On July 1, California Attorney General (AG) Rob Bonta announced a significant proposed settlement with Healthline Media LLC (Healthline) — a prominent website publisher of health information and wellness articles. The proposed settlement follows allegations that Healthline’s use of online tracking technology violated the California Consumer Privacy Act (CCPA). This is the third action under the CCPA announced by Bonta this year.

Healthline generates revenue by selling ad space to businesses that offer targeted advertising to website visitors. Per the California AG, Healthline’s website is among the top 40 most visited websites in the world, and according to its complaint, it is estimated that as many as 6.5 million consumers located in California visit Healthline each month. Healthline’s website employs dozens of online trackers, such as cookies, to relay consumer data to third parties, including advertisers. This data includes unique identifiers and article titles, some of which allegedly disclosed consumers’ medical diagnoses or private health concerns based on their searches and viewed articles. Presumably, this personal information was made available to various third parties that used it to push targeted advertisements to consumers based on search history.

The California Department of Justice’s investigation focused on the website’s mechanisms for users to opt out of “sales” and “sharing” as defined under the CCPA. Regulators allege that Healthline continued to transfer personal information to advertising businesses through trackers even after consumers opted out of such transfers through the mechanisms provided on its website. Transfers via tracking technologies allegedly persisted even after a consumer disabled tracking cookies through their website browser.

The complaint against Healthline outlines several violations of the CCPA and the Unfair Competition Law (UCL). Specifically, Bonta alleged that Healthline failed to honor consumers’ opt-out requests regarding the selling and sharing of personal information for targeted advertising, a right protected under the CCPA. See Civil Code § 1798.120(a), (d) and § 1798.135(a), (c)(4). Healthline allegedly breached the “purpose limitation principle” by using personal information for purposes beyond those disclosed in its privacy policy, including in a manner that was not reasonably necessary or proportionate to achieve the purposes for which it was collected in violation of Civil Code § 1798.100(c), (d). Healthline also allegedly neglected to maintain CCPA-required contractual obligations with third parties buying or receiving personal information through the trackers in violation of Civil Code § 1798.100(d) (including contract terms that mandate certain privacy protections limiting third party use of personal information they receive). Further, Bonta alleged Healthline misled consumers by displaying a cookie banner that purported to allow consumers to disable advertising cookies but failed to do so. Bonta alleged, inter alia, these violations of the CCPA also violated the UCL, Business and Professions Code § 17200 et seq.

The proposed settlement requires Healthline to: (1) pay $1.55 million in civil penalties; (2) implement a CCPA compliance program; (3) cease sharing and/or selling personal information combined with information that allows the recipient to determine what specific diagnosed medical condition information a consumer is viewing (with certain exemptions under the CCPA); (4) provide a CCPA-compliant notice concerning its disclosure of consumers’ personal information is disclosed for advertising purposes; and (5) timely process opt-out requests.

Our Take

The California AG’s investigation is notable because it demonstrates the evolution of the California regulatory regime under the CCPA. Superficial compliance is no longer sufficient. Instead, regulators are looking beyond the cookie banners and digging into the complexities of processing activity and how businesses are actually using consumer data.

One intriguing aspect of the California AG’s investigation is the application of consumers’ reasonable privacy expectations to allege a violation of the “purpose limitation principle.” Bonta appears to view the sale of consumers’ health-related searches and viewing history to third parties as problematic — independent of Healthline’s alleged failure to hone consumer opt-out choices.

This proposed settlement serves as a critical reminder for businesses to carefully consider their personal information processing practices with an eye toward consumers’ reasonable expectations. Moreover, simply having a mechanism to effectuate consumer choices and data subject rights is not adequate if the mechanisms do not work properly. “Set it and forget it” appears inadequate if privacy controls aren’t functioning the way they are supposed to, or changes make previously operational controls inoperable. Regulators are happy to “look under the hood” and can do so without interacting with or seeking permission from website owners.

Ultimately, businesses should consider running scans and assessments to understand their data flows and test the efficacy of their data subject rights processes. Privacy notices, cookie policies, and other disclosures and interfaces should be regularly verified to confirm accuracy and to avoid allegations of misrepresentation or deceptive trade practices. Businesses must balance compliance (and the risk of regulatory scrutiny) with the potential negative impact of mechanisms that limit transfers through business-critical trackers.

Troutman Pepper Locke State Attorneys General Team

Ashley Taylor – Co-leader and Firm Vice Chair
Ashley is co-leader of the firm’s nationally ranked State Attorneys General practice, vice chair of the firm, and a partner in its Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He helps his clients navigate the complexities involved with multistate attorneys general investigations and enforcement actions, federal agency actions, and accompanying litigation.
Clay Friedman – Co-leader
Clay co-leads the firm’s State Attorneys General practice and is nationally ranked by Chambers USA for AG Government Relations and in Best Lawyers for Advertising Law. He has dedicated his entire career to state attorney general and federal work, serving for nearly a decade in a senior role and more than 25+ years in private practice. Clay focuses his practice on helping industry-leading companies mitigate the risks associated with state and federal regulatory investigations and associated litigation.
Chris Carlson
Chris advises clients on regulatory, civil, and criminal investigations and litigation. With a background as an assistant attorney general, he provides practical guidance to clients with matters involving state attorneys general and federal regulatory agencies.
Lauren Fincher
Lauren has vast experience handling state attorneys general investigations, navigating complex regulatory compliance matters, and providing strategic counsel in enforcement actions across various industries. She helps clients manage high-stakes regulatory matters and guides them through complex legal landscapes.
Stephen Piepgrass
Stephen leads the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, representing clients in single and multistate enforcement actions, including inquiries and investigations, as well as litigation involving state attorneys general and other state and federal governmental enforcement bodies. He has significant experience handling actions with federal agencies, including the CFPB and FTC, as well as single plaintiff and class action litigation for clients in highly regulated sectors such as financial services, health care, pharmaceutical, and education.
Michael Yaghi
Mike handles high-profile state attorneys general, FTC, and CFPB investigations by advising clients through these complex government inquiries. He assists clients through the entire life cycle of investigations, from regulatory enforcement through formal litigation.
Samuel E. “Gene” Fishel
Gene is a former regulator with two decades of experience who has overseen state privacy and cybersecurity regulation enforcement, led national, multistate attorneys general privacy investigations, and prosecuted computer crimes at the state and federal levels. He has served at the forefront of state attorney general and federal enforcement, and utilizes this experience to proficiently represent client interests.
Jay Myers
Jay assists clients in heavily regulated industries, including health care, energy, insurance, emerging industries, and data privacy. He provides both regulatory legal advice and government relations strategies. Jay’s past and current clients include Fortune 10 companies, startups, nonprofits, industry associations, and advocacy groups. Recognizing that state government matters are often complex and multifaceted, he utilizes regulatory guidance, government advocacy, or both in tandem to deliver tailored solutions for each client’s unique needs.
Jessica Birdsong
 Jessica is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice Group. She received her J.D. from the University of Richmond School of Law, magna cum laude, where she served as associate articles editor of the Journal of Law & Technology.
Blake R. Christopher
Blake collaborates with clients on matters related to government contracting, investigations, and disputes. His senior-level government experience generates valuable insights and strategies for clients across a variety of industries.
Nick Gouverneur
Nick is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice Group. He received his J.D. from the University of Illinois College of Law, where he served as a member of the Journal of Law, Technology & Policy.
Troy Homesley
Troy is an accomplished litigator who has represented and defended clients across a wide range of complex, high-stakes disputes at both the trial and appellate levels. He has represented technology companies, business executives, law firms, investment funds, high-ranking federal officials, international non-profits, and asylum seekers. Troy draws on his broad litigation experience to advise clients before litigation arises, while claims are pending or threatened, and leading up to and through trial and appeals.
Natalia Jacobo
Natalia is an associate in the firm’s Regulatory Investigations, Strategy and Enforcement (RISE) practice, based on the West Coast. She routinely counsels clients on a variety of state and federal regulatory matters, with a particular emphasis on consumer protection and data privacy matters.
Namrata Kang
Namrata (Nam) is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, based in the Washington, D.C. office. She routinely advises clients on a wide variety of state and federal regulatory matters, with a particular emphasis on state consumer protection laws relating to consumer financial services and marketing and advertising. Nam’s experience transcends multiple industries, including financial services, telecommunications, media, and sports betting.
Michael Lafleur
Michael is an associate in the firm’s Regulatory Investigations, Strategy, and Enforcement Practice Group. Based out of the firm’s Boston office, Mike has deep experience in litigation, investigations, and other regulatory matters involving state-level regulators and state attorneys general.
Philip Nickerson
Philip represents clients in sectors such as financial, tech, real estate, and energy in a range of litigation matters. He is experienced in matters involving trade secrets, government investigations, commercial contracts, construction and product defect.
Lane Page
Lane specializes in federal and state regulatory investigations and complex civil litigation. He focuses on representing financial institutions and other businesses, with a particular emphasis on consumer protection and fair lending issues.
Dascher Pasco
Dascher is an attorney within the Regulatory Investigations, Strategy, and Enforcement practice, based in the Richmond office. She joined our firm after working in personal injury and medical malpractice for a Virginia trial law firm. Dascher brings varied legal experience to the firm with strong litigation and regulatory strategy capabilities.
Kyara Rivera Rivera
Kyara is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice Group. She received her J.D. from the University of Richmond School of Law, cum laude, where she served as publications and online editor of the Public Interest Law Review.
Timothy Shyu
Timothy is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice Group.
Trey Smith
Trey focuses his practice on representing and advising regulated utilities before state public utility commissions. He routinely helps clients obtain certificates of public convenience and necessity for transmission infrastructure. In this role, Trey works with his clients’ subject-matter experts to manage administrative proceedings, including by preparing initial filings; responding to discovery requests; drafting rebuttal testimony; and litigating any disputed issues.
Daniel Waltz
Dan helps clients navigate all aspects highly regulated relationships between industry participants and federal, state and local governments. Whether engaging with regulators, negotiating transactions or representing clients in the courtroom, he delivers solutions that help his clients achieve their strategic goals.
Cole White
 Cole is a member of the firm’s Regulatory Investigations, Strategy and Enforcement (RISE) group. He has a decade of experience working in the attorney general community, having joined the firm from the Wyoming Office of the Attorney General, where he was assistant attorney general.
Stephanie Kozol
Stephanie is Troutman Pepper Locke’s senior government relations manager in the state attorneys general department.
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of David Navetta David Navetta

David advises clients on all aspects of technology and data law, including data privacy, information security, artificial intelligence (AI), financial reporting, data governance, technology-related transactions, and data monetization and use.

Read more about David Navetta
Photo of Bianca Nalaschi Bianca Nalaschi

Bianca brings extensive experience in data privacy, cybersecurity, and litigation. She develops incident response strategies tailored to unique client objectives, coordinates with third-party experts to determine the nature and scope of cybersecurity events, and counsels clients on compliance with state, federal, international, and…

Bianca brings extensive experience in data privacy, cybersecurity, and litigation. She develops incident response strategies tailored to unique client objectives, coordinates with third-party experts to determine the nature and scope of cybersecurity events, and counsels clients on compliance with state, federal, international, and contractual legal obligations. Bianca has represented clients in third-party liability actions, from pre-suit through case resolution.

Read more about Bianca Nalaschi
Show more Show less
Photo of Daniel Waltz Daniel Waltz

Daniel is a member of the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and State Attorneys General team. He counsels clients in connection with navigating complex government investigations, regulatory compliance, and transactions, involving state and federal government contracting obligations. Drawing on

Daniel is a member of the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and State Attorneys General team. He counsels clients in connection with navigating complex government investigations, regulatory compliance, and transactions, involving state and federal government contracting obligations. Drawing on his broad experience as a former assistant attorney general for the state of Illinois, Daniel is a problem solver both inside and outside the courtroom.

Read more about Daniel Waltz
Show more Show less
Related Posts
 California Privacy Protection Agency Announces Multistate Sweep Targeting GPC Compliance
September 11, 2025
 California AG Announces Investigative Sweep Targeting Geolocation Data
April 15, 2025
TPL_RegOversightBlog1200x600_StateAG_2025YIR
2025 State AG Year in Review
January 20, 2026