Healthline settles largest CCPA violation case for $1.55 million

California health publisher fined for sharing medical data with third parties despite user opt-outs.

Healthline CCPA violation: 118 tracking cookies sent user data to ad networks despite opt-outs, $1.55M fine.

California Attorney General Rob Bonta announced on July 1, 2025 a $1.55 million settlement with Healthline Media LLC, marking the largest monetary penalty under the California Consumer Privacy Act to date. According to the state's Department of Justice investigation, the health information website violated consumer privacy rights by continuing to share personal data with advertisers even after users opted out of targeted advertising.

The settlement stems from violations discovered through Attorney General testing of Healthline.com's opt-out mechanisms in fall 2023. Investigators found that despite implementing multiple consent mechanisms including Global Privacy Control signals, the website continued transmitting user data to dozens of advertising companies. The data included unique identifiers and article titles that could reveal sensitive medical information about readers.

Summary

Who: California Attorney General Rob Bonta and Healthline Media LLC, with Healthline operating one of the world's top 40 most visited websites serving 6.5 million California residents monthly.

What: $1.55 million settlement resolving allegations that Healthline violated the California Consumer Privacy Act by sharing personal data with third parties despite user opt-outs and transmitting article titles revealing potential medical diagnoses.

When: Settlement announced July 1, 2025, following California Department of Justice investigation beginning in fall 2023, with violations occurring throughout 2023.

Where: California Superior Court for San Francisco, with Healthline.com serving global audiences while maintaining significant California operations and user base.

Why: Healthline failed to honor consumer opt-out requests, shared sensitive health-related information with advertisers, and lacked proper contractual protections for consumer data as required under California privacy law.

Healthline.com operates as one of the world's top 40 most visited websites, serving approximately 6.5 million California residents monthly. The platform generates revenue through personalized advertising, utilizing online tracking technologies to share reader data with third parties. According to the complaint filed with San Francisco Superior Court, approximately 65,000 Californians had opted out of data sharing through various mechanisms.

The California Department of Justice investigation revealed multiple systemic failures in Healthline's privacy compliance. Even after users activated the "triple opt-out" through cookie banners, privacy links, and Global Privacy Control, investigators observed 118 cookies from advertising companies still being placed. The tracking continued to send data transmissions to dozens of advertising firms, including unique identifier cookies and sensitive article titles.

According to the complaint, Healthline shared article titles like "You've Been Newly Diagnosed with MS. What's Next?" and "Newly Diagnosed with HIV? Important Things to Know" with advertising networks. This practice violated the CCPA's purpose limitation principle, which restricts businesses to using personal information only for disclosed purposes that align with consumer expectations.
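A regression check of the kind a site's privacy engineers could run after every tag change is sketched below. It is an added example, not code from the complaint or from Healthline: given the requests captured after a full opt-out, it flags third-party hosts that still set cookies or still receive the article title. The host names, the article title, and the capture format are constructed for illustration, and treating "not a subdomain of the site" as third-party is a simplifying assumption.

```python
from urllib.parse import urlsplit, unquote_plus

FIRST_PARTY = "health.example"                             # constructed site name
ARTICLE_TITLE = "Newly Diagnosed With Example Condition"   # constructed title

# Constructed capture of requests made AFTER the opt-out (cookie banner,
# privacy link and Global Privacy Control all set). Loosely HAR-shaped.
CAPTURE = [
    {"url": "https://www.health.example/articles/example-condition",
     "req_headers": {"Sec-GPC": "1"}, "set_cookie": ["session=abc"]},
    {"url": "https://ads.example/pixel?uid=7f3a&dt=Newly+Diagnosed+With+Example+Condition",
     "req_headers": {"Sec-GPC": "1"}, "set_cookie": ["uid=7f3a; Max-Age=31536000"]},
    {"url": "https://cdn.example/lib.js",
     "req_headers": {"Sec-GPC": "1"}, "set_cookie": []},
    {"url": "https://sync.example/match",
     "req_headers": {"Sec-GPC": "1",
                     "Referer": "https://www.health.example/a?t=Newly%20Diagnosed%20With%20Example%20Condition"},
     "set_cookie": []},
]

def is_third_party(host, first_party):
    """Assumption: anything that is not the site or one of its subdomains."""
    return not (host == first_party or host.endswith("." + first_party))

def audit_opt_out(capture, first_party, title):
    """Return (host, finding, detail) tuples for post-opt-out violations."""
    findings = []
    needle = title.lower()
    for entry in capture:
        parts = urlsplit(entry["url"])
        host = parts.hostname or ""
        if not is_third_party(host, first_party):
            continue
        # Any cookie set by a third party after opt-out is a finding.
        if entry["set_cookie"]:
            names = [c.split("=", 1)[0] for c in entry["set_cookie"]]
            findings.append((host, "cookie_set", ",".join(names)))
        # The title can travel in the query string or in the Referer header.
        referer = entry["req_headers"].get("Referer", "")
        if needle in unquote_plus(parts.query + " " + referer).lower():
            findings.append((host, "title_leak", title))
    return findings

if __name__ == "__main__":
    for finding in audit_opt_out(CAPTURE, FIRST_PARTY, ARTICLE_TITLE):
        print(finding)
```

A production audit would classify hosts with the Public Suffix List and a vendor inventory rather than a suffix match, and would fail the build on any finding.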

One investigator testing the system viewed Crohn's disease content and subsequently received targeted streaming television advertisements for Crohn's treatments. A data broker profile later showed an entry for "IBS/Crohn's Disease" associated with the investigator's digital footprint. While causation cannot be definitively established, the incident demonstrated the practical consequences of Healthline's data sharing practices.

The Attorney General's investigation uncovered additional contractual violations under CCPA requirements. Healthline failed to ensure third-party advertising contracts contained mandatory privacy protections for consumer data. Instead of verifying compliance terms, the company assumed advertising partners adhered to industry frameworks without proper verification.

Several contracts reviewed by investigators contained problematic language. One agreement allowed data use for "any business purpose," while another permitted "internal use" benefiting the recipient directly. These broad permissions violated CCPA requirements for limited and specified data use purposes.

The settlement requires Healthline to implement comprehensive compliance measures extending three years from the effective date. The company must ensure opt-out mechanisms function correctly and prohibit sharing information linking consumers to medical diagnosis articles. Additionally, Healthline must maintain a CCPA compliance program including contract audits and annual reporting to the state.

Under the agreement, Healthline cannot share article titles suggesting medical diagnoses with third parties, representing a novel enforcement mechanism in privacy law. The company must also verify that advertising partners either maintain CCPA-compliant contracts or participate in certified industry frameworks.

This enforcement action represents Attorney General Bonta's fourth major CCPA settlement, following previous actions against Sephora ($1.2 million in 2022), DoorDash ($375,000 in 2024), and Tilting Point Media ($500,000 in 2024). The escalating penalty amounts signal intensifying state enforcement efforts.

Legal experts note the settlement's significance extends beyond monetary penalties. According to WilmerHale's Kirk Nahra and Ali Jessani, this marks the first time a state regulator has focused enforcement on CCPA's purpose limitation principle rather than purely procedural failures. The action signals potential expansion of substantive privacy enforcement beyond traditional compliance violations.

The health information industry faces particular scrutiny under evolving privacy regulations. Companies processing health-related data outside HIPAA coverage must navigate increasingly complex state privacy requirements. Healthline's settlement demonstrates regulators will apply heightened standards to businesses handling potentially sensitive medical information.

Attorney General Bonta emphasized California's leadership in privacy enforcement. "California continues to lead the nation in enforcing our robust privacy protection law, and businesses that collect consumer data must honor consumers' privacy rights," he stated in the July 1 announcement.

The marketing industry faces growing compliance challenges as state privacy laws expand nationally. Current privacy enforcement activities demonstrate international regulatory coordination, while emerging AI-powered targeting technologies attempt to balance personalization with privacy requirements.

Healthline's comprehensive compliance program requirements reflect industry-wide shifts toward privacy-preserving advertising technologies. The settlement occurred amid broader regulatory scrutiny, including the Attorney General's March 2025 investigative sweep into location data practices targeting advertising networks and data brokers.

The case highlights fundamental questions about health information privacy in digital advertising. While Healthline doesn't collect medical information directly like healthcare providers, the inference capabilities of modern data analytics enable detailed health profiling through content consumption patterns.

Digital advertising technology enables cross-platform tracking that can reveal sensitive personal information through seemingly innocuous data points. The combination of article titles, unique identifiers, and advertising network data sharing creates detailed consumer profiles extending far beyond website visit information.

Timeline

  • August 2022: Attorney General Bonta announces settlement with Sephora resolving allegations that it failed to disclose to consumers that it was selling their personal information and failed to process opt-out requests via user-enabled global privacy controls in violation of the CCPA
  • 2023: CCPA gives Healthline.com readers the right to opt out of sharing their personal information for personally targeted advertising, augmenting their earlier right to opt out of sales of that same data
  • Fall 2023: California Department of Justice tests Healthline's opt-out mechanisms and finds they do not work correctly - even after readers opted out, the website continued to transmit identifying data about those readers to advertising companies for use in targeted advertising
  • Fall 2023: Investigators observe Healthline continuing to provide personal information, including the title of the article being read, to over a dozen third parties involved in online advertising, and continuing to set cookies used in targeted advertising despite the "triple opt-out"
  • Fall 2023: Investigators find online trackers still placed 118 cookies associated with third-party advertising companies, including cookies used to track a person across websites, even after the "triple opt-out"
  • February 2024: Attorney General Bonta announces settlement with DoorDash, resolving allegations that the company violated the CCPA and COPPA by selling California customers' personal information without providing notice or an opportunity to opt out of that sale
  • June 2024: Attorney General Bonta and Los Angeles City Attorney Hydee Feldstein Soto announce a $500,000 settlement with Tilting Point Media LLC resolving allegations that the company violated the CCPA and federal law by collecting and sharing children's data without parental consent in their popular mobile app game "SpongeBob: Krusty Cook-Off"
  • During investigation: One investigator tested a Crohn's disease webpage and then received ads for drugs that treat Crohn's disease, including streaming TV ads with voiceovers stating the drug is "Now approved for Crohn's disease"
  • During investigation: Same investigator submitted a request to access personal information held by a data broker known to be involved in advertising and found that his consumer profile included an entry for "IBS/Crohn's Disease"
  • During investigation: Attorney General reviewed Healthline's contracts with advertising companies and found several that were not signatories to industry contractual frameworks, with some contracts allowing data use for "any business purpose" or "internal use" rather than limited specified purposes required by CCPA
  • After Attorney General contact: Healthline began remedial measures, found a misconfigured opt-out mechanism, and reported that a privacy compliance vendor may not have properly identified and blocked all relevant online trackers after detecting consumer opt-outs
  • March 2025: As part of ongoing efforts to enforce the CCPA, Attorney General Bonta announces investigative sweep into location data industry, sending letters to advertising networks, mobile app providers, and data brokers that appear to be in violation of the CCPA
  • July 1, 2025: California Attorney General Rob Bonta announces settlement pending court approval with Healthline Media LLC for $1.55 million in civil penalties - the largest CCPA settlement to date
  • July 1, 2025: Complaint filed in Superior Court of California for San Francisco County alleging violations of CCPA and Unfair Competition Law by failing to opt consumers out of sharing personal information, violating purpose limitation principle, failing to maintain required contracts, and deceiving consumers about privacy practices
  • July 1, 2025: Proposed Final Judgment and Permanent Injunction filed requiring Healthline to comply with comprehensive injunctive terms including prohibition on sharing medical diagnosis article titles, implementing CCPA compliance program, and conducting annual audits and reporting for three years
  • July 8, 2025: WilmerHale publishes analysis noting this is the first time a state regulator has focused on CCPA's "purpose limitation" principle as part of enforcement action, marking shift from previous enforcement actions that focused on procedural failures