The California Attorney General announced a settlement with website publisher Healthline Media LLC, resolving allegations that its use of online tracking technology on its health information website, Healthline.com, violated the California Consumer Privacy Act (CCPA).
An investigation by the California Department of Justice (DOJ) found that Healthline failed to allow consumers to opt out of targeted advertising and shared data with third parties without CCPA-mandated privacy protections – including data suggesting that a person may have a serious health condition.
The proposed settlement, pending final approval from the court, includes $1.55 million in civil penalties and strong injunctive terms, including a novel term that prohibits Healthline from sharing article titles that reveal that a consumer may have already been diagnosed with a medical condition – banning the company from engaging in these types of data transmissions.
Healthline.com is a health and wellness information website that is one of the top 40 most visited websites in the world. Healthline generates revenue by showing ads – some of which are personally targeted at the reader. To maximize ad revenue, Healthline allows online trackers, like cookies and pixels, to communicate data about readers to advertisers and other third parties.
Healthline shared data that could uniquely identify the consumer, in addition to the title of the article they were reading. Some titles indicated that the reader may have already been diagnosed with a serious illness, such as “You’ve Been Newly Diagnosed with MS. What’s Next?” And because these online trackers run invisibly in the background in the first milliseconds when a webpage loads, consumers often have no idea how many online trackers might be running. In Healthline’s case, dozens of trackers were sharing consumer data with numerous third parties.
The complaint alleges Healthline violated the CCPA and the Unfair Competition Law by:
– – Failing to opt consumers out of the sharing of their personal information for targeted advertising. The CCPA gives consumers the right to opt-out of the sale or sharing of their personal information for certain targeted advertising. Businesses and website publishers must honor these requests, including requests submitted through the Global Privacy Control. Healthline continued to share data with some third parties involved in advertising, even for consumer who exercised their right to opt -out.
– – Violating the Purpose Limitation Principle. Under the CCPA, a business’s use of personal information is limited to the purposes for which the personal information was collected or processed or another disclosed, compatible purpose. Healthline violated this principle by sharing article titles suggesting a consumer may have already been diagnosed with a specific medical condition to target advertising at the consumer.
– – Failing to maintain CCPA-required contracts. Healthline had not ensured its advertising contracts contain privacy protections for readers’ data required by the CCPA. Instead, Healthline had assumed, but not verified, that the third parties had agreed to abide by an industry contractual framework.
– – Deceiving consumers about privacy practices. The Unfair Competition Law prohibits deceptive business practices. Healthline.com featured a “consent banner” that did not disable tracking cookies, despite purporting to do so if a consumer unchecked a box.
Under the settlement Healthline is required to ensure that its opt-out mechanisms work correctly; must stop disclosing information that can link a specific consumer to a specific article title that suggests that consumers have been diagnosed with a disease; must maintain a CCPA compliance program that, among other things, mandates that Healthline audits its contracts for specific, required privacy terms or confirm that third parties have signed an industry contractual framework that includes those terms; and maintain accurate online disclosures and privacy policy.