On July 1, 2025, California Attorney General Rob Bonta announced a $1.55 million proposed settlement order with Healthline Media – the largest California Consumer Privacy Act (CCPA) settlement to date. The proposed settlement resolves allegations that Healthline violated the CCPA by 1) failing to honor consumer requests to opt out of the sale and sharing of personal information, 2) violating the CCPA's purpose limitation principle, and 3) failing to include required data protection provisions in contracts with service providers and third parties.
The announcement follows two settlements secured by the California Privacy Protection Agency (CPPA) against Honda and Todd Snyder earlier this year, which addressed similar concerns about responses to consumer privacy rights requests and contract provisions. (We posted previously about Honda and Todd Snyder.) In this article, we break down what the Healthline settlement has to say about three important CCPA compliance topics: opt-outs, adtech vendor contracts, and transparency.
About Healthline Media
Healthline Media owns and operates Healthline.com, a medical information website that publishes health and wellness-related articles. Some of the articles available on the Healthline website relate to general health and wellness topics (e.g., "12 High Carb Foods That Are Incredibly Healthy"), while others address specific medical conditions and diagnoses (e.g., "Newly Diagnosed with HIV? Important Things to Know"). Healthline earns revenue by displaying ads, including some that are targeted to individual users, next to its articles. Healthline employs third-party technologies to facilitate the solicitation and personalization of these advertisements.
Allegations and Settlement
The CA AG's complaint alleges Healthline violated the CCPA in a few ways:
Failure to honor opt-out requests
Investigators with the CA AG's office tested the opt-out mechanisms available to consumers on the Healthline.com website, and found that even after opting out in three separate ways (i.e., through the "do not sell my personal information" link in the website footer, the cookie consent banner, and Global Privacy Control), Healthline continued to set targeting cookies and sell personal information to third parties, including the title of the articles read by consumers. The complaint alleges that, after this "triple opt out," investigators observed that 82 pixels or other tags associated with advertising companies still fired on the Healthline.com website.
The complaint notes that Healthline "began remedial measures," including working with its privacy vendor to address these issues, after notification of the CA AG's inquiry. However, the AG's inquiry expanded to a "more in-depth" investigation into the company's practices.
Contracts missing CCPA-required terms
As part of its further investigation, the AG's office reviewed Healthline's contracts with adtech vendors. The complaint alleges that many of these contracts were missing terms expressly required by the CCPA, such as the limited and specified purposes for which the information could be used by the recipient. The complaint also alleges that some of the contracts permitted Healthline's partners to use health-related information, such as the titles of articles read by the consumer, for unspecified "internal uses" – a particular concern for the CA AG because some article titles name health conditions, as further discussed below.
Additionally, some contracts did not address Healthline's partners' obligations to honor consumer opt-outs passed on by the company. The CCPA provides that a business that transmits a consumer's opt-out request to a downstream recipient is not liable for the partner's CCPA violations, provided that the business does not know or have reason to believe that the recipient intends to violate the CCPA (Cal. Civ. Code § 1798.135(g)). However, the CA AG asserted that, because Healthline lacked sufficient contract terms and due diligence practices, it was not only ineligible for this protection but also was liable for the additional misuse of the information by downstream recipients.
Use and disclosure of personal information exceeded the reasonable expectations of consumers
The CA AG took issue with Healthline's alleged disclosure of "data of a potentially highly intimate nature" to advertising partners and vendors outside of consumers' reasonable expectations. Pursuant to the CCPA's purpose limitation principle (Civ. Code § 1798.100(c)), which provides that businesses are limited to using personal information for "the purposes for which the [data] was collected" or "for another disclosed purpose that is compatible with the context in which [the data] was collected[,]" the CA AG asserted that Healthline's disclosure of this personal information for advertising, including article titles suggesting possible medical diagnoses, was contrary to consumers' reasonable expectations.
The complaint acknowledges that Healthline's privacy policy disclosed that the company used website visitor data for targeted advertising. However, because of the intimate nature of the information being shared (i.e., the article titles revealing potential medical diagnoses), the CA AG asserted that Healthline's privacy policy should have been clearer and more direct about how downstream recipients could use this information.
While the complaint does not specifically allege that the titles of health-related blog posts are "sensitive" under the law, the settlement order requires the company to amend its privacy policy and offer consumers the right to limit the use of sensitive personal information if the company discloses sensitive personal information for advertising purposes in the future.
Top Takeaways for Businesses
Viewed alongside the CPPA's enforcement actions against Honda and Todd Snyder, Healthline illustrates a few clear lessons for businesses operating in California:
- Consistently test compliance tools and privacy vendor integrations. California regulators expect businesses to test their privacy rights request processes and other compliance measures to ensure that they are working properly. Taking a "set it and forget it" approach is unlikely to be sufficient. As is apparent from the CA AG's complaint, regulators are regularly testing privacy rights request mechanisms, and failure to pass these tests may lead to a more in-depth investigation of a business's practices. See our team's recent blog post for additional tips on managing opt-outs.
- Ensure contracts with third parties contain all required provisions. The CA AG faulted Healthline for allegedly assuming, without verifying, that third parties receiving consumer data agreed to abide by California privacy standards, and for relying on vague contractual terms related to data protection and use. Similar issues surfaced in Honda and Todd Snyder, highlighting that contract provisions governing personal information flows and privacy compliance are areas of top priority for regulators. Identifying and amending agreements that do not meet the CCPA's requirements for specificity can help mitigate enforcement risks in this area.
- Consider the consumer's "reasonable expectations". The Healthline complaint and settlement mark the first time a business has been faulted under the CCPA for collecting and processing personal information outside of the reasonable expectations of consumers. Particularly when processing novel or potentially sensitive categories of personal information for targeted advertising, the complaint suggests businesses should consider 1) the nature of the personal information at issue, 2) the "specificity, explicitness, prominence, and clarity of disclosures," and 3) the "degree to which the involvement of service providers, contractors, third parties, or other entities in the collecting or processing of [the data] is apparent to the consumer[,]" and adjust their practices and disclosures accordingly to accurately describe the way the personal information will be processed.