Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
Earlier this month, the California Office of the Attorney General announced a USD1.55 million settlement with Healthline Media.
Pending court approval of the agreed terms, this is the largest financial settlement to date under California's consumer privacy law.
To use advertisement industry lingo, this is a case about a publisher. The company's website, Healthline.com, is a platform "dedicated to making health and wellness information accessible, understandable, and actionable so that readers can make the best possible decisions about their health."
This is notable because the last major settlement from the California attorney general, Sephora, was concerned with the opposite end of the ad chain, a company advertising its products across the web. The Healthline complaint points out that though the rules are different for retailers and publishers, some of the lessons are quite similar. Specifically, "Businesses' over-reliance on vendors, outdated boilerplate contracts, and deprecated privacy signals can result in violations of the law, leading to substantial penalties."
IAB's Michael Hahn recently wrote an op-ed for IAPP exploring the takeaways from this case for the ad industry, chief among them the importance of properly configuring cookie settings and verifying the compliance of downstream providers with their representations, including their compliance with industry standards.
This is also a case about sensitive data. Health data is sensitive data in the U.S. and thus, under every comprehensive consumer privacy law except California, consumers must consent to the processing of health information. Instead, California's unique approach still requires companies — including publishers — to allow consumers to limit the use of their sensitive data and opt out from it being shared or sold to third parties.
However, according to the complaint, Healthline was not focused on collecting the sensitive health data of the visitors to its website. As the attorney general describes, "The company generally does not solicit health information from website visitors, like diagnoses or medications, and is not a healthcare provider that would otherwise have to comply with health privacy laws. Visitors to the site need not log in to read Healthline’s information articles."
Though this approach may not have been directly focused on monetizing website visitors' health information, it also, perhaps ironically, created a context in which consumers are more likely to expect a high level of privacy and anonymity.
Still, site visitors could reveal their interests and create the possibility of sensitive inferences about their health based on the articles they visited on the site. This alone likely did not trigger the requirements for sensitive data under California's privacy law. States have many different requirements for what constitutes health or health-related data within their sensitive data definitions. California's definition is distinctive in that it is triggered only when data "concerning a consumer’s health" is both collected and analyzed.
Perhaps Healthline was not analyzing the health data of its website visitors, but from the attorney general's perspective, the company was still sharing too much information with third parties. The argument in the complaint is a strong echo of the recent line of health cases from the U.S. Federal Trade Commission. Just as in the cases against BetterHelp and Monument, Healthline here is accused of sharing user information in a context that allowed third parties to make potentially sensitive and medically relevant conclusions about the users of the service.
According to the complaint, Healthline passed the titles of articles its website visitors were reading to its ad network partners, allowing advertisers to later target those consumers with ads for the health conditions they had been researching.
Such behavior violates what I have previously described as the gossip test for sensitive data. If sharing a fact about someone would be gossip-worthy in a small town or on a daytime TV show, it is likely regulators will have concerns about wantonly sharing that information with third parties.
The parallels in the operation of law here are as interesting as the parallels in the facts. In the FTC context, health-related websites have engaged in practices that are allegedly inconsistent with consumers' privacy expectations, running afoul of the FTC's unfairness jurisdiction, even if the company described the relevant practices in its privacy policy. When surprise can potentially lead to privacy harms, unfairness bells start ringing.
Under the CCPA, the attorney general claims a similar rule applies. Even if a company like Healthline includes a general disclosure about the use of collected information for targeted advertising in its privacy policy, it should make sure the purposes for which personal data is processed are consistent with the "reasonable expectations of the consumer." If privacy policy language alone will not bring consumer expectations in line with actual practices, companies should embrace enhanced efforts either to change their practices or to shift expectations through more rigorous disclosures and choice mechanisms.
As the complaint puts it, "Thus, the law provides that invisibly sharing data of a more intimate nature to third parties, briefly alluded to in a privacy policy, may be unlawful when consumers would not expect that to happen. The law further provides that even detailed privacy disclosures regarding other intended uses of data may violate the principle if the disclosed purposes differ substantially from the consumer’s reasonable expectations."
This interpretation does not come from the bare statute, but from its implementing regulations, which include a five-point test for how to assess the reasonable expectations of consumers. With the clarifying regulations in place, the attorney general takes an expansive view of the operation of the purpose limitation principle under the CCPA.
Disclosures should properly set consumer expectations. Surprises lead to regulator scrutiny, especially when they relate to sensitive aspects of consumers' lives. This is not a new idea, but it is new for it to serve an outcome-determining role in a consumer privacy enforcement action.
Perhaps the principle of data minimization is alive and well in California after all.
Please send feedback, updates and reasonable expectations to cobun@iapp.org.
Cobun Zweifel-Keegan, CIPP/US, CIPM, is the managing director, Washington, D.C., for the IAPP.
This article originally appeared in The Daily Dashboard and U.S. Privacy Digest, free weekly IAPP newsletters. Subscriptions to this and other IAPP newsletters can be found here.