California AG Secures Record $1.55M CCPA Settlement Against Healthline Over Targeted Ads and Health Data Sharing

By: Ana Razmazma, Sari Heller Ratican, Kayla Tanaka

What You Need To Know

  • The California attorney general reached a record-setting $1.55 million California Consumer Privacy Act (CCPA) settlement with Healthline Media over alleged data privacy violations.
  • Healthline allegedly continued to share personal information for targeted advertising, even after users opted out using mechanisms like the Global Privacy Control.
  • Healthline also shared article titles with third-party advertisers, and those titles implied users’ concerns about, or diagnoses of, potentially intimate health conditions, such as HIV, Crohn’s, and multiple sclerosis. This raised concerns under the CCPA’s sensitive data and purpose limitation provisions.
  • The settlement imposes a permanent injunction requiring implementation of a CCPA compliance program, ensuring that opt-out mechanisms work properly, reviewing contracts with third parties to ensure inclusion of all CCPA-mandated terms, and reporting annually to the attorney general for three years.
  • The action reinforces that publishers and their advertising partners must actively validate privacy compliance, particularly when handling sensitive health-related content.

Background

On July 1, 2025, California Attorney General Rob Bonta announced a $1.55 million settlement, pending court approval, with Healthline Media, LLC. This settlement is the largest penalty issued to date under the CCPA, as amended. Healthline operates one of the most widely visited health and wellness websites in the United States, with more than 6.5 million California users accessing the website per month.

Allegations Against Healthline

The complaint outlines several alleged violations. First, the complaint alleges Healthline failed to honor consumer opt-out signals in violation of the CCPA and the Unfair Competition Law when it continued to transmit unique identifiers and article titles to dozens of third-party advertising partners despite consumers’ opt-out requests submitted through one or more of Healthline’s multiple opt-out tools, including its “Do Not Sell or Share My Personal Information” link, Global Privacy Control detection, and cookie banner.

Second, the complaint alleges the shared article titles implied users’ concerns about or diagnoses of potentially intimate health conditions such as HIV, Crohn’s disease, or multiple sclerosis. The attorney general argued Healthline’s sharing of potentially health-related information violated the CCPA’s “purpose limitation rule,” which requires that a business’s use of personal information be limited to the purposes for which the personal information was collected or processed, or to another disclosed, compatible purpose.

The investigation also revealed Healthline did not maintain proper contracts with many of its advertising vendors. Several contracts did not contain privacy protections for users’ data as required under the CCPA and permitted broad or vague uses of personal information. In addition, Healthline allegedly failed to contractually require vendors receiving opt-out signals to limit their use of consumer data. Moreover, Healthline assumed its advertising vendors followed an industry contractual framework supplementing contracts with CCPA-mandated terms but failed to verify this. The California attorney general later found many vendors were not part of this framework.

Settlement and Injunction Terms

Under the settlement, Healthline agreed to pay $1.55 million to the California Consumer Privacy Fund. Healthline is also subject to a permanent injunction requiring significant updates to its data privacy practices. These updates include ensuring that Healthline’s opt-out mechanisms work properly, ceasing the sale or sharing of personal information when a consumer views an article suggesting a medical diagnosis, and clearly notifying users when sensitive personal information is used for advertising purposes.

Healthline must also implement and maintain a CCPA compliance program with annual audits and reporting for a three-year period. Healthline is required to review and update contracts with all third parties to ensure inclusion of all CCPA-mandated terms. The annual audit report must include details on technical testing describing measures Healthline has taken to assess and monitor its processing of user requests and any remediation steps taken in response to identified issues.

Key Settlement Takeaways for Tech and Life Science Companies

  • Regularly audit tracking technologies and consent tools. Many tech and life sciences companies rely on online content, patient resources, or educational platforms to engage users. If your company’s website includes third-party advertising or analytics tools, confirm that opt-out signals, such as the Global Privacy Control, are properly detected and honored. The Healthline settlement confirms platforms can face liability when trackers remain active after consumers opt out.
  • Review contracts with adtech and analytics vendors. Life science and tech firms often partner with platforms to target niche audiences such as patients, clinicians, or developers. Contracts with these vendors must contain CCPA-required terms including limitations on the use of personal information and obligations to honor opt-out signals. Vendor contracts should list the limited and specified purposes for using personal information and avoid using vague terms like “internal use” or “any business purpose.”
  • Avoid unintended disclosures of sensitive information. The Healthline settlement demonstrates that even browsing data, such as a visit to a page titled “Newly Diagnosed with HIV?”, can be considered sensitive personal information under California law. Tech and life science companies publishing condition-specific or personalized content should minimize the risk of such data being shared with third parties. Companies should ensure data being shared does not inadvertently reveal, or allow third parties to infer, health status, diagnosis, or other sensitive health information.
  • Establish and maintain a long-term compliance program. The Healthline settlement requires multi-year compliance monitoring and reporting to the attorney general. Tech and life science companies should similarly adopt ongoing processes for testing opt-out functionality, reviewing vendor contracts, and documenting their privacy safeguards. This is especially critical if the company’s business model involves patient-facing technologies, behavioral analytics, or condition-specific outreach.

Looking Ahead

This enforcement action and resulting settlement represent a shift in how California regulators are applying the CCPA. While earlier cases focused on retailers and data brokers, the Healthline settlement makes clear that publishers and content platforms are also subject to scrutiny, particularly when sensitive health information is involved. Companies using embedded tracking technologies must ensure their privacy disclosures, opt-out tools, and vendor contracts align with consumer expectations and legal obligations.

To avoid similar enforcement actions, companies can take a proactive approach. This includes reviewing how personal information flows through their systems, testing compliance mechanisms, confirming that third-party service providers uphold CCPA standards, and verifying whether third-party service providers have agreed to abide by an industry contractual framework. The Healthline case is a strong reminder that privacy compliance is not simply about having policies in place, but also about verifying such policies work in practice and reflect the evolving expectations of regulators and consumers alike.