CCPA Settlement Signals Focus on Web Tracking Health Data

In June 2025, California Attorney General Rob Bonta filed a proposed settlement with Healthline, a health information website, for its handling of personal information under the California Consumer Privacy Act (CCPA). Specifically, Healthline utilized web tracking technologies, failed to allow users to opt out of such technologies from gathering data on their web activity, and sold that data, including the specific titles of articles visited by users, to third parties. Bonta’s position is that these article titles, when paired with users’ personal data, have the capacity to indicate users’ medical diagnoses. Under the settlement, Healthline will pay $1.55 million in civil penalties and will be subject to certain injunctive terms relating to the linking of user data to article titles. 

Web Tracking Enforcement Trends 

California is not alone in its desire to regulate data collected from web tracking technologies on health-related websites, and the state’s analysis in this settlement is reflective of recent federal-level guidance. In December 2022, the Department of Health and Human Services (HHS) published a bulletin that details how the Health Insurance Portability and Accountability Act (HIPAA) applies to data collected from web tracking technologies. More specifically, the bulletin explains that when a HIPAA-regulated entity collects information through a website or mobile app, the individual is automatically connected to that entity and that connection is indicative that the individual has received or will receive health care services or benefits from the covered entity. Thus, when such data is sold or otherwise disclosed to a third party, it qualifies as an unauthorized disclosure in violation of HIPAA. This is the same rationale that Bonta used to enforce CCPA. 

However, this position has not been wholly accepted. Initially, the HHS guidance applied broadly to all websites, including unauthenticated websites that do not require a username and password. On June 20, 2024, the U.S. District Court for the Northern District of Texas issued an order declaring the HHS guidance unlawful and vacating this portion of the guidance. In light of that order, HHS is evaluating next steps, signaling a continued interest in enforcing against this kind of practice.

What to Expect 

California is the first state to adopt the federal government’s analysis that web tracking technologies on health-related web pages implicitly create health-related data for its users. We anticipate that other states, especially those with health privacy laws, may follow suit. As states and the federal government continue to pursue enforcement in this area, hosts of health-related web pages should refrain from selling or otherwise disclosing web tracking data that is tied to individual users. Goodwin’s Healthcare and Data, Privacy & Cybersecurity lawyers will continue to monitor changes in regulatory action and enforcement. 

 

This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.