California's Sophisticated Privacy Probe of Healthline Could Affect Many Other Companies
A California privacy enforcer’s first use of a purpose-limitation requirement under the California Consumer Privacy Act (CCPA) makes this week’s record $1.55 million settlement with Healthline a significant enforcement action for companies in many sectors, privacy experts told Privacy Daily this week. Also significant was the highly technical, in-depth investigation that the office of Attorney General Rob Bonta (D) conducted, they said. Signs point to increased privacy enforcement ahead.
Tuesday’s settlement called out Healthline for failing to limit use of personal information to the purposes it was collected for, among other violations (see 2507010074). The California AG’s office said the company violated this purpose-limitation requirement when it shared "article titles suggesting a consumer may have already been diagnosed with a specific medical condition to target advertising at the consumer.” Healthline called the settlement “amicable” while defending its commitment to privacy in a statement Tuesday (see 2507020050).
It's the "first time that we've seen -- at least in health care -- an action where the purpose-limitation principle was referenced," Jeremy Mittler, an expert on health care privacy and advertising, said in an interview. The California AG is saying that it's not enough for a company to decide that the data it has isn't sensitive, he noted. Now companies must "take into account a consumer's reasonable expectation. And if a consumer wouldn't reasonably expect you to take their data and do something with it, then you have a problem."
"It's common sense that companies should not share data that would link a person to their health condition -- and there's a lot of that happening in this space,” said Mittler, adding that many health care advertisers try to predict whether someone has a medical condition.
Invoking CCPA’s purpose-limitation for the first time is significant, agreed Mason Fitch, an attorney with Hintze Law. “In the past, most CCPA enforcement has focused on operational, rather than substantive, issues -- for example, the lack of required disclosures or failure to provide certain controls," he said in an email. "Purpose limitation goes a level deeper by assessing whether a certain use of personal data is appropriate.”
“Compliance with purpose limitation principles isn't a black and white issue like whether a required disclosure is made,” added the privacy lawyer. “Rather, it is a much more subjective assessment that will have to be fine-tuned as we see more enforcement actions from California. Companies will want to incorporate this assessment into their privacy programs and document their consideration of the purpose limitation principle.”
California’s action also provides fresh insight as to what regulators may consider protected health information (PHI), said Fitch. “This is a difficult line-drawing problem for companies and regulators -- for example, you could very reasonably imagine that someone who views an article titled ‘Recently diagnosed with Crohn's Disease? Here's what you need to know’ does not actually have that condition. The viewer could be a family member of someone who was recently diagnosed, a student researching that topic, or someone who is simply curious about the condition.”
Sara Geoghegan, senior counsel at the Electronic Privacy Information Center, called the purpose-limitation aspect of the Healthline settlement “promising,” because it “should put lots of internet companies … on notice that enforcement could be coming for their inappropriate uses of data.”
“It's very significant that enforcement here is about inferences based on browsing history,” because “your browsing history can reveal really highly sensitive information about you,” Geoghegan continued. It's important that "targeted advertising is not a compatible purpose, consistent with the purpose limitation” in the California privacy law, “including when this information can lead to inferences.”
Consumer Reports Policy Analyst Matt Schwartz agreed. “They're basically saying there are certain cases where the sharing of information is so egregious and so beyond the scope of what a reasonable consumer would expect, [and] that's a violation.”
However, Schwartz wondered aloud what would have happened “if Healthline had provided opt-in consent for this … whether that would have gotten them off the hook.” That’s because the CCPA allows companies to obtain “opt-in consent for any purpose, arguably even [a] really egregious” one, he said. That’s an “interesting wrinkle that got brought up in this case that we don't fully know the implications of.”
A ‘Technically Informed’ Probe
In addition, Schwartz noted the investigation’s sophistication. The first violation was discovered in fall 2023, but the AG “look[ed] under the hood even further,” examining “each of the cookies and trackers ... installed on the website [and] paired them against the documentation of those cookies online to see what they were doing.”
Investigators even “followed the data a little bit," with one conducting a "data access request to a data broker ... to see if information that he had looked up on the Healthline website had made it to a data brokers' files about him,” which it had, Schwartz said.
The enforcers were “looking for the downstream impacts of this data being shared, which I think is a new, rather involved aspect of the investigation,” Schwartz said. “There was a lot that they looked at here, and that feels like a step up from previous investigations."
Frankfurt Kurnit privacy lawyer Daniel Goldberg said in a blog post that “the AG’s office did more than review privacy policies.” Instead, “it looked at the actual deployment of cookies and pixels, browser local storage, transmission of data, and cookie sync pixels. Investigators also reviewed documentation on cookies and submitted requests to data brokers to assess the downstream impact on consumer profiles. If you land in regulator crosshairs, expect a comprehensive, technically informed review.”
While the investigation was sophisticated, the violations were “obvious” and “pretty egregious,” said Schwartz: Companies that want to avoid investigation should “make sure that there is at least one part of your privacy program that actually works.” The AG alleged that none of the three ways Healthline gave for people to opt out worked, Schwartz said. If even one had, perhaps the AG would have been more lenient, “but when nothing works … you're kind of asking for trouble.”
Making sure that opt-out mechanisms function is "low-hanging fruit" for companies like Healthline, agreed Mittler. So is ensuring vendor contracts comply with CCPA, another problem the AG found with Healthline.
“Governance of tracking technology is not an easy task and requires constant upkeep,” said Fitch. “This is an issue that many companies struggle with. Many rely on ‘plug and play’ cookie management services; while helpful, they should not be considered plug and play -- companies need to regularly monitor that cookies are appropriately tagged and that their consent and opt-out mechanisms are operating as expected.”
The Healthline case “is another reminder that using third-party tools doesn’t absolve a company from ensuring they are correctly implemented and compliant,” Goldberg blogged. “Healthline had most of the required language in its privacy policy and passed the opt-out string, but the technical implementation didn’t work.”
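One way to run the kind of check Fitch and Goldberg describe, as an added example that is not from the article, Healthline or the AG's office: it compares cookies and third-party requests captured from two browser sessions, one without and one with the opt-out asserted, against the site's cookie declaration and a vendor map. The declaration, vendor hosts, cookie names and URLs are all constructed, and the opt-out string is assumed to be an IAB US Privacy string.

```python
# Added example, not part of the article or the AG's investigation: a small
# audit of whether opting out actually suppresses advertising cookies and
# tracker requests, and whether every observed cookie is tagged. All names,
# hosts and cookies below are constructed.
from urllib.parse import urlsplit

# Constructed cookie declaration (name -> category the CMP tags it with).
DECLARED_COOKIES = {"_sid": "strictly_necessary", "_ga": "analytics",
                    "_fbp": "advertising", "ad_sync": "advertising"}

# Constructed vendor map (third-party request host -> tracker category).
VENDOR_HOSTS = {"analytics.example": "analytics",
                "pixel.adnet.example": "advertising",
                "sync.adnet.example": "advertising"}

# Constructed observations from two sessions on the same article page:
# cookies set and third-party requests seen, without and with the opt-out.
BASELINE = {
    "cookies": {"_sid", "_ga", "_fbp", "ad_sync", "abtest"},
    "requests": ["https://analytics.example/collect?v=1",
                 "https://pixel.adnet.example/tr?id=123",
                 "https://sync.adnet.example/match?uid=abc"],
}
OPTED_OUT = {
    "cookies": {"_sid", "_ga", "_fbp", "abtest"},
    "requests": ["https://analytics.example/collect?v=1",
                 # the opt-out string (assumed IAB US Privacy format) is
                 # passed along, yet the advertising pixel still fires
                 "https://pixel.adnet.example/tr?id=123&us_privacy=1YYN"],
}

def request_category(url, vendors=VENDOR_HOSTS):
    """Map a request URL to its tracker category, or 'unknown' if unlisted."""
    return vendors.get(urlsplit(url).hostname, "unknown")

def audit_opt_out(declared, vendors, baseline, opted_out):
    """Return the findings a privacy program would need to act on."""
    observed = baseline["cookies"] | opted_out["cookies"]
    ad_cookies = sorted(c for c in opted_out["cookies"]
                        if declared.get(c) == "advertising")
    ad_requests = [u for u in opted_out["requests"]
                   if request_category(u, vendors) == "advertising"]
    return {
        "untagged_cookies": sorted(observed - set(declared)),
        "ad_cookies_after_opt_out": ad_cookies,
        "ad_requests_after_opt_out": ad_requests,
        "opt_out_effective": not ad_cookies and not ad_requests,
    }
```

Running it on the constructed sessions flags one untagged cookie, one advertising cookie that survives the opt-out, and one advertising pixel that still fires with the opt-out string attached, the same shape of failure the quotes above describe.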
More Enforcement, Higher Penalties Ahead
The Healthline settlement is "a very big deal for the health care advertising industry,” said Mittler. "It's the first time we've seen a state" zero in on health care targeted ads, and it affects "every health care advertiser" that has ads on social, connected TVs and other spaces. "There's a massive industry there, and everyone in that space needs to take high notice that, at least in California, there's going to be some enforcement action."
The settlement's record size “shows that the fines are increasing as time goes along,” said Schwartz. But it could have been much larger, he noted, as each CCPA violation can carry a penalty of up to $2,500, and there were 65,000 instances of customer opt-outs that weren't honored. California “could have put this company out of business, probably, if they wanted to.”
“The significance of the difference between the maximum penalty and the observed-in-reality penalty is that it seems like” the enforcer “will give you the benefit of the doubt if you work" with authorities to address the issues, Schwartz added. Mittler agreed: “Cooperation helps.”
Goldberg noted that the amount was much higher than California’s $345,178 action last May against menswear retailer Todd Snyder (see 2505060043). “With [CCPA] now five years old, expect larger penalties going forward.”
More significant than the money, though, is the settlement's broader message, Troutman Amin law clerk Tammana Malik blogged Wednesday. “Website publishers, especially those operating in sensitive verticals like healthcare, are now firmly in the privacy enforcement spotlight.”
Fitch said, “The two main issues here -- selling sensitive personal data and non-compliant consent mechanisms -- are hot topics for just about every privacy regulator.”
Mittler added, "It's hard to see a world where there's less privacy enforcement and action instead of more. This train is not slowing down."