The California Attorney General (AG) has announced a landmark $1.55 million settlement with Healthline Media LLC (Healthline), which operates a health information website. The settlement marks the largest fine to date in an enforcement action brought under the California Consumer Privacy Act (CCPA).
Key Takeaways:
- Businesses must do more than simply implement cookie banners, Global Privacy Control (GPC) signal recognition and other opt-out mechanisms. They must confirm that these mechanisms actually work. Misconfigured cookie banners, ineffective opt-out buttons or non-functional GPC detection tools can lead to liability.
- The AG is taking the principle of “purpose limitation” seriously, particularly where health-related information is at issue. Disclosing personal information for purposes that are not clearly explained to or reasonably expected by consumers may violate the purpose limitation principle of the CCPA. See Cal. Civ. Code § 1798.100(c). Vague or incomplete privacy policies may invite scrutiny from enforcement bodies. Collection and disclosure of health data or other sensitive categories of data may also invite such heightened scrutiny.
- Regulators are laser-focused on the contracting practices of businesses. Raising concerns similar to those in the California Privacy Protection Agency’s recent action against American Honda Motor Co., Inc., the AG faulted Healthline for failing to enter into CCPA-compliant agreements with advertisers. Businesses can mitigate the attendant risk by (1) understanding and documenting the third-party recipients of personal information and (2) ensuring compliant contracts are in place.
In the complaint, the AG alleged that Healthline unlawfully disclosed personal information to advertisers without honoring consumers’ opt-out requests. The AG’s investigation revealed that although Healthline had implemented three opt-out mechanisms (a “Do Not Sell or Share My Personal Information” link, a cookie banner and GPC signal detection), these mechanisms were misconfigured and ineffective. Even after consumers exercised all three opt-out options, Healthline continued to disclose personal information to third parties for targeted advertising. Additionally, the AG alleged that Healthline failed to enter into or maintain CCPA-mandated contractual provisions with third-party advertisers. Rather, the AG alleged, “Healthline had assumed, but not verified, that the third parties had agreed to abide by an industry contractual framework.”
Alongside typical personal identifiers such as those contained in cookies, Healthline allegedly disclosed to advertisers the titles of health-related articles indicating consumers’ diagnosed health conditions (e.g., “The Ultimate Guide to MS for the Newly Diagnosed” or “Newly Diagnosed with HIV? Important Things to Know”). While Healthline’s privacy policy included a general disclosure that users’ information would be used for targeted advertising, it failed to specify that article titles revealing health information would be disclosed to third parties and used for these purposes. The AG alleged that this violated the CCPA’s “purpose limitation” principle, which restricts businesses’ use of personal information to the purposes for which it was collected, or to other purposes consistent with consumers’ reasonable expectations. According to the complaint, consumers could not reasonably anticipate sensitive, health-related personal information being shared with third parties for targeted advertising.
Along with the monetary penalty, Healthline must stop selling or “sharing” information that links consumers to articles indicating a diagnosed medical condition. Healthline must also implement a compliance program to monitor opt-out functionality and audit contracts to ensure they include CCPA-mandated privacy protections. The company is also required to submit annual reports to the AG’s office for three years.