California Announces Largest Settlement to Date for Alleged CCPA Violations

Alert
|
5 min read
F. Paul Pittman |
Hope Anderson |
Yuhan Wang

California Attorney General Rob Bonta ("Cal AG") has announced a record $1.55 million settlement with Healthline Media LLC. (Healthline) for alleged violations of the California Consumer Privacy Act (CCPA). A California Department of Justice investigation found that Healthline's website, healthline.com, had failed to allow consumers to opt out of targeted advertising, despite having an opt-out feature on the website, and had improperly shared data with third parties, including details of articles consumers accessed that could suggest the person had been diagnosed with a serious medical condition. In addition to the monetary penalty, the largest to date for a violation of the CCPA, the settlement imposes injunctive measures on Healthline, including prohibiting the site from sharing the titles of any articles accessed by consumers that could imply they had received a specific medical diagnosis.

Background and Allegations

Healthline operates healthline.com, a website that offers free health and wellness articles to the public. Healthline.com generates revenue by soliciting ads that are displayed alongside the articles. This includes personally targeted advertising that can access an individual's personal data to enable the site to display ads that relate to the information that individual has accessed previously ("cross-context behavioral advertising").

Under the CCPA, businesses are required to allow consumers to opt out of their personal information being shared for targeted advertising purposes. According to the complaint against Healthline, the Cal AG tested the opt-out mechanisms on healthline.com, and they did not work. The website continued to transmit detailed data to advertisers about the articles consumers accessed, including titles of articles that could, in some cases, suggest the consumer had recently been diagnosed with a medical condition, such as "Newly Diagnosed with HIV? Important Things to Know" and "The Ultimate Guide to MS for the Newly Diagnosed."

The specific allegations the Cal AG brought against Healthline for violation of the CCPA were:

  1. Failure to Implement Functioning Opt-Outs. The complaint alleges healthline.com continued selling and sharing consumers' personal data to third parties, despite the consumer having opted out of data sharing. Consumers could choose to opt out (1) using a "Do Not Sell or Share My Personal Information" button on the healthline.com website; (2) using an Opt-Out Preference Signal such as the Global Privacy Control; or (3) by clicking on the website's "cookie banner" and managing privacy settings there. After a "triple opt-out," using all three methods, the investigation still revealed 118 cookies tied to third-party advertisers and transmission of unique identifiers and details of articles accessed.
  2. Selling or Sharing Personal Data without CCPA-required Third-Party Agreements. The Cal AG investigation found that several of Healthline's contracts with third parties allowed for broad use of personal data "for any purpose" rather than listing the mandated uses of personal information.
  3. Violation of the CCPA's Purpose Limitation. The complaint alleged that Healthline was collecting, using, retaining and sharing personal information in a manner that was not reasonable or proportionate with the reason it was collected. This relates in particular to sharing details of those articles focused on diagnoses of serious medical conditions, which "violated the CCPA's purpose limitation by disclosing health-related data for two unexpected uses – targeted advertising and third-party inferences based on what a party was reading."

The Complaint also brought a second cause of action for alleged violations of California's Unfair Competition Law for "unlawful, unfair, or fraudulent acts or practices."

Settlement Terms

The proposed settlement with Healthline, which is pending court approval, includes damages of $1,550,000 — the largest monetary penalty to date under the CCPA. The injunctive provisions of the settlement:

  1. Prohibit Healthline from selling or sharing personal data together with any information that would allow the recipient to determine that the individual has accessed a so-called "Diagnosed Medical Condition Article." These articles are ones that have a title or URL that "indicates the consumer visiting the article has already been diagnosed with a medical condition," such as advice for those "newly diagnosed with" or "navigating life with" a condition.
  2. Require Healthline to disclose use of consumers' sensitive personal information and allow consumers to limit the use of their sensitive personal information.
  3. Require general compliance with the CCPA, including providing notice that it sells or shares personal information and processing consumer requests to opt out of such sales or sharing.

Three-Year Compliance Program. The settlement also requires Healthline to put a compliance program in place and maintain it for three years, submitting annual reports to the Cal AG. Healthline must (1) monitor whether it is effectively processing consumers' opt-out requests and (2) review its contracts and other documentation with third parties and service providers with whom it shares personal information collected online.

Key Takeaways

This settlement follows two decisions by the California Privacy Protection Agency in 2025 imposing six-figure penalties on the automobile manufacturer Honda and clothing retailer Todd Snyder for their deficient consumer opt-out processes. Those enforcement actions and the Cal AG's focus on the technical functioning of opt-out mechanisms and scrutiny of legal agreements in the Healthline case highlight the need for businesses to (1) test their technical opt-out functionality and (2) audit their contracts with general oversight over relationships with third parties with whom they share data.

Interestingly, the Healthline complaint and settlement do not categorize the "diagnosed medical condition articles" as "sensitive personal information" that consumers have the right to limit the use of under the CCPA. Instead, the settlement outright prohibits Healthline from sharing or selling any personal information combined with information that the consumer has viewed a "diagnosed medical condition article." While this specific provision may not apply to many other businesses, it is worth noting as an example of how the Cal AG may craft unique remedies relevant to a particular business model.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2025 White & Case LLP

Contacts

F. Paul Pittman
F. Paul Pittman
Partner|Washington, DC
Services
Data, Privacy & Cybersecurity, Fintech, Technology, Mergers & Acquisitions, Life Sciences and Healthcare, Privacy Advisory and Compliance
Hope Anderson
Hope Anderson
Partner|Los Angeles
Services
Data, Privacy & Cybersecurity, Technology, Artificial Intelligence (AI), Privacy Advisory and Compliance, AI Regulatory, Content and non-privacy data regulation
Yuhan Wang
Associate|Silicon Valley
Services
Intellectual Property, Technology, Data, Privacy & Cybersecurity, Litigation, Mergers & Acquisitions

Service areas

Top