Privacy
California Secures Record $1.55M CCPA Settlement Over Healthline’s Use of Tracking Technologies
Why This Alert Is Important
The Healthline Media settlement for CCPA violations signals a turning point in state-level privacy enforcement, highlighting growing scrutiny over the intersection of health data, advertising technologies, and contractual oversight with third parties.
Overview of the Enforcement Action
In the largest monetary penalty issued to date under the California Consumer Privacy Act (CCPA), Healthline Media LLC has agreed to a $1.55 million settlement with the California Attorney General. The action stems from allegations that Healthline used online tracking technologies to share sensitive health-related information for targeted advertising without proper consumer disclosures or opt-out mechanisms.
On July 1, 2025, California Attorney General Rob Bonta announced a settlement with Healthline, one of the world’s most visited health and wellness websites. The Department of Justice alleged that Healthline violated multiple provisions of the CCPA and the state’s Unfair Competition Law by:
- Failing to honor opt-out requests, including those submitted through Global Privacy Control signals, and continuing to share personal data with third-party advertisers.
- Sharing health-related data, including article titles indicating specific diagnoses (e.g., “You’ve Been Newly Diagnosed with MS”), in a manner inconsistent with the CCPA’s purpose limitation principle.
- Lacking proper contracts with third-party advertisers, failing to ensure CCPA-required privacy protections were in place.
- Using deceptive consent banners, which misled consumers into believing tracking was disabled when it was not.
As part of the settlement, Healthline must pay $1.55 million in civil penalties and comply with a range of injunctive relief measures, including disabling data transmissions that can link consumers to articles indicating specific health conditions, improving opt-out mechanisms, and implementing a formal CCPA compliance program with contract auditing and policy reviews.
Implications for Organizations
This enforcement action is a clear signal that regulators are expanding their focus beyond procedural lapses to include substantive violations of privacy principles, such as purpose limitation. It also reaffirms that targeted advertising and the use of online trackers remain top priorities for enforcement—especially when sensitive data like health information is involved. Additionally, the case draws attention to the importance of verifiable contractual protections with third-party partners and service providers, an area where many companies continue to fall short.
With this case now setting a new enforcement precedent in California, organizations that collect or share sensitive data should take immediate steps to evaluate their privacy notices, consent mechanisms, contract terms, and data-sharing practices—especially when leveraging ad tech or AI-based personalization tools.
The Healthline settlement is a timely reminder that regulators are no longer tolerating half-measures when it comes to cookie compliance. For in-house legal teams, the message is clear: it’s not enough to have a cookie banner or a well-drafted privacy policy—your technical implementation has to deliver on what you’re telling users. It’s a good moment to take a fresh look at your cookie consent tools, confirm that opt-outs are working as intended, and ensure your contracts with ad tech vendors meet the statutory requirements. This kind of proactive housekeeping can go a long way in avoiding regulatory headaches down the line.
Data Privacy Tip
Exterro Automated Data Mapping can classify sensitive data, trace its flow across internal and external systems, and tie usage to purpose and consent, helping prevent exactly the kinds of failures seen in this case. Download this whitepaper to know how to identify risks hiding in your data and how to prevent costly compliance failures with Exterro Automated Data Mapping.