On July 1, 2025, the California attorney general (AG) announced a $1.55 million settlement (pending court approval) with Healthline Media, LLC (Healthline), which publishes Healthline.com, a health information website. This settlement marks the regulator’s continued focus on online tracking technologies for targeted advertising and the effectiveness of consumer opt-out systems. Importantly, this is the first U.S. regulatory privacy enforcement action where a company is fined for disclosing inferred sensitive personal information, rather than sharing explicit health information.
Pursuant to the proposed final judgment, Healthline is also required to:
- Implement a program to monitor its processing of consumers’ requests to opt out of sale and sharing, as well as consumers’ requests to limit the use of their sensitive information. Healthline must publish an annual report describing any problems encountered with consumer opt-out and limiting requests and the steps taken to remediate such problems.
- Conduct an annual review of its website and mobile app to determine the third parties and service providers to whom it makes consumers’ personal information available through online tracking technologies. For the next three years, Healthline must publish a report providing details of the specific personal information shared and how it transmits opt-out signals to third parties to advise them to process such data as service providers.
State investigators identified the following ways that Healthline’s data practices failed to comply with the California Consumer Privacy Act (CCPA).
Misconfiguring Opt-Out Mechanism and Ignoring Consumer Opt-Out Requests for Selling and Sharing Personal Information
Under the CCPA, consumers have the right to opt out of the sale or sharing of their personal information for targeted advertising. Websites must honor these requests, including universal opt-out signals like the Global Privacy Control (GPC), to stop personal information from being shared with third-party advertisers. Healthline, however, continued transmitting consumers’ personal information to advertising partners even after these consumers opted out using automatic tools the company provided. Healthline’s opt-out mechanism was misconfigured and did not actually halt the downstream sharing of identifiers and browsing data for ad targeting. This practice effectively ignored consumers’ CCPA rights by permitting behavioral advertising to proceed after consumers exercised their opt-out rights.
Using Inferred Sensitive Health Data for Targeted Advertising
CCPA’s purpose limitation principle limits a business’s use of personal information to the purposes disclosed at collection or other compatible purposes. The California AG determined Healthline violated this principle by sharing the titles of articles that users read – some strongly suggesting a diagnosed medical condition – with third-party advertisers. The AG noted that Healthline’s privacy policy never mentioned sharing article titles, and that an average consumer would not expect such information to be shared when reading a health article. Thus, using such data to retarget ads goes beyond the scope of the disclosed purposes, contravening the CCPA’s purpose limitation requirements.
Lacking Required Contractual Protections with Third Parties
The California AG also determined that Healthline failed to establish CCPA-required privacy protections in its contracts with the third-party advertising partners receiving consumer personal information. The CCPA mandates that if a business discloses personal information to service providers or other third parties, it must have a contract in place that includes specific provisions to safeguard the personal information (for example, limiting how the recipient can use or further disclose the information). Investigators found that Healthline had not put these mandated clauses in place. Instead, Healthline assumed that its advertising partners adhered to a standard industry privacy framework without verifying the partners’ data practices. By sharing consumer personal information without proper contractual restrictions, Healthline allowed third parties to use the data for their own purposes, effectively treating the data sharing as a sale and failing to protect consumers’ information as the law requires.
Deceptive and Misleading Consent Banner
In addition to CCPA violations, the California AG also noted that Healthline’s website interface misled consumers about their privacy choices: it displayed a cookie consent banner suggesting that users could opt out of targeting online trackers, but the banner did not stop tracking technologies from running. The AG characterized this as a deceptive business practice in violation of California’s Unfair Competition Law because it gave users a false sense of control over their personal information.
Potential Implications for Businesses
This enforcement action highlights the growing scrutiny of online tracking and adtech practices under the CCPA. Healthline’s case sends a message that setting up a cookie banner or assuming partners handle data appropriately is not enough. Companies must proactively align their external privacy interfaces with functional controls so consumers may easily exercise their choices, and must ensure that their data flows and third-party data sharing agreements comply with the CCPA. In particular, businesses (especially in sensitive sectors like health-related industries) should be mindful of disclosing and processing personal information that reveals, or permits inferences about, information of a sensitive nature. Using personal information in a way consumers would not expect – such as sharing content that may reveal health conditions for advertising – might give rise to regulatory enforcement actions.