By Andrew Moon
July 2, 2025 • 3 min read
On July 1, 2025, California Attorney General Rob Bonta announced a record $1.55 million settlement with Healthline Media LLC for violating the California Consumer Privacy Act (CCPA). This marks the largest CCPA enforcement action to date, and notably the first targeting a publisher for improper use of online tracking technologies involving health-related data.
While this settlement focused on a health publisher, its lessons extend far beyond the publishing world. From e-commerce to healthcare marketing, any business that collects personal data and uses it for advertising or personalization can take away critical compliance guidance from this case.
The message from California is clear: privacy requires technically robust and verifiable solutions, opt-out tools must work, and sensitive health data deserves heightened protection.
Keep reading for why the Attorney General took action, what this means for businesses, and how Transcend can help.
The complaint against Healthline outlines multiple CCPA and Unfair Competition Law (UCL) violations uncovered during the agency's technical investigation. These included:
1. Broken opt-out mechanisms
Healthline offered a range of opt-out options, including a webform, a cookie banner, and support for the Global Privacy Control (GPC). Yet these tools didn't work as intended. Even after consumers exercised their opt-out rights, Healthline continued transmitting personal data to dozens of advertising partners, in direct violation of the CCPA.
2. Sharing sensitive health-related data
The AG’s office discovered that Healthline shared not just basic visitor data, but article titles that strongly indicated a consumer’s possible diagnosis, such as “The Ultimate Guide to MS for the Newly Diagnosed.” This information, linked to a unique cookie, could allow third parties to build extremely sensitive profiles about site visitors, in violation of the CCPA’s purpose limitation principle.
3. Missing or inadequate contracts
The settlement notes that Healthline relied on industry frameworks to manage data privacy agreements with advertising vendors. But some third parties had no contracts in place that satisfied CCPA requirements, and existing contracts included vague permissions like “any business purpose,” leaving consumers’ personal data broadly exposed.
4. Deceptive cookie banner
Healthline’s consent banner told consumers they could disable advertising cookies, but the feature didn’t work, allowing trackers to continue collecting personal information. The AG called this a deceptive business practice under the Unfair Competition Law.
Read the full text of the complaint.
Under the settlement terms, Healthline agreed to a sweeping set of corrective measures designed to rebuild trust and protect consumer privacy, including:
The AG noted Healthline had already started to cooperate by making fixes before the settlement was finalized, likely helping to reduce the overall penalty.
The Healthline case is the first CCPA enforcement against a publisher for ad tech violations, and it likely won't be the last.
According to Daniel Goldberg, Partner at Frankfurt Kurnit Klein & Selz:
“This case sends a strong message: publishers are equally responsible as advertisers for ad tech compliance, and the AG is looking beyond privacy policies to real-world data flows.”
Several important lessons, along with their implications, emerge for companies reviewing the Attorney General's settlement with Healthline:
“The Healthline enforcement makes it plain: privacy compliance is now judged by what your code does, not what your policy says. CPOs who align legal, engineering, and product to build privacy into the tech stack will be the ones who avoid fines, and earn user trust.”
Transcend Field Chief Privacy Officer Ron De Jesus
If your business is working to avoid Healthline’s mistakes, Transcend can help you move from reactive to proactive compliance with scalable, automated, and technically robust privacy infrastructure.
1. Comprehensive consent coverage: Transcend Consent Management replaces legacy consent banners and fragmented tools with a unified, enterprise-grade platform that captures and honors consent and opt-out signals, including GPC, across all domains, devices, and applications.
2. Truly automated data subject request fulfillment: Our DSR Automation fulfills opt-out, deletion, or access requests end-to-end across your entire tech stack, eliminating the manual processes and human errors that can lead to compliance failures.
3. Visibility and reporting at scale: Transcend delivers detailed consent records, data flow logs, and contract oversight reporting, giving you the confidence to manage your privacy program across hundreds of vendors and data processors.
Whether you’re solidifying and simplifying your opt-out process, ensuring accurate data flows and labeling, or wholesale maturing your privacy program, Transcend’s automated platform helps you maintain compliance, reduce operational risk, and build trust with your customers.
Reach out today to learn how Transcend supports confident compliance with CCPA.