The Record CCPA Fine Against Healthline Should Be A Wake-Up Call For Publishers

You know that feeling when you visit the doctor and they ask you whether you’ve been exercising and you haven’t, but you know you really should be because it’s the healthy thing to do?

Well, getting consent – especially for sensitive data – is the healthy thing to do, and businesses should really know that by now.

The California attorney general has made this very clear through recent enforcement actions under the California Consumer Privacy Act (CCPA):

  • Sephora paid a $1.2 million fine in 2022 for not disclosing the sale of user data and not honoring Global Privacy Control (GPC) opt-outs.
  • In 2024, DoorDash was fined $375,000 for selling personal information without the proper notice or opt-out options.
  • That same year, mobile gaming studio Tilting Point Media paid $500,000 to settle allegations that it collected and shared children’s data without parental consent.
  • And in May, clothing retailer Todd Snyder was fined a very precise $345,178 for not properly processing opt-out requests and requiring consumers to provide excessive personal information to exercise their privacy rights.

Now add Healthline, a digital media company specializing in health and wellness information, to the list. In early July, Healthline gained the dubious double honor of becoming the first publisher to get hit with a violation under the CCPA – and it also got hit with the largest fine to date for an enforcement action under that law.

Not feeling so fine

Healthline agreed to pay $1.55 million to settle the California AG’s allegations, which include ignoring consumer opt-out requests for targeted advertising, not giving clear disclosures about its data sharing practices and sharing health information with third parties without getting proper consent.

(You can read the complaint here and the settlement here.)

According to the complaint, Healthline used tracking pixels and cookies across its network of sites that would automatically send the titles of articles to third parties when those pages loaded.

In many cases, the titles were considered to be sensitive data because they could reveal a person’s specific medical diagnosis or health condition, directly or through inference, without their consent or beyond their reasonable expectations.

For example, if someone’s reading an article with the title “You’ve Been Newly Diagnosed with MS. What’s Next?” or “The Ultimate Guide to MS for the Newly Diagnosed” – both real Healthline headlines – then it’s reasonable to assume that the cookie ID associated with that reader corresponds to someone who either has MS or is close to someone who does.

Arguably, being able to make such obvious connections between content consumption and a person’s likely medical history casts the whole idea that contextual ad targeting is inherently privacy-safe in an unflattering light.

Other headlines are equally revealing:

  • Newly Diagnosed with Ulcerative Colitis? Here’s What to Know
  • Chronic Kidney Disease – Your guide to navigating early-stage kidney disease
  • Guide to Newly Diagnosed Diabetes: How to Make a Plan
  • Dating with Hepatitis C: Newly Diagnosed, During Treatment, and More

In one case, an investigator in the attorney general’s office clicked on an article about Crohn’s disease and was targeted shortly thereafter with a streaming ad for a drug that treats Crohn’s. This happened despite the investigator triple opting out via a cookie consent banner, a “do not sell or share my personal information” link and a GPC mechanism.

An ounce of prevention

That’s not a good look.

As part of its settlement, Healthline agreed to stop sharing article titles with third parties when those titles could give away a person’s health condition. It also promised to honor GPC signals, maintain a CCPA compliance program and update its privacy policy and online disclosures to accurately reflect its data practices.
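The two technical remedies above (honor opt-out signals, keep condition-revealing titles out of third-party requests) can be enforced at the point where a tag's payload is assembled. The sketch below is an added example, not Healthline's or any vendor's code; the function names, cookie names and page fields are hypothetical, while `Sec-GPC` and `navigator.globalPrivacyControl` come from the GPC specification.

```javascript
// Added example: all identifiers here are hypothetical.

// Any single opt-out channel is enough to suppress sharing. The complaint
// describes three: consent banner, "do not sell or share" link, and GPC.
function hasOptedOut(signals) {
  const headers = signals.headers || {}; // assumed lower-cased header names
  const cookies = signals.cookies || {};
  const gpcHeader = headers["sec-gpc"] === "1"; // GPC request header
  const gpcDom = signals.navigatorGpc === true; // navigator.globalPrivacyControl
  const doNotSell = cookies.do_not_sell === "1"; // assumed cookie set by the link
  const bannerDeclined = cookies.ad_consent === "denied"; // assumed banner cookie
  return gpcHeader || gpcDom || doNotSell || bannerDeclined;
}

// Decide what, if anything, a third-party tag may receive for a page view.
// Returns null when no third-party request should be made at all.
function buildPixelPayload(page, signals) {
  if (hasOptedOut(signals)) return null;
  const payload = { site: page.site };
  // Default-deny: the title is shared only for pages explicitly reviewed as
  // non-sensitive. The URL is withheld with it, on the assumption that the
  // slug repeats the title.
  if (page.sensitive === false) {
    payload.title = page.title;
    payload.url = page.url;
  }
  return payload;
}

// Constructed sample page view, using a headline quoted in this article.
const samplePage = {
  site: "publisher.example",
  title: "Newly Diagnosed with Ulcerative Colitis? Here's What to Know",
  url: "https://publisher.example/health/newly-diagnosed-ulcerative-colitis",
  sensitive: true,
};

// Constructed walk-through: GPC set, no opt-out, and a reviewed page.
function demo() {
  return {
    gpcVisitor: buildPixelPayload(samplePage, { headers: { "sec-gpc": "1" } }),
    noOptOut: buildPixelPayload(samplePage, {}),
    reviewedPage: buildPixelPayload({ ...samplePage, sensitive: false }, {}),
  };
}
```

Pages with no `sensitive` flag at all are treated like sensitive ones, so an unclassified article never leaks its title by default.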

But what should publishers and their ad tech partners take away from all this? I asked a few people in my proverbial Rolodex to share their thoughts, but here’s the TL;DR: “Get your sh*t together.”

Max Anderson, founder & head of product, Ketch:

To me, this signals three things. One, no sector is exempt from enforcement. This isn’t about expanding into “sensitive” areas – sensitive data has always been in scope. It’s about ensuring that every sector is accountable for respecting user choices.

Two, regulators are scrutinizing actual data practices. This isn’t just about whether an opt-out toggle exists or if privacy UX meets expectations. Regulators are digging into what data is collected, how it’s shared and whether companies are honoring opt-out signals in practice.

And three, the penalties for noncompliance are increasing. As the law matures, so do enforcement expectations.

Ultimately, this isn’t just a health data story. It’s a warning about the growing disconnect between what companies believe they’ve implemented and what regulators are able to observe in the real world.

Julie Rubash, general counsel & chief privacy officer, Sourcepoint:

The AG’s complaint puts a spotlight on the CCPA’s purpose limitation. It’s not enough to mention targeted advertising in a privacy policy. If data flows aren’t transparent or intuitive to consumers, regulators may conclude that the use exceeds their reasonable expectations.

The AG’s remedy banning Healthline from sharing article titles that imply health conditions with third parties makes clear that sensitive inferences can occur at the publisher level, based on the content shared and not just at the ad tech level based on sensitive segment titles and inferences made.

This may cause publishers to take a closer look at the nature of content shared with third parties.

Daniel Barber, CEO & co-founder, DataGrail:

If you’re general counsel at a mid-sized company, consider this a wake-up call.

The California AG’s recent enforcement actions, including settlements with Healthline and Todd Snyder, mark a clear shift: Privacy enforcement is no longer reserved for enterprise companies.

When it comes to health-related web activity and ad tech, the message is even more pointed: Regulators expect all companies to honor opt-outs and obtain valid consent, but they’re placing particular scrutiny on how publishers handle health content.

The bottom line: The Healthline settlement is not an outlier, it’s a signal. Regulators are raising the bar on enforcement. Companies should expect growing scrutiny and harsher penalties if they fail to comply with universal opt-out requirements.

The responses above have been lightly edited and condensed.

🙏 Thanks for reading! And I wonder if this little guy gave his consent to get wrapped up in a kitty burrito? As always, feel free to drop me a line at allison@adexchanger.com with any comments or feedback.
