Healthline CCPA settlement signals increasing enforcement
MWE Logo
|

California attorney general’s $1.55 million Healthline CCPA settlement continues cookie focus and signals increasing enforcement

| | | |
  1. HOME
  2. INSIGHTS

Overview

The California attorney general’s (AG) July 1, 2025, proposed settlement with Healthline Media LLC (Healthline) marks the third cookie-related California Consumer Privacy Act (CCPA) settlement in as many months (alongside the California Privacy Protection Agency’s recent Honda and Todd Snyder settlements). Together, these actions demonstrate that (a) regulators are hyper-focused on how companies process CCPA data subject rights (DSR) and disclose key information, particularly related to cookies, pixels, and other tracking technologies (collectively, cookies), (b) enforcement is increasing rapidly, and (c) regulators are willing to impose draconian settlement terms such as data disgorgement and prohibiting certain data “sales” altogether. Given the regulator focus on website-related CCPA compliance, companies should consider taking immediate steps to (a) technically test that cookie consent management tools work as intended, (b) confirm DSR requests are honored, (c) implement robust cookie governance processes, (d) execute contracts with all cookie providers, and (e) update privacy notices to accurately reflect cookie use and DSR rights. For more information about how McDermott can assist with these tasks, contact the authors or your regular McDermott lawyer.

In Depth

Allegations

As described below, the AG alleged that Healthline’s use of cookies violated the CCPA and California’s Unfair Competition Law (UCL), particularly because the cookies allegedly disclosed sensitive health information. The complaint and proposed settlement reflect several aggressive AG positions, including:

  • Broader view of sensitive health information: The AG asserted that a website visitor’s reading history could constitute health information subject to the CCPA’s “sensitive personal information” (SPI) requirements.
  • More stringent vendor due diligence: The AG alleged Healthline could not rely on the CCPA’s safe harbor provision limiting a business’s liability for actions of its vendors because Healthline failed to conduct sufficient due diligence on cookie partners.
  • Purpose limitation: The AG alleged that any secondary use of sensitive health information violated the CCPA’s purpose limitation requirement, calling into question the ability to use cookies for health marketing at all.
  • Costly corrective action: The AG required both data disgorgement and a complete prohibition on selling certain health data (regardless of consent).

Specifically, the AG alleged that Healthline:

  • Continued to sell/share consumers’ personal information (PI) after receiving opt-out requests because (a) Healthline’s cookie management tool was misconfigured, which in turn meant its cookie banner did not function as described, and (b) Healthline relied on a contract-based industry “opt out” standard but used cookie partners who were not signatories to such contract.[1]
  • Failed to honor global privacy control (GPC) signals.
  • Failed to disclose its collection and disclosure of SPI, such as when cookies process URLs suggesting a user has a particular health diagnosis (e.g., “Guide to Newly Diagnosed Diabetes: How to Make a Plan”).
  • Failed to offer consumers a right to limit SPI processing.
  • Failed to include required content in its contracts with advertising companies (e.g., rather than list the “limited and specified purposes” for using PI, as required by the CCPA, one contract said that the recipient could use the data for “any business purpose”).

Settlement terms

The proposed settlement, which still requires court approval, would require Healthline to pay a $1.55 million settlement, conduct extensive reporting to the California attorney general during a three-year corrective action plan, and implement numerous other corrective actions, such as:

  • Updating all disclosures, providing consumers with all required DSR disclosures (including the right to limit SPI), and correctly processing all DSR requests, including GPC sale/sharing opt-out requests.
  • Implementing a robust DSR governance program, including documenting errors/technical problems and remedial steps.
  • Disgorging SPI collected before posting the notice of right to limit.
  • Prohibiting all sales of personal information indicating a consumer viewed a specific “diagnosed medical condition article” (regardless of notice/consent).
  • Conducting an annual review of its websites and apps to determine third parties/service providers to whom it discloses personal information via cookies.
  • Executing CCPA-compliant contracts with third parties/service providers and implementing robust governance processes, such as auditing contracts to ensure they meet CCPA requirements, reviewing compliance with any industry contract-based standards, and identifying clear roles and responsibilities.

Our recent webinar provides a technical demonstration of how to conduct such audits and common pitfalls to avoid.

Action items

Companies should consider taking the following actions given the larger trend of enforcement and litigation related to website tracking:

  • Review and test cookie practices and compliance status. This includes checking configuration settings and creating a categorized inventory of client-side technologies (such as cookies and pixels), server-side tools, and related data practices (like building custom or lookalike audiences using email lists). Once implemented, conduct routine audits to confirm ongoing compliance.
  • Collect and translate often-inconsistent information. Gather and clarify the inconsistent information provided by internal stakeholders (marketing, IT, etc.) and external parties (such as marketing agencies and cookie providers).
  • Provide practical advice and benchmarking. Help business stakeholders make key risk and compliance decisions, such as whether and how to use a cookie banner, how to address consumer rights, whether to enable geofencing, and whether to implement heightened controls when processing sensitive information.
  • Implement reasonable vendor management controls. This includes executing contracts with all cookie partners (both “service providers” and other “businesses”) and configuring third-party cookie provider settings as necessary to comply with sale opt-outs. Consider implementing a robust vendor management program as well.
  • Document key governance procedures. Establish and document technical and business-facing “standard operating procedures,” training, cookie change request processes, privacy impact assessments, and testing processes.

Stay Connected

Subscribe Follow Us on LinkedIn Get in Touch

Authors

Elliot R. Golding
Partner | Washington, DC
/ +1 202 756 8185
View Profile MWE Icon

Samantha Smart
Associate | New York
/ +1 212 547 5326
View Profile MWE Icon

David P. Saunders
Partner | Chicago
/ +1 312 803 8305
View Profile MWE Icon

Jonathan Ende
Partner | Washington, DC
/ +1 202 756 8768
View Profile MWE Icon

Endnotes

[1]The AG’s complaint is likely referring to the Interactive Advertising Bureau (IAB) Multi-State Privacy Agreement (MSPA), although it does not name the standard directly. MSPA signatories agree to pass a “string” within the cookie information to signal whether an individual has opted out of sale/sharing. If the string is present, recipients agree to honor the string by acting solely as a “service provider” with respect to that data.