Over a year after his office’s last privacy enforcement action, on July 1, 2025, California Attorney General Rob Bonta (AG) announced a new California Consumer Privacy Act (CCPA) settlement with Healthline Media LLC (Healthline), a health-focused digital publisher. The $1.55 million settlement highlights how vendor configuration errors, incomplete contracting, and reliance on technical signaling can result in costly CCPA violations for publishers that engage in ad targeting activities. Businesses can readily avoid such exposure through regular assessment and monitoring, as discussed below.
The Healthline settlement follows a series of enforcement actions by the California Privacy Protection Agency (CPPA), which shares CCPA enforcement authority with the AG. Like these other recent CPPA enforcement actions, the Healthline settlement reflects a focus on targeted advertising and related opt-out rights under the CCPA. Relatedly, the Healthline settlement emphasizes the need to ensure that contracts with third-party adtech partners fully satisfy CCPA standards and that those partners honor their obligations, and indicates that the AG expects heightened disclosures when sharing certain data for advertising.
Confirm opt-out mechanisms work as intended.
The AG asserted that Healthline violated the CCPA by continuing to sell and share personal information after consumers opted out. Specifically, although Healthline offered an opt-out webform and used a tool that purportedly recognized Global Privacy Control (GPC) signals, the tool was misconfigured, and personal information allegedly continued to be shared with some advertising companies through cookies and similar technologies after consumers opted out.
The AG also asserted that Healthline’s cookie consent banner violated California’s Unfair Competition Law, which prohibits deceptive business practices. The complaint recognized that Healthline’s cookie consent banner was not used as an opt-out mechanism under the CCPA. However, the AG alleged that the banner was deceptive, as it did not disable ad-targeting cookies, despite representing that it did.
Ensure contracts with third parties are compliant and review partner compliance.
The AG determined that some of Healthline’s contracts with advertising companies did not meet the CCPA’s requirement to identify the “limited and specified purposes” for which personal information may be used, and that Healthline additionally “should have confirmed in clear contractual language, and not merely assumed, that third parties it provided opted-out consumers’ data to would honor the privacy string and abide by [the CCPA] by not further selling or using opted-out consumer data.” The AG asserted that, even when using industry contractual frameworks, Healthline needed to ensure that its partners agreed to and honored those or similar terms. The AG stated that Healthline could not avail itself of the CCPA’s safe harbor for data transfers where it had “reason to believe” that third parties were not honoring opt-out signals because of a lack of clear contractual commitments to honor those signals.
Under the proposed settlement agreement, Healthline is required to audit its contracts and verify that they are compliant with the CCPA and that it does not sell or share personal information of opted-out consumers to third parties. For each party that agrees to act as a service provider when receiving an opt-out signal from Healthline, Healthline is required to “confirm in writing or download documentation...that clearly reflects what the signal is that tells” the partner to act as a service provider. Additionally, if Healthline relies on industry contractual frameworks for its contracts with some partners, it is required to “annually review any applicable signatory list or partner certification to verify” the partner’s participation in the contractual framework.
General privacy policy disclosures may be insufficient for health ad targeting.
According to the complaint, Healthline’s website included articles that could suggest a person’s disease diagnosis, and those article titles were transmitted to third parties. Although Healthline’s privacy policy mentioned targeted advertising, according to the AG, Healthline’s sharing of “potentially health-related information” for targeted advertising warranted heightened disclosures.
The AG specifically alleged that sharing article titles revealing a potential diagnosis violated the CCPA’s “purpose limitation principle,” which limits a business’s use of personal information to “the purposes for which the [data] was collected” or other disclosed and compatible purposes. The AG explained that such purposes should be consistent with the “reasonable expectations of the consumer.” According to the AG, sharing of “diagnosis” article titles with advertisers was likely beyond consumer expectations (as the titles were of an “intimate” nature), absent further disclosures beyond the privacy policy references to targeted advertising. Under the settlement terms, Healthline is generally prohibited from selling or sharing for targeted advertising article titles that suggest a person’s disease diagnosis.
What does this mean for businesses?
As California regulators continue to vigorously enforce the CCPA, including by coordinating with other state regulators, businesses should assess the “health” of their compliance programs, including by:
- Testing and validating opt-out request methods, including webforms and cookie preference tools, to ensure opt-out requests and consumer preferences are properly effectuated and recorded
- Confirming that all partners receiving personal information from the business have compliant contracts in place
- Reviewing existing and template contracts to confirm that all permitted uses of personal information are described with specificity
- Reviewing existing and template contracts to ensure third parties are required to honor opt-out signals, along with confirming other legally required terms
- Considering whether any data shared with third parties may require heightened disclosures to align with the CCPA’s “purpose limitation principle,” even if the data is not “sensitive” as defined by the law
For state privacy law compliance assistance, including information about our in-depth assessment and testing options, contact the authors or visit Venable's Privacy and Data Security center.