California AG Issues Largest Monetary Penalty in Most Recent CCPA Enforcement Action

On July 1, the California Attorney General (CA AG) announced a $1.55 million settlement – the largest penalty issued under the California Consumer Privacy Act (CCPA) to date – with Healthline, an online health and wellness knowledge platform. The settlement follows an investigation by the California Department of Justice, which found that Healthline violated the CCPA through its use of online tracking tools for targeted advertising purposes and its disclosure of sensitive health-related information to advertisers without complying with the CCPA’s requirements. The complaint also alleges that Healthline violated the CCPA’s purpose limitation principle by using consumers’ personal information in a manner that was inconsistent with the purposes for which it was collected and processed initially. The complaint further claims the company failed to include required privacy terms in contracts with third parties and misled users with a consent banner that did not actually disable tracking as promised.

In addition to the $1.55 million in civil penalties, Healthline will be required to implement injunctive relief, including a prohibition on sharing article titles that may reveal a diagnosis, improvements to its opt-out mechanisms, and the establishment of a CCPA compliance program with regular contract audits.

This settlement follows a series of notable enforcement actions by the CA AG’s office against Sephora, DoorDash, and Tilting Point Media. It also comes in the wake of broader CCPA investigative sweeps, including recent efforts focused on the location data industry. Collectively, these actions signal that CCPA compliance should continue to be an area of priority for companies, especially because two regulators have enforcement authority over the law. (The California Privacy Protection Agency also recently announced its first enforcement action under the CCPA and has been actively enforcing the state’s data broker registration law.) Companies that process sensitive data, such as health information, should be particularly focused on these developments.

In this post, we identify key takeaways from the California AG’s privacy settlement with Healthline. To stay up to date on the latest California privacy law developments, please subscribe to the WilmerHale Privacy and Cybersecurity Law Blog.

KEY TAKEAWAYS

1. Purpose limitation requirement draws novel regulatory attention. Perhaps the most notable development from this enforcement action is that the CA AG cited a violation of the CCPA’s “purpose limitation” principle as part of this settlement. This is a meaningful shift from previous CCPA enforcement actions because the alleged violations here were not limited to procedural failures but also focused on substantive limitations associated with the company’s data processing activities. This is the first time that a state regulator has focused on this type of enforcement activity through their comprehensive privacy law, though it may not be the last, given that other states (such as Colorado and Maryland) have similar or even more restrictive requirements in this regard. Substantive limitations on data processing activities were also a focus of the Federal Trade Commission (FTC) during the last administration. While the current FTC may not be as focused on this issue, this enforcement action may be a signal that state regulators are willing to fill the enforcement void in this regard.
2. Health information faces heightened scrutiny. Health information has been an area of focus for regulators across the country, and this enforcement action is consistent with this trend. The allegations against Healthline revolve around its sharing of article titles and other data that could reveal health information about Healthline users. Companies that process health data (or information that can reasonably be associated with health data) that falls outside of the scope of the Health Insurance Portability and Accountability Act should be aware of the increased scrutiny they may face from state regulators.
3. Targeted advertising remains an area of concern. It should come as no surprise that this enforcement action focused on the disclosure of sensitive information for targeted advertising purposes. This has been a top enforcement priority for state regulators (and the FTC) in recent years, as well as an area for increased litigation. Companies should pay close attention to their data-sharing activities in relation to this practice, especially if they process information that could be reasonably associated with sensitive data.
4. Contractual oversight with third-party advertising partners is critical. One of the CA AG’s key findings was that Healthline failed to include CCPA-compliant language in its third-party contracts. Instead, the company assumed third parties adhered to industry standards, but it did not verify those protections. This is notable particularly because the CCPA is the only state comprehensive privacy law that requires specific contractual provisions in relation to disclosures of personal information to third parties (in addition to having such disclosures with service providers or contractors). Companies that may not have paid attention to this requirement should be aware that it is an enforcement priority in California.
5. Settlement represents the largest CCPA penalty to date. At $1.55 million, this is the highest publicly reported civil penalty secured under the CCPA yet, exceeding the previous record of $1.2 million paid by Sephora in 2022. The scale of the penalty signals that California regulators have a growing willingness to impose substantial fines for companies that fall short of their compliance obligations.

¹ Many thanks to Jessie Miller, a researcher in WilmerHale’s London office, for her support on this article.