
CCPA compliance in the health sector: Lessons from the Healthline enforcement action


The California Attorney General announced a $1.55 million settlement with Healthline Media, LLC in connection with cross-context behavioral advertising resulting from the purported failure of opt-out mechanisms, improper sharing of health-related data with third parties, and inadequate third-party data-sharing contracts. In addition to the monetary penalty, the settlement requires Healthline to provide clear consumer notices, confirm it is honoring opt-out requests, and limit its sharing of health information. This case signals increased regulatory scrutiny of digital health platforms and publishers of health-related content, a broader interpretation of health-related data under the California Consumer Privacy Act (CCPA), and a growing emphasis on vendor accountability and the functionality of consent tools.

California Attorney General Rob Bonta (“AG”) announced a $1.55 million settlement with Healthline Media, LLC (“Healthline”) on July 1, 2025. Healthline is a digital health and wellness publisher that provides health content and lifestyle guidance through platforms such as Healthline.com. This marks the largest fine to date under the CCPA and underscores heightened regulatory focus on the data-handling practices of digital health platforms and health-related publishers. The main allegations against Healthline were:

  1. Ineffective Opt-Out Mechanisms: Healthline offered multiple opt-out options, including a “Do Not Sell or Share My Personal Information” link, Global Privacy Control (GPC) detection, and a cookie-consent banner, but allegedly misconfigured one of them and failed to test whether it worked. As a result, Healthline continued to provide personal information, including unique identifiers and browsing data, to more than a dozen third parties even after users had opted out.
  2. Improper Disclosure of Health Diagnosis Information: Healthline, in violation of the CCPA’s purpose limitation principle, shared article titles that the AG indicated could be used to infer a user’s health diagnosis to target advertising to the consumer. Examples of such titles were “The Ultimate Guide to MS for the Newly Diagnosed” and “Newly Diagnosed with HIV? Important Things to Know.” The AG concluded that these disclosures went beyond user expectations or awareness, despite arguably being covered by high-level descriptions in Healthline’s privacy policy. The AG distinguishes these from general interest articles that are not necessarily indicative of the user having been diagnosed with a particular condition.
  3. Failure to Maintain Sufficient Contracts Required by the CCPA: The AG also concluded that Healthline did not ensure that its advertising contracts contained the privacy protections the CCPA requires for “sales” or “sharing” of personal information. Rather than verifying compliance, the company apparently assumed that recipients adhered to standard industry frameworks and did not confirm or enforce the required contractual safeguards.
  4. Deceptive Privacy Controls: The AG asserted that Healthline’s cookie-consent banner misled users by suggesting that opting out would disable behavior-tracking cookies when, in reality, such tools remained active. The California AG stated that users were given a false impression of control while their data continued to be collected and shared.

In addition to the landmark fine, the settlement agreement imposed the following injunctive provisions: (1) Healthline must notify consumers when it sells or shares their personal information—such as through online tracking—and must honor opt-out requests; (2) Healthline may not sell or share personal information in a way that reveals a consumer is viewing a specific article about a diagnosed medical condition, unless an exemption under the CCPA applies; and (3) if Healthline uses or discloses consumers’ sensitive personal information for advertising, it must provide clear notice of this use, inform consumers of their right to limit such use, and may not use sensitive data for such purposes before that notice has been provided—unless permitted by law—and offer required opt-out links.

It’s noteworthy that the last of these provisions focuses on sensitive personal information despite the AG never explicitly calling the health-related browsing data at issue sensitive personal information. This settlement may indicate that the California AG is starting to view health-related information with additional sensitivity under the CCPA, even if it does not satisfy the definition of “sensitive personal information” under the CCPA (which would trigger specific rights and compliance obligations). It is unclear if this will lead to a broader interpretation of this type of health-related data as sensitive personal information, potentially to include a visit to a health diagnosis-related webpage, similar to Washington’s My Health My Data Act, or if the CA AG’s approach is limited to the facts of this case. What seems more clear is that this settlement is part of a trend in regulator focus on health-related sites and services, including their sharing of consumer data for advertising and the effectiveness of privacy controls such as opt-out mechanisms and cookie banners.

In light of these developments, companies with health-related websites may consider the following practices going forward:

  1. Audit and Test Opt-Out Mechanisms: Regularly verify that every opt-out path, including the “Do Not Sell or Share” link, GPC signal handling, and the cookie banner, actually stops downstream transmission of personal information to third parties rather than merely appearing to do so. A control that changes only the banner’s displayed state while tracking tags keep firing is the fact pattern alleged here.
  2. Disclose Data Sales and Sharing Transparently: Clearly notify users if their personal information is being sold or shared (e.g., through online tracking technologies such as pixels or cookies), with an appropriate level of detail, and include a prominent statement that consumers have the right to opt out of such sales or sharing, together with the required links and opt-out mechanisms.
  3. Provide Specific Controls for Sensitive Personal Information: If sensitive personal information, as defined by the CCPA, will be disclosed or used for advertising, clearly notify consumers before the data is used or shared for such purposes. In addition, explicitly inform consumers of their right to limit how sensitive personal information is used, and clearly post the required links and opt-out processes.
  4. Consider Additional Disclosures and Controls for Health-Related Information: Where the business’s website provides health-related information, particularly webpages relating to diagnoses, give consumers additional context around how webpage information or titles may be shared, and consider obtaining affirmative consent to mitigate the risk of sharing data in a manner that consumers would not expect.
  5. Ensure Accountability with Vendors and Third Parties: Confirm that engagements with third-party compliance vendors are consistent with applicable privacy laws and that vendor tools function as intended. Additionally, confirm that contracts with recipients of sales or sharing meet applicable legal requirements, including appropriate limitations on use and onward sharing.
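
The audit in item 1 and the title-sharing concern in item 4 can be made mechanical rather than left to a visual check of the banner. The script below is an added example written for this note; it is not Healthline’s code and is not part of the settlement or the AG’s filings. It assumes a HAR-like capture of a single page view (the page request headers, the cookie jar, and the outbound requests with their headers and bodies); the first-party hostnames, vendor hostnames, identifier parameter names, `consent` banner cookie, and article records are all constructed for the example. It flags third-party requests that carry identifiers or browsing data after an opt-out signal (the `Sec-GPC: 1` header, an IAB US Privacy string recording an opt-out, or the hypothetical banner cookie) and, for diagnosis-related articles, any third-party request that carries the article title or path, whether or not the user opted out.

```javascript
// Added audit example (constructed data, not Healthline's code): scan one
// captured page view for (a) personal information reaching third parties
// after an opt-out signal and (b) diagnosis-article titles/paths reaching
// third parties at all.

const FIRST_PARTY_HOSTS = ["health-pub.test", "www.health-pub.test"]; // hypothetical

// Query-parameter and cookie names that commonly carry a persistent identifier.
const ID_NAMES = new Set(["uid", "user_id", "cid", "client_id", "device_id", "_fbp", "_ga", "idfa"]);

// IAB US Privacy string: version, explicit notice, opt-out of sale/sharing, LSPA covered.
// In "1YYN" the third character "Y" records that the consumer opted out.
const US_PRIVACY = /^1[YN-]{3}$/;

function hostOf(url) {
  return new URL(url).hostname;
}

function isThirdParty(url) {
  const host = hostOf(url);
  return !FIRST_PARTY_HOSTS.some((fp) => host === fp || host.endsWith("." + fp));
}

// Did the session carry an opt-out signal from any of the three mechanisms
// the settlement names: GPC (Sec-GPC header on the page request), the
// "Do Not Sell or Share" link (recorded here via the usprivacy cookie), or
// the cookie banner (recorded here as a hypothetical `consent` cookie)?
function optedOut(session) {
  const headers = session.pageRequestHeaders || {};
  const cookies = session.cookies || {};
  const gpc = headers["sec-gpc"] === "1";
  const usp = cookies.usprivacy;
  const uspOptOut = typeof usp === "string" && US_PRIVACY.test(usp) && usp[2] === "Y";
  const bannerOptOut = cookies.consent === "opt-out";
  return gpc || uspOptOut || bannerOptOut;
}

// Identifier-like query parameters and cookies attached to one request.
function identifiersIn(req) {
  const found = [];
  for (const name of new URL(req.url).searchParams.keys()) {
    if (ID_NAMES.has(name)) found.push(name);
  }
  for (const name of Object.keys(req.cookies || {})) {
    if (ID_NAMES.has(name)) found.push("cookie:" + name);
  }
  return found;
}

// Does the request carry the article's title or path anywhere the third party
// would see it: decoded query values, the Referer header, or the request body?
function carriesArticle(req, article) {
  const values = [...new URL(req.url).searchParams.values()];
  const headers = req.headers || {};
  if (headers.referer) values.push(headers.referer);
  if (req.body) values.push(req.body);
  return values.some((v) => v.includes(article.title) || v.includes(article.path));
}

function auditSession(session) {
  const findings = [];
  const out = optedOut(session);
  for (const req of session.requests) {
    if (!isThirdParty(req.url)) continue; // first-party traffic is out of scope here
    const host = hostOf(req.url);
    const ids = identifiersIn(req);
    const article = carriesArticle(req, session.article);
    if (out && (ids.length > 0 || article)) {
      findings.push({ host, issue: "personal information sent after opt-out",
                      detail: ids.length ? ids.join(",") : "browsing data" });
    }
    if (session.article.diagnosis && article) {
      findings.push({ host, issue: "diagnosis article disclosed to third party" });
    }
  }
  return findings;
}

// Constructed sample: GPC set, usprivacy cookie set, visiting a diagnosis article.
const SAMPLE_SESSION = {
  pageRequestHeaders: { "sec-gpc": "1" },
  cookies: { usprivacy: "1YYN" },
  article: { title: "Newly Diagnosed with HIV? Important Things to Know",
             path: "/health/hiv/newly-diagnosed", diagnosis: true },
  requests: [
    { url: "https://www.health-pub.test/static/logo.png" },
    { url: "https://cdn.health-pub.test/app.js" }, // first-party subdomain, ignored
    { url: "https://pixel.adnet.test/collect?uid=abc123&dl=%2Fhealth%2Fhiv%2Fnewly-diagnosed",
      headers: { referer: "https://www.health-pub.test/health/hiv/newly-diagnosed" } },
    { url: "https://fonts.vendor.test/css?family=Inter" }, // third party, nothing personal
    // Passing the opt-out downstream does not change what was disclosed in the body.
    { url: "https://ads.exchange.test/bid?us_privacy=1YYN",
      body: '{"page_title":"Newly Diagnosed with HIV? Important Things to Know"}' },
  ],
};

console.log(auditSession(SAMPLE_SESSION));
```

Running this against a real capture means exporting a HAR from a browser session in which the opt-out was exercised, mapping its entries onto the `requests` shape above, and treating every finding as a tag or vendor call to account for; the `ID_NAMES` list and first-party hostnames must be adapted to the site being audited, and a clean run with GPC set is a stronger test than a clean run after clicking the banner, since GPC is honored without any UI path.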


Authored by Melissa Bianchi, Melissa Levine, Donald DePass, Aaron Lariviere, Paige Dunn, and Surya Swaroop. 
