On July 1, 2025, the California Office of the Attorney General (“AG”) announced that the AG had reached a proposed settlement with Healthline Media LLC (“Healthline”), the publisher of a website that provides medical and health-related information, over alleged violations of the California Consumer Privacy Act (“CCPA”). Under the largest CCPA settlement to date, Healthline will be required to pay a record $1.55 million in penalties and implement a CCPA compliance program, among other requirements.

The AG’s complaint alleged that Healthline violated the CCPA and the California Unfair Competition Law (“UCL”) by:

• Opt-Out of Sale/Sharing: Failing to honor consumer requests to opt out of the “sale” or “sharing” of their personal information by continuing to disclose personal information of such consumers to third parties for targeted advertising purposes.
• Purpose Limitation Principle: Violating the CCPA’s purpose limitation principle, which requires businesses to use personal information solely for the purposes for which the personal information was collected or for another disclosed, compatible purpose. The AG alleged that Healthline shared with third parties the titles of health and wellness-related articles viewed by consumers that could suggest a particular consumer has been diagnosed with a particular disease or medical condition. The AG alleged that Healthline violated the CCPA’s purpose limitation principle by disclosing this information for “two unexpected uses – targeted advertising and third-party inferences based on what a consumer was reading.” The AG alleged that Healthline continued to share such information even for consumers who had opted out of the sale/sharing of their personal information.
• Third-Party Contracts: Failing to include required CCPA contract provisions in its agreements with third-party advertising partners.
• Cookie Consent Banner: Displaying a cookie consent banner that did not disable targeting or advertising cookies in response to a consumer’s preference settings.

The proposed settlement will require Healthline to do the following:

• Honor opt-out of sale/sharing requests, including by ensuring its opt-out of sale/sharing mechanisms work correctly.
• Stop sharing certain health inference data with third parties. The settlement requires Healthline to cease the disclosure of information that can link a consumer to article titles that suggest the consumer has been diagnosed with a disease or medical condition.
• Implement and maintain a three-year comprehensive CCPA compliance program that requires Healthline to do the following:
  • Assess whether the company effectively processes consumers’ opt-out of sale/sharing requests, which assessment must be shared with the AG in an annual report.
  • Conduct an annual review of its website and mobile apps to determine the third parties and service providers with whom it makes available personal information collected through online tracking technologies and document and share the results of the assessment with the AG in an annual report. In connection with this assessment, Healthline also must:
    • enter into CCPA-compliant contracts with such third parties and service providers;
    • for third parties, maintain audit records confirming the required contract language is in place and verifying Healthline does not sell or share the personal information of opted-out consumers to or with such third parties;
    • for third parties that operate as service providers upon receipt of a signal, document details about the signal;
    • describe any sensitive personal information collected through its websites and mobile apps and the purposes for which such information is used and disclosed, and the categories of recipients of the information; and
    • identify, by position, the personnel responsible for reviewing the contracts for compliance.
  • Maintain an accurate privacy policy and online privacy disclosures.

The settlement is pending court approval.