The California Attorney General recently fined Healthline Media, LLC $1.55 million—the largest CCPA[1] settlement to date—for violating California’s privacy law by failing to honor “opt out” requests of website users and making other improper disclosures of their personal information (PI).
Allegations Against Healthline
Healthline operates an advertising-supported website with articles about medical/health topics. The California AG alleged that the website contained invisible cookies and pixels that gave advertisers PI—such as unique consumer identifiers stored as cookies and the titles of articles that consumers were reading—which facilitated targeted advertising. The California AG alleged that Healthline: (1) failed to honor website visitors’ requests to opt out of the sale or sharing of their PI; (2) disclosed PI to third parties without using CCPA-compliant contracts; and (3) violated the CCPA’s “purpose limitation principle.” The California AG also alleged that Healthline deceived consumers about its privacy practices in violation of the state’s unfair competition law.
Key Takeaways
1. Opt-out mechanisms must be effective. Healthline’s website included three opt-out mechanisms: (i) a cookie banner; (ii) a “Do Not Sell or Share My Personal Information” link; and (iii) the Global Privacy Control, a technical method that lets users “opt out” via a browser setting. Despite these measures, the California AG found that users who attempted to opt out of targeted ads continued to receive them. A business’s opt-out mechanisms must actually accomplish their purpose to satisfy the CCPA; offering the mechanism is not enough if the underlying data flows to advertisers continue unchanged.
2. Third-party data contracts must not be overbroad. The California AG alleged that Healthline’s contracts with advertisers did not satisfy the CCPA because they allowed advertisers to use PI “for any business purpose,” for “‘internal use’ inuring to the recipients’ ‘direct benefit,’” or for unspecified “purposes contemplated.” The CCPA requires contracts with third parties receiving PI to, among other things, “[s]pecif[y] that the personal information is sold or disclosed by the business only for limited and specified purposes.”
3. Disclosure of PI must be reasonable. Healthline allegedly violated the CCPA’s “purpose limitation principle” because it shared the titles of articles read by website users with unseen advertisers, a practice that was neither disclosed to consumers nor “reasonably expected” by them. Under the CCPA, businesses must process PI for the purposes for which it was collected or for another disclosed, compatible purpose, which must be “consistent with the reasonable expectations of the consumer.” Here, Healthline allegedly disclosed “article titles suggesting a possible medical diagnosis—with unseen advertisers and their vendors” in violation of this principle.
4. Health data will be a focus for state privacy regulators. This enforcement action highlights how states have stepped in to protect consumer health data that falls outside the scope of federal health privacy and state medical record laws. Such data may be aggregated with other health data held by the advertisers or the other entities to which the data is disclosed to create detailed profiles of website users. We anticipate the continued expansion of state regulation and enforcement in this area through state consumer data privacy, consumer health privacy, and unfair competition laws.
[1] Cal. Civ. Code §§ 1798.100 et seq.