California AG Reaches Landmark $1.55 Million CCPA Settlement with Healthline Over Alleged Privacy Violations

CDF Labor Law LLP

On July 1, 2025, the California Attorney General’s (AG) Office announced a record-setting $1.55 million settlement with Healthline Media, a prominent provider of health and wellness information and operator of Healthline.com – reportedly one of the 40 most visited websites globally. The enforcement action centered on violations of the California Consumer Privacy Act (CCPA), marking the first major privacy enforcement in the healthcare space to focus on the law’s purpose-limitation requirement.

According to the AG’s allegations, Healthline unlawfully shared consumers’ personal information, including sensitive data related to medical conditions, with third parties via tracking technologies such as cookies and pixels. The AG alleged multiple violations of the CCPA, including:

  • Failing to restrict the use of personal information to the purposes for which it was originally collected;
  • Allowing third-party data sharing and targeted advertising without obtaining valid consumer consent;
  • Implementing deceptive and non-functional opt-out mechanisms;
  • Failing to maintain CCPA-compliant contracts with third parties such as advertisers.

Under the terms of the settlement, Healthline agreed to pay $1.55 million in civil penalties and committed to a series of corrective measures, including:

  • Ensuring all opt-out mechanisms function as required under the CCPA;
  • Ceasing unauthorized disclosure of information that could reveal consumers’ medical conditions;
  • Updating its privacy policy to accurately reflect its data practices and maintaining CCPA-compliant contracts with third parties.

This case is significant for several reasons. It marks the AG’s first major enforcement action in the healthcare sector and the first to spotlight the CCPA’s purpose-limitation rule. The technical sophistication of the AG’s investigation signals a more aggressive and detailed approach to privacy enforcement going forward.

While the use of tracking technologies is common, businesses must ensure that such tools are deployed in full compliance with applicable privacy laws. This includes:

  • Regularly auditing and updating privacy policies and practices;
  • Ensuring opt-out mechanisms function properly and as advertised;
  • Maintaining proper contracts with third parties that handle consumer data.

The Healthline settlement highlights the growing importance of privacy compliance and serves as a reminder that businesses should take proactive steps to align their data practices with evolving regulatory expectations.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© CDF Labor Law LLP
