Healthline Pays Record $1.55 Million Settlement Under CCPA: The Key Takeaways

July 2, 2025 · 3 min read


On July 1, 2025, California Attorney General Rob Bonta announced a record $1.55 million settlement with Healthline Media LLC for violating the California Consumer Privacy Act (CCPA). This marks the largest CCPA enforcement action to date, and notably the first targeting a publisher for improper use of online tracking technologies involving health-related data.

While this settlement focused on a health publisher, its lessons extend far beyond the publishing world. From e-commerce to healthcare marketing, any business that collects personal data and uses it for advertising or personalization can take away critical compliance guidance from this case.

The message from California is clear: privacy requires technically robust and verifiable solutions, opt-out tools must work, and sensitive health data deserves heightened protection.

Keep reading for why the Attorney General took action, what this means for businesses, and how Transcend can help.

Why did the California AG fine Healthline $1.55 million?

The complaint against Healthline outlines multiple CCPA and Unfair Competition Law (UCL) violations uncovered during the agency's technical investigation. These included:

1. Broken opt-out mechanisms

Healthline offered a range of opt-out options, including a webform, a cookie banner, and support for the Global Privacy Control (GPC). Yet these tools didn't work as intended. Even after consumers exercised their opt-out rights, Healthline continued transmitting personal data to dozens of advertising partners, in direct violation of the CCPA.

2. Sharing sensitive health-related data

The AG’s office discovered that Healthline shared not just basic visitor data, but article titles that strongly indicated a consumer’s possible diagnosis, such as “The Ultimate Guide to MS for the Newly Diagnosed.” This information, linked to a unique cookie, could allow third parties to build extremely sensitive profiles about site visitors, in violation of the CCPA’s purpose limitation principle.

3. Missing or inadequate contracts

The settlement notes that Healthline relied on industry frameworks to manage data privacy agreements with advertising vendors. But some third parties had no contracts in place that satisfied CCPA requirements, and existing contracts included vague permissions like “any business purpose,” leaving consumers’ personal data broadly exposed.

4. Deceptive cookie banner

Healthline’s consent banner told consumers they could disable advertising cookies, but the feature didn’t work, allowing trackers to continue collecting personal information. The AG called this a deceptive business practice under the Unfair Competition Law.

Read the full text of the complaint.

A record penalty for violating CCPA

Under the settlement terms, Healthline agreed to a sweeping set of corrective measures designed to rebuild trust and protect consumer privacy, including:

  • Payment of a $1.55 million civil penalty within 30 days
  • An outright ban on selling or sharing information tied to diagnosed medical condition articles
  • Requiring clear notices and opt-out rights before any sale or sharing of other sensitive personal information
  • Annual audits of opt-out mechanisms to confirm they function correctly, with results documented in an annual report
  • Annual review of all contracts with third parties and service providers, including explicit verification of any third party’s role-switching from a data recipient to a service provider upon receiving an opt-out signal
  • Identification of the specific person or role at Healthline responsible for contract oversight

The AG noted Healthline had already started to cooperate by making fixes before the settlement was finalized, likely helping to reduce the overall penalty.

Lessons for publishers and companies

The Healthline case is the first CCPA enforcement against a publisher for ad tech violations, and it likely won't be the last.

According to Daniel Goldberg, Partner at Frankfurt Kurnit Klein & Selz:

“This case sends a strong message: publishers are equally responsible as advertisers for ad tech compliance, and the AG is looking beyond privacy policies to real-world data flows.”

Several important lessons emerge for companies when reviewing the Attorney General's settlement with Healthline, and the implications:

  • Test your opt-outs, regularly. If a consumer opts out, whether through GPC, a cookie banner, or another mechanism, that signal must be honored. Ensure your privacy vendor is not only honoring this within your own system, but downstream to third parties.
  • Expect more aggressive, more technical enforcement. This is the largest CCPA penalty yet, and the AG specifically connected it to prior actions against Sephora and DoorDash. California regulators are showing they will continue to scrutinize far beyond a company’s privacy policy, forensically interrogating online advertising, cookie tracking, and health data flows, with meaningful penalties for violations.
  • “Trust, but verify” vendor compliance. Along these same lines, the AG made clear that using third-party frameworks or privacy platforms does not absolve a business from ensuring compliance. Referring to the earlier settlement against Sephora, the AG noted that “both cases underscore that businesses that place or display online advertising must carefully review that their systems operate as intended and comply with California’s privacy laws.”
  • Get contracts right. The settlement highlights that vague or boilerplate language (“any business purpose”) is insufficient. Contracts must be precise, identify data-sharing limits, and clarify what happens if a consumer opts out.
  • Purpose limitation matters. The AG’s complaint cited Section 7002 of the CCPA regulations, which requires that data use aligns with reasonable consumer expectations. That principle is here to stay, and regulators will enforce it.
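The “test your opt-outs” lesson and the settlement’s annual audit requirement both come down to one check: given a consumer’s opt-out state, does any observed outbound transfer still reach an advertising partner? The following is an added example, not code from this article, Healthline, or Transcend. It combines the three opt-out channels the complaint names (GPC, which browsers send as the `Sec-GPC: 1` request header; the cookie banner; a webform record), gates transfers by partner role, and audits a set of captured requests. The hostnames, the `ad_consent` cookie name, the condition keyword list, and the sample requests are constructed placeholders.

```javascript
// Added example: honoring CCPA opt-out signals and auditing outbound ad-tech
// transfers. Not Healthline's or Transcend's code; hostnames, cookie names and
// the condition keyword list are constructed placeholders.

// Constructed partner lists. In practice these come from the contract review the
// settlement requires: who is a contract-bound service provider (processing on
// your behalf) and who is a third party to whom a transfer is a sale or share.
const AD_PARTNER_HOSTS = new Set(['ads.example-partner.com', 'pixel.example-dsp.net']);
const SERVICE_PROVIDER_HOSTS = new Set(['analytics.example-sp.com']);

// Constructed keyword list standing in for a real taxonomy of
// diagnosed-condition articles (the settlement bans sharing data tied to them).
const CONDITION_PATTERNS = [/\bnewly diagnosed\b/i, /\bdiagnosis\b/i, /\bMS\b/, /\bHIV\b/];

// Combine the three opt-out channels. Any one of them opts the consumer out.
function optOutState({ headers = {}, cookies = {}, webformOptOut = false } = {}) {
  const gpc = String(headers['sec-gpc'] ?? '').trim() === '1'; // Global Privacy Control header
  const bannerOptOut = cookies.ad_consent === 'denied';          // constructed cookie name
  return { gpc, bannerOptOut, webformOptOut, optedOut: gpc || bannerOptOut || webformOptOut };
}

function isConditionArticle(title) {
  return CONDITION_PATTERNS.some((re) => re.test(title || ''));
}

// Decide whether one outbound transfer may proceed. Returns null when allowed,
// otherwise a short reason string describing the violation.
function transferViolation(state, transfer) {
  const host = new URL(transfer.url).hostname;
  if (SERVICE_PROVIDER_HOSTS.has(host)) return null;  // service provider under contract
  if (!AD_PARTNER_HOSTS.has(host)) return null;       // first party; not a sale or share
  if (isConditionArticle(transfer.payload?.article)) {
    return 'condition-article data sent to ad partner'; // banned regardless of opt-out
  }
  if (state.optedOut) return 'ad-partner transfer after opt-out';
  return null;
}

// Audit observed transfers (e.g. captured by a proxy during a scripted opt-out
// test) against a consumer's opt-out state; returns the list of violations.
function auditTransfers(state, observed) {
  return observed
    .map((t) => ({ url: t.url, reason: transferViolation(state, t) }))
    .filter((r) => r.reason !== null);
}

// Constructed sample: a visitor whose browser sends GPC, and four requests
// captured after the opt-out was signalled.
const sampleState = optOutState({ headers: { 'sec-gpc': '1' } });
const sampleObserved = [
  { url: 'https://analytics.example-sp.com/collect', payload: { article: 'How to Sleep Better' } },
  { url: 'https://www.example-publisher.com/api/recommend', payload: { article: 'How to Sleep Better' } },
  { url: 'https://ads.example-partner.com/sync?uid=abc123', payload: { article: 'How to Sleep Better' } },
  { url: 'https://pixel.example-dsp.net/t', payload: { article: 'The Ultimate Guide to MS for the Newly Diagnosed' } },
];

function sampleAudit() {
  return auditTransfers(sampleState, sampleObserved);
}

console.log(JSON.stringify(sampleAudit(), null, 2));
```

Run against the constructed capture, the audit flags the two ad-partner requests and passes the service-provider and first-party ones; the condition-article transfer is flagged even for a visitor who has not opted out. The same `auditTransfers` call, fed real captured traffic from a browser that has sent GPC or clicked the banner, is the substance of the annual opt-out audit the settlement requires.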

“The Healthline enforcement makes it plain: privacy compliance is now judged by what your code does, not what your policy says. CPOs who align legal, engineering, and product to build privacy into the tech stack will be the ones who avoid fines, and earn user trust.”

Transcend Field Chief Privacy Officer Ron De Jesus

How Transcend can help

If your business is working to avoid Healthline’s mistakes, Transcend can help you move from reactive to proactive compliance with scalable, automated, and technically robust privacy infrastructure.

1. Comprehensive consent coverage: Transcend Consent Management replaces legacy consent banners and fragmented tools with a unified, enterprise-grade platform that captures and honors consent and opt-out signals, including GPC, across all domains, devices, and applications.

2. Truly automated data subject request fulfillment: Our DSR Automation fulfills opt-out, deletion, or access requests end-to-end across your entire tech stack, eliminating the manual processes and human errors that can lead to compliance failures.

3. Visibility and reporting at scale: Transcend delivers detailed consent records, data flow logs, and contract oversight reporting, giving you the confidence to manage your privacy program across hundreds of vendors and data processors.

Whether you’re solidifying and simplifying your opt-out process, ensuring accurate data flows and labeling, or maturing your privacy program wholesale, Transcend’s automated platform helps you maintain compliance, reduce operational risk, and build trust with your customers.

Reach out today to learn how Transcend supports confident compliance with CCPA.
