On July 1, 2025, California Attorney General Rob Bonta announced a settlement with Healthline Media LLC stemming from alleged violations of the state’s consumer privacy law, the California Consumer Privacy Act (CCPA). According to the complaint, Healthline’s privacy practices failed to comply with several core CCPA requirements.
Opt-Out Mechanisms
Under the CCPA, California residents have the right to opt out of the sale or sharing of their personal information for targeted advertising. However, according to the complaint, when the California Attorney General’s office tested the Healthline website’s opt-out mechanisms in 2023, the mechanisms failed to prevent data from being transmitted to third parties. Even after visitors opted out through the site’s cookie preference center, the site allegedly still placed over 100 cookies tied to third-party advertisers.
The Purpose Limitation Principle
The complaint further raises concerns under the CCPA’s purpose limitation principle, which prohibits businesses from using personal data beyond the purposes for which a consumer provided it and the uses the consumer would reasonably expect. In this case, the Attorney General argues that users visiting Healthline for medical information did not reasonably expect that their health-related activity, such as reading about Crohn’s disease, would be shared with advertisers.
The complaint asserts that Healthline transmitted information including article titles and cookie identifiers to third parties. Healthline’s privacy policy reportedly did not disclose this type of sharing. One investigator for the Attorney General reportedly began receiving ads for Crohn’s disease and IBS-related medications after viewing a Crohn’s disease page. When that same individual later requested his consumer data from a data broker, his profile allegedly included references to Crohn’s disease. The Attorney General suggests that article titles shared with third-party advertisers, particularly those about specific diagnoses, could effectively reveal sensitive health information about an individual, especially when paired with cookie identifiers.
The stipulated judgment in the settlement defines a “diagnosed medical condition article” as “an article with a title or URL that indicates the consumer visiting the article has already been diagnosed with a medical condition.” This language echoes reasoning from the now-invalidated December 2022 Department of Health and Human Services (HHS) Guidance Bulletin, which asserted that IP addresses collected on health-related websites could constitute individually identifiable health information (IIHI). Although a Texas federal district court ruled in June 2024, in American Hospital Association v. Becerra, that HHS exceeded its authority in adopting that definition of IIHI, the California Attorney General’s complaint appears to embrace a similar rationale in its own definition of covered articles under this settlement.
Contractual Provisions
The CCPA also requires that businesses entering into arrangements involving the sale or sharing of personal information for targeted advertising have a written contract in place with the third party. These contracts must list the limited and specific purposes for which the data may be used. According to the complaint, Healthline’s agreements with third-party recipients of advertising data used broad terms like “any business purpose” and “internal use,” which the Attorney General alleges fall short of statutory requirements.
This settlement sends a clear message: digital tracking and ad tech practices must align with CCPA’s evolving interpretation, especially where sensitive information like health data is involved.
Key Takeaways
1. Validate and Monitor Opt-Out Mechanisms: Conduct regular testing of your website’s cookie banners and opt-out tools to confirm that no personal data, including cookie IDs, is transmitted to third parties after users opt out.
2. Re-Evaluate How You Handle Sensitive Web Activity: Treat content consumption related to health, finances, or personal conditions as potentially sensitive, even if the data doesn’t squarely fit under a particular law or regulation.
3. Review Purpose Limitation Compliance: Align all data collection and sharing practices with what consumers would reasonably expect based on their interaction with your platform.
4. Tighten Contractual Language with Ad Tech Vendors: Make sure that contracts with third parties specify limited, explicit purposes for data use and contain CCPA-required terms, including obligations around deletion, access, and use restrictions.
Conclusion
This enforcement action underscores CCPA’s reach into digital health privacy and ad tech practices. It also signals a continued regulatory interest in treating certain combinations of web activity and metadata as health data, even in the absence of traditional medical records. For businesses—particularly those handling sensitive categories of data—it’s a timely reminder to conduct their “preventative care” for CCPA compliance, including auditing opt-out functionality, drafting accurate privacy policies, and reviewing contracts with vendors for privacy measures.