Largest CCPA Settlement: How Healthline’s Website Violated Privacy Law

July 14, 2025
5 mins read
Ben Werner
Senior Product Marketing Manager
How Healthline’s Website Violated Privacy Regulation

On July 1st, 2025, the California Attorney General (AG), Rob Bonta, announced a settlement of $1.55 million with website publisher Healthline Media LLC (Healthline) for violating the California Consumer Privacy Act (CCPA) by sharing personal data for advertising purposes without proper consent.

Healthline is the third company fined in 2025 for its website's CCPA violations, and $1.55 million is the largest CCPA penalty issued to date. With the two other 2025 fines issued by the newly formed California Privacy Protection Agency (CPPA), California now has two enforcement arms focused on website privacy compliance.

The California AG's announcement states “An investigation by the California Department of Justice (DOJ) found that Healthline failed to allow consumers to opt out of targeted advertising and shared data with third parties without CCPA-mandated privacy protections — including data suggesting that a person may have a serious health condition.”

Healthline.com ranks among the world's 40 most popular websites, publishing articles on health and wellness. The website generates revenue by displaying ads, including personalized ads based on user data. To maximize advertising revenue, the site employs digital trackers such as cookies and pixels that share user data with advertisers and other third parties. This data sharing included personally identifiable information along with specific article titles that users accessed. Certain article headlines revealed sensitive health conditions, including pieces like "You've Been Newly Diagnosed with MS. What's Next?". 

The complaint filed by California AG alleges Healthline violated CCPA and California’s Unfair Competition Law by: 

  • Failing to honor user consent and continuing to share personal data with advertisers via cookies and pixels even after some users opted out of data sharing via Healthline.com’s opt-out form or the Global Privacy Control (GPC) universal opt-out mechanism
  • Violating the CCPA’s “purpose limitation” principle by sharing sensitive health data with advertisers that was not disclosed to users  
  • Failing to implement CCPA-mandated contracts with advertising third parties and establish privacy protections for users’ data

These violations do not stem from a failure of Healthline's consent management platform (CMP) itself, but from the absence of a solution that audits the live website for privacy compliance. CMPs are designed to capture consent and limit data flows accordingly, but they lack the capability to verify that the site actually behaves as configured.

To address this gap, Privado.ai offers the most comprehensive solution to scan websites and ensure consent banners, pixels, and data flows are always privacy compliant.  

Violation Summary

Broken Opt-Out Mechanisms

CCPA Requirements

  • Honor user’s GPC browser setting to universally opt out of data sharing for advertising purposes  
  • Provide a clear “Do Not Sell or Share My Personal Information” link and honor users’ requests to opt out of data sharing for advertising purposes  

Violations

  • GPC setting not honored: When the GPC setting was turned on, personal data was still shared with some advertising third parties 
  • Opt-outs via the “Do Not Sell or Share My Personal Information” link not honored: When users clicked the link at the bottom of the page and completed the form, personal data was still shared with some advertising third parties
  • Opt-outs via the consent banner form not honored: When users clicked “More information” on the consent banner and unchecked the “Allow” box for “Targeting / Advertising cookies”, personal data, including cookies, was still shared with advertising third parties 

Even after users opted out via all three mechanisms, the complaint against Healthline states that investigators found personal data still being shared with over 12 advertising third parties via at least 118 cookies and 82 pixels.

Prevention

  • GPC Signal Auditing: Run regular website scans to verify no cookies or network requests are activated by advertising third parties when users opt out 
  • Website Opt-out Consent Auditing: Run regular website scans that simulate consent banner and/or form opt outs and verify no cookies or network requests are activated by advertising third parties when users opt out 

Purpose Limitation

CCPA Requirement

A business may only use personal data for purposes compatible with those for which the information was collected, and may use it for further, incompatible purposes only if it provides a CCPA-compliant notice.

Violation

By sharing the titles of articles users had read with advertisers that would suggest a possible medical diagnosis, Healthline shared data of “a potentially highly intimate nature” in a way that consumers would not reasonably expect without a sufficiently detailed disclosure in its privacy policy or elsewhere.

Prevention

  • Data Flow Mapping: Run regular website scans to identify and categorize each personal data element shared with each third party
  • Sensitive Data Sharing Detection: Set workflows to automatically flag any data element shared that is categorized as sensitive 
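The two Prevention lists above (opt-out and GPC auditing, then data flow mapping and sensitive data detection) describe the same basic check: record what the browser actually sends after a visitor opts out, then look for advertising third parties, cookies, and health-related page content in that traffic. The script below is an added example written for this article, not Privado.ai's Web Auditor or any code from the Healthline complaint. It audits a HAR file (the JSON export of a browser's network panel) captured while the visitor had Global Privacy Control enabled and had opted out. The advertiser domain list, the sensitive-term patterns, the first-party domain and the embedded capture are all constructed for the example.

```python
"""Offline CCPA opt-out / purpose-limitation audit of a captured browsing session.

Added example for this article, not Privado.ai's Web Auditor.  Input is a HAR
file recorded after the visitor opted out (GPC on, opt-out form submitted).
AD_DOMAINS, SENSITIVE_PATTERNS and SAMPLE_HAR are assumptions, not real data.
"""
import json
import re
from urllib.parse import urlsplit, unquote_plus

# Assumed: advertising third parties that the audit treats as a "sale/share".
AD_DOMAINS = {"ads.example-adtech.net", "pixel.example-dsp.com"}

# Assumed: terms that mark an article title as revealing a health condition.
SENSITIVE_PATTERNS = [re.compile(p) for p in (
    r"\bdiagnosed\b", r"\bmultiple sclerosis\b", r"\bms\b", r"\bcancer\b", r"\bhiv\b")]


def load_har(path):
    """Read a HAR file from disk (same structure as SAMPLE_HAR below)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); use a public-suffix list in production."""
    return ".".join(host.lower().split(".")[-2:])


def header(message, name):
    """Case-insensitive lookup of a HAR request/response header; None if absent."""
    for h in message.get("headers", []):
        if h["name"].lower() == name.lower():
            return h["value"]
    return None


def capture_has_gpc(har):
    """Sanity check on the capture itself: a browser with GPC enabled sends
    'Sec-GPC: 1' on every request, so if any request lacks it the session was
    not recorded with GPC on and the opt-out findings cannot be trusted."""
    return all(header(e["request"], "Sec-GPC") == "1" for e in har["log"]["entries"])


def leaked_text(req):
    """Everything a third party could read page content from: URL, Referer, POST body."""
    pieces = [unquote_plus(req["url"])]
    ref = header(req, "Referer")
    if ref:
        pieces.append(unquote_plus(ref))
    body = req.get("postData", {}).get("text")
    if body:
        pieces.append(unquote_plus(body))
    return " ".join(pieces).lower()


def audit_har(har, first_party, opted_out=True):
    """Return (finding, host, detail) tuples for third-party requests in the capture.

    opted_out=True : the session was recorded after the visitor opted out, so any
                     request to, or cookie exchanged with, an advertiser is a failure.
    opted_out=False: baseline session; only the purpose-limitation check applies.
    """
    findings = []
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        host = (urlsplit(req["url"]).hostname or "").lower()
        if registrable_domain(host) == registrable_domain(first_party):
            continue  # first-party traffic is not "sharing"
        if opted_out and host in AD_DOMAINS:
            findings.append(("ad_request_after_opt_out", host, req["url"]))
            if header(req, "Cookie") or header(resp, "Set-Cookie"):
                findings.append(("ad_cookie_after_opt_out", host, req["url"]))
        # Purpose limitation applies regardless of consent state: an article
        # title that implies a diagnosis must not reach a third party at all.
        text = leaked_text(req)
        for pat in SENSITIVE_PATTERNS:
            m = pat.search(text)
            if m:
                findings.append(("sensitive_data_shared", host, m.group(0)))
                break
    return findings


def summarize(findings):
    """Count findings by kind, the figure a compliance report leads with."""
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed capture: one page view on a hypothetical publisher after opt-out.
GPC = {"name": "Sec-GPC", "value": "1"}
PAGE = "https://www.example-publisher.com/health/newly-diagnosed-with-ms"
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": PAGE, "headers": [GPC]}, "response": {"status": 200, "headers": []}},
    {"request": {"url": "https://cdn.example-static.net/app.js", "headers": [GPC]},
     "response": {"status": 200, "headers": []}},
    {"request": {"url": "https://pixel.example-dsp.com/t?title=You%27ve+Been+Newly+Diagnosed+with+MS.+What%27s+Next%3F",
                 "headers": [GPC, {"name": "Referer", "value": PAGE}]},
     "response": {"status": 200, "headers": [{"name": "Set-Cookie", "value": "uid=abc123; Domain=.example-dsp.com"}]}},
    {"request": {"url": "https://ads.example-adtech.net/bid", "headers": [GPC]},
     "response": {"status": 204, "headers": []}},
]}}

if __name__ == "__main__":
    assert capture_has_gpc(SAMPLE_HAR), "capture was not recorded with GPC enabled"
    for finding in audit_har(SAMPLE_HAR, "www.example-publisher.com"):
        print(*finding)
    print(summarize(audit_har(SAMPLE_HAR, "www.example-publisher.com")))
```

Run against the embedded capture, the audit reports two advertiser requests after opt-out, one of them exchanging a cookie, and one leak of a diagnosis-revealing article title through the pixel's query string and Referer. A real scan repeats this for each opt-out path the complaint lists (GPC alone, the footer form, the banner checkbox) and diffs each run against a baseline session in which nothing was opted out, which is what turns "118 cookies and 82 pixels" from an investigator's finding into a number you see first.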

Third Party Contracts

CCPA Requirement

Businesses must implement contracts with their advertising third parties to limit how they use personal data for advertising purposes.

Violation

Healthline was signed up to an online advertising industry contractual framework (possibly the Interactive Advertising Bureau’s (IAB) CCPA Compliance Framework); however, not all of Healthline’s advertising partners were signed up to the framework.

For Healthline’s third parties that had not signed the industry framework, investigators reviewed their contracts, and several were missing the CCPA-mandated terms. The complaint states: “For example, rather than list the limited and specified purposes for using personal information, one contract said that the recipient could use the data for ‘any business purpose.’”

Prevention

  • CCPA-Compliant Contracting Policies: Require third parties to agree to the IAB CCPA Compliance Framework and/or require all contracts to include CCPA-mandated terms
  • Contract Auditing: Utilize a contract scanning solution to validate contracts meet internal policies and verify that actual data processing is in line with each contract

Key Takeaways

California privacy regulators are clamping down on non-compliant websites

All three CCPA fines issued in 2025 (Healthline, Todd Snyder, and Honda) were for websites that shared personal data without proper consent. With the newly formed CPPA issuing its first fines in 2025, the rate of fines is expected to increase. 

Mobile apps face a similar risk of privacy fines 

The following three fines and lawsuits from the past two years involved mobile apps sharing personal data without proper consent:

  • Tilting Point received a CCPA fine from the California AG in 2024
  • Allstate was sued by the Texas Attorney General in 2025 for violating the Texas Data Privacy and Security Act in the first month of the law’s enforcement
  • Amazon hit with class-action lawsuit in 2025 for violating Washington state’s My Health My Data Act, which went into effect in 2024

Consent Management Platforms were not built to detect compliance risk

CMPs were designed to capture consent and limit data accordingly, but they lack capabilities to verify compliance.

CMPs might be configured in a compliant manner initially, but they quickly become out of compliance as data flows and third parties regularly change on websites and apps. 

Website and mobile app privacy auditing solutions are needed to ensure compliance

Privado.ai offers the most comprehensive solutions to find and fix privacy risks on websites and mobile apps. 

  • Web Auditor: Scan your websites to ensure consent banners, pixels, and data flows are compliant with each regulation in each location. No technical implementation required.
  • App Auditor: Scan app files to ensure consent banners, SDKs, and data flows are compliant with each regulation in each location. No technical implementation required.

How Privado.ai Web Auditor Prevents Privacy Violations

  • GPC Signal Auditing: Verifies no cookies or network requests are activated by advertising third parties when users opt out 
  • Website Opt-out Consent Auditing: Simulates consent banner and/or form opt-outs and verifies no cookies or network requests are activated by advertising third parties when users opt out 
  • Website Opt-in Consent Auditing [GDPR Compliance]: Simulates consent banner actions and verifies no cookies or network requests are activated by third parties when users opt out or take no action
  • Data Flow Mapping: Identifies and categorizes each personal data element shared with each third party. Maps all third party cookie, script, and pixel activity by consent action. Flags cross-border data transfers
  • Sensitive Data Sharing Detection: Flags any data element shared that is categorized as sensitive 
  • Consent Banner Visibility: Scans banners to ensure they display properly with no privacy dark patterns
  • Contract Scanning: Validates that contracts meet internal policies, verifies that actual data processing is in line with each contract, and automates compliance reporting

Request a free website audit and get ahead of regulators

  • Scan your company’s websites and test for compliance in the US, Europe, Canada, and other countries
  • Get a free report over email or review results with our team
