What the Latest CCPA Settlement Means for Your Compliance Strategy

Orrick, Herrington & Sutcliffe LLP

On July 1, 2025, the California Attorney General announced the largest CCPA settlement to date, totaling $1.55 million. The settlement, which is awaiting court approval, was the result of an investigation by the California Department of Justice into Healthline.com’s targeted advertising and data sharing practices.

This action is the most recent in a pattern of enforcement actions taken by state attorneys general to protect consumer privacy rights. In California, the use of AdTech and tracking technologies has been a particular focus, with the Attorney General recently settling with Todd Snyder for failing to properly process opt-out requests. In this latest Complaint, the California Attorney General positions the action against Healthline as an extension of the Sephora settlement and potentially part of a broader investigation into online advertising.

Given the California Attorney General’s apparent focus on AdTech practices, businesses should anticipate increased enforcement in this area.

Here’s a closer look at the key lessons from the settlement:

Recognize the many forms health data can take.

  • Healthline.com is a medical information website with health and wellness articles. While it does not solicit health information from visitors, and visitors do not have to log in to read the articles, the Attorney General alleged that it tracks the articles visitors access and shares this data with third-party AdTech services.
  • In the Complaint, the California Attorney General stated that some of the article titles or descriptions strongly suggested that the reader had been diagnosed with a health condition, and therefore the sharing of this data with third parties enables the building of a consumer profile that includes that diagnosis. The Complaint alleged that this violated the CCPA’s purpose limitation principle. Under this principle, businesses are restricted to using personal information only for the specific reason it was originally collected, or for another purpose that is both clearly disclosed and consistent with the original context in which the data was gathered.
  • In the Proposed Order, Healthline is prohibited from selling or sharing personal information combined with article titles or URLs that indicate the consumer has been diagnosed with a medical condition. This prohibition does not include general interest health or medical articles that do not suggest specific diagnoses, though this line is not black and white. Healthline must also provide notice to consumers that it uses and discloses consumer sensitive personal information for advertising purposes and provide the right to limit the use of this information.

Be transparent with consumers.

  • While Healthline generally disclosed in its privacy policy that it provided consumer information to advertising providers for targeted advertising purposes, and explained that this could constitute a “sale,” or “sharing” of the data, it did not explain that it shared the articles visitors had viewed.
  • The privacy notice was therefore not sufficient to put the consumer on notice that data of a more intimate nature, such as accessing articles relating to diagnoses, would be invisibly shared with third parties, and this sharing could not be within the consumers’ reasonable expectations.
  • Businesses should therefore review their privacy notices to ensure they accurately reflect their targeted advertising practices, including the types of consumer personal information they share.

Monitor compliance with opt-out signals.

  • Healthline purported to have three ways in which consumers could exercise their CCPA rights to opt out of sale and sharing of their personal information: the first was by clicking on a link at the bottom of the Healthline website titled “Do Not Sell or Share My Personal Information;” the second was by using a tool to detect the Global Privacy Control opt-out signal; and the third was via a cookie banner that allowed consumers to uncheck a box if they did not wish to allow targeted advertising cookies.
  • The Complaint stated that, even after exercising opt-out rights via all three options, investigators found that Healthline continued to share personal information with dozens of third parties. This failure ultimately led the Attorney General to launch a more thorough investigation.
  • Businesses should therefore not only implement opt-out mechanisms but also test them regularly to ensure they actually work. Failure to do so could lead to significant enforcement action.

Use CCPA-compliant contracts with vendors.

  • Investigators reviewed the contracts Healthline had in place with its AdTech vendors. The Complaint states that several of the contracts were not compliant with the CCPA because they provided for the data to be used for “any business purpose,” for “internal use,” or for the “purposes contemplated” rather than specifying specific and limited purposes for which the shared data could be used.
  • In addition, several of the contracts did not require vendors to comply with consumer opt-outs, including addressing the use of “U.S. Privacy String” to communicate the opt-out when sending data to third parties.
  • Businesses should ensure that their contracts are compliant with the requirements of applicable privacy laws when engaging third-party vendors. They should also monitor third-party compliance with opt-out signals to ensure that consumers’ privacy rights are respected.
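As an added illustration, not part of the Orrick update or any Healthline code, the JavaScript below ties the two lessons above together: one decision function honors all three opt-out channels the Complaint describes (the “Do Not Sell or Share” link, the Global Privacy Control signal, and the cookie-banner choice), emits the IAB U.S. Privacy String that should accompany data sent to vendors, and a periodic check lists third-party hosts that still received requests after an opt-out. The `signals` field names, host names and captured request list are constructed assumptions; the four-character string layout follows the IAB CCPA Compliance Framework rather than anything stated on this page.

```javascript
// Added example (not from the Orrick update or any Healthline code). Field names
// in `signals` and the sample data below are assumptions constructed for illustration.

// Parse an IAB U.S. Privacy String v1: version "1", then explicit-notice,
// opt-out-of-sale and LSPA-covered flags, each "Y", "N" or "-". Null if malformed.
function parseUsPrivacyString(s) {
  if (typeof s !== "string" || !/^1[YN-]{3}$/.test(s)) return null;
  return { explicitNotice: s[1], optOutSale: s[2], lspaCovered: s[3] };
}

// True only when none of the opt-out channels has been exercised. Fails closed
// when a stored privacy string is malformed, since consent state is then unknown.
function mayShareWithAdTech(signals) {
  if (signals.gpcHeader === "1" || signals.navigatorGpc === true) return false; // Sec-GPC header / navigator.globalPrivacyControl
  if (signals.doNotSellClicked) return false;   // "Do Not Sell or Share My Personal Information" link
  if (signals.bannerOptOut) return false;       // targeted-advertising box unchecked in the cookie banner
  if (signals.usPrivacyString !== undefined) {
    const usp = parseUsPrivacyString(signals.usPrivacyString);
    if (usp === null || usp.optOutSale === "Y") return false;
  }
  return true;
}

// String to attach to every vendor request so downstream parties receive the opt-out.
function buildUsPrivacyString(signals) {
  return "1Y" + (mayShareWithAdTech(signals) ? "N" : "Y") + "N";
}

// Periodic check: after an opt-out, which third-party hosts still received requests?
// `requests` is a list of outbound request hosts captured from the page after opting out.
function findLeakingVendors(requests, firstPartyHosts, signals) {
  if (mayShareWithAdTech(signals)) return [];          // no opt-out in force, nothing to flag
  const firstParty = new Set(firstPartyHosts);
  return [...new Set(requests.filter((h) => !firstParty.has(h)))].sort();
}

// Constructed scenario: visitor sent GPC, yet the page still called two ad vendors.
const gpcVisitor = { gpcHeader: "1", usPrivacyString: "1YNN" };
const firstPartyHosts = ["www.example-site.test", "cdn.example-site.test"];
const observed = ["www.example-site.test", "ads.vendor-a.test", "cdn.example-site.test",
                  "pixel.vendor-b.test", "ads.vendor-a.test"];
console.log(buildUsPrivacyString(gpcVisitor));                        // "1YYN"
console.log(findLeakingVendors(observed, firstPartyHosts, gpcVisitor)); // the two vendor hosts
```

Running the check as a scheduled job against real captured request logs turns the “test them regularly” recommendation into evidence that can be kept for the annual reports an order like this one demands.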

Prepare for the onerous obligations of enforcement actions.

  • As well as the significant fine, the Proposed Order also imposes extensive ongoing obligations on Healthline. In addition to implementing corrective measures to bring its privacy practices in line with CCPA requirements, Healthline must, for a period of three years, implement a CCPA compliance program, including:
    • Assessing and monitoring whether it effectively processes opt-out requests and requests to limit the use of sensitive personal information;
    • Conducting annual reviews of its website and apps to determine which third parties and service providers it shares personal information with and ensuring compliant contracts are in place;
    • Providing annual reports setting out its monitoring and audit activities, any errors and technical issues encountered, and steps taken to mitigate identified risks.
  • Businesses should therefore be mindful of the significant cost — beyond the financial penalties — that may be incurred as a result of an investigation into CCPA non-compliance and should undertake regular review of their privacy notice, opt-out process, cookie compliance platform, and vendor agreements.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Orrick, Herrington & Sutcliffe LLP
