By Mason Fitch and Kate Black
The California Attorney General’s Office (“OAG”) announced an enforcement action against Healthline.com on July 1 that marks a significant development in California Consumer Privacy Act (CCPA) enforcement. This action, accompanied by the largest fine under CCPA yet at $1.55 million, highlights critical areas of consideration for any company engaging in the advertising ecosystem as well as any company that processes sensitive personal information.
Healthline is a popular website that hosts articles on various health conditions. According to the OAG’s complaint, Healthline collected browsing activity that constituted personal information and then disclosed the information via tracking technology with a litany of third-party advertising partners. The enforcement action is noteworthy because it:
marks the first use of the CCPA’s purpose limitation requirement, a significant development in enforcement tools;
raises a series of issues to consider with respect to sharing personal information with third parties, from a business’ own implementation considerations to critical contract terms; and
is yet another datapoint to consider when defining what constitutes sensitive personal information, especially with respect to browsing activity.
We’ll discuss each in turn below.
(1) Purpose limitation is on the privacy enforcement menu.
To date, most OAG CCPA enforcement actions have focused on more narrow issues that do not address the substantive question of data use. For example, whether a disclosure was made, or whether a certain control was available to users. This enforcement shows the CCPA’s teeth with respect to the use of personal information for certain purposes. The CCPA’s “purpose limitation” principle states:
“A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.”
The CCPA regulations clarify that, under this principle, secondary uses must be consistent with the “reasonable expectations of the consumer.” A number of factors are used to determine this, including the nature or sensitivity of the personal information, the “specificity, explicitness, prominence, and clarity of disclosures,” and the degree to which third parties’ role in processing that data is evident to the consumer.
The OAG used this use limitation principle to argue that processing data collected via Healthline’s tracking technology—including views on web pages with titles such as “Newly Diagnosed with HIV? Important Things to Know”—violated the use limitation requirement and therefore violated the CCPA. The requirement was violated in two ways:
When Healthline.com disclosed “health-related data” for advertising and,
When Healthline.com disclosed personal information to third parties in order for the third party to create health-related inferences based on articles a consumer read.
Both of these uses were unexpected, according to the complaint, and therefore violated the use limitation principle.
The OAG did not allege that this browsing activity was sensitive data under the CCPA despite it being “health-related data.” However, the enforcement action does make it clear that the more sensitive the information shared, the less evident it would be to the average consumer that their information would be shared, especially for advertising purposes. Therefore, businesses should expect the OAG to more strictly limit the secondary use of sensitive types of personal information, whether defined under the CCPA as sensitive personal information or not.
The OAG’s novel use of this provision of the CCPA should be taken note of by any business subject to the CCPA. Businesses that engage in behavioral advertising in particular should perform purpose limitation analyses on their secondary uses and document their assessment justifying those secondary uses. This is especially critical for any business processing sensitive (or adjacent) personal information.
(2) Vendor and cookie contract management is not easy—nor should it be ignored.
At first look, Healthline’s website appeared to offer CCPA-compliant sharing and selling controls: the company had a Do Not Sell link on their site, claimed to respond to Global Privacy Control Signals, and, though not required (or often advisable), had a pop-up asking users to accept their privacy policy.
The OAG didn’t stop at accepting facial compliance. The investigators evaluated the efficacy of the controls. According to the complaint, Healthline’s controls weren’t actually effective, and personal information was still disclosed to advertising partners post opt-out. The complaint suggested—but did not specifically allege—that investigators were shown personalized ads using personal information from Healthline after they opted out via all three controls.
The allegations surrounding Healthline’s tracking technology controls—namely, that third-party advertising partners continued to receive and use data after individuals opted out—seems basic, but implementation requires constant upkeep. The intersection between cookie controls and contract terms is of particular note in this action. Incorporating the correct contract terms for third party data sharing is critical. Additionally, overreliance on plug-and-play solutions may lead to trouble, and cookie management programs need to regularly evaluate the efficacy of privacy controls.
According to the complaint, Healthline sent a “U.S. Privacy String” to its advertising vendors that should have communicated consumers’ opt-out from the sale or sharing of their personal information. Upon receipt of that string, vendors should not use that personal information where use would constitute a sale of personal information to the vendor. But as this enforcement action demonstrates, simply sending the privacy string to vendors is insufficient.
CCPA includes a safe harbor provision that shields businesses from liability when they pass a privacy string along to a third party and the party fails to adhere to the limitations associated with the string. The safe harbor only applies, however, when the business “does not have actual knowledge, or reason to believe, that the [recipient]” intends to not adhere to the privacy string. Here, the OAG claimed the safe harbor does not apply to Healthline because their contracts did not require third parties to adhere to the privacy string. Had the appropriate contract terms been in place, it’s likely the company would have met the safe harbor provision.
This enforcement action is an important reminder to businesses that advertising contracts—often presented as non-editable by opposing parties—need a hard look and should not be accepted off the shelf without thorough analysis.
(3) Sensitive personal information is still hard to define, for businesses and regulators
The OAG used phrases that should ring alarm bells. They described the data disclosed by Healthline as "highly intimate," "health-related," "potential health information," and "referencing current diagnoses of serious diseases.” There is one phrase, however, that was never used in the complaint: sensitive personal information. There was also never a reference to California’s Right to Limit Use and Disclosure of Sensitive Personal Information, which allows consumers to limit use of their sensitive personal information to a defined set of purposes.
California defines sensitive personal information, in relevant part, as personal information that reveals “personal information collected and analyzed concerning a consumer’s health.” Surely “highly intimate” and “health-related” information “referencing current diagnoses of serious diseases” would fall within that definition?
Apparently not, at least in this enforcement action. It’s unclear why the OAG declined to address this in their complaint. It could be that they were worried about a statutory challenge, similar to what happened with the Department of Health and Human Services’ attempt to classify health-related browsing on unauthenticated webpages as Protected Health Information. That attempt was overturned in court. Perhaps they felt that they had a better case under the use limitation principle (California, unlike most other states with comprehensive privacy laws, does not require consent to process sensitive personal information) and did not need to raise the protections specific to sensitive personal information.
In any case, this enforcement action leaves businesses without additional direction or guidance regarding how to draw the line on what constitutes sensitive personal information. For Healthline, the lines are fuzzy: whereas in the familiar line of FTC cases there was a direct tie to a health condition, we now have a CCPA action where simply viewing an article is at least “health-related,” but not conclusively sensitive personal information.
While the OAG did not mention sensitive personal information in the complaint, they did address it in the proposed order with Healthline. The order includes a prohibition on disclosure of sensitive personal information for advertising purposes without providing notice that “clearly states that it uses and discloses” consumer’s “sensitive personal information for advertising purposes.” This is separate from the order’s outright prohibition on disclosing consumers’ browsing activity on “diagnosed medical condition article[s].”
The OAG’s approach on this may be confusing, but the message is clear: the lines drawing the definition of sensitive data are ever-moving, and regulators will continue to direct their focus on sensitive personal information—or, in this case, “health-related” personal information that does not meet the definition of sensitive personal information.
What businesses need to do
This is an important enforcement action that introduces new tools to regulators’ toolchest. If your business falls in scope of the CCPA, you need to:
Incorporate a purpose limitation test into your current privacy program, particularly with respect to the disclosure of personal information with advertising partners, and especially if it involves sensitive personal information or personal information relating to sensitive topics;
Perform regular audits of all privacy controls, including do not sell controls and opt outs of targeted advertising, and make sure the end-to-end process works as expected;
Audit contracts with all third parties to whom your business sells personal information to and make sure there are terms that prohibit the further use or sale of personal information upon a consumer’s opt out; and
Continue to re-evaluate how to define sensitive personal information and adjust the definition to incorporate this new data point.
Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on global privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.
Mason Fitch is Of Counsel at Hintze Law PLLC and a member of the firm’s Health & Biotech Team.
Kate Black is a Partner at Hintze Law PLLC and is chair of the firm’s Health and Biotech Privacy Group, and co-chair of the Regulatory Defense Group, and Artificial Intelligence and Machine Learning Group.