Key Takeaways
- This settlement underscores the importance of validating that opt-out mechanisms actually work as intended. That means testing, in coordination with the relevant stakeholders, that the data flows to third parties engaged in behavioral advertising really stop after a consumer opts out. The settlement also shows that a control which does not function as represented (a banner that claims to disable advertising cookies but does not) can be framed as a deceptive practice, not only as a CCPA violation.
- Healthcare and wellness entities that collect and share sensitive information continue to be under scrutiny. Website operators in this industry should take special care in establishing a cookie governance program and evaluate what sensitive data may be collected and shared with third-party advertising vendors.
- Businesses must evaluate whether their data sharing is consistent with a consumer’s reasonable expectations. Even where a business provides detailed disclosures in its privacy notice, its personal data sharing practices can still violate the purpose limitation principle if the disclosed purposes would not be reasonably expected by the consumer.
- It is imperative to undertake due diligence efforts and validate data flows and vendor relationships to ensure that specific, CCPA-required contractual requirements are actually in place.
On July 1, the California attorney general (CA AG) announced the largest CCPA settlement to date, $1.55 million, and the first settlement against a website publisher, Healthline Media LLC (Healthline). The settlement (pending court approval) resolves allegations against Healthline, a health and wellness information website, for violating the California Consumer Privacy Act (CCPA) and the California Unfair Competition Law (UCL) and would involve novel injunctive requirements. This is the first CCPA enforcement action focused on health-related data, following years of heightened federal enforcement trends triggered by healthcare entities’ treatment and disclosure of this category of sensitive personal information.
The California Department of Justice (DOJ) investigation into Healthline was triggered by a finding that the opt-out functionality on its website was not functioning as required under the CCPA, namely that consumers could not effectively opt out of numerous behavioral advertising cookies that were allegedly used to transmit health information to third-party advertising vendors. In CA AG Rob Bonta’s press release accompanying this settlement, Bonta emphasized the DOJ’s authority under the CCPA to “fight online surveillance,” as well as the sensitive nature of the underlying data, which “could have revealed consumers’ private medical diagnosis.”
The Complaint
The CA AG’s complaint described the following areas of noncompliance:
- Selling and sharing consumer personal information with third parties even after receiving opt-out requests from those consumers.
- Collecting and selling consumer personal information without appropriate contractual agreements in place with vendors.
- Violating the CCPA’s “purpose limitation principle” by engaging in data-sharing with third parties that would not have been reasonably expected by the consumer (in this case, sharing article titles that could be used to infer an underlying health condition of the consumer).
- Deceptive practices, including offering a cookie banner purporting to allow website visitors to disable targeting/advertising cookies but failing to effectively disable those cookies.
The Settlement
The settlement contains the following key provisions and requirements:
- Comply with the CCPA. This will include providing consumers with legally required privacy notices regarding the sale and sharing of personal information as well as the right to opt out of all sales and sharing.
- Properly process consumer requests to opt out of sales or sharing, including requests made via an opt-out preference signal such as the Global Privacy Control.
- Do not sell or share personal information combined with information that allows the recipient to determine that a website visitor has been recently diagnosed. This includes transmitting the title of an article or the URL of a web page that may reveal that the consumer visiting the web page has already been diagnosed with a medical condition.
- Implement and maintain a privacy compliance program to assess and monitor the efficacy of Healthline’s privacy compliance measures. This includes testing opt-out mechanisms and an annual reporting requirement.
- Enter CCPA-compliant vendor contracts. Additionally, conduct an annual review to ensure that the appropriate contracts are in place.
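The opt-out validation called for in the first takeaway, together with the settlement's requirements to honor the Global Privacy Control signal and to stop transmitting diagnosis-revealing article titles or URLs, reduces to a check that can be automated against a capture of the browser's outgoing network requests. The following is an added example in JavaScript (Node), not code from the settlement, the CA AG, or Healthline: it audits a constructed list of captured request URLs, treats a visitor as opted out if they used the banner or their browser sent the Global Privacy Control header (Sec-GPC: 1), and reports every request to an advertising vendor host that still fires after opt-out, plus every request parameter that carries the page's title or path. The vendor hostnames, parameter names, page and request sample are assumptions for illustration.

```javascript
// Added example, not from the settlement or Healthline: offline audit of a capture of
// browser network requests to check that (a) no requests reach advertising vendors
// after the visitor has opted out and (b) no request carries the page's title or URL,
// which could reveal a diagnosis. Hostnames, parameter names and sample data are
// constructed assumptions.

// Hosts the site's vendor contract review classifies as sale/share recipients (assumed).
const ADVERTISING_VENDOR_HOSTS = new Set([
  'ads.example-adtech.test',
  'pixel.example-dsp.test',
]);

// Query parameters advertising tags commonly use to carry page context (assumed names).
const PAGE_CONTEXT_PARAMS = new Set(['dl', 'dr', 'dt', 'url', 'title', 'ref']);

// A visitor is opted out if they used the banner's opt-out OR the browser sent the
// Global Privacy Control signal, which arrives as the request header "Sec-GPC: 1".
function isOptedOut(session) {
  const gpc = session.headers['sec-gpc'];
  return session.bannerOptOut === true || gpc === '1';
}

// Return the query parameters of requestUrl whose value embeds the page's path or title.
function pageContextLeaks(requestUrl, page) {
  const leaks = [];
  for (const [name, value] of new URL(requestUrl).searchParams) {
    if (!PAGE_CONTEXT_PARAMS.has(name)) continue;
    if (value.includes(page.path) || value.includes(page.title)) {
      leaks.push({ param: name, value });
    }
  }
  return leaks;
}

// Audit one page load: session = consent state, page = what the visitor read,
// requests = captured outgoing requests (e.g. from a HAR export).
function auditCapture(session, page, requests) {
  const optedOut = isOptedOut(session);
  const findings = [];
  for (const req of requests) {
    const host = new URL(req.url).hostname;
    if (!ADVERTISING_VENDOR_HOSTS.has(host)) continue; // first-party or non-ad traffic
    if (optedOut) {
      findings.push({ kind: 'vendor-request-after-opt-out', host, url: req.url });
    }
    // Title/URL leakage to a vendor is a finding regardless of opt-out state.
    for (const leak of pageContextLeaks(req.url, page)) {
      findings.push({ kind: 'page-context-sent-to-vendor', host, ...leak });
    }
  }
  return { optedOut, findings };
}

// Constructed sample capture: a health article page load with three requests.
const SAMPLE_PAGE = {
  path: '/health/newly-diagnosed-condition-guide',
  title: 'Newly diagnosed: what to expect',
};
const SAMPLE_REQUESTS = [
  { url: 'https://www.publisher.test/static/app.js' },
  { url: 'https://ads.example-adtech.test/collect?dl='
      + encodeURIComponent('https://www.publisher.test' + SAMPLE_PAGE.path)
      + '&dt=' + encodeURIComponent(SAMPLE_PAGE.title) },
  { url: 'https://pixel.example-dsp.test/p?id=123' },
];

function auditSample(session) {
  return auditCapture(session, SAMPLE_PAGE, SAMPLE_REQUESTS);
}

// Stand-alone run: a visitor whose browser sends the GPC signal.
const gpcSession = { bannerOptOut: false, headers: { 'sec-gpc': '1' } };
console.log(JSON.stringify(auditSample(gpcSession), null, 2));
```

In practice the request list comes from a HAR export or an automated browser run with the opt-out exercised both ways (banner click and GPC enabled), and the vendor host list is the same list maintained for the annual contract review in the last provision above, so that the audit and the contract inventory cannot drift apart. Because tag managers and vendor scripts change without a site release, the check is only meaningful if it is rerun on a schedule rather than once.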