On July 1, 2025, California Attorney General Bonta announced a $1.55 million settlement, pending court approval, related to allegations that Healthline.com, a website where consumers can read informational articles about medical and health topics, violated the California Consumer Privacy Act (“CCPA”) and the California Unfair Competition Law.

As summarized in the complaint and proposed settlement, the AG alleges Healthline committed the following violations:

• Failed to Honor Consumer Opt-Outs of Sell or Share for Targeted Advertising. The AG alleges that even after Healthline readers exercised their right to opt out of the sale or sharing of their personal information for targeted advertising, Healthline continued to transmit identifying data to Healthline’s advertising partners for such purposes. The complaint alleges that Healthline misconfigured one opt-out mechanism and failed to test whether it worked. After being contacted by the AG, Healthline reported that its “privacy compliance vendor may not have properly identified and blocked all relevant online trackers after the vendor detected that a consumer had opted out.” Earlier this year, the AG’s Office published a press release reminding businesses and consumers about the right to opt out.
• Violated the CCPA’s Purpose Limitation Principle. Under the CCPA’s purpose limitation principle, businesses are restricted to processing personal information for the purposes for which the data was collected (or for a compatible purpose). The AG alleges that Healthline violated this principle by disclosing article titles that suggested a possible medical diagnosis (e.g., “Newly Diagnosed with HIV? Important Things to Know.”) with advertisers and their vendors, which these recipients could add to their consumer profiles. The AG alleges that Healthline’s privacy policy did not indicate that Healthline would share article titles and that consumers would not reasonably expect that those titles were being shared.
• Failed to Maintain Contracts with Third Parties that Contain CCPA-Required Terms. After reviewing Healthline’s contracts with advertising companies, the AG found that many of those contracts did not contain CCPA-mandated terms.
• Deceived Consumers about their Ability to Disable Tracking Cookies. Healthline’s cookie banner allowed users to select a “more information” link where consumers could uncheck the box that allowed targeted/advertising cookies. However, the AG alleges that Healthline’s cookie banner deceived consumers because it purported to allow users to disable cookies but failed to do so in practice.

Under the terms of the proposed settlement, Healthline agrees to the following:

• Process consumer requests to opt out of sales or sharing through an opt-out preference signal, including the Global Privacy Control;
• Stop selling or sharing combinations of personal information that allows recipients to determine that a consumer is viewing a specified diagnosed medical condition article, except where the sales or sharing would fall under a CCPA exemption;
• Implement a compliance program that includes testing of opt-out mechanisms, annual reviews of contracts with third parties, and reports to the AG for three years;
• Provide appropriate notice to consumers regarding the sale and sharing of their personal information and their right to opt out; and
• Pay $1.55 million in civil penalties.

This is the California AG’s fourth action against entities alleged to have violated the CCPA, indicating that the AG will continue to pursue cases independent from the California Privacy Protection Agency. We summarized two of the AG’s prior actions in blog posts here and here. The Healthline settlement suggests that regulators continue to scrutinize online tracking and advertising practices under the CCPA.