The California AG recently announced its fourth CCPA settlement and enforcement action against Healthline Media, LLC. The complaint and proposed judgment offer insights into the AG’s strict interpretation of certain CCPA compliance obligations and continued pursuit of certain enforcement priorities. The judgment highlights that:
- Regulators may not be sympathetic to the real-world technical and engineering difficulties of operationalizing opt-out mechanisms for “sales” and “sharing” of personal information;
- The California AG confirmed that common industry practices of informational resources and publications like Healthline do not make them healthcare providers or otherwise subject them to health or “sensitive” personal information privacy laws, enabling Healthline and similar businesses to continue offering valuable health and wellness information at no cost to the public;
- Regulators continue to be focused on contracts with vendors and business partners, notwithstanding the practical challenges of compliance.
First, the judgment clarifies that regulators demand consistent compliance on “sale” and “sharing” opt-out mechanisms, notwithstanding technical and engineering complications. Accordingly, businesses should regularly test and retest their sale/sharing opt-out mechanisms. Correctly and consistently implementing and maintaining these mechanisms is often difficult, complex, and labor-intensive, even with the assistance of available third-party tools. Indeed, the complaint recognized that Healthline had to undertake an extensive manual review, and ultimately remediated any alleged deficiencies, but that did not suffice.
The complaint alleged that Healthline’s sale/sharing opt-out mechanisms did not function as intended, noting that this action and the prior Sephora enforcement action “underscore that businesses that place or display online advertising must carefully review that their systems operate as intended and comply with California’s privacy laws.” Given potential technical difficulties in properly deploying opt-out mechanisms, businesses should regularly confirm that these mechanisms are functioning as intended and honoring consumer opt-outs.
Second, the judgment signals the AG’s view on websites that provide health-related information. Critically, the AG notes in the complaint that businesses like Healthline do not solicit health information from website visitors and are “not . . . healthcare provider[s] that would otherwise have to comply with health privacy laws.” The AG also clarifies that visitors to the site may be anonymous and may visit Healthline to learn about health and wellness information for themselves or others. Consistent with that approach, nowhere does the AG state that information collected by a site like Healthline is “sensitive personal information” under the CCPA, or that third-party recipients received any real-world information about a visitor’s health or had even actually inferred a diagnosis about any visitors.
In doing so, the judgment allows Healthline and countless similarly situated businesses to largely continue operating like any other informational website, which allows Healthline to continue providing a wealth of valuable curated health and wellness information to consumers at no cost. The settlement precludes Healthline from disclosing titles of a small list of articles available on Healthline that could “potentially” indicate a reader may have been diagnosed with a serious illness and that third-party advertising providers could “potentially” use to infer a diagnosis.
While the complaint states that Healthline adequately disclosed its data sharing and third-party advertising practices in its privacy policy, the AG suggests that the CCPA requires something more for uses of certain types of personal information that go beyond a consumer’s reasonable expectations. The complaint does not specify what that would be, or how to distinguish between expected and unexpected “potential” data uses made by third parties, but the AG takes the position that a business’s “sale” or “sharing” of personal information associating an individual with informational articles with titles that merely “potentially” indicate an illness could suffice to heighten obligations beyond privacy policy disclosures.
Third, the judgment clarifies that regulators will continue to scrutinize contracts with vendors and other recipients of personal information, demanding compliance even in the face of rapidly evolving privacy laws that frequently alter the requirements for such contracts. Businesses should thus review contracts to confirm they comply with existing requirements. The complaint discussed the importance of maintaining contracts with recipients of personal information “sales” or “sharing” that included contractual provisions mandated by the CCPA for “third parties.” Notably, the complaint appears to recognize that the online advertising industry’s contractual framework and privacy string for conveying consumers’ opt-out choices may suffice to meet these “third party” requirements.
The settlement provides informative lessons about the AG’s interpretation of CCPA obligations and enforcement priorities, and demonstrates that regulators can demand compliance regardless of practical challenges. For businesses that have not recently tested the functionality of their opt-out mechanisms or reviewed contracts, the time to do so is now.