On July 1, 2025, California Attorney General Rob Bonta announced the largest CCPA settlement to date, which included a $1.55 million penalty against Healthline Media LLC. This settlement sends a clear message to businesses that California Consumer Privacy Act (CCPA) enforcement is ramping up, and health-related data is in scope.

According to the complaint filed against Healthline, a popular health information website, the state alleged Healthline:

  • Shared sensitive health-related data with third parties without adequate user consent.
  • Failed to provide a clear opt-out mechanism for targeted advertising.
  • Lacked CCPA-compliant contracts with third parties, and assumed, but did not verify, that the third parties had agreed to abide by an industry contractual framework.
  • Transmitted article titles (e.g., “You’ve Been Newly Diagnosed with MS”) that could reveal a user’s medical condition, effectively disclosing personal health information.

This case marks the first time the California Department of Justice has enforced the CCPA’s protections around sensitive personal information.

Operating one of the top 40 most visited websites in the world, Healthline is a media company engaged in the use of use of online tracking technology on its website. The online trackers used on Healthline’s website, like cookies and pixels, communicate data about readers to advertisers and other third parties in order to maximize ad revenue. That data uniquely identified consumers along with, for example, titles of articles they were reading. Some titles indicated that the reader may have already been diagnosed with a serious illness, such as “You’ve Been Newly Diagnosed with MS. What’s Next?” In some cases, according to the allegation, consumers often had no idea how many online trackers might be running.

The settlement includes strict injunctive terms, such as:

  • A ban on sharing article titles that could imply a diagnosis.
  • Enhanced user opt-out mechanisms for data sharing.
  • Stronger contractual safeguards with service providers and third-party advertisers.

Key Takeaways for Business

For businesses that collect or share consumer data, especially when using online tracking technologies that share sensitive categories like health information, this case is just another reminder about the potential compliance and litigation risks. Here are some best practices for businesses subject to the CCPA.

  1. Audit data practices, including identifying what personal information, as well as sensitive personal information, the business is collecting and how it is being used and shared.
  2. Be familiar with what tracking technologies are being used on your websites, including what information they collect and share.
  3. Strengthen opt-out mechanisms, including ensuring that the “Do Not Sell or Share My Personal Information” link is prominent and functional.
  4. Review third-party contracts with advertisers and analytics providers, including CCPA-compliant data use restrictions.
  5. Avoid inadvertent disclosure by being cautious about URLs, article titles, or metadata that could reveal personal information.

Conducting an annual review of CCPA compliance, as required under the CCPA, is an obvious step to help ensure ongoing compliance.