Attorney General Bonta Announces Largest CCPA Settlement to Date, Secures $1.55 Million from Healthline.com

Action represents fourth settlement, continued enforcement priority under the California Consumer Privacy Act

OAKLAND — California Attorney General Rob Bonta today announced a settlement pending court approval with website publisher Healthline Media LLC (Healthline), resolving allegations that its use of online tracking technology on its health information website, Healthline.com, violated the California Consumer Privacy Act (CCPA). An investigation by the California Department of Justice (DOJ) found that Healthline failed to allow consumers to opt out of targeted advertising and shared data with third parties without CCPA-mandated privacy protections — including data suggesting that a person may have a serious health condition. The proposed settlement, pending final approval from the court, includes $1.55 million in civil penalties and strong injunctive terms, including a novel term that prohibits Healthline from sharing article titles that reveal that a consumer may have already been diagnosed with a medical condition — banning the company from engaging in these types of data transmissions.

“Our settlement with Healthline underscores that Californians have critical privacy rights under the CCPA to fight online surveillance — including by website publishers. Healthline shared data with third parties that could have revealed consumers’ private medical diagnoses, and while doing so, disregarded consumer’s rights to opt-out of the sale and sharing of this data,” said Attorney General Bonta. “California continues to lead the nation in enforcing our robust privacy protection law, and businesses that collect consumer data must honor consumers’ privacy rights. My office is committed to the continued enforcement of the CCPA — every Californian has the right to their online privacy.” 

Healthline.com is a health and wellness information website that is one of the top 40 most visited websites in the world. Healthline generates revenue by showing ads — some of which are personally targeted at the reader. To maximize ad revenue, Healthline allows online trackers, like cookies and pixels, to communicate data about readers to advertisers and other third parties. Healthline shared data that could uniquely identify the consumer, in addition to the title of the article they were reading. Some titles indicated that the reader may have already been diagnosed with a serious illness, such as “You’ve Been Newly Diagnosed with MS. What’s Next?” And because these online trackers run invisibly in the background in the first milliseconds when a webpage loads, consumers often have no idea how many online trackers might be running. In Healthline’s case, dozens of trackers were sharing consumer data with numerous third parties.

The complaint filed today alleges Healthline violated the CCPA and the Unfair Competition Law by:

• Failing to opt consumers out of the sharing of their personal information for targeted advertising. The CCPA gives consumers the right to opt-out of the sale or sharing of their personal information for certain targeted advertising. Businesses and website publishers must honor these requests, including requests submitted through the Global Privacy Control. Healthline continued to share data with some third parties involved in advertising, even for consumer who exercised their right to opt -out.  

• Violating the Purpose Limitation Principle. Under the CCPA, a business’s use of personal information is limited to the purposes for which the personal information was collected or processed or another disclosed, compatible purpose. Healthline violated this principle by sharing article titles suggesting a consumer may have already been diagnosed with a specific medical condition to target advertising at the consumer.   

• Failing to maintain CCPA-required contracts. Healthline had not ensured its advertising contracts contain privacy protections for readers’ data required by the CCPA. Instead, Healthline had assumed, but not verified, that the third parties had agreed to abide by an industry contractual framework. 

• Deceiving consumers about privacy practices. The Unfair Competition Law prohibits deceptive business practices. Healthline.com featured a “consent banner” that did not disable tracking cookies, despite purporting to do so if a consumer unchecked a box.   

Under the settlement today, Healthline is required to ensure that its opt-out mechanisms work correctly; must stop disclosing information that can link a specific consumer to a specific article title that suggests that consumers have been diagnosed with a disease; must maintain a CCPA compliance program that, among other things, mandates that Healthline audits its contracts for specific, required privacy terms or confirm that third parties have signed an industry contractual framework that includes those terms; and maintain accurate online disclosures and privacy policy. 

Today's settlement represents Attorney General Bonta's fourth enforcement action under the CCPA, and his continued priority to enforce California’s robust privacy laws:  

In June 2024, Attorney General Bonta and Los Angeles City Attorney Hydee Feldstein Soto announced a $500,000 settlement with Tilting Point Media LLC resolving allegations that the company violated the CCPA and federal law by collecting and sharing children’s data without parental consent in their popular mobile app game “SpongeBob: Krusty Cook-Off.”  In February 2024, Attorney General Bonta announced a settlement with DoorDash, resolving allegations that the company violated the CCPA and COPPA, by selling California customers’ personal information without providing notice or an opportunity to opt out of that sale.  In August 2022, the Attorney General announced a settlement with Sephora resolving allegations that it failed to disclose to consumers that it was selling their personal information and failed to process opt-out requests via user-enabled global privacy controls in violation of the CCPA. 

This March, as part of ongoing efforts to enforce the CCPA, Attorney General Bonta announced an investigative sweep into the location data industry, sending letters to advertising networks, mobile app providers, and data brokers that appear to be in violation of the CCPA. The risk posed by the widespread collection and sale of location data has become immediately and particularly relevant given federal threats to California's immigrant communities, and to reproductive and gender-affirming healthcare. Attorney General Bonta has previously conducted investigative sweeps related to streaming apps and devices and employee information.

For more information about the CCPA, visit oag.ca.gov/ccpa. To report a violation of the CCPA to the Attorney General, consumers can submit a complaint online at oag.ca.gov/report.

A copy of the complaint is available here, a copy of the proposed settlement is available here. The settlement is pending court approval.