterized the Company’s faulty cookie banner as a deceptive trade practice under California’s Unfair Competition Law (UCL). According to the OAG, though the cookie banner purported to provide consumers with an option to disable tracking cookies, because of the banner’s functionality issues such opt-outs were not actually effectuated. Accordingly, the representations made in the cookie management banner constituted deceptive trade practices, subject to additional civil penalties and equitable relief, including disgorgement.
According to the OAG’s complaint, not only were the cookie banner and CMP problems unfair and deceptive practices, but each and every CCPA violation of Cal. Civ. Code §§ 1798.100 (disclosure requirements), 1798.120 (opt-out rights), and 1798.135 (limitation of sale/share) operated as a separate and independent unfair and deceptive practice, essentially a civil penalty multiplier. Because the OAG sought statutory damages under the CCPA in addition to damages for violations of those same provisions under the UCL, the OAG’s complaint sought to “double dip” the damages calculations, which already provide damages on a per-violation basis. Plus, the complaint sought disgorgement of, presumably, all advertising and other revenues related to the violations. This approach to damages shows that the gloves are off and the OAG can, and will, use all of its tools to gain maximum leverage.
It remains to be seen if the CPPA could bring similar UCL claims against businesses in agency enforcement actions. Although California courts have recently approved of associational standing to bring such claims, governmental enforcement authority is derived from a separate part of the statute, which, until courts say otherwise, appears limited to the Attorney General, district attorneys, or county counsels authorized by district attorneys to enforce county ordinances. The law does, however, contemplate actions by prosecutors “upon the complaint of a board…,” which may include the CPPA board.
As noted, the OAG also sought disgorgement penalties under its authority under Cal. Gov’t Code § 12527.6. Though the Complaint does not specify what profits are subject to such disgorgement remedies, if the OAG can seek disgorgement of advertising revenues, businesses risk significant penalties for purported violations of the UCL. This is a game-changing move and should cause companies that have concluded dealing with enforcement is less burdensome than investing in robust compliance to recalculate the cost-benefit analysis associated with privacy compliance.
The OAG also sought to recover the costs of the suit, presumably under California’s fee-shifting statute, Cal. Code Civ. P. § 1032. More leverage for settlement.
While these types of requested penalties have not appeared in every privacy enforcement action instituted by the OAG, some high-profile CCPA enforcements have included the proposed remedies. The point, however, is that California has the ability to extract GDPR-sized privacy penalties. Other states do as well, as Texas has demonstrated with jaw-dropping privacy settlements with big tech (more detail here and here).
Conclusion
This case demonstrates the need for businesses to review the functionality of their consent management platforms, and other consumer rights request programs, and ensure they are working according to state privacy law requirements, and as intended. Additionally, businesses must make sure their privacy policies contain disclosures that sufficiently explain how personal information may be used and should even consider more robust “just-in-time” notices regarding processing of personal information that may not be expected by consumers. Finally, companies must be aware that contracting requirements remain an important focus area for CCPA enforcement and that applying data protection addenda blindly without considering the role or processing activities of the vendor or data recipient presents material risk. Also notably, it appears that the OAG has tacitly approved the IAB MSPA for companies in the digital advertising ecosystem that are signatories, and companies that have been waiting for such a signal should now consider participation. The IAB also has an adtech vendor due diligence platform that is gaining traction and can be a useful tool to aid compliance efforts.