Calif. AG: Healthline Shared Data Suggesting Consumers' Possible Medical Conditions

The settlement, which is pending a court's final approval, would resolve allegations that the company’s use of online tracking technology on Healthline.com violated the CCPA, said Bonta's office. A California DOJ investigation found that Healthline failed to let consumers opt out of targeted advertising. In addition, the company shared data with third parties without CCPA-mandated privacy protections, including information suggesting individuals had serious health conditions, the AG's office said.

“Our settlement with Healthline underscores that Californians have critical privacy rights under the CCPA to fight online surveillance -- including by website publishers,” said Bonta. “Healthline shared data with third parties that could have revealed consumers’ private medical diagnoses, and while doing so, disregarded [their] rights to opt-out of the sale and sharing of this data.”

Healthline, which allows online trackers like cookies and pixels, shared data that could identify consumers in combination with an article they were reading, the California DOJ said. “Some titles indicated that the reader may have already been diagnosed with a serious illness, such as 'You’ve Been Newly Diagnosed with MS. What’s Next?'" The state said “dozens of trackers” on Healthline.com were “sharing consumer data with numerous third parties.”

“No one likes the thought of [a] stranger standing over their shoulder, watching what they read online, taking notes, and then telling others about it,” said Bonta’s complaint Tuesday to the California Superior Court for San Francisco. “This consumer protection privacy case arises from Healthline allowing tech companies to engage in similar behavior in connection with the online advertising on the company’s website, Healthline.com.”

Healthline’s alleged CCPA violations included sharing data with advertisers even after a consumer opted out, as well as not limiting use of personal information to the purposes for which it was collected, said the state. Healthline violated the latter “by sharing article titles suggesting a consumer may have already been diagnosed with a specific medical condition to target advertising at the consumer.”

In addition, Healthline failed to ensure its advertising contracts included CCPA protections. “Instead, Healthline had assumed, but not verified, that the third parties had agreed to abide by an industry contractual framework.”

Healthline also violated California’s unfair competition law, said the California DOJ, by putting a consent banner on its website that didn’t disable cookies, “despite purporting to do so if a consumer unchecked a box.”

The proposed injunction included in the settlement requires Healthline to ensure that its opt-out mechanisms work properly and to stop sharing article titles that suggest a consumer’s diagnosis, said the California DOJ. Also, the company “must maintain a CCPA compliance program that, among other things, mandates that Healthline audits its contracts for specific, required privacy terms or confirm that third parties have signed an industry contractual framework that includes those terms.” Finally, Healthline must “maintain accurate online disclosures and privacy policy.”

The settlement marked Bonta’s fourth enforcement action under the CCPA. The California attorney general last year announced separate settlements with DoorDash, Sephora and Tilting Point Media.

More enforcement actions could come soon. In March, Bonta announced an investigative sweep in the location data industry (see 2503100068).