As the 2025 summer heat continues and as state privacy laws continue to mature, enforcement actions are beginning to shape the compliance landscape for businesses nationwide—from the coast of California to the shores of Connecticut.
In early July 2025, the attorneys general of California and Connecticut announced significant settlements under their respective privacy statutes, signaling an expanding era of state privacy enforcement. These developments underscore the importance of privacy compliance programs and offer valuable guidance for companies subject to the California Consumer Privacy Act (CCPA), the Connecticut Data Privacy Act (CTDPA), and similar state laws.
California Secures Record CCPA Settlement
On July 1, 2025, California Attorney General Rob Bonta announced a $1.55 million settlement with Healthline Media LLC—the largest CCPA settlement to date. The complaint makes the following allegations about Healthline, which operates Healthline.com, a health and wellness information website:
- Healthline failed to honor consumer opt-out requests made via one of Healthline’s several opt-out mechanisms when it continued to transmit personal information to third-party advertising companies, as required by the CCPA (see Cal. Civ. Code § 1798.120) and the California Unfair Competition Law (see Cal. Bus. & Prof. Code § 17200);
- Healthline collected and sold or shared personal information with advertising companies without the necessary contractual terms for such transfers of data to third parties, in violation of the CCPA, (see Cal. Civ. Code § 1798.100(d); see also Cal. Civ. Code § 1798.140(ad), (ae));
- Heathline.com's “consent banner” claimed to disable tracking cookies but failed to do so and thus was a deceptive practice under the California Unfair Competition Law (see Cal. Bus. & Prof. Code § 17200); and
- Along with tracking technologies like cookies or pixels, Healthline had transmitted article titles (e.g., “Newly Diagnosed with HIV? Important Things to Know”) that “strongly suggested” that a person had “already been diagnosed with a serious disease” to third-party advertisers, potentially revealing health-related information about readers to third parties. This processing of personal information was not reasonably necessary or proportionate for the purposes for which it was collected or processed or for another disclosed purpose that is compatible with the context in which the data was collected and so violated the CCPA’s purpose limitation principle (see Cal. Civ. Code § 1798.100(c)).
With respect to the latter allegation, the attorney general’s complaint alleged that by divulging article titles and other information, a data broker could “update a consumer profile to reflect that a reader had viewed an article about being diagnosed with Crohn’s disease, leading to that reader later seeing ads for Crohn’s treatments while streaming a TV show” or “that data broker could sell that inference of a Crohn’s diagnosis to third parties.” According to the attorney general, this violated the CCPA’s purpose limitation principle, since it permitted disclosure of health-related data for two unexpected uses: “targeted advertising and third-party inferences based on what a consumer was reading.”
As part of the proposed order, Healthline agreed to implement a suite of remedial measures, including functioning opt-out mechanisms, maintaining audit records of its contracts with service providers and third parties confirming their compliance with required privacy terms under the CCPA, and verifying and documenting that Healthine does not sell or share personal information of opted-out consumers to third parties. Healthline also agreed not to sell or share personal information that allows the recipient to determine that a specific consumer is viewing an article with a title or URL that indicates the consumer has already been diagnosed with a medical condition. Further, if Healthline discloses sensitive personal information for advertising purposes, it must provide notice of this to consumers and of their right to limit its use of sensitive personal information.
This settlement marks a significant milestone in CCPA enforcement. It not only sets a new benchmark for monetary penalties but is also the first case involving the enforcement of the CCPA’s purpose limitation principle. The attorney general’s office emphasized that businesses must ensure their privacy practices accurately align with their disclosures, that opt-out mechanisms work consistently, and—most notably—that any secondary use of personal data must align with the “reasonable expectations of the consumer” to satisfy the CCPA’s purpose limitation requirement.
Connecticut’s First CTDPA Enforcement Action
On July 8, Connecticut Attorney General William Tong announced an $85,000 settlement with TicketNetwork, Inc. for alleged violations of the CTDPA. This action is notable because it is the attorney general’s first reported enforcement action under the CTDPA. The attorney general’s office first sent a “cure notice” to TicketNetwork on November 9, 2023, to notify the company that its “privacy notice was largely unreadable, missing key data rights, and contained rights mechanisms that were misconfigured or inoperable.” According to the attorney general, TicketNation failed to address these deficiencies “well beyond” the statutory 60-day “cure period,” repeatedly represented it had resolved deficiencies when it had not, and failed to timely respond to follow-up correspondence.
Under the settlement, in addition to the payment of $85,000, TicketNetwork has agreed to (1) comply with the requirements of the CTDPA, (2) maintain detailed metrics regarding consumer rights requests, and (3) report these metrics to the attorney general. The Connecticut attorney general’s office explained that, since the CTDPA’s cure period provision expired on January 1, 2025, the attorney general’s office has begun issuing Notices of Violations and will continue to expand its enforcement efforts. This echoes the 2025 Enforcement Report released by the Connecticut attorney general’s office, which revealed that the Connecticut attorney general had issued “dozens of notices of violation . . . as well as a number of broader information requests” beginning in 2024. Additionally, the report discloses that the Connecticut attorney general conducted three “privacy notice sweeps” targeting noncompliance within an entity’s privacy notice, including privacy notices that “mislead Connecticut residents about their data rights,” and stressing that companies must “prioritize consumer rights requests.” TicketNetwork allegedly failed to heed these enforcement warnings.
Practical Implications for Businesses
These settlements offer several important takeaways for companies operating under state privacy laws. First, enforcement agencies are paying attention to the details and have the technical capabilities to do so. In the California Healthline enforcement action, the attorney general’s office “tested Healthline’s opt-out mechanisms” to explore whether targeted ads were shown to investigators after they opted out via Healthline’s controls. Similarly, TicketNetwork was taken to task for its consumer rights mechanisms being “misconfigured or inoperable,” suggesting that the Connecticut attorney general tested those mechanisms, or requested technical evidence about their configurations and operation. Businesses should ensure that their consumer rights and opt-out mechanisms are operating as expected and described in their privacy disclosures. This applies even if, as was apparently the case with Healthline, an opt-out or other consumer rights mechanism is supported by a vendor.
Second, the California and Connecticut actions both focused on privacy notice compliance obligations under their respective state laws. Among other issues, the Connecticut attorney general’s office signaled that it is prioritizing compliance with the specific transparency requirements of the CTDPA, and compliance with other states’ privacy notice requirements will not necessarily satisfy the Connecticut requirements. The California attorney general also stressed the importance for businesses to maintain online privacy policies to accurately reflect privacy practices and disclosures. Businesses should review their privacy notices to ensure they are comprehensive and accurate, as well as to confirm that the tools used by the business and its vendors—including privacy compliance vendors–will appropriately honor rights requests.
Third, as these enforcement actions make clear, regulators are not focused only on Big Tech or a conventional higher-risk actor like a data broker. Instead, they are evaluating whether businesses of all types are engaging in meaningful, ongoing compliance efforts.
Finally, the Healthline settlement reflects regulators’ recent focus on the disclosure of health data in connection with targeted advertising and their willingness to use their legal authority in novel ways to reach such disclosures. By alleging for the first time that Healthline’s sharing of article titles that could reveal specific medical diagnoses with third parties for advertising purposes was not something a consumer would “reasonably expect,” the California attorney general has opened the door to a new avenue for enforcement. We may see other state attorneys general deploy the purpose limitation provisions in their privacy laws in similar ways.
[View source.]
