California Attorney General Rob Bonta secured a record-setting $1.55 million settlement with Healthline Media over alleged violations of the California Consumer Privacy Act involving health data sharing and targeted advertising.
What happened
The California attorney general reached a $1.55 million settlement with Healthline Media, LLC on July 1, 2025, pending court approval. This represents the largest penalty issued to date under the CCPA. Healthline operates one of the most widely visited health and wellness websites in the United States, serving more than 6.5 million California users monthly.
The complaint alleges Healthline continued sharing personal information for targeted advertising even after users opted out through mechanisms including the "Do Not Sell or Share My Personal Information" link, Global Privacy Control detection, and cookie banner. Healthline allegedly transmitted unique identifiers and article titles to dozens of third-party advertising partners despite consumer opt-out requests.
The attorney general also alleged that shared article titles inferred users' concerns about or diagnoses of potentially intimate health conditions such as HIV, Crohn's disease, and multiple sclerosis, violating the CCPA's purpose limitation rule.
Going deeper
The investigation revealed multiple compliance failures beyond the opt-out violations. Healthline failed to maintain proper contracts with many advertising vendors, with several contracts lacking required privacy protections for users' data under the CCPA. These contracts permitted broad or vague uses of personal information.
Healthline also failed to contractually require vendors receiving opt-out signals to limit their use of consumer data. The company assumed its advertising vendors followed an industry contractual framework supplementing contracts with CCPA-mandated terms but failed to verify this assumption. The California attorney general later found many vendors were not part of this framework.
The complaint specifically alleged that sharing article titles violated the CCPA's "purpose limitation rule," which requires businesses to limit their use of personal information to the purposes for which it was collected or processed, or another disclosed, compatible purpose.
What was said
The attorney general argued that "Healthline's sharing potentially health-related information violated the CCPA's 'purpose limitation rule' that requires a business' use of personal information be limited to the purposes for which the personal information was collected or processed or another disclosed, compatible purpose."
The settlement document notes that the investigation revealed "Healthline did not maintain proper contracts with many of its advertising vendors. Several contracts did not contain privacy protections for users' data as required under the CCPA and permitted broad or vague uses of personal information."
By the numbers
- $1.55 million settlement amount - the largest CCPA penalty to date
- 6.5 million California users access Healthline's website monthly
- Dozens of third-party advertising partners received user data
- Three-year compliance monitoring and reporting period required
- Annual audits required as part of the settlement
In the know
The California Consumer Privacy Act (CCPA) includes specific protections for sensitive personal information, including health data. The law's "purpose limitation rule" restricts how businesses can use personal information, requiring that use be limited to disclosed purposes or compatible purposes. Global Privacy Control is a browser signal that allows users to opt out of data sharing automatically across websites.
The CCPA requires businesses to honor opt-out requests and maintain specific contractual protections when sharing personal information with third parties. When users visit health-related content, even browsing data such as article titles can be considered sensitive personal information under California law.
Why it matters
This settlement marks a shift in CCPA enforcement from retailers and data brokers to publishers and content platforms, particularly those handling sensitive health information. The case demonstrates that even browsing data, such as visiting a page titled "Newly Diagnosed with HIV?" can be considered sensitive personal information under California law.
The enforcement action signals that health and wellness websites face heightened scrutiny when combining content with advertising technologies. Companies publishing condition-specific or personalized health content now face clear regulatory expectations to minimize disclosures of health status or diagnosis information to third parties.
The settlement's focus on contract compliance also establishes that businesses cannot simply assume their vendors follow industry frameworks - they must actively verify and maintain proper contractual protections for user data.
The bottom line
This record-setting settlement establishes new compliance standards for health content platforms using advertising technologies. Companies must actively verify that opt-out mechanisms work properly, maintain compliant vendor contracts, and prevent health data disclosures through browsing behavior. The multi-year monitoring requirements signal that privacy compliance requires ongoing verification, not just policy implementation.
FAQs
Does this settlement affect users outside of California?
The settlement specifically addresses California users under the CCPA, but Healthline's privacy practices may impact users nationwide.
Will Healthline have to pay additional damages to affected users?
The settlement only requires payment to the California Consumer Privacy Fund, not individual user compensation.
Are other health websites likely to face similar enforcement actions?
This case suggests California regulators are expanding CCPA enforcement to health content platforms beyond traditional retailers and data brokers.
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
