On 1 July 2025, California Attorney General Rob Bonta entered into a USD1.55 million settlement with Healthline Media over accusations the publisher of health articles violated the California Consumer Privacy Act. Heralded as the largest CCPA settlement to date, the case illustrates the potential pitfalls for publishers that misrepresent their opt-out controls and data sharing practices.
The allegations in Healthline will be familiar to observers of privacy enforcement cases in recent years in the U.S. First, the attorney general alleges that Healthline's opt-out tools and consent banner did not always work properly, allowing the sale of personal information for targeted advertising even after a consumer submitted an opt-out request. Second, the attorney general found that Healthline's contracts with third parties did not include the mandatory contract language required by the CCPA. Third, the attorney general emphasized Healthline sold health-related information to third parties derived from the titles of the pages they viewed, such as "Newly Diagnosed with HIV? Important Things to Know," which the complaint alleges consumers did not expect.
Taken together, the case serves as a warning about what happens when a publisher fails to appropriately implement consumer opt-out requests or ensure that its downstream partners do the same. Regulators are making it clear they will scour contracts and leverage technical expertise to analyze data flows and consent management tools in search of potential violations.
What's also instructive is the attorney general's focus on Healthline's alleged failure to fully comply with IAB Privacy's Multi-State Privacy Agreement, of which the company was a signatory. The allegations outlined in the complaint, taken as true, amount to several breaches of the MSPA. According to the attorney general, Healthline assumed but never verified its ad partners were MSPA signatories and also misused the privacy signals required by the MSPA. The implication is that Healthline's failure to meet its MSPA obligations led directly to CCPA violations. Also important is the remedy, where the attorney general specified how Healthline could come back into CCPA compliance with the MSPA.
Here are some key takeaways from this significant development.
California regulators are serious about enforcing CCPA's mandatory contract requirements
In the Honda and Todd Snyder cases, the California Privacy Protection Agency made clear its priority that companies enter into contracts with the mandatory privacy protection language required for service providers and third parties pursuant to CCPA Section 1798.100(d) and CCPA Regulations Sections 7051 and 7053. In Healthline, too, the California attorney general explained that it "checked Healthline's contracts with advertising companies that received Healthline.com readers' data to see if they complied with the CCPA," referencing Section 1798.100(d). The succession of enforcement actions identifying a lack of contractual privity for sales of personal information should put everyone on notice that this requirement is not an empty one.
The MSPA satisfies CCPA's mandatory contract requirements
The attorney general found that several of Healthline's partners were not signatories to the MSPA, meaning the MSPA was not in effect for data provided to these partners. Thus, he reviewed Healthline's own contracts with those companies and found that they failed to adequately address CCPA requirements under Section 1798.100(d).
In particular, the complaint alleges that instead of listing the "'limited and specified purposes' for which the data may be used" as required under the CCPA, Healthline's contracts allowed its partners to use data for any business purpose, internal use, the purposes contemplated, or "as otherwise agreed to in writing by the parties." Other mandatory contract clauses under the CCPA were also "missing."
The contracts entered into by Healthline on its own accord contrast with the MSPA. The attorney general acknowledges in the complaint "the online advertising industry has developed a contractual framework that can supplement existing contracts with CCPA-mandated terms." The MSPA was developed as a set of privacy-protective terms, including contract terms from Section 1798.100(d), that spring into place among a network of digital advertising industry signatories and certified partners. These protections follow personal information as it flows through the digital advertising supply chain.
Consistent with Section 1798.100(d), the MSPA lists the "limited and specified" permissible purposes for which signatories and certified partners may process data — called "Digital Advertising Activities." These purposes include third-party segment creation, first-party advertising, frequency capping, targeted advertising, negative targeting, measurement, market research to generate campaign insights, ad fraud detection, and ad viewability. Signatories agree not to process California consumer data for third-party segment creation or targeted advertising for opted-out consumers.
The settlement notably provides that Healthline can still choose to leverage the MSPA to address CCPA's contractual requirements, but must "annually review any applicable signatory list or partner certification to verify that any third parties or service providers using that contractual framework continue to be part of that framework."
Healthline illustrates the value of a common signaling framework in the digital advertising industry
Furthermore, the complaint alleges Healthline utilized the U.S. Privacy Signal to communicate consumer opt-out requests to its partners, despite these partners not being MSPA signatories and having not entered into any other contract that addressed how they would respond to such a signal.
According to the attorney general, Healthline "should have confirmed in clear contractual language, and not merely assumed, that third parties it provided opted-out consumers data to would honor the privacy string." In failing to do so, the complaint alleges that Healthline ceded available liability protections in CCPA Section 1798.135(g) for businesses that send an opt-out signal without actual knowledge, or reason to believe, the recipient intends to commit a CCPA violation.
The complaint illustrates the value of a common signaling framework to communicate consumer privacy choices, including opt-out requests, and the availability of the liability protections built into the CCPA. The IAB's approach with the MSPA is to bind signatories and certified partners to a common signaling protocol in the form of the MSPA U.S. National String or state-specific strings, which are communicated via the IAB Tech Lab's Global Privacy Protocol and governed by a set of IAB Privacy's technical signaling implementation guidelines, which are incorporated into the MSPA.
Users of this signaling protocol communicate to other MSPA signatories not only the end consumer's opt-out preference, but also critically that the MSPA is applicable in the first instance, i.e., confirming the parties are engaged in a covered transaction. This allows parties to the signal to speak in a common language that allows them to appropriately meet their privacy obligations.
IAB has warned of the potential pitfalls of non-signatories sending or receiving MSPA U.S. National String signals, including that parties to the transaction "run the risk of making material misrepresentations" and that "regulators such as the FTC and state attorneys general have previously enforced misleading certification advertising claims."
The MSPA also contractually prohibits signatories from sending MSPA-covered ad inventory to non-signatories, to avoid similar misrepresentations. The California attorney general's enforcement action in Healthline is yet another reminder that signatories must properly implement the MSPA in accordance with its contract provisions and ensure that their adtech partners and vendors are signatories before relying on the MSPA GPP to send opt-out signals. And most certainly, they should not be relying on the U.S. Privacy String, which the IAB Tech Lab deprecated in January 2024 and replaced with the GPP.
Healthline represents a warning to publishers, advertisers and adtech vendors: if they are MSPA signatories, they must comply with the MSPA's terms. It also represents a sigh of relief for them: the MSPA can be used to meet the CCPA's contractual requirements.
Michael Hahn is executive vice president and general counsel at IAB.