On July 1, 2025, California Attorney General Rob Bonta announced the largest settlement to date under the California Consumer Privacy Act (CCPA). This settles the case of People of the State of California v. Healthline Media, LLC (Case No. CGC-25-626794), and represents the second major CCPA enforcement action by the Attorney General’s office, following the landmark Sephora case. It also signals an expansion of privacy enforcement beyond the CCPA to CA Unfair Competition Law (UCL)/UDAP.
This action specifically targeted alleged failures in website opt-out mechanisms, vendor contractual compliance, and the sharing of potentially sensitive information with third-party marketing companies, and it establishes important precedents for how CA businesses must handle consumer privacy rights in the context of cross-context behavioral advertising.
Automobile dealers, who often rely heavily on targeted digital advertising and website analytics, should pay close attention to this landmark CCPA enforcement action. The enforcement action and settlement emphasize the importance of having functional and compliant cookie banners and are indicative of increased enforcement scrutiny on privacy practices across the entire retail sector.
Healthline operates Healthline.com, a medical information website that attracts approximately 6.5 million California visitors monthly. The Attorney General’s investigation, conducted in fall 2023, revealed alleged systematic violations of CCPA requirements. Despite implementing multiple opt-out mechanisms—including a standard “Do Not Sell or Share My Personal Information” link, Global Privacy Control (GPC) support, and a cookie consent banner—investigators discovered that approximately 65,000 California consumers who had opted out continued to have their personal information shared with advertising networks.
The investigation employed sophisticated technical analysis, revealing that even after consumers exercised their opt-out rights through all available mechanisms (termed a “triple opt-out”), Healthline continued to place 118 third-party advertising cookies and transmitted personal information to dozens of advertising companies.
The complaint alleges multiple violations of California privacy law, structured around three primary legal theories. First, under the CCPA (Civil Code Sections 1798.120 and 1798.135), Healthline failed to honor consumer opt-out requests, continuing to sell and share personal information despite clear consumer directives.
Second, the complaint alleges violations of CCPA Section 1798.100(d), which requires businesses to maintain written contracts with third parties that receive personal information. These contracts must specify limited and defined purposes for data use and include mandatory consumer protection provisions. The Attorney General’s investigation revealed that Healthline failed to properly ensure that vendors signed adequate contractual agreements, and in some cases maintained agreements with overly broad language permitting data use for “any business purpose” or “internal use.”
Third, the complaint alleged a violation of the CCPA’s “purpose limitation principle” under Civil Code Section 1798.100(c). This principle requires that personal information be used only for disclosed purposes that are compatible with the context of collection and consistent with reasonable consumer expectations. The sharing of article titles suggesting medical diagnoses for advertising purposes allegedly violates this principle, as consumers would not reasonably expect such potentially sensitive health-related inferences to be shared with advertising networks.
The case reveals critical gaps between privacy policy representations and technical implementation. Healthline’s opt-out mechanisms suffered from multiple failure points: a misconfigured technical system that failed to properly disable tracking, inadequate testing of privacy controls, and over-reliance on third-party vendors without sufficient oversight. The company’s privacy compliance vendor failed to identify and block all relevant tracking technologies, necessitating extensive manual review by Healthline’s engineering team.
The complaint details sophisticated tracking methodologies that continued post-opt-out, including traditional cookies, local storage identifiers described as “next-generation universal identifiers,” and cookie synchronization pixels designed to match user identifiers across multiple advertising platforms. This technical complexity underscores the challenges in ensuring comprehensive compliance with CA privacy regulations.
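One way to test for the failure described above, as an added example that is not from the original article or from any vendor's tooling: capture the site's network traffic as a HAR file after exercising the opt-out, then flag third-party responses that still set cookies and third-party requests that carry the article's slug. The hostnames, the sample capture and the function names are constructed for illustration; Sec-GPC is the request header defined by the Global Privacy Control specification.

```javascript
// Added example: audit a post-opt-out HAR capture. All hostnames and entries are constructed.
const FIRST_PARTY = "publisher.example"; // assumption: registrable domain of the site under test

// Constructed sample in HAR shape (log.entries[].request/response), captured with GPC enabled.
const sampleHar = { log: { entries: [
  { request: { url: "https://www.publisher.example/health/sample-condition-article",
      headers: [{ name: "Sec-GPC", value: "1" }] },
    response: { headers: [{ name: "Set-Cookie", value: "session=abc; Path=/" }] } },
  { request: { url: "https://ads.adnetwork.example/sync?uid=123&title=sample-condition-article",
      headers: [{ name: "Sec-GPC", value: "1" }] },
    response: { headers: [{ name: "Set-Cookie", value: "adid=xyz; SameSite=None; Secure" }] } },
  { request: { url: "https://cdn.fonts.example/font.woff2", headers: [] },
    response: { headers: [] } },
] } };

// Case-insensitive header lookup; returns every matching value.
function header(headers, name) {
  return headers.filter(h => h.name.toLowerCase() === name.toLowerCase()).map(h => h.value);
}

function isThirdParty(host) {
  return host !== FIRST_PARTY && !host.endsWith("." + FIRST_PARTY);
}

// Returns findings for third-party traffic observed after the opt-out was exercised.
function auditOptOut(har, articleSlug) {
  const findings = [];
  for (const { request, response } of har.log.entries) {
    const url = new URL(request.url);
    if (!isThirdParty(url.hostname)) continue;
    for (const cookie of header(response.headers, "set-cookie")) {
      findings.push({ host: url.hostname, type: "third-party-cookie", detail: cookie.split("=")[0] });
    }
    if ([...url.searchParams.values()].some(v => v.includes(articleSlug))) {
      findings.push({ host: url.hostname, type: "page-context-shared", detail: articleSlug });
    }
  }
  // The opt-out signal must actually have been sent, or the capture proves nothing.
  const gpcSent = har.log.entries.some(e => header(e.request.headers, "sec-gpc").includes("1"));
  return { gpcSent, findings };
}

const report = auditOptOut(sampleHar, "sample-condition-article");
console.log(JSON.stringify(report, null, 2));
```

A capture that produces any finding while gpcSent is true is the condition to escalate; repeating the run for each opt-out path (link, GPC, banner) covers all three mechanisms the article names.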
A particularly noteworthy aspect of the enforcement action involves Healthline’s allegedly deceptive cookie consent banner practices. The complaint reveals that Healthline employed a cookie consent banner that ostensibly allowed consumers to control “Targeting / Advertising cookies” by providing an option to uncheck a box that would disable such cookies. The banner informed users that these cookies “gather information about your use of our [website] so we may improve your experience and provide you with more relevant content and advertising.”
However, investigators discovered that this consent mechanism was fundamentally deceptive—even when consumers actively unchecked the advertising cookie option, the banner failed to actually disable the tracking technologies.
The AG alleged that the failure of the banner mechanism to work as described was a violation of the California Unfair Competition Law under Business and Professions Code Section 17200, as it constituted a fraudulent practice that misled consumers about their ability to control data collection. While this connection between banner functionality and UDAP has been clear at the federal and state level for some time (based on recent FTC enforcement actions, as well as guidance such as the 2024 NY AG Guidance), this is the first time we are aware that a state agency has brought a direct claim against a company under this broad theory. This represents a fundamental shift in the way that dealers (and other businesses) should think about their cookie banners because a failure of the banner’s functionality or deceptive claims about its actual technical implementation can potentially expose dealers to both privacy law violations and broader consumer protection enforcement actions.
The case was resolved through a comprehensive settlement agreement resulting in a Final Judgment and Permanent Injunction announced on July 1, 2025, that required Healthline to pay $1.55 million to the California Attorney General’s Office.
In addition, the settlement includes extensive injunctive relief addressing the core violations identified in the complaint and mandates implementation of a comprehensive CCPA compliance program, requiring Healthline to conduct annual assessments and monitoring of its opt-out processing mechanisms for a three-year period. The company must provide detailed annual reports to the Attorney General documenting testing procedures, technical problems encountered, and remediation efforts. Additionally, Healthline must conduct regular reviews of third-party relationships to ensure all advertising partners maintain proper contractual protections required by the CCPA.
The Healthline enforcement action represents a critical change in focus and expansion of CCPA enforcement and compliance, moving beyond the (already complicated) requirements of the CCPA itself to now include broad UDAP risks related to CCPA-adjacent tools like cookie banners.
Bottom line – dealers must not only ensure they are meeting the explicit requirements of the CCPA in terms of consumer requests, opt-outs, and vendor management – you MUST HAVE A COOKIE BANNER THAT FUNCTIONS AS INTENDED. Unfortunately, this can be complicated, and as these settlements show, many vendors simply do not provide banner functionality that matches the promises to consumers.
However, if you are working with ComplyAuto, you will not only be able to meet the complex requirements of the CCPA, but you will also have a cookie banner that functions as described.
If you are not already working with ComplyAuto, please reach out today. We handle it all for you – from consumer privacy requests, to online opt-outs, vendor contract management AND a functioning cookie banner. We take the complex and make it simple for you. Contact ComplyAuto today.
1. See, e.g., FTC Section 5 claims such as https://www.ftc.gov/news-events/news/press-releases/2023/03/ftc-ban-betterhelp-revealing-consumers-data-including-sensitive-mental-health-information-facebook and https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising
2. See https://ag.ny.gov/resources/organizations/business-guidance/website-privacy-controls
Author: Brad Miller, Chief Compliance/Regulatory Officer, ComplyAuto