Healthline’s CCPA Fine Highest on Record: A Privacy Wake-Up Call
Healthline.com is one of the world’s top health information websites, with 86 million visitors in June 2025 reading its health and wellness articles. We don’t know its profits because it’s in private hands, but they won’t be quite so healthy after it pays a $1.55 million California Consumer Privacy Act (CCPA) settlement to the state of California. This fine, the largest to date, is a crucial wake-up call for all online publishers.
Healthline earns revenue from ads posted next to its articles, some of them targeting individual users. The payment resolves allegations that it didn’t allow users to opt out of this targeted advertising and shared their data with third parties without the appropriate privacy protections.
What Does the CCPA Actually Require?
The CCPA took effect in 2020, giving California residents the right to know if their personal data is being collected and whether it’s being shared or sold. It also gives them the right to access it, prevent its sale, and request its deletion. Crucially, they can also opt out of having it used for targeted advertising—which is where Healthline.com got caught.
Along with the civil penalty, the company will be banned from sharing the titles of browsed articles with advertisers, as this could reveal sensitive clues about a user’s medical diagnosis. For instance, if an advertiser knows a consumer has been reading, “You’ve Just Been Diagnosed with Diabetes. What’s Next?” they could target that person with relevant ads.
If this novel stipulation makes you ask, ‘Could our website comply with that requirement?’, you aren’t alone. Before a minor oversight becomes a major fine, you need unprecedented visibility into your website’s third-party risks. The Reflectiz privacy dashboard is designed to give you exactly that control.
The Healthline Fine Signals a New Era of CCPA Enforcement
The CCPA is widely considered the standard for privacy legislation in the US. With this latest penalty—along with recent fines against Honda for $632k for failing to process opt-out requests and clothing retailer Todd Snyder for $345k for non-compliant data sharing—the regulator is signalling its clear intent to aggressively pursue privacy violations.
Any brand caught this way risks more than just fines; it risks losing customers to companies that prove they can be trusted. The bad publicity from a privacy blunder can make conscious consumers shop elsewhere. And then there are the lawsuits. Healthline itself is now facing an individual claim under the California Invasion of Privacy Act (CIPA) related to tracking technology, as well as a federal class action claim.
How to Run a Tighter Ship: A 10-Step Compliance Checklist
As we mentioned, you need to establish visibility into your third parties. One of the accusations against Healthline was that a consent banner misled consumers: when they unchecked a box, it should have disabled tracking cookies, but it didn’t.
No one is suggesting this was calculated deception. It could have been a broken technical mechanism that went unfixed—the kind of problem many website owners struggle with and that Reflectiz is built to catch. But an oversight like this can suddenly be deemed a ‘deceptive business practice,’ and you’re in trouble. You can’t fix what you aren’t aware of, which is why a real-time privacy dashboard should be the bedrock of your compliance strategy.
Once that’s in place, follow these steps:
- Ensure Clear and Compliant Consent Mechanisms: Use transparent, user-friendly consent banners. Make opting out as easy as opting in.
- Limit Collection and Sharing of Sensitive Data: Identify and classify sensitive data, like health-related information inferred from browsing. Obtain explicit consent before sharing it.
- Implement Robust Privacy Policies: Maintain a comprehensive, easy-to-understand privacy policy and update it regularly.
- Respect Global Privacy Signals: Honor Global Privacy Control (GPC) signals, which are legally recognized opt-out requests under the CCPA.
- Conduct Regular Audits: Perform periodic audits of your data practices and review third-party contracts to ensure vendors are compliant.
- Use Privacy-Enhancing Technologies: Minimize data collection to only what is necessary and use anonymization techniques to reduce risk.
- Train Employees and Establish Governance: Train staff on privacy laws and appoint a team to oversee compliance and handle consumer requests.
- Monitor Emerging Privacy Laws: Stay informed about evolving regulations like the CPRA, GDPR, and other state-level laws.
- Respond Promptly to Consumer Requests: Adopt processes to handle consumer data requests within the CCPA’s required timelines (e.g., 45 days).
- Avoid Deceptive Tracking Practices: Be cautious with tracking pixels and cookies. Clearly disclose their use and ensure they align with user privacy regulations and consent.
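The consent failure described above (a banner whose opt-out did not actually stop tracking cookies) and the GPC item in the checklist can both be turned into a concrete gating check. The following is an added example, not Reflectiz code; the cookie names in TRACKING_COOKIES, the consent object shape, and the sample cookie string are assumptions constructed for illustration.

```javascript
// Added example: gate targeted-ad trackers on the banner choice AND the Global
// Privacy Control signal, then verify that an opt-out really removed the tracking
// cookies. Names below are assumed for illustration, not taken from any real site.

// Cookies set by third-party ad trackers that must be absent after an opt-out.
const TRACKING_COOKIES = ["_adid", "_fbp", "_gcl_au"];

// GPC arrives as the "Sec-GPC: 1" request header (server side) or as
// navigator.globalPrivacyControl === true (browser side).
function readGpcSignal(headers, nav) {
  if (nav && nav.globalPrivacyControl === true) return true;
  return Boolean(headers && headers["sec-gpc"] === "1");
}

// consent is { targetedAds: true|false } or null when the user has not decided.
function mayRunTargetedAds(consent, gpcSignal) {
  // GPC is a legally recognized opt-out under the CCPA: it overrides the banner.
  if (gpcSignal === true) return false;
  // No decision yet, or an explicit opt-out: do not track (opt-out as easy as opt-in).
  if (!consent || consent.targetedAds !== true) return false;
  return true;
}

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name) out[name] = rest.join("=");
  }
  return out;
}

// Tracking cookies still present although tracking is not allowed; an empty list
// means the opt-out mechanism actually worked.
function leakedTrackingCookies(cookieString, consent, gpcSignal) {
  if (mayRunTargetedAds(consent, gpcSignal)) return [];
  const present = parseCookies(cookieString);
  return TRACKING_COOKIES.filter((name) => name in present);
}

// Constructed sample: the user unchecked "targeted ads", yet an ad cookie survived.
const sampleCookies = "session=abc123; _fbp=fb.1.1700000000.999; theme=dark";
const leaked = leakedTrackingCookies(sampleCookies, { targetedAds: false }, false);
console.log(leaked.length ? `opt-out not honored: ${leaked.join(", ")}` : "opt-out honored");
```

Run the same check from an automated browser session after clicking the opt-out control; any non-empty result is exactly the kind of broken mechanism the settlement describes.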
Be Safer with Reflectiz
Reflectiz maps all your website’s active third-party components, allowing you to export their actions directly to your privacy and legal teams. You can identify which third parties are tracking users without cookie consent, detect who is obtaining geolocation or camera permissions, find cross-domain trackers, and ensure all vendors meet CCPA and GDPR regulations.
Don’t wait for a penalty to find your privacy gaps. Get full visibility and control with Reflectiz today.