What can you learn from Healthline’s $1.55M CCPA settlement?

Published July 21, 2025 by Thierry Maout

6 min read
Summary

In a landmark case earlier this month, Healthline Media LLC (Healthline) agreed to a $1.55 million settlement with the California Attorney General for violating the California Consumer Privacy Act (CCPA).

In this article, we examine this milestone enforcement for privacy regulations in the U.S. and review the details of the case, including where it went wrong for Healthline, why it matters for the privacy industry as a whole, and, critically, how other companies can prevent similar situations.

Understanding the Healthline CCPA settlement

California Attorney General (AG) Rob Bonta filed a complaint against Healthline in July 2025, highlighting several key areas where the organization failed to comply with the state’s privacy standards:

  • Unlawful sharing of health-related data: Healthline allowed third-party advertising companies to collect and use personally identifiable information about users, including titles of health-related articles they read, which could reveal sensitive medical conditions.
  • CCPA violations: The company violated the California Consumer Privacy Act (CCPA) by continuing to share personal data even after users opted out through multiple available mechanisms (including Global Privacy Control signals), by misconfiguring its opt-out tools and failing to test that they worked, and by lacking contracts with third-party advertisers that met CCPA requirements, including limits on data use and a commitment to honor consumer privacy signals.
  • Misleading cookie banner: Healthline’s consent banner misled users by claiming to disable advertising cookies when, in fact, it did not.
  • Unreasonable data use beyond user expectations: Sharing article titles for advertising was deemed a violation of the CCPA’s “purpose limitation” principle, which requires that data usage aligns with reasonable consumer expectations and is clearly disclosed.
  • Weak contracts with advertisers: Healthline’s contracts with advertisers lacked specific limits on how data could be used, often allowed broad and vague usage, such as “any business purpose,” and did not guarantee that advertisers would honor user opt-outs, leaving Healthline liable for downstream misuse of personal data.

Investigators showed that after visiting Healthline pages on specific diseases, ads for related medications appeared on unrelated platforms (like streaming services), and a data broker profile tagged the user with conditions like IBS/Crohn’s disease.

What has Healthline agreed to?

Under the proposed settlement with the California Attorney General, Healthline has agreed to:

  • Pay $1.55 million in civil penalties.
  • Ensure its opt-out mechanisms work correctly.
  • Refrain from disclosing information that can link a specific consumer to an article title indicating a medical diagnosis.
  • Maintain a CCPA compliance program that includes contract audits to ensure required privacy terms are included or confirm that third parties have signed an industry-standard contractual framework.
  • Maintain accurate online disclosures and a privacy policy.

This case marks the fourth and largest CCPA settlement to date, as explained by the State of California and Attorney General Rob Bonta in a press release. It’s the latest sign that U.S. regulators are going beyond looking at what’s in your privacy policy: they’re checking whether your setup actually works.

Under the settlement today, Healthline is required to ensure that its opt-out mechanisms work correctly; must stop disclosing information that can link a specific consumer to a specific article title that suggests that consumers have been diagnosed with a disease; must maintain a CCPA compliance program that, among other things, mandates that Healthline audits its contracts for specific, required privacy terms or confirm that third parties have signed an industry contractual framework that includes those terms; and maintain accurate online disclosures and privacy policy. 

- State of California Department of Justice (source: Attorney General Bonta Announces Largest CCPA Settlement to Date, Secures $1.55 Million from Healthline.com)

How can companies avoid similar CCPA privacy failures?

Considering massive fines and settlements like this one, companies can sometimes feel that the risk of non-compliance is distant and that exemplary privacy practices are out of reach. But the Healthline case highlighted critical breakdowns that many organizations still face and can work to address. 

Let’s examine four privacy pillars derived from the Healthline case that every company can learn from and improve upon.

1. Implement opt-out mechanisms that actually work and are respected

As highlighted by the complaint from the California AG, Healthline offered users multiple ways to opt out (including cookie banners and Global Privacy Control signals), but the company continued sharing personal data with third-party advertisers regardless.

This can be prevented by implementing a Consent Management Platform (CMP) that ensures opt-out mechanisms actually work through:

  • Real-time consent enforcement that immediately stops data sharing when users opt out.
  • GPC signal recognition that automatically detects and honors privacy signals across all browsers.
  • Multi-channel opt-out support including cookie banners, privacy preference centers, and automated privacy signals.
  • Continuous testing and monitoring to verify that opt-out mechanisms function correctly across different devices and browsers.
  • Server-side enforcement that prevents data sharing at the source, not just at the user interface level.

Didomi solutions provide transparency and accountability, ensuring that what is promised to users is actually delivered, while also allowing companies to track what happens on their web properties in case of a faulty implementation.
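As an added illustration of the enforcement and testing points above (this is example code, not Didomi's or Healthline's), the following JavaScript shows one way to make an opt-out actually gate third-party advertising tags: a GPC signal is read on the client from `navigator.globalPrivacyControl` and on the server from the `Sec-GPC` request header, the effective opt-out state is resolved against the banner choice, advertising vendors are blocked when the user is opted out, and a captured request log is audited for calls to ad-vendor hosts after the opt-out timestamp. The vendor names and hosts, the consent-record shape and the log entries are constructed for the example.

```javascript
// Added example: opt-out gating for third-party advertising tags plus a
// request-log audit. Vendor names, hosts, the consent record shape and the
// log entries are constructed for illustration, not taken from any real site.

// Vendors that would receive personal data if their tags load. Constructed list.
const AD_VENDORS = [
  { name: 'example-ads',     host: 'ads.example-vendor.test',    purpose: 'advertising' },
  { name: 'example-broker',  host: 'sync.example-broker.test',   purpose: 'advertising' },
  { name: 'example-metrics', host: 'metrics.example-tools.test', purpose: 'analytics'  },
];

// Global Privacy Control, browser side: navigator.globalPrivacyControl is true
// when the user has turned the signal on. The navigator-like object is passed
// in so the function also runs outside a browser (e.g. in a test).
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Global Privacy Control, server side: the browser sends the header "Sec-GPC: 1".
// Header names are matched case-insensitively; any value other than "1" is not a signal.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// Resolve the effective opt-out state. A GPC signal is treated as an opt-out of
// sale/sharing regardless of what the banner recorded; an explicit banner opt-out
// also opts out. Only an explicit banner opt-in with no GPC signal permits sharing;
// a missing or unknown record fails closed.
function resolveOptOut({ bannerChoice, gpc }) {
  if (gpc) return { optedOut: true, reason: 'gpc-signal' };
  if (bannerChoice === 'opt-out') return { optedOut: true, reason: 'banner-opt-out' };
  if (bannerChoice === 'opt-in') return { optedOut: false, reason: 'banner-opt-in' };
  return { optedOut: true, reason: 'no-record' };
}

// Decide which vendor tags may load. Advertising vendors are blocked whenever the
// user is opted out; the analytics vendor in this toy model does not sell or share.
function vendorLoadPlan(vendors, decision) {
  const allowed = [];
  const blocked = [];
  for (const v of vendors) {
    if (v.purpose === 'advertising' && decision.optedOut) blocked.push(v.name);
    else allowed.push(v.name);
  }
  return { allowed, blocked };
}

// Audit a captured request log against an opt-out timestamp: any request to an
// advertising-vendor host after the opt-out is a violation. Entries are {ts, url}
// with ts in milliseconds (constructed format). Malformed URLs are skipped.
function auditRequests(log, optOutTs, vendors) {
  const adHosts = new Set(
    vendors.filter(v => v.purpose === 'advertising').map(v => v.host)
  );
  const violations = [];
  for (const entry of log) {
    let host;
    try { host = new URL(entry.url).hostname; } catch { continue; }
    if (entry.ts > optOutTs && adHosts.has(host)) violations.push({ ts: entry.ts, host });
  }
  return violations;
}

// Constructed request log: two ad calls before the opt-out at t=1000 (fine),
// one analytics beacon after it (fine), one ad pixel after it (violation).
const SAMPLE_LOG = [
  { ts: 500,  url: 'https://ads.example-vendor.test/pixel?article=123' },
  { ts: 900,  url: 'https://sync.example-broker.test/cookie-sync' },
  { ts: 1200, url: 'https://metrics.example-tools.test/beacon' },
  { ts: 1500, url: 'https://ads.example-vendor.test/pixel?article=456' },
  { ts: 1600, url: 'not a url' },
];

// Stand-alone run: a banner opt-in is overridden by a Sec-GPC: 1 header.
if (typeof module !== 'undefined' && require.main === module) {
  const gpc = gpcFromHeaders({ 'Sec-GPC': '1' });
  const decision = resolveOptOut({ bannerChoice: 'opt-in', gpc });
  console.log(decision, vendorLoadPlan(AD_VENDORS, decision));
  console.log('violations:', auditRequests(SAMPLE_LOG, 1000, AD_VENDORS));
}
```

The two points a practitioner should take from the example are that the GPC signal overrides a recorded banner opt-in rather than being merged with it, and that the audit runs over what the browser actually sent, not over what the consent tool claims it did; the same audit can be run against a HAR export from a real page load after opting out.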

2. Carefully consider the categories of data collected, including sensitive personal data

Healthline collected and shared highly sensitive personal information without proper safeguards. By tracking which health articles users read and sharing these article titles with advertisers, they revealed users' medical conditions and health concerns, failing to recognize what constitutes sensitive personal data under CCPA requirements.

The AG’s complaint puts a spotlight on the CCPA’s purpose limitation. It’s not enough to mention targeted advertising in a privacy policy. If data flows aren’t transparent or intuitive to consumers, regulators may conclude that the use exceeds their reasonable expectations.

The AG’s remedy banning Healthline from sharing article titles that imply health conditions with third parties makes clear that sensitive inferences can occur at the publisher level, based on the content shared and not just at the ad tech level based on sensitive segment titles and inferences made.

This may cause publishers to take a closer look at the nature of content shared with third parties.

- Julie Rubash, General Counsel and Chief Privacy Officer at Sourcepoint (source: adexchanger)
The quality and size of a vendor database directly impact how easily CMPs can be updated based on a scan, and how well potential risks can be assessed for specific vendors.

Didomi's vendor database is undergoing a significant expansion, and the most well-known vendors across the market will be automatically qualified. This includes adding vendors who are not part of the European TCF vendor list.

Make sure your systems can detect, flag, and limit the exposure of sensitive data. Learn more about Sensitive Personal Information (SPI) and how Didomi can help:

3. Put in place solid control measures with third-party vendors 

Healthline's contracts with advertising partners lacked specific limitations on data usage and didn't guarantee that advertisers would honor user opt-outs, leaving the company vulnerable to downstream misuse of personal data, with no mechanisms to ensure third-party compliance with CCPA requirements.

After the Sephora and Honda cases (among others), third-party contracts stand out as a central compliance pain point for businesses subject to the CCPA. However, this is not a concern exclusive to California or even the U.S. A case against Criteo in France last year resulted in the Ad Tech company specializing in retargeting being fined €40 million for failing to ensure that its publisher partners obtained user consent for the use of its retargeting cookie. 

We recommend that organizations take a proactive approach by actively monitoring the activities of third-party vendors to ensure their ongoing compliance with data privacy regulations. 

Take a look at our ACM solutions to learn how to do just that.

4. Set up comprehensive consent management oversight practices

Healthline lacked meaningful oversight of its consent management practices, including the functioning of opt-out mechanisms and compliance with user preferences, and had no systems in place to verify that third-party partners were respecting consent decisions. 

This lack of oversight allowed privacy violations to continue undetected, ultimately leading to the Attorney General's investigation and a massive settlement.

Our objective is to provide a comprehensive approach to data privacy by empowering our clients to establish proper governance over their data flows:

  • Real-time compliance dashboards that monitor consent collection and enforcement across all touchpoints
  • Compliance reporting tools that provide audit trails and documentation for regulatory requirements
  • Advanced compliance monitoring that tracks vendor behavior and ensures downstream consent respect

If you’re curious about assessing your current practices and how to avoid the oversight failures that led to Healthline's costly settlement, book some time with our team to discuss.

What does the Healthline settlement mean for companies in California, and how can Didomi help?

The Healthline settlement confirms the continued commitment from California, its Attorney General, and the California Privacy Protection Agency (CPPA) to intensify enforcement in the state and lead the way for data privacy rights in the U.S.

We have extensively covered the growing patchwork of data privacy regulations in the U.S. and focused our efforts on providing the best solutions to support region-specific consent models (opt-in vs. opt-out), server-side and client-side enforcement, privacy signals like GPC, and seamless integrations with the systems companies already use.

At Didomi, our product roadmap is built around a single principle: helping our customers operationalize privacy. It’s not just about having a privacy policy or consent banner—it’s about ensuring those promises are actually delivered, whether it’s on web, mobile, CTV, or server-side.

In an enforcement landscape like California’s, it’s clear that regulators are looking past appearances and into how systems really function. That’s why our focus remains on building products that bring trust, transparency, and verifiable control into every layer of the consent experience.

- Jeffrey Wheeler, VP of Product at Didomi

With our recent acquisition of Sourcepoint, we are strengthening our global position and deepening our presence in North America, offering U.S.-based support and expertise to companies operating under the CCPA/CPRA and other state laws, as well as a global product perspective, grounded in local compliance realities.

Learn more about data privacy in the United States in our comprehensive guide on U.S. state laws.

The author
Thierry Maout
Lead content manager at Didomi.
Managing content at Didomi. I love reading, writing, and learning about data privacy, technology, culture, and education.