California's Attorney General Imposes Record-Breaking Fine in Latest CCPA Sanctions

Healthline faces a $1.55M fine from California's Attorney General due to CCPA violations, particularly involving mismanaged health data and inadequate privacy conditions. Ensuring compliance continues to be a main focus for companies.

Large fine levied by California's Attorney General in the latest enforcement action under the California Consumer Privacy Act (CCPA)

The California Attorney General (CA AG) has issued a record-breaking $1.55 million settlement with Healthline, the largest settlement under the California Consumer Privacy Act (CCPA) to date. This action comes amid growing regulatory attention on targeted advertising and the disclosure of sensitive information for such purposes.

The settlement, which surpasses the previous record of $1.2 million paid by Sephora in 2022, highlights several key takeaways regarding privacy protections under the CCPA.

**Purpose Limitation Requirement and Health Information**

Healthline, a health information company, allegedly violated the CCPA by failing to limit the use of personal data to specified purposes. The settlement addresses concerns about sharing health-related information, which is particularly sensitive and protected under privacy laws.

**Targeted Advertising**

Healthline also failed to honour opt-out requests for targeted advertising, allowing personal data to be used despite consumer objections. The settlement includes a novel term prohibiting Healthline from sharing article titles that could reveal a consumer's medical condition, effectively banning certain data transmissions.

**Contractual Oversight with Third-Party Advertising Partners**

Healthline was criticized for not including required data protection provisions in contracts with service providers and third-party advertisers. This failure to implement proper contractual measures led to unauthorized data sharing, violating CCPA requirements.

**Size of the Penalty**

The significant penalty underscores the seriousness with which California treats privacy violations, emphasizing the importance of compliance with CCPA regulations. Companies that process sensitive data, such as health information, should be particularly focused on these developments.

This settlement is a reminder that CCPA compliance should continue to be an area of priority for companies. As regulatory bodies become more active in enforcing privacy laws, companies that process health data or information that can reasonably be associated with health data should be aware of the increased scrutiny they may face.

The settlement follows a series of notable enforcement actions by the CA AG's office against Sephora, DoorDash, and Tilting Point Media. It also comes in the wake of broader CCPA investigative sweeps, including recent efforts focused on the location data industry.

The California Privacy Protection Agency has recently announced its first enforcement action under the CCPA and has been actively enforcing the state's data broker registration law. These actions signal that CCPA compliance should remain a top priority for businesses operating in California.

[1] California Attorney General's Office, Press Release, Healthline Agrees to Pay $1.55 Million to Settle Allegations of Violating California Consumer Privacy Act (CCPA) (14 April 2023)

The settlement imposed on Healthline demonstrates the potential consequences of failing to adhere to the Purpose Limitation Requirement as stipulated in the California Consumer Privacy Act (CCPA), especially when dealing with sensitive health information. This incident could lead to litigation, prompting companies to prioritize cybersecurity law, particularly in the data, cloud computing and technology sectors. Additionally, the case stresses the significance of contractual oversight with third-party advertising partners to prevent unauthorized data sharing, thus ensuring compliance with CCPA regulations.
