CALIFORNIA RAISES THE STAKES: AG Bonta Announces – Largest Ever – $1.55 Million Settlement With Healthline For Using Website Tracking AdTech In Violation Of The CCPA
Wednesday, July 2, 2025

On July 1, 2025, California Attorney General Rob Bonta announced a $1.55 million settlement with Healthline Media LLC, resolving alleged violations of the California Consumer Privacy Act (CCPA) and the Unfair Competition Law caused by use of tracking technology on its website, Healthline.com. Currently pending court approval, this settlement is poised to be the largest CCPA enforcement penalty to date, surpassing the $1.2 million Sephora settlement in 2022.

But even more significant than the monetary penalty is the broader message this settlement sends: website publishers, especially those operating in sensitive verticals like healthcare, are now firmly in the privacy enforcement spotlight.

Notably, Healthline does not solicit diagnostic or medical information from consumers and is not a “healthcare provider” subject to specific medical privacy laws. Instead, Healthline earns revenue by featuring advertisements, including targeted ads, on its website next to informational health and wellness articles. In its privacy policy, Healthline discloses its use of third-party trackers to process personal information for targeted advertising.

What Healthline Did Wrong

1. Ignoring Consumer Opt-Outs

The CCPA gives consumers the right to opt out of the sale or sharing of their personal information for targeted advertising, including by enabling an Opt-Out Preference Signal, such as the Global Privacy Control (GPC), to exercise their opt-out rights.

Healthline implemented several mechanisms that purported to allow consumers to exercise their opt-out rights, including a link at the bottom of their website titled “Do Not Sell or Share My Personal Information.”

Healthline also used a “cookie banner” to ask consumers to “accept” Healthline’s privacy policy.

If a consumer clicked the “More information” link, Healthline showed them a screen regarding “Targeting / Advertising cookies,” which allowed consumers to uncheck a box that allowed the targeted/advertising cookies.

According to Healthline, approximately 65,000 Californians opted out, primarily through the GPC. But, as per the Complaint, even after the “triple opt-out” with all three mechanisms described above, Healthline continued to provide personal information to over a dozen third parties involved in online advertising, including by placing 118 cookies and 82 pixels or other tags associated with third-party advertisers on its website.

2. Violating the “Purpose Limitation” Principle

Under the CCPA, a business’s use of personal information is limited to the purposes for which the information was collected or processed, or another disclosed, compatible purpose that is consistent with reasonable expectations of the consumer.

The Complaint alleges that Healthline shared highly sensitive consumer data, including article titles suggesting a possible medical diagnosis, with unseen advertisers and their vendors. For example, one State investigator tested a Crohn’s disease webpage and then received ads for drugs that treat Crohn’s disease. Similarly, article titles or descriptions on Healthline’s website suggested that a person had already been diagnosed with a serious disease, including titles like “The Ultimate Guide to MS for the Newly Diagnosed” and “Newly Diagnosed with HIV? Important Things to Know.”

Although Healthline’s privacy policy mentioned targeted advertising briefly, it did not specifically mention sharing article titles. According to the Complaint, Healthline could not establish that consumers reasonably expected that Healthline would share potentially health-related data.

3. Inadequate Vendor Contracts and Oversight

The CCPA requires businesses that sell personal information or share it for certain personalized advertising purposes to have a written contract with the recipient that lists the “limited and specified purposes” for which the data may be used, and the contract must impose other protections for consumers’ data required by the law.

The Complaint alleges that several online advertising companies that received personal information from Healthline did not have the requisite contracts in place. Additionally, the contracts that were in place did not contain CCPA-mandated terms, such as one contract that said the recipient could use data for “any business purpose,” rather than listing the limited and specified purposes for using personal information.

Under the CCPA, Healthline can be liable for advertising companies’ later sales or improper uses of personal information, even when it communicated that a consumer had opted out of sales or sharing. A recipient of an opted-out consumer’s data is prohibited from later selling that data and can only use it for certain limited purposes. However, Healthline’s contracts with advertising companies failed to effectively address this requirement.

Given the lack of concrete contractual terms, the Complaint also states Healthline should not be able to rely on the CCPA’s safe harbor provision, which limits a business’s liability when it communicates a consumer’s opt-out. This is because a business must not have a “reason to believe” that a recipient will further sell data or use it for an improper purpose. But in Healthline’s case, certain contracts expressly allowed the recipient to sell or share consumers’ data or use it for nearly any purpose.

4. Deceptive Privacy Practices

The Unfair Competition Law prohibits deceptive business practices. The Complaint alleges that Healthline deceived website visitors by offering a cookie banner that purported to allow them to disable advertising cookies but failed to do so.

Proposed Settlement

The proposed settlement includes not only a civil penalty of $1.55 million, but also injunctive relief aimed at long-term structural changes. If approved, Healthline will be required to ensure compliance with opt-out mechanisms, refrain from transmitting data that allows the recipient to determine if a consumer has already been diagnosed with a medical condition, and review and update all contracts to explicitly restrict data use in line with CCPA requirements.

The settlement envisions a 3-year program to assess and monitor whether Healthline is complying with its data privacy obligations, with annual reports to document its implementation of the settlement terms.

Key Takeaways for Website Publishers

• Test and verify opt-out functionality regularly. It’s not enough to offer a “Do Not Sell/Share” link or claim GPC support. Regulators are looking beyond the language of privacy policies or disclosures and running sophisticated technical reviews.

• Review what metadata you’re transmitting. If your site collects and/or shares health, finance, or other sensitive data, pay close attention to whether URLs or page titles contain protected personal information – and whether that data is visible to third parties.

• Fix broken cookie banners. If a user clicks “Reject” or “Opt Out,” tracking technologies should actually stop firing. Any mismatch between banner language and actual behavior creates enforcement risk.

• Update and enforce vendor agreements. Contracts must explicitly require CCPA compliance, including honoring GPC and limiting data use to specific purposes. Publishers should also conduct periodic audits of vendor behavior.

This action underscores that businesses cannot simply rely on third-party vendors to fulfill privacy obligations. Instead, they must implement their own guardrails and regularly verify that those systems are working in practice. As the Complaint summarizes:

“Businesses’ over-reliance on vendors, outdated boilerplate contracts, and deprecated privacy signals can result in violations of the law, leading to substantial penalties. Borrowing the old phrase, businesses should trust—but verify—that their privacy compliance measures work as intended.” 

Businesses would be wise to move beyond checkbox compliance and treat technical enforcement as a core privacy obligation.


More from Troutman Amin, LLP
