Healthline’s Record-Setting CCPA Settlement: 5 Compliance Lessons for Every Website

Last week, the California Attorney General announced a settlement with Healthline.com for alleged violations of the California Consumer Privacy Act (“CCPA”).  This settlement is the largest CCPA settlement to date.  While the California Privacy Protection Agency is the agency usually associated with the CCPA, the AG’s office can also enforce the CCPA.

Five things to know about California's complaint against Healthline for CCPA violations:

  1. "The Attorney General tested Healthline's opt-out mechanisms and found they did not work correctly" -- California is testing websites to make sure they are following the rules.  It is imperative to make sure your site actually does what its privacy policy and opt-out controls say it does.

  2. "Healthline had not ensured its advertising contracts contain privacy protections for readers' data required by the CCPA." -- This is not the first complaint to accuse a company of failing to ensure its contracts had adequate protections.  Again, review your contracts and make sure the proper precautions are being taken around consumer privacy.

  3. "...an investigator working on online advertising investigations, including Healthline.com, began receiving both streaming TV and podcast ads for drugs treating conditions he does not have, after visiting webpages relating to those conditions." -- A consumer needs to be able to opt out of any "cross-context behavioral advertising," the CCPA's term for advertising targeted based on a consumer's activity across unrelated sites and services.

  4. "Healthline shared data of a potentially highly intimate nature - article titles suggesting a possible medical diagnosis - with unseen advertisers and their vendors." -- While Healthline's privacy policy "discussed targeted advertising briefly", the complaint alleged that because the policy didn't discuss sharing article titles, consumers would not have reasonably assumed this information would be shared with advertisers.  Privacy policies need to clearly lay out what information will be shared and with whom it will be shared.

  5. "Healthline found a misconfigured opt-out mechanism" -- This is so common.  Website operators should regularly check to ensure that their opt-outs are properly configured.

Additionally, the proposed settlement with Healthline established a compliance program for Healthline to maintain.

What does a robust privacy compliance program look like if you are dealing with sensitive personal information?

The proposed settlement agreement between California and Healthline offers some clues:

  1. The implementation and maintenance of a program to assess and monitor whether the company is effectively processing consumers' requests to opt out of the sale and sharing of their personal information

    1. This would include requests submitted via opt-out preference signals, such as GPC requests.

  2. A program to assess and monitor whether the company is effectively processing consumers' requests to limit the use of their sensitive personal information.

  3. Companies should be able to report out on a regular basis the following:

    1. What testing has been done to assess and monitor its processing of consumer requests

    2. Any analysis of errors or technical problems uncovered during the testing and what steps have been taken to remediate the problems

  4. Companies should perform an annual review of their websites and any mobile applications to determine what third parties they are sharing information with via online tracking.

    1. As a result of this review, companies should ensure their contracts with these third parties meet the CCPA requirements

    2. Additionally, the company should ensure they are not selling or sharing information with these third parties of consumers who have opted out of 

  5. Companies should review their privacy policy annually to ensure they are describing information collected and potentially shared correctly.
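The settlement's first, third and fourth program elements (monitor whether opt-outs, including GPC signals, are actually honored; report the tests run and the errors found; inventory the third parties reached through online tracking and check them against contracts) can be modeled as an offline audit. The following is an added example, not code from the complaint or the settlement: it takes recorded page views, decides whether each visitor had opted out (the Global Privacy Control request header `Sec-GPC: 1`, or a site opt-out cookie), lists the third-party hosts the page's tags contacted, and flags both opt-outs that were not honored and vendors with no CCPA-compliant contract on file. The first-party domain, cookie name, vendor hosts and sample page views are all constructed for the example.

```python
"""Offline model of an opt-out monitoring check (added example, not the
settlement's own program).  Domain, cookie and vendor names are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Hypothetical first-party domain, used to tell first- from third-party requests.
FIRST_PARTY = "publisher.example"

# Hypothetical vendor register: third-party host -> CCPA contract terms in place?
VENDOR_CONTRACTS: Dict[str, bool] = {
    "ads.adnetwork.example": True,
    "px.dmp.example": False,
}

# Hypothetical site-specific opt-out cookie (name, value).
OPT_OUT_COOKIE = ("ccpa_optout", "1")


@dataclass
class PageView:
    url: str                        # page the consumer viewed
    request_headers: Dict[str, str]  # inbound request headers
    cookies: Dict[str, str]          # inbound cookies
    outbound_requests: List[str]     # URLs the page's tags fired


def opted_out(view: PageView) -> bool:
    """True if the consumer has opted out of sale/sharing.

    The GPC specification conveys the signal as the request header
    ``Sec-GPC: 1``; any other value, or its absence, is not an opt-out.
    Header names are matched case-insensitively, as HTTP requires.
    """
    headers = {k.lower(): v.strip() for k, v in view.request_headers.items()}
    if headers.get("sec-gpc") == "1":
        return True
    name, value = OPT_OUT_COOKIE
    return view.cookies.get(name) == value


def third_party_hosts(view: PageView) -> List[str]:
    """Distinct, sorted hosts contacted that are not the first party or its subdomains."""
    hosts = set()
    for url in view.outbound_requests:
        host = (urlparse(url).hostname or "").lower()
        if host and host != FIRST_PARTY and not host.endswith("." + FIRST_PARTY):
            hosts.add(host)
    return sorted(hosts)


Finding = Tuple[str, str, str]  # (issue, page url, third-party host)


def audit(views: List[PageView]) -> List[Finding]:
    """Run both checks over every recorded page view."""
    findings: List[Finding] = []
    for view in views:
        for host in third_party_hosts(view):
            if opted_out(view):
                # Data flowed to a third party after an opt-out: the mechanism failed.
                findings.append(("OPT_OUT_NOT_HONORED", view.url, host))
            if not VENDOR_CONTRACTS.get(host, False):
                # Vendor contacted without a CCPA-compliant contract on file.
                findings.append(("NO_CCPA_CONTRACT", view.url, host))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Counts per issue type, the kind of figure a periodic report would carry."""
    counts: Dict[str, int] = {}
    for issue, _, _ in findings:
        counts[issue] = counts.get(issue, 0) + 1
    return counts


# Constructed sample: three recorded page views.
SAMPLE_VIEWS = [
    # GPC on, yet an ad-network pixel still fired -> opt-out not honored.
    PageView("https://www.publisher.example/health/condition-a",
             {"Sec-GPC": "1"}, {},
             ["https://ads.adnetwork.example/pixel?title=condition-a",
              "https://cdn.publisher.example/app.js"]),
    # Site opt-out cookie set, only first-party requests -> clean.
    PageView("https://www.publisher.example/health/condition-b",
             {}, {"ccpa_optout": "1"},
             ["https://cdn.publisher.example/app.js"]),
    # No opt-out, but a vendor with no CCPA contract was contacted.
    PageView("https://www.publisher.example/health/condition-c",
             {"sec-gpc": "0"}, {},
             ["https://px.dmp.example/sync", "https://ads.adnetwork.example/bid"]),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_VIEWS):
        print(*finding)
    print(summarize(audit(SAMPLE_VIEWS)))
```

In practice the page views would come from a browser-automation run that sets `Sec-GPC: 1` (and separately the site's own opt-out) and captures the network log, and the audit would be scheduled rather than run by hand; the findings list is what the settlement's periodic report of "errors or technical problems uncovered during the testing" would be built from.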

There’s a lot of information to unpack in the complaint and the proposed settlement, but the key takeaway is that California continues to take its role in consumer privacy very seriously.
