Healthline Fined $1.55 Million for CCPA Violations
On July 1st, 2025, California Attorney General Rob Bonta announced the largest settlement to date under the CCPA for $1.55 million against Healthline Media. Healthline is the owner and operator of healthline.com. A California Department of Justice investigation determined that Healthline did not allow consumers to opt out of targeted advertising. The investigation also found that Healthline's CCPA violations included sharing data with third parties without proper privacy protections, including data that suggested the consumer could have had a health condition. The settlement is still pending court approval.
Healthline.com Privacy Functionality
Healthline.com is a website with health and wellness articles. The site generates revenue by displaying ads, including some targeted ads, within its articles. Healthline uses third-party trackers for the solicitation and personalization of the ads. The company disclosed to its tracker vendors which articles visitors read to facilitate cross-context advertising.
The CCPA requires businesses to give consumers the ability to opt out of the sale or sharing of their data. A “Do Not Sell or Share My Personal Information” link appeared at the bottom of healthline.com. The website had a Global Privacy Control tool to recognize an opt-out preference signal and a banner that asked consumers to accept the company’s privacy policy, creating a “triple opt-out.” The banner informed site visitors that Healthline “uses cookies to improve [their] experience” and allowed them to click a link for “More information.”

When visitors clicked the “More information” link, they were shown a screen with the following information about cookies: “These cookies gather information about your use of our [website] so we may improve your experience and provide you with more relevant content and advertising.” On this screen, visitors could uncheck a box that allowed the targeted/advertising cookies.
Healthline CCPA Violations Found in the Investigation
Healthline said approximately 65,000 Californians opted out. According to the case files, investigators observed Healthline continuing to provide personal information to over a dozen third parties involved in online advertising and setting cookies used in targeted advertising even after the “triple opt-out.” Healthline failed to honor the opt-outs, and its consent banner did not disable tracking cookies when a consumer unchecked the box, despite claiming to do so.
The data being shared included the title of the article being read. Examples of articles on the website include “The Ultimate Guide to MS for the Newly Diagnosed” and “Newly Diagnosed with HIV? Important Things to Know.” The CPPA argued that sharing the article titles suggested a medical diagnosis that data brokers could add to a consumer’s profile. By sharing the potentially sensitive medical data, Healthline violated the CCPA’s “purpose limitation principle,” which limits using personal information to only the purposes for which it was collected. Healthline’s privacy policy did not mention sharing article titles, and consumers did not see those titles being shared in the digital background.
The CCPA requires businesses that sell personal information to have a written contract with the recipients of the data that lists the limited and specific purposes for which the data may be used. Investigators found that several of Healthline’s contracts did not meet CCPA requirements. Examples of noncompliant contracts include one that said the recipient could use the data for “any business purpose,” and another that stated the recipient could use the data for any “internal use” for the recipient’s “direct benefit.”
After being contacted by the Attorney General, Healthline began remediating issues found in the investigation. Healthline found a misconfigured opt-out mechanism and claimed that certain pixels and other tags observed by the AG were installed by advertising vendors who facilitate advertising on the website. The company also reported that a privacy compliance vendor may not have properly identified and blocked all relevant online trackers after a consumer opt-out was detected. Healthline’s engineers undertook an extensive manual review, and the company reported that it now disables trackers directly in response to a consumer’s opt-out request. Healthline disabled all sales and sharing through online trackers to third parties that did not have contracts that complied with the CCPA’s requirements.
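A site owner can run the same kind of check the investigators describe: capture the requests a page makes after an opt-out and flag any third party that still receives the article title or sets a persistent cookie. The script below is an added example, not code from Healthline, the Attorney General, or CompliancePoint; the hostnames, query parameter names, and captured requests are constructed placeholders.

```javascript
// Constructed sample: requests captured in a test session AFTER the visitor
// opted out (GPC signal sent, advertising box unchecked). All hosts are placeholders.
const FIRST_PARTY = "publisher.example";
const captured = [
  { url: "https://publisher.example/health/newly-diagnosed-guide", setCookie: [] },
  { url: "https://cdn.publisher.example/app.js", setCookie: [] },
  { url: "https://ads.tracker-one.example/pixel?dt=Newly%20Diagnosed%20Guide&uid=abc123",
    setCookie: ["adid=abc123; Max-Age=31536000; SameSite=None; Secure"] },
  { url: "https://tags.tracker-two.example/collect?ref=https%3A%2F%2Fpublisher.example%2Fhealth%2Fnewly-diagnosed-guide",
    setCookie: [] },
  { url: "https://fonts.vendor.example/font.woff2", setCookie: [] },
];

// A host is first party if it is the site itself or one of its subdomains.
function isThirdParty(host, firstParty) {
  return host !== firstParty && !host.endsWith("." + firstParty);
}

// Returns one finding per third-party request that still discloses the
// article being read or sets a cookie that outlives the session.
function auditAfterOptOut(requests, firstParty, article) {
  const findings = [];
  for (const req of requests) {
    const u = new URL(req.url);
    if (!isThirdParty(u.hostname, firstParty)) continue;
    const reasons = [];
    // URLSearchParams yields values already percent-decoded.
    for (const [key, value] of u.searchParams) {
      const v = value.toLowerCase();
      if (v.includes(article.title.toLowerCase())) reasons.push(`article title in "${key}"`);
      if (v.includes(article.slug)) reasons.push(`article URL in "${key}"`);
    }
    for (const c of req.setCookie) {
      if (/max-age=|expires=/i.test(c)) reasons.push(`persistent cookie "${c.split("=")[0]}"`);
    }
    if (reasons.length) findings.push({ host: u.hostname, reasons });
  }
  return findings;
}

const article = { title: "Newly Diagnosed Guide", slug: "/health/newly-diagnosed-guide" };
const findings = auditAfterOptOut(captured, FIRST_PARTY, article);
console.log(JSON.stringify(findings, null, 2));
```

An empty result after opt-out is the passing condition; any finding names the vendor host to disable or to cover with a compliant contract.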
Additional Aspects of the Settlement
On top of the financial penalty, Healthline agreed to the following actions as part of the settlement:
- Ensure its opt-out mechanisms work correctly
- Stop disclosing information that can link a consumer to a specific article title that suggests a disease diagnosis
- Audit contracts for specific, required privacy terms, or confirm that third parties have signed an industry contractual framework that includes those terms
- Maintain accurate online disclosures and privacy policy
Previous CCPA Enforcements
The Healthline penalty is not the first CCPA enforcement in 2025 related to website privacy and consent functionality. In March, Honda was fined $632,500 for the following violations:
- Requiring excessive personal information to exercise privacy rights
- A longer opt-out process than opting-in
- Creating barriers for consumers using Authorized Agents
- Failure to produce contracts with advertising technology vendors
In May 2025, clothing retailer Todd Snyder was fined $345,178 for the following CCPA violations:
- Not honoring opt-out requests for forty days
- Requiring consumers to verify their identity to opt out of sale/sharing
CompliancePoint offers a suite of services that help organizations comply with the privacy requirements found in the CCPA, GDPR, and other state laws. Contact us at connect@compliancepoint.com to learn more about how we can help.