Libbie Canter, Lindsey Tonsager, Olivia Vega, Natalie Maas, and Bryan Ramirez of Covington and Burling write:
On July 1, 2025, California Attorney General Bonta announced a $1.55 million settlement, pending court approval, related to allegations that Healthline.com, a website where consumers can read informational articles about medical and health topics, violated the California Consumer Privacy Act (“CCPA”) and the California Unfair Competition Law.
As summarized in the complaint and proposed settlement, the AG alleges Healthline committed the following violations:
- Failed to Honor Consumer Opt-Outs of Sell or Share for Targeted Advertising. The AG alleges that even after Healthline readers exercised their right to opt out of the sale or sharing of their personal information for targeted advertising, Healthline continued to transmit identifying data to Healthline’s advertising partners for such purposes. The complaint alleges that Healthline misconfigured one opt-out mechanism and failed to test whether it worked. After being contacted by the AG, Healthline reported that its “privacy compliance vendor may not have properly identified and blocked all relevant online trackers after the vendor detected that a consumer had opted out.” Earlier this year, the AG’s Office published a press release reminding businesses and consumers about the right to opt out.
- Violated the CCPA’s Purpose Limitation Principle. Under the CCPA’s purpose limitation principle, businesses are restricted to processing personal information for the purposes for which the data was collected (or for a compatible purpose). The AG alleges that Healthline violated this principle by disclosing article titles that suggested a possible medical diagnosis (e.g., “Newly Diagnosed with HIV? Important Things to Know.”) with advertisers and their vendors, which these recipients could add to their consumer profiles. The AG alleges that Healthline’s privacy policy did not indicate that Healthline would share article titles and that consumers would not reasonably expect that those titles were being shared.
- Failed to Maintain Contracts with Third Parties that Contain CCPA-Required Terms. After reviewing Healthline’s contracts with advertising companies, the AG found that many of those contracts did not contain CCPA-mandated terms.
- Deceived Consumers about their Ability to Disable Tracking Cookies. Healthline’s cookie banner allowed users to select a “more information” link where consumers could uncheck the box that allowed targeted/advertising cookies. However, the AG alleges that Healthline’s cookie banner deceived consumers because it purported to allow users to disable cookies but failed to do so in practice.
Read more at Inside Privacy.