Takeaways from the California AG's latest settlement (Healthline Media)

Maxwell Anderson and Alysa Hutnik unpack why so many privacy programs still fail to operationalize opt-outs, even five years into CCPA regulation.

Summary

The $1.55 million California AG settlement with Healthline Media provides a detailed enforcement blueprint covering the three most common opt-out compliance failures: not honoring consumer opt-outs for targeted advertising, violating CCPA’s purpose limitation principle by passing sensitive health data to advertising partners, and failing to maintain required data processing contracts. Healthline had taken partial steps — signing up to the MSPA industry framework — but left gaps: not all advertising partners were enrolled, and a deprecated technical signal was still in use instead of the current standard. Five years into CCPA, partial or misconfigured implementations are no longer treated charitably. Offering a consent choice that isn’t honored on the backend now constitutes a deceptive representation, compounding liability beyond the underlying opt-out failure. A central lesson is the gap between cookie blocking and genuine opt-out compliance. Many companies still treat consent management as synonymous with blocking cookies via a tag manager, when the actual obligation is to understand what personal information is shared with third parties, through what mechanisms, and to ensure that sharing actually stops when a consumer opts out. Healthline’s enforcement specifically flagged sensitive health data embedded in article URL titles being passed to ad partners — a form of exposure invisible to cookie-level tools. Verification is a significantly underutilized practice: implementations need continuous technical monitoring to confirm they work as configured, not just at launch, but as websites and marketing stacks evolve over time. Tools capable of cataloging and categorizing what is actually transmitted from a site — not just what cookies are present — are now a compliance necessity. The financial and strategic calculus for privacy programs is shifting materially.
The $1.55M figure should be benchmarked against current exposure, not 2020 standards, and multi-state coordinated enforcement — not yet seen but anticipated — would carry significantly higher penalties. Privacy practitioners are advised to frame budget conversations around both regulatory and private right of action risk, and to explore infosec and marketing budget lines as funding sources given the operational overlap. Vendor contract compliance — ensuring required CCPA language is present in all third-party agreements — remains unglamorous but was explicitly cited in this settlement and cannot be overlooked. Companies that proactively document their processes, maintain current contracts, and can demonstrate technical evidence of working opt-out implementations will be meaningfully better positioned when regulators come knocking.
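The summary's point that compliance turns on what actually leaves the site, not on which cookies are set, is easiest to see against a capture of outbound browser requests. The script below is an added example written for this page; it is not Healthline's, the regulator's, or any vendor's tooling. It audits a constructed request capture for the three gaps the summary names: sensitive page content in parameters sent to a third party, calls to an ad partner that continue after the consumer has opted out, and an opt-out signal carried only in a legacy parameter. Every domain, parameter name, regex and request in it is constructed; treating `us_privacy` as the deprecated signal and `gpp` as the current one is my reading of the IAB Tech Lab specifications, not something the page states.

```python
"""Added example: audit captured outbound requests for opt-out compliance gaps.
All hosts, parameter names, patterns and sample requests are constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlparse

FIRST_PARTY = "example-health-site.test"                      # placeholder publisher domain
AD_PARTNERS = {"ads.partner-a.test", "ads.partner-b.test"}    # constructed ad partner hosts

# Constructed patterns for health-related content in titles and URLs.
# Word boundaries keep "hiv" from matching inside words such as "archive".
SENSITIVE_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"\bdiagnosed with\b", r"\bcrohn'?s?\b", r"\bhiv\b",
              r"\bpregnan\w*", r"\bdepression\b")
]
# Assumed signal parameter names (my reading of the IAB Tech Lab specs, not from the page):
# us_privacy carries the deprecated US Privacy String, gpp the current GPP string.
LEGACY_SIGNAL, CURRENT_SIGNAL = "us_privacy", "gpp"


@dataclass(frozen=True)
class Request:
    url: str
    after_opt_out: bool   # True if captured after the consumer exercised an opt-out


@dataclass(frozen=True)
class Finding:
    kind: str
    host: str
    detail: str


def sensitive_hits(value: str) -> list[str]:
    """Return the patterns that match a URL-decoded parameter value."""
    text = unquote(value)
    return [p.pattern for p in SENSITIVE_PATTERNS if p.search(text)]


def is_first_party(host: str) -> bool:
    return host == FIRST_PARTY or host.endswith("." + FIRST_PARTY)


def audit(requests) -> list[Finding]:
    """Flag sensitive data leaving the site, sharing after opt-out, and legacy-only signals."""
    findings = []
    for req in requests:
        parsed = urlparse(req.url)
        host = parsed.hostname or ""
        if is_first_party(host):
            continue                      # first-party traffic is not "sharing"
        params = parse_qs(parsed.query, keep_blank_values=True)
        # 1. Any parameter value carrying sensitive content to a third party
        for name, values in params.items():
            for value in values:
                hits = sensitive_hits(value)
                if hits:
                    findings.append(Finding("sensitive_data_shared", host, f"{name} matched {hits}"))
        if host not in AD_PARTNERS:
            continue                      # CDNs and similar are out of scope for the next checks
        # 2. An ad-partner call after the opt-out is sharing that should have stopped
        if req.after_opt_out:
            findings.append(Finding("sharing_after_opt_out", host, parsed.path))
        # 3. Legacy signal present with no current signal alongside it
        if LEGACY_SIGNAL in params and CURRENT_SIGNAL not in params:
            findings.append(Finding("legacy_signal_only", host, params[LEGACY_SIGNAL][0]))
    return findings


def summarize(findings) -> dict[str, int]:
    """Count findings by kind, which is what a recurring monitor would trend over time."""
    return dict(Counter(f.kind for f in findings))


# Constructed capture: one page load before and one after the consumer opted out.
SAMPLE_CAPTURE = [
    Request("https://cdn.example-health-site.test/app.js", False),
    Request("https://ads.partner-a.test/pixel?dt=I%20Was%20Diagnosed%20With%20Crohn%27s%20Disease"
            "&us_privacy=1YNN", False),
    Request("https://static.some-cdn.test/lib.js", False),
    Request("https://ads.partner-b.test/sync?gpp=PLACEHOLDER_GPP_STRING"
            "&dl=https%3A%2F%2Fexample-health-site.test%2Farticles%2Fliving-with-hiv", True),
    Request("https://static.some-cdn.test/lib.js", True),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_CAPTURE):
        print(f"{f.kind:24} {f.host:22} {f.detail}")
    print(summarize(audit(SAMPLE_CAPTURE)))
```

Run against a real capture (a HAR export or proxy log converted into `Request` records, with `after_opt_out` set from the timestamp of the opt-out action) the same three checks give the continuous, evidence-producing verification the summary calls for; the point of scanning every parameter value rather than a fixed list of "title" keys is that the sensitive string in the settlement travelled in a page-title field that no cookie inventory would surface.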

Transcript

**Colleen** We are again on the Privacy Huddle. Max, thanks for joining us. Normally, just myself and Alysa here, but thrilled to have you.

**Max** For having first appearance, I'm nervous.

**Colleen** There's nothing to be nervous about. This is a chill environment. It's a safe space. Our topic du jour is the Healthline settlement. On July first, the California attorney general's office announced a one point five five million dollar settlement with Healthline Media. The California AG specifically noted that Healthline failed to opt consumers out of the sharing of personal information for targeted advertising, noted that Healthline violated the purpose limitation principle under CCPA. Healthline failed to maintain CCPA required contracts, and then lastly, they deceived consumers about privacy practices. Some familiar things here, some new things here. Let's talk about what we can take away from this. First of all, we are right back at it with opt outs, failing to opt consumers out of the sharing of their personal information for targeted advertising. CCPA is five years old. Alysa, have we not learned our lesson? How are we still talking about opt outs? Can you break down some of the details of this case?

**Alysa** You know, I think we have been consistent that opt outs are the number one enforced issue, and that continues to be the case. And I think a lot of it comes down to there's good intentions by so many privacy practitioners and compliance practitioners, but actually doing it right is just a gap. It's a gap for a lot of companies. And I think some of that's a knowledge gap. Some of that is they're using technology that they may not be using either correctly or what they are using is never going to account for some things that they need to fill in the gap there. And I think here you had a combo of all of it. There was a configuration issue. Right? So how they configured it.
We talk about that from an advertising standpoint because so many companies have their banner and they're making these statements, including about giving a choice. And if you offer a choice and then you don't actually honor the choice, that's a deceptive representation. And that is even worse because now you've got potential other claims. And we've seen a lot of private right of action suits on that point in particular. The other thing that I noted in particular is like this company was relying on there's an industry contract and opt out technical signal. IAB offers the contract. It's a way that if you're doing digital advertising, there's a lot of players in the environment. It's a group industry contract that folks sign up to, and you're making certain representations about what you'll do when it comes to compliance. And so if a company sends you an opt out signal, that means something. And those contract terms represent that you will take that opt out signal and you will honor it as an opt out. They kind of did part of what that requires. They had signed up to the MSPA, but not all of their partners were signed up. That was an issue. That's something that you can look at online. And they were using an older deprecated signal to communicate the opt out, not the new one that IAB Tech Lab offers. So good intentions in that they were trying to do something to opt out, but five years later, doing something is not enough. You need to do it correctly, and they are really dinging you when you're not doing it correctly.

**Colleen** Mhmm. It continues to be a very complex process with so many nuances. And, Max, it's clearly very hard for brands to tell when things are broken. It's important to be compassionate. These are complicated problems, and, certainly, it's not just a happy meal despite what vendors and people in this marketplace say.

**Max** I do think that to some degree, I don't think people are talking enough about verification.
We talk about implementing auto magic solutions to the opt out problem, but we don't really as often talk about it in the privacy community verification that everything is set up correctly. This is just another kind of validation that the few folks in the space that are building tools to validate that your privacy implementations are working in the same way that enforcement agencies or otherwise are doing is on the right track. That suggests to me that there's plenty of room to verify that this stuff is or isn't working because it's pretty clear to me at this point. It's still gonna happen. People are still gonna misimplement. There's gonna be the weird tag on page and the notification that didn't show up in the application and the marketing team that went rogue. That's never gonna go away. So you at least want something to ride alongside your implementation to make sure that you can know before someone else does because the price point's obviously getting higher.

**Alysa** Mhmm. I think the important distinction too is that when we think about verifying the implementation, it's not even that we're necessarily talking legacy tool versus next gen tool. Right? Regardless of the tool that's implemented, it needs to be verified. This is when I start it and forget it.

**Max** Yeah.

**Alysa** Interestingly enough, it's not just does your CMP work. It's also what data are you actually collecting or passing. Again, back to auditing, you do wanna know whether or not you're passing sensitive information. And you can't just look at, oh, in the URL, the things called content or page title or whatever it is that is there. You actually have to look at many instances of the titles themselves to derive the fact that, in fact, that there's sensitivity there. That's another thing I just don't think is really being talked about or done as effectively. If you sense frustration in my voice, it's because there is some.
We were at the CLA a few conferences ago talking about the criticality of unstructured data and data mapping. Fast forward many months later, the most recent conference we were attending, one person mentioned in the context of data mapping. Why are we talking about this? Isn't all the enforcement related to your website? And I was grateful that it seems like the tide is turning because it is. And the focus and energy, I think, for now should be placed on ensuring that you know what's happening on your website because that's what it seems regulators, enforcers, etcetera, are looking at as well.

**Colleen** Mhmm. Let's talk about that ability to know what's sensitive, right, in data minimization. That was a big piece of this Healthline settlement, the idea that sensitive data was actually living in the titles of some of these articles. Alysa, I would imagine across many brands, folks are grappling with just understanding that line and what's included and what should not be included.

**Alysa** Look. You can have some look at this enforcement and say, gosh. Is this the hard issue of I need to know all the possible inferences of when does it become health, like real health information about a person. And here, I think it's really noteworthy that they're pointing to titles like I've been diagnosed with Crohn's disease. There wasn't a whole lot of subtlety around the titles that they pointed out to as examples. And so I think we can spin ourselves up about the hardest questions in privacy on what to categorize as sensitive, whatnot, but I don't even think we're there yet. I think we're still in the low hanging fruit of things that might not fit into the category of social security number, but titles, anything that's a content about what somebody reads or somebody watches, I think you need to consider that. What are the possibilities of actual titles?
That's what they focused on here is that data, the full string was being communicated to third parties for advertising purposes.

**Colleen** Max, do you think privacy leaders and program managers are aware of the tooling available to flag that kind of data in non manual ways?

**Max** I'm not sure that everyone is aware. I do think that this is a very solvable problem. Obviously, it's a solvable problem. This is what enforcers are doing. They may not have the rigorous tooling available to them, but there are ways to emulate and catalog, categorize, and automated ways, what's going on on the website. I think awareness is probably drawing, but I think by and large, most people are still thinking about cookie blocking. And that remains, unfortunately, the definition of consent management or website forensics. It's, can you tell me what cookies are on my website and block them? It remains to be seen how many more of these enforcement actions need to happen before ninety percent of people that show up to a demo or at a conference talking about these things actually broaden the aperture. But I'm certain when I say this is a solvable problem. It is not a five thousand dollar problem, though. And I think that's the other thing that's interesting about this whole settlement is, look, markets are efficient. And if there's a one point five million dollar penalty to doing this incorrectly and you show up as a practitioner looking for five hundred or five thousand dollars worth of solution to that problem, you get what you pay for in life. And I promise you, this is not an easy problem to solve. It is solvable, but it is expensive, and it's hard. So I do think that the other part of this conversation necessarily needs to be, what does it cost to solve this problem effectively as opposed to I'm in legal and I only have budget for two thousand five hundred dollars? That's how we get here.
So if you're a practitioner, my guidance to you is continue neighboring with your CSOs or your marketing teams or whomever you can that does have budget because these penalties appear to be increasing.

**Alysa** Max, maybe can I just, like, repackage something you said? Because I think it's a really important point on what problem am I trying to solve. And I think you still have a lot of people who think that the problem we're trying to solve is website means cookies means that's how I solve for it. I use a solution via my Google Tag Manager, and I am set. As opposed to thinking what personal information under these laws is getting shared or made available with third parties. How does that happen? And is my solution or set of solutions accounting for that? And how dynamic is it where what I do on day one may be impacted day thirty because the website gets refreshed or because somebody adds new things. Like what is that overall process and having that being really specific, really clear so you know what you're buying, what problem you're trying to solve with those solutions. I still think some of the buyers think the problem is this when it's this.

**Colleen** Alysa, do you think as the regulators get more technically sophisticated that the understanding of the problem area is improving for privacy program managers or still long way to go?

**Alysa** I think we've got some ways to go just by I look at websites a lot, and I just see where we're at. Every time you see one of these settlements announced, I think it's really important to look at read the complaint, read the allegations, look at the settlement, including the injunctive, what we'll call remedial relief. What does that company now have to do differently and account for it under an order? And then think about what you are doing. Is there anything you are doing that seems really similar to what was that issue? You don't need to be a health company.
There could be other components here, but you gotta do that reflection and comparison because the regulators, that's why they put these orders out. It's not just for that company. It's supposed to be, everybody should take account of this issue and make sure that you are complying. And I think that dollar figure is gonna continue to go up the more the same problem is identified as not compliant. So even as you're thinking budget wise, one point five five, that's bad, but it's not like billions. And that's where we're at based on practices that the company was being investigated. Let's I don't know how long they're investigated, but usually these things might go like six months to twelve months to eighteen months. So that's back then we're really coasting into the end of summer twenty twenty five. And I think the expectations are higher. I'll also note we've talked about that consortium among a number of different state AGs and CPPA working together. We haven't seen a multi state yet. Once you start seeing a multi state, there are commonalities, including offering choice and honoring it. And the price tag on that goes up significantly. Back to the point Max was making earlier, your budget aligns with whatever resources you are using to solve the problem, you gotta compare that to what your actual exposure is in twenty twenty five as opposed to what you are looking at as benchmarking for maybe twenty twenty.

**Colleen** Mhmm. And shows the criticality of being cooperative and working with these regulators while you're under investigation, but also the more tooling you have in place to demonstrate compliance, the easier that process is gonna be for you. Right.

**Alysa** I don't think there's an expectation that anyone's perfect, and that's never been the standard. But having a program together, really thinking about these things that they've already flagged and having a solution for it. The contract terms were another one. That is not glamorous.
It can be tedious. But do you have the magic language required by law in your agreements with these different parties? And you have to be able to point to something there.

**Colleen** We were talking earlier about it's not a five thousand dollar problem, and that may well be true. And there are probably a lot of people in the privacy program manager seat who would say, yes. I know that, and the organization does not care about this problem. I'm wondering, do you think that this will get the attention of executives in a way that unlocks more opportunities resource wise, budget wise, whatever for practitioners? What's your guess there?

**Alysa** I think the savvy practitioner always has to go, what's gonna make the most sense in that company? If your budget is only coming from legal, you're always gonna be working against the tight budget, but legal knows litigation exposure. And so it's not just regulators. It's all of the private right of action. Put that together. That may be your best bet. I am seeing a lot of this come under infosec teams and infosec budgeting. And there are ways that you can leverage that budgeting because a lot of the same work requirements really do overlap between those teams. So put it there. Or so many marketing teams, they have one vendor for their email opt outs. They have another vendor for their text opt outs. We're really talking about permissions and permissions to communicate, permissions to share. If you add of the budget to each of those different vendors, that's a pretty high price tag. Is there a world where it's one vendor and it manages all of that? I think the inefficiency is something worth looking at and raising because I do think that customer profile is becoming a bigger business issue and there's a lot easier way to solve that on the back end with one vendor.

**Colleen** As we wrap here, Alysa, what do you think the future holds for similar settlements across other states? Can we expect to see more focus on health data?
**Alysa** I think sensitive data. Health is one type, but I think we'll continue to see sensitive data via flag. The states define that in different ways and each AG has their priority within that. I do think we're gonna see more examples of that. Connecticut in their second enforcement report, that was an issue that they had flagged. We should learn from those and do a little bit of looking in the mirror as to, are there things that we should be changing?
