On July 1, 2025, the California Attorney General, Rob Bonta, announced that the California Privacy Protection Agency (CPPA) entered into a settlement with Healthline Media LLC (Healthline), which included a fine of $1,550,000, the largest fine by the CPPA to date, for various alleged violations of the California Consumer Privacy Act (CCPA). This settlement and fine follow the CCPA’s $632,500 fine against American Honda Motor Co. in March of this year. These actions continue to show California’s increased focus on CCPA enforcement.
Per the announcement, Healthline.com is a health and wellness information website that is one of the top 40 most visited websites in the world and generates revenue by showing advertisements on the website.
The settlement, which is pending court approval, includes the following allegations that Healthline:
- Failed to opt consumers out of targeted advertising. The CPPA alleged that Healthline disclosed consumer data with third-party advertisers, even after consumers exercised their right to opt-out through global privacy controls as required under the CCPA.
- Used consumer data outside of the original purpose for collecting their data. The CPPA alleged that Healthline used consumer data for purposes outside the original scope for why the data was collected. Specifically, due to the use of cookies and other technologies on the website, article titles that consumers viewed on the website were disclosed to third-party service providers. This resulted in third parties accessing article titles that suggested consumers may have been diagnosed with specific medical conditions.
- Failed to maintain CCPA compliant contracts. Healthline maintained contracts with third-party advertisers that did not contain the required CCPA contract language, including privacy protection requirements.
- Deceived consumers through its cookie consent banner. While Healthline maintained a consent banner on its website, the CPPA alleged that the banner did not actually disable any tracking cookies when a consumer unchecked the consent box.
As part of the settlement, Healthline will face injunctive terms. This includes a first-of-its-kind prohibition on sharing article titles to third parties that may suggest a consumer’s medical diagnosis or condition.
Taft’s Privacy & Data Security team has extensive experience counseling clients on consumer data privacy laws, data minimization strategies, and data governance program development. For more data privacy & security-related updates, please visit Taft’s Privacy & Data Security Insights blog and our LinkedIn page.