CCPA Settlement, UCPA Case, and International Compliance Trends

Want to receive these privacy recaps in your inbox each week? Subscribe here.

United States

California AG Settles with Healthline Media Over Alleged CCPA Opt-Out Violations

Attorney General Bonta announced a $1.55 million settlement with Healthline Media LLC over allegations that the healthline.com website publisher violated the California Consumer Privacy Act (CCPA) and California’s unfair competition law. The complaint alleges that Healthline failed to allow consumers to opt out of the sharing of personal information (including titles of articles, such as “You’ve Been Newly Diagnosed with MS. What’s Next?”, suggesting that the reader may have a serious health condition) with third parties for targeted advertising, failed to have required contracts in place with third-party recipients of the information, and failed to limit the use of personal information to what is reasonably necessary or proportionate to achieve the purposes for which the date was collected, and offered a cookie banner that purported to allow consumers to disable advertising cookies but failed to do so.  In addition to the monetary settlement, Healthline will be banned from sharing article titles with third parties revealing that a person may have already been diagnosed with a medical condition.

TAKEAWAY

The following are two particularly notable aspects of the complaint in this case: 

• Analysis of Healthline’s reliance on the IAB “U.S. Privacy String” to communicate opt outs to non-signatory third parties. The complaint lays out that, although Healthline was a signatory to the IAB’s contractual framework binding other signatories to CCPA-mandated terms, not all of the third parties to whom Healthline shared personal information were signatories to the contractual framework, and Healthline’s independent contracts with those other third parties didn’t always contain the CCPA-mandated terms or contractually bind the third-party recipient to take any specific action or inaction when receiving opt outs via the IAB U.S. Privacy String. The complaint said that “Healthline should have confirmed in clear contractual language, and not merely assumed, that the third parties it provided opted-out consumers data to would honor the privacy string and abide by [the CCPA] by not further selling or using opted-out consumer data”. As remedial measures, Healthline reportedly undertook an extensive manual review to identify all relevant trackers and disable all sales and sharing through online trackers to third parties that did not have contracts that complied with the CCPA’s requirements.

• Analysis of the “reasonable expectations of the consumer”. One of the arguably more subjective (and thus less understood) requirements under the CCPA is for companies to limit their use of personal information to only “the purposes for which the [data] was collected” or “for another disclosed purpose that is compatible with the context in which [data] was collected”. The regulations’ attempt to clarify that requirement says that the purposes “shall be consistent with the reasonable expectations of the consumer” and provides factors to consider, such as the “nature” of the personal information, the “specificity, explicitness, prominence, and clarity of disclosures”, and the “degree to which the involvement of service providers, contractors, third parties, or other entities in the collecting or processing of [the data] is apparent to the consumer”. The complaint in this case alleged that Healthline violated that requirement because Heathline’s privacy policy never mentioned sharing article titles (even though it did briefly mention targeted advertising), and consumers would not see the sharing of the titles (which occurred only in the digital background), so Healthline “could not establish that consumers reasonably expected that Healthline would share potentially health-related data, as the purpose limitation requires.”  

Utah AG Sues Snap over Alleged Privacy Violations

The Utah Attorney General filed a complaint against Snap Inc. alleging, among other claims, violations of Utah’s comprehensive privacy law, the Utah Consumer Privacy Act (UCPA). Specifically, the complaint alleges that Snap:

• Permitted users under 13 to use My AI (including by asking for more information even after users indicated they were under 13) without parental notice or consent. 

• failed to give consumers material information about the processing of their personal data, in particular by failing to disclose the sharing with OpenAI of conversation data users provide to Snapchat’s My AI feature, and conversely stating in its privacy policy that it does not share private communications with service providers;

• failed to provide consumers with any clear notice or ability to opt out of the sensitive data (including geolocation data and biometric data such as speech and voice data) collected through Snapchat’s My AI feature; 

TAKEAWAY

Although not all of the claims are specific to children, the press release from the AG’s office indicates the platform’s young audience as a primary motivator for the lawsuit, which also included claims regarding alleged addictive features of the platform, highly sexual material in areas of the platform designated for teens, and lack of safety protocols in the My AI feature to prevent giving inappropriate advice to underage users. 

A LITTLE MORE PRIVACY, IF YOU PLEASE

• Colorado’s Privacy Amendment Regarding Biometric Data Takes Effect
• Spain Releases a 2025 Privacy Enforcement Report, Showing a 30% Complaint Uptick

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.