On July 1, 2025, California Attorney General Bonta announced a $1.55 million settlement, pending court approval, related to allegations that Healthline.com, a website where consumers can read informational articles about medical and health topics, violated the California Consumer Privacy Act (“CCPA”) and the California Unfair Competition Law.

As summarized in the complaint and proposed settlement, the AG alleges Healthline committed the following violations:

  • Failed to Honor Consumer Opt-Outs of Sell or Share for Targeted Advertising. The AG alleges that even after Healthline readers exercised their right to opt out of the sale or sharing of their personal information for targeted advertising, Healthline continued to transmit identifying data to Healthline’s advertising partners for such purposes. The complaint alleges that Healthline misconfigured one opt-out mechanism and failed to test whether it worked. After being contacted by the AG, Healthline reported that its “privacy compliance vendor may not have properly identified and blocked all relevant online trackers after the vendor detected that a consumer had opted out.” Earlier this year, the AG’s Office published a press release reminding businesses and consumers about the right to opt out.
  • Violated the CCPA’s Purpose Limitation Principle. Under the CCPA’s purpose limitation principle, businesses are restricted to processing personal information for the purposes for which the data was collected (or for a compatible purpose). The AG alleges that Healthline violated this principle by disclosing article titles that suggested a possible medical diagnosis (e.g., “Newly Diagnosed with HIV? Important Things to Know.”) with advertisers and their vendors, which these recipients could add to their consumer profiles. The AG alleges that Healthline’s privacy policy did not indicate that Healthline would share article titles and that consumers would not reasonably expect that those titles were being shared.
  • Failed to Maintain Contracts with Third Parties that Contain CCPA-Required Terms. After reviewing Healthline’s contracts with advertising companies, the AG found that many of those contracts did not contain CCPA-mandated terms.
  • Deceived Consumers about their Ability to Disable Tracking Cookies. Healthline’s cookie banner allowed users to select a “more information” link where consumers could uncheck the box that allowed targeted/advertising cookies. However, the AG alleges that Healthline’s cookie banner deceived consumers because it purported to allow users to disable cookies but failed to do so in practice.

Under the terms of the proposed settlement, Healthline agrees to the following:

  • Process consumer requests to opt out of sales or sharing through an opt-out preference signal, including the Global Privacy Control;
  • Stop selling or sharing combinations of personal information that allows recipients to determine that a consumer is viewing a specified diagnosed medical condition article, except where the sales or sharing would fall under a CCPA exemption;
  • Implement a compliance program that includes testing of opt-out mechanisms, annual reviews of contracts with third parties, and reports to the AG for three years;
  • Provide appropriate notice to consumers regarding the sale and sharing of their personal information and their right to opt out; and
  • Pay $1.55 million in civil penalties.

This is the California AG’s fourth action against entities alleged to have violated the CCPA, indicating that the AG will continue to pursue cases independent from the California Privacy Protection Agency. We summarized two of the AG’s prior actions in blog posts here and here. The Healthline settlement suggests that regulators continue to scrutinize online tracking and advertising practices under the CCPA.

Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on managing privacy, cyber security, and artificial intelligence risks, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with U.S. and global privacy laws.

Libbie Canter represents a wide variety of multinational companies on managing privacy, cyber security, and artificial intelligence risks, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with U.S. and global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state laws, including the California Consumer Privacy Act, the Colorado AI Act, and other state laws. As part of her practice, she also regularly represents clients in strategic transactions involving personal data, cybersecurity, and artificial intelligence risk and represents clients in enforcement and litigation postures.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Chambers USA 2025 ranks Libbie in Band 3 Nationwide for both Privacy & Data Security: Privacy and Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Read more about Libbie Canter
Show more Show less
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager is a recognized leader in representing companies before federal and state regulators, and is renowned for advising on minor protection, AI, and state comprehensive privacy laws.

Lindsey chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their…

Lindsey Tonsager is a recognized leader in representing companies before federal and state regulators, and is renowned for advising on minor protection, AI, and state comprehensive privacy laws.

Lindsey chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and State Attorneys General on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence; data processing for robotics, autonomous vehicles, and other connected devices; biometrics; online advertising; the collection of personal information from children, teens, and students online; e-mail marketing; disclosures of video viewing information; and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Read more about Lindsey Tonsager
Show more Show less
Photo of Olivia Vega Olivia Vega

Olivia Vega advises global companies on a broad spectrum of privacy, healthcare, and technology matters, helping them navigate both established and emerging laws and regulations. Her practice includes helping clients comply with state privacy laws, such as the California Consumer Privacy Act and…

Olivia Vega advises global companies on a broad spectrum of privacy, healthcare, and technology matters, helping them navigate both established and emerging laws and regulations. Her practice includes helping clients comply with state privacy laws, such as the California Consumer Privacy Act and the Washington My Health My Data Act, as well as federal frameworks like HIPAA and the privacy standards established by the Federal Trade Commission.

As part of her practice, Olivia helps clients develop privacy notices and policies, negotiate privacy terms with third-party vendors, and design governance programs for new products and services. Olivia also represents clients in enforcement actions brought by the Federal Trade Commission, particularly in areas like data privacy, artificial intelligence, and marketing practices. In addition, she plays a key role in advancing clients’ advocacy efforts during regulatory rulemaking processes on issues related to data privacy, cybersecurity, and artificial intelligence.

Olivia maintains an active pro bono practice, including assisting small and nonprofit entities with data privacy topics.

Read more about Olivia Vega
Show more Show less
Photo of Natalie Maas Natalie Maas

Natalie is an associate in the firm’s San Francisco office, where she is a member of the Food, Drug, and Device, and Data Privacy and Cybersecurity Practice Groups. She advises pharmaceutical, biotechnology, medical device, and food companies on a broad range of regulatory…

Natalie is an associate in the firm’s San Francisco office, where she is a member of the Food, Drug, and Device, and Data Privacy and Cybersecurity Practice Groups. She advises pharmaceutical, biotechnology, medical device, and food companies on a broad range of regulatory and compliance issues.

Natalie also maintains an active pro bono practice, with a particular focus on health care and reproductive rights.

Read more about Natalie Maas
Show more Show less
Photo of Bryan Ramirez Bryan Ramirez

Bryan Ramirez is an associate in the firm’s San Francisco office and is a member of the Data Privacy and Cybersecurity Practice Group. He advises clients on a range of regulatory and compliance issues, including compliance with state privacy laws. Bryan also maintains…

Bryan Ramirez is an associate in the firm’s San Francisco office and is a member of the Data Privacy and Cybersecurity Practice Group. He advises clients on a range of regulatory and compliance issues, including compliance with state privacy laws. Bryan also maintains an active pro bono practice.

Read more about Bryan Ramirez
Show more Show less