[co-author: Stephanie Kozol]*
On July 1, California Attorney General (AG) Rob Bonta announced a significant proposed settlement with Healthline Media LLC (Healthline) — a prominent website publisher of health information and wellness articles. The proposed settlement follows allegations that Healthline’s use of online tracking technology violated the California Consumer Privacy Act (CCPA). This is the third action under the CCPA announced by Bonta this year.
Healthline generates revenue by selling ad space to businesses that offer targeted advertising to website visitors. Per the California AG, Healthline’s website is among the top 40 most visited websites in the world, and according to its complaint, it is estimated that as many as 6.5 million consumers located in California visit Healthline each month. Healthline’s website employs dozens of online trackers, such as cookies, to relay consumer data to third parties, including advertisers. This data includes unique identifiers and article titles, some of which allegedly disclosed consumers’ medical diagnoses or private health concerns based on their searches and viewed articles. Presumably, this personal information was made available to various third parties that used it to push targeted advertisements to consumers based on search history.
The California Department of Justice’s investigation focused on the website’s mechanisms for users to opt out of “sales” and “sharing” as defined under the CCPA. Regulators allege that Healthline continued to transfer personal information to advertising businesses through trackers even after consumers opted out of such transfers through the mechanisms provided on its website. Transfers via tracking technologies allegedly persisted even after a consumer disabled tracking cookies through their website browser.
The complaint against Healthline outlines several violations of the CCPA and the Unfair Competition Law (UCL). Specifically, Bonta alleged that Healthline failed to honor consumers’ opt-out requests regarding the selling and sharing of personal information for targeted advertising, a right protected under the CCPA. See Civil Code § 1798.120(a), (d) and § 1798.135(a), (c)(4). Healthline allegedly breached the “purpose limitation principle” by using personal information for purposes beyond those disclosed in its privacy policy, including in a manner that was not reasonably necessary or proportionate to achieve the purposes for which it was collected in violation of Civil Code § 1798.100(c), (d). Healthline also allegedly neglected to maintain CCPA-required contractual obligations with third parties buying or receiving personal information through the trackers in violation of Civil Code § 1798.100(d) (including contract terms that mandate certain privacy protections limiting third party use of personal information they receive). Further, Bonta alleged Healthline misled consumers by displaying a cookie banner that purported to allow consumers to disable advertising cookies but failed to do so. Bonta alleged, inter alia, these violations of the CCPA also violated the UCL, Business and Professions Code § 17200 et seq.
The proposed settlement requires Healthline to: (1) pay $1.55 million in civil penalties; (2) implement a CCPA compliance program; (3) cease sharing and/or selling personal information combined with information that allows the recipient to determine what specific diagnosed medical condition information a consumer is viewing (with certain exemptions under the CCPA); (4) provide a CCPA-compliant notice concerning its disclosure of consumers’ personal information for advertising purposes; and (5) timely process opt-out requests.
Our Take
The California AG’s investigation is notable because it demonstrates the evolution of the California regulatory regime under the CCPA. Superficial compliance is no longer sufficient. Instead, regulators are looking beyond the cookie banners and digging into the complexities of processing activity and how businesses are actually using consumer data.
One intriguing aspect of the California AG’s investigation is the application of consumers’ reasonable privacy expectations to allege a violation of the “purpose limitation principle.” Bonta appears to view the sale of consumers’ health-related searches and viewing history to third parties as problematic — independent of Healthline’s alleged failure to honor consumer opt-out choices.
This proposed settlement serves as a critical reminder for businesses to carefully consider their personal information processing practices with an eye toward consumers’ reasonable expectations. Moreover, simply having a mechanism to effectuate consumer choices and data subject rights is not adequate if the mechanisms do not work properly. “Set it and forget it” appears inadequate if privacy controls aren’t functioning the way they are supposed to, or changes make previously operational controls inoperable. Regulators are happy to “look under the hood” and can do so without interacting with or seeking permission from website owners.
Ultimately, businesses should consider running scans and assessments to understand their data flows and test the efficacy of their data subject rights processes. Privacy notices, cookie policies, and other disclosures and interfaces should be regularly verified to confirm accuracy and to avoid allegations of misrepresentation or deceptive trade practices. Businesses must balance compliance (and the risk of regulatory scrutiny) with the potential negative impact of mechanisms that limit transfers through business-critical trackers.
*Senior Government Relations Manager