
Understand why CIPA lawsuits are rising and how to minimize privacy risk on your website.
Thank you!
Please check your email to view the guide.

On July 1st, 2025, the California Attorney General (AG), Rob Bonta, announced a settlement of $1.55 million with website publisher Healthline Media LLC (Healthline) for violating the California Consumer Privacy Act (CCPA) by sharing personal data for advertising purposes without proper consent.
Healthline is the third company to be fined in 2025 for their website violating CCPA, and $1.55 million represents the largest CCPA fine issued to date. With the two other fines issued in 2025 by the newly formed California Privacy Protection Agency (CPPA), California now has two enforcement arms focused on website privacy compliance.
The California AG's announcement states “An investigation by the California Department of Justice (DOJ) found that Healthline failed to allow consumers to opt out of targeted advertising and shared data with third parties without CCPA-mandated privacy protections — including data suggesting that a person may have a serious health condition.”
Healthline.com ranks among the world's 40 most popular websites, publishing articles on health and wellness. The website generates revenue by displaying ads, including personalized ads based on user data. To maximize advertising revenue, the site employs digital trackers such as cookies and pixels that share user data with advertisers and other third parties. This data sharing included personally identifiable information along with specific article titles that users accessed. Certain article headlines revealed sensitive health conditions, including pieces like "You've Been Newly Diagnosed with MS. What's Next?".
The complaint filed by California AG alleges Healthline violated CCPA and California’s Unfair Competition Law by:
These violations from Healthline stem not from Healthline’s consent management platform (CMP), but from not having a solution designed to audit websites for privacy compliance. CMPs are designed to capture consent and limit data accordingly, but they lack capabilities to verify compliance.
To address this gap, Privado AI offers the most comprehensive solution to scan websites and ensure consent banners, pixels, and data flows are always privacy compliant.
Even after opting via all three mechanisms, the complaint against Healthline states that investigators found that personal data was still shared with over 12 advertising third parties via at least 118 cookies and 82 pixels.
Business may only use personal data for purposes compatible with that for which the information was collected, or for further incompatible purposes only if it provides a CCPA-compliant notice.
By sharing the titles of articles users had read with advertisers that would suggest a possible medical diagnosis, Healthline shared data of “a potentially highly intimate nature” in a way that consumers would not reasonably expect without a sufficiently detailed disclosure in its privacy policy or elsewhere.
Businesses must implement contracts with their advertising third parties to limit how they use personal data for advertising purposes.
Healthline was signed up to an online advertising industry contractual framework (possibly the Interactive Advertising Bureau’s (IAB) CCPA Compliance Framework); however, not all of Healthline’s advertising partners were signed up to the framework.
For Healthline’s third parties that had not signed the industry framework, investigators reviewed their contracts, and several were missing the CCPA-mandated terms. The complaint states: “For example, rather than list the limited and specified purposes for using personal information, one contract said that the recipient could use the data for “any business purpose.”
All three CCPA fines issued in 2025 (Healthline, Todd Snyder, and Honda) were for websites that shared personal data without proper consent. With the newly formed CPPA issuing its first fines in 2025, the rate of fines is expected to increase.
These three fines/lawsuits from the past two years were from mobile apps sharing personal data without proper consent.
CMPs were designed to capture consent and limit data accordingly, but they lack capabilities to verify compliance.
CMPs might be configured in a compliant manner initially, but they quickly become out of compliance as data flows and third parties regularly change on websites and apps.
Privado AI offers the most comprehensive solutions to find and fix privacy risks on websites and mobile apps.
Request a free website audit and get ahead of regulators