California attorney general’s $1.55 million Healthline CCPA settlement continues cookie focus and signals increasing enforcement

Allegations

As described below, the AG alleged that Healthline’s use of cookies violated the CCPA and California’s Unfair Competition Law (UCL), particularly because the cookies allegedly disclosed sensitive health information. The complaint and proposed settlement reflect several aggressive AG positions, including:

• Broader view of sensitive health information: The AG asserted that a website visitor’s reading history could constitute health information subject to the CCPA’s “sensitive personal information” (SPI) requirements.
• More stringent vendor due diligence: The AG alleged Healthline could not rely on the CCPA’s safe harbor provision limiting a business’s liability for actions of its vendors because Healthline failed to conduct sufficient due diligence on cookie partners.
• Purpose limitation: The AG alleged that any secondary use of sensitive health information violated the CCPA’s purpose limitation requirement, calling into question the ability to use cookies for health marketing at all.
• Costly corrective action: The AG required both data disgorgement and a complete prohibition on selling certain health data (regardless of consent).

Specifically, the AG alleged that Healthline:

• Continued to sell/share consumers’ personal information (PI) after receiving opt-out requests because (a) Healthline’s cookie management tool was misconfigured, which in turn meant its cookie banner did not function as described, and (b) Healthline relied on a contract-based industry “opt out” standard but used cookie partners who were not signatories to such contract.[1]
• Failed to honor global privacy control (GPC) signals.
• Failed to disclose its collection and disclosure of SPI, such as when cookies process URLs suggesting a user has a particular health diagnosis (e.g., “Guide to Newly Diagnosed Diabetes: How to Make a Plan”).
• Failed to offer consumers a right to limit SPI processing.
• Failed to include required content in its contracts with advertising companies (e.g., rather than list the “limited and specified purposes” for using PI, as required by the CCPA, one contract said that the recipient could use the data for “any business purpose”).

Settlement terms

The proposed settlement, which still requires court approval, would require Healthline to pay a $1.55 million settlement, conduct extensive reporting to the California attorney general during a three-year corrective action plan, and implement numerous other corrective actions, such as:

• Updating all disclosures, providing consumers with all required DSR disclosures (including the right to limit SPI), and correctly processing all DSR requests, including GPC sale/sharing opt-out requests.
• Implementing a robust DSR governance program, including documenting errors/technical problems and remedial steps.
• Disgorging SPI collected before posting the notice of right to limit.
• Prohibiting all sales of personal information indicating a consumer viewed a specific “diagnosed medical condition article” (regardless of notice/consent).
• Conducting an annual review of its websites and apps to determine third parties/service providers to whom it discloses personal information via cookies.
• Executing CCPA-compliant contracts with third parties/service providers and implementing robust governance processes, such as auditing contracts to ensure they meet CCPA requirements, reviewing compliance with any industry contract-based standards, and identifying clear roles and responsibilities.

Our recent webinar provides a technical demonstration of how to conduct such audits and common pitfalls to avoid.

Action items

Companies should consider taking the following actions given the larger trend of enforcement and litigation related to website tracking:

• Review and test cookie practices and compliance status. This includes checking configuration settings and creating a categorized inventory of client-side technologies (such as cookies and pixels), server-side tools, and related data practices (like building custom or lookalike audiences using email lists). Once implemented, conduct routine audits to confirm ongoing compliance.
• Collect and translate often-inconsistent information. Gather and clarify the inconsistent information provided by internal stakeholders (marketing, IT, etc.) and external parties (such as marketing agencies and cookie providers).
• Provide practical advice and benchmarking. Help business stakeholders make key risk and compliance decisions, such as whether and how to use a cookie banner, how to address consumer rights, whether to enable geofencing, and whether to implement heightened controls when processing sensitive information.
• Implement reasonable vendor management controls. This includes executing contracts with all cookie partners (both “service providers” and other “businesses”) and configuring third-party cookie provider settings as necessary to comply with sale opt-outs. Consider implementing a robust vendor management program as well.
• Document key governance procedures. Establish and document technical and business-facing “standard operating procedures,” training, cookie change request processes, privacy impact assessments, and testing processes.