What we can learn from Healthline’s $1.55 million dollar settlement with the CCPA

On July 1, 2025, the California Attorney General announced the largest California Consumer Privacy Act (CCPA) settlement to date. Like DoorDash in 2024, Sephora in 2022, and countless others, Healthline is accused of failing to honor consumers’ right to opt out of targeted advertising and of sharing data with third parties. As the self-described #1 health information publisher, reaching over 75 million people a month, Healthline’s settlement will have broad-reaching implications.
This landmark legal action brings greater urgency to a number of privacy issues including opt-out mechanisms, sensitive data controls, contractual requirements, and the risks of non-compliance.
Your opt-out cannot be a facade.
While Healthline displayed a consent banner that appeared to offer consumers the ability to exercise their right to opt out of targeted advertising and third-party data sharing, the banner did not actually disable tracking cookies. The complaint alleged that this not only violated the CCPA by failing to give consumers a working way to exercise their right to opt out, but also constituted a deceptive business practice.
Our 2025 Privacy Trends Report found that nearly 70% of consent banners, like Healthline’s, simply do not work. This is not tenable. Healthline’s settlement proves that displaying a banner is not enough. Although Healthline had a privacy policy and a consent management platform in place, it was nonetheless responsible for the platform’s failure to operate in compliance. The Attorney General’s office performed code-level audits, tracing pixels and cookie-sync calls all the way back to data broker profiles. Business leaders must ensure that scripts are continuously monitored, properly managed, and behave as described in their privacy policy in order to stay compliant and avoid similar CCPA action.
The time to respect global privacy controls is now.
While not every state law requires companies to honor a Global Privacy Control (GPC), the settlement shows that states like California can and will pursue any company that fails to comply with a universal opt-out mechanism. In addition to not responding to user consent selections in the banner, Healthline also did not honor opt-out preferences signaled by GPCs. As a result, Healthline faces even higher fines.
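The two failures described above (a banner whose opt-out does not stop tracking, and a GPC signal that is ignored) can be reduced to a small, testable gate. The following is an added example, not code from Healthline or DataGrail; the tag categories, the tracking-cookie prefix list and the header/navigator stubs are constructed for illustration, while `navigator.globalPrivacyControl` and the `Sec-GPC: 1` request header are the signals defined by the Global Privacy Control specification.

```javascript
// Added example: a consent gate that honours both the banner choice and the
// Global Privacy Control signal, plus an audit helper that reports tracking
// cookies that survived an opt-out (a non-empty result means the opt-out is a facade).

// Constructed sample list of cookie-name prefixes treated as ad/tracking cookies.
const TRACKING_COOKIE_PREFIXES = ["_ga", "_fbp", "_gcl", "ad_id"];

// Browser side: GPC is exposed as navigator.globalPrivacyControl === true.
function readGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Server side: the same signal arrives as the "Sec-GPC: 1" request header.
function requestHasGpc(headers) {
  const value = headers["sec-gpc"] !== undefined ? headers["sec-gpc"] : headers["Sec-GPC"];
  return value === "1";
}

// A user is opted out if EITHER the banner choice or the GPC signal says so.
// Treating GPC as equivalent to a banner opt-out is the point Healthline missed.
function isOptedOut({ bannerChoice, gpcSignal }) {
  return bannerChoice === "opt-out" || gpcSignal === true;
}

// Gate third-party tags before they load: targeted-advertising tags are dropped
// for opted-out users; other categories (hypothetical) are left untouched here.
function allowedTags(tags, optedOut) {
  return tags.filter((tag) => !(optedOut && tag.category === "targeted-advertising"));
}

// Parse a document.cookie-style string ("a=1; b=2") into cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim().split("=")[0])
    .filter((name) => name.length > 0);
}

// Audit step: after opt-out, which tracking cookies are still present?
// Run this against document.cookie once the banner's opt-out has been applied.
function lingeringTrackingCookies(cookieString) {
  return cookieNames(cookieString).filter((name) =>
    TRACKING_COOKIE_PREFIXES.some((prefix) => name.startsWith(prefix))
  );
}
```

Cookies set by third-party domains are not visible to `document.cookie`, so the audit above covers first-party cookies only; network-level inspection (as in the Attorney General's pixel and cookie-sync tracing) is still needed for the rest.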
Your data may be more sensitive than you realize.
As a health information website, Healthline’s user browsing data is considered sensitive. By sharing the titles of articles users viewed with third parties, Healthline implied consumers’ serious medical diagnoses. Although Healthline disclosed to consumers that it shared data with third parties, it did not disclose the sensitive nature of the data shared or request an opt-in to this practice.
Even though Healthline didn’t share explicit medical diagnoses (e.g. “John Smith, HPV”) with third parties, the California Attorney General found that even sharing data that could be used to imply a diagnosis was sufficient to violate the Purpose Limitation Principle of the CCPA.
Brands need to think carefully about whether their data can be construed as sensitive, even indirectly.
You aren’t guaranteed safe harbor.
The CCPA limits a business’ liability if it communicates a consumer opt-out to a third party and the third party does not respond. However, this safe harbor requires clear contract language to ensure the third party’s responsibility to honor an opt-out. The Attorney General found Healthline’s contract language with third parties to be insufficient to grant them the safe harbor, significantly amplifying the total cost of the settlement for Healthline.
Business impact goes beyond fines.
Healthline’s settlement isn’t just the largest dollar value to date, it also introduces new constraints on their business practices. Under the terms of the proposed settlement, Healthline must also:
- Stop disclosing information that could link specific consumers to medical conditions
- More accurately convey the sensitivity of collected data to consumers, and,
- Transition to an opt-in model for the sharing of certain data.
As a publishing company, Healthline is used by most consumers passively, without an account, and putting these steps into motion could necessitate a major change in Healthline’s operations and advertising business. Healthline could have implemented improvements to its privacy practice with much greater flexibility had other aspects of its privacy model (i.e. honoring consumer opt-outs) been in a better place and not attracted the attention of the California Department of Justice.
Even if Healthline rectifies these flaws quickly, the public settlement could seriously damage consumer confidence in using Healthline in the future, reducing ad traffic and revenue. Healthline faces not just a $1.55 million settlement, but serious damage to its brand and a potential major change to its revenue model.
Our data privacy experts can help.
In the coming months, we expect increasing scrutiny of health data in particular, as laws like the Illinois Biometric Information Privacy Act result in extremely expensive damages and studies show that 48% of telehealth apps break at least one health data privacy law. The Healthline settlement is also the first CCPA action against a publisher, reflecting the CCPA’s resourcing to pursue a wider variety of offenses. Every company relying on ad tech should treat this case as an industry-wide red flag.
Even with great intentions, maintaining privacy compliance is increasingly complicated on both a technical and legal level. Whether you’re a DataGrail customer now or in the future, we’re here to help.
Next steps:
- Review our Do Not Sell or Share Opt-Out Guide to assess your current compliance.
- Use the free Privacy Inspector Chrome extension to verify your opt-out mechanisms are working as expected.
- Brush up on compliance expectations for all U.S. state privacy laws.
- Implement DataGrail Consent to protect your brand with fully automated and proactive consent management, including GPC compliance.
- Use DataGrail Live Data Map and Responsible Data Discovery to review your third party applications and mitigate your company’s use of sensitive data.