On July 1, 2025, California Attorney General Rob Bonta announced a $1.55 million settlement with Healthline Media LLC (Healthline), resolving allegations that Healthline’s use of online tracking technology violated the California Consumer Privacy Act (CCPA). This settlement marks the California Attorney General’s fourth enforcement action to date under the CCPA. The settlement, available here, is still pending court approval. The government’s investigation concluded that Healthline had failed to allow consumers to opt out of targeted advertising technologies and had shared data with third parties for marketing purposes that had not been disclosed in its privacy disclosures. The disclosed data included article titles, such as “You’ve Been Newly Diagnosed with MS. What’s Next?”, that could allow marketers to infer that consumers viewing the content may have certain health conditions. As part of the settlement, Healthline is prohibited from sharing this content with its marketing partners.
The complaint, available here, specifically alleged Healthline violated the CCPA and the Unfair Competition Law. The allegations:
- Failure to opt consumers out of the sharing of their personal information for targeted advertising. The CCPA gives consumers the right to opt out of the sale or sharing of their personal information for certain targeted advertising. Healthline continued to share data with some third parties involved in advertising, even for consumers who exercised their right to opt out.
  - Baker’s Compliance Tips
    - Test Your Site. Periodically test cookie consent mechanisms on your website to ensure that all relevant technologies effectively respond to the consent mechanism. Most market-leading solutions require additional configuration following their initial deployment to effectuate opt-out rights.
    - AI Tools Are in Scope. Though cookies were the emphasis of the Healthline complaint, other forms of technology may also trigger opt-out requirements. For example, AI tools used in consumer profiling may necessitate an opt-out. Although California’s AI regulations are still progressing through the legislative process, the right to opt out of targeted marketing powered by AI has been in effect since January 1, 2020 and is actively being enforced by the California AG and California Privacy Protection Agency.
- Violating the Purpose Limitation Principle. Under the CCPA, a business’s use of personal information is limited to the purposes for which the personal information was collected or processed or another disclosed, compatible purpose. Healthline.com is a health website that generates revenue through ads and uses online trackers to communicate data about readers to advertisers and third parties. These trackers run invisibly in the website’s background, so consumers have no visibility into how many trackers might be running. The AG alleged Healthline violated the CCPA’s purpose limitation principle by sharing article titles that include disease names, which suggest a consumer may have already been diagnosed with a specific medical condition, in order to target advertising at that consumer.
  - Baker’s Compliance Tips
    - Update Disclosures. Businesses should regularly review and update consumer disclosures to ensure that marketing use cases for consumer data are accurately disclosed in their consumer-facing privacy policies, as required by the CCPA.
- Failing to maintain CCPA-required contracts. The AG alleged Healthline had not ensured its advertising contracts contain privacy protections for readers’ data required by the CCPA. Instead, the AG alleged that Healthline assumed, but did not verify, that the third parties had agreed to abide by an industry contractual framework.
  - Baker’s Compliance Tips
    - Vendor Diligence. Conduct diligence on providers of website cookies as part of vendor diligence and data governance practices. To the extent contracts or terms are agreed upon with service providers, ensure the contracts include CCPA requirements.
    - Third Parties vs. Service Providers. Under the CCPA, vendors who receive data from the business for purposes of “cross-context behavioral advertising” are classified as “third parties” under the statute with respect to that data. Therefore, businesses are required to provide their consumers with the opportunity to opt out of those disclosures. Service providers, acting on behalf of these businesses, must also adhere to specific requirements regarding the use of this data, as outlined in their contracts. Businesses should be aware that the major providers of online advertising technologies generally will classify themselves as a “third party” recipient of data collected for purposes of cross-context behavioral advertising, disclosures to whom require a consumer opt-out mechanism, even if they act as a “service provider” with respect to other forms of data that are collected as part of the engagement.
- Consent Banners. Healthline.com featured a “consent banner” with a checkbox that purportedly allowed consumers to toggle cookies. However, the investigation found that this consent mechanism did not actually disable tracking cookies, which constituted a deceptive business practice.
  - Baker’s Compliance Tips
    - An inaccurate consent mechanism not only constitutes noncompliance with the CCPA as described above but can also create additional UCL and FTC risks. This makes periodic testing of these mechanisms even more imperative.
This settlement represents AG Bonta’s continued commitment to enforcing the CCPA and highlights the importance of taking proactive steps to ensure CCPA compliance.