Cookies in the Cross-Hairs: Enforcement Continues

In April of this year, the California Privacy Protection Agency imposed a $632,500.00 monetary penalty on American Honda Motor Co. In our discussion of that action - Are Cookies Banners Crumbling? – we raised the alarm for companies that engage in targeted or cross-contextual behavioral advertising, warning that additional enforcement in this space was likely to follow.

The California Attorney General has confirmed our prediction by imposing a $1.55 million monetary penalty on website publisher, Healthline Media LLC, for a variety of activities related to their targeted advertising.

By way of brief background, California Attorney General Rob Bonta announced on July 1, 2025, the largest settlement to date under the California Consumer Privacy Act (“CCPA”) (pending court approval), which was levied against Healthline, a health and wellness information website. Like many of these types of websites, Healthline generates revenue by engaging in cross-contextual advertising that involves the use of online trackers, including cookies and pixels. According to AG Bonta, Healthline’s practices violated the CCPA by: (a) failing to opt consumers out of the sharing of their personal information for targeted advertising; (b) violating the purpose limitation principle by using consumer information, including information that could be considered to be health and medical data, in ways not disclosed in the privacy statement; (c) failing to maintain CCPA-required contracts; and (d) deceiving consumers about privacy practices. To settle these claims, Healthline agreed to a number of onerous remedial actions, monitoring and a $1.55 million monetary penalty, not to mention the reputational damage that inevitably follows this type of public settlement. 

We have set out below key takeaways for companies seeking to avoid a similar fate.

• Promises made must be promises kept – Companies that offer a right to opt-out or even a right that is not legally required, such as affirmative opt-in to cookies, must still honor those promises. Here, Healthline offered consumers the right to opt-out of targeted advertising through a variety of mechanisms, but according to the AG, none of these methods actually opted consumers out of all selling or sharing of personal information. It is tempting to offer consumer friendly rights, but companies create risk for themselves by making promises they do not or cannot keep, and failure to do so can be treated as an unfair or deceptive trade practice.  
• Superficial compliance is not enough – Cookie management solutions are technically challenging to implement and, in some cases, have limitations as to what they can do. Proper implementation is further complicated by the fact that there are often multiple parties involved in a company’s advertising eco-system, such that it may be difficult to control or understand what specifically is happening on a website from an advertising perspective. This enforcement action made clear, however, that regulators can and do audit the functionality of these tools to confirm that they are, for example, blocking cookies when a user exercises their right of opt-out. Because websites are publicly available and can be audited using common tools, these types of reviews are low-hanging fruit for regulators. To withstand this scrutiny, organizations must take the time to understand, configure properly and test their solutions during the initial deployment. Pressure testing should also occur at regular intervals, because marketing teams and advertisers regularly make changes that can impact whether the technical solution is operating as it should and as promised to consumers. Additional guidance on this issue is available in our previous alert - Cookies Banners and Beyond: How to Avoid Common Mistakes.
• Contracts will be scrutinized – There is no doubt that the advertising ecosystem is complex, and organizations often do not have direct contractual relationships with all companies in their marketing ecosystems. Nevertheless, both the Honda and this decision make clear that confirming compliance with the CCPA’s contracting obligations is an enforcement priority. Organizations must take the time to parse through the different relationships and agreements with their advertising and marketing companies to ensure there are no gaps in the contracting chain and to understand the compliance obligations of the parties.
• Interpret the scope of sensitive information broadly – The CCPA has heightened requirements that apply to sensitive personal information, including health and medical data. The AG specifically acknowledged that Healthline does not solicit or collect information about its users’ health and medical conditions. Nevertheless, the AG argued that Healthline’s disclosure of information about specific articles read by visitors to the site (for example, “You’ve Been Newly Diagnosed with MS. What’s Next?”) as part of its targeted advertising activities could be sufficient to draw the conclusion that a particular reader might have a specific medical condition. As such, Healthline was required to comply with the CCPA’s right to limit sensitive personal information obligations and to disclose the use of this sensitive information to consumers. Based on this approach taken by the AG, organizations should assume that regulators will take a broad view of what constitutes sensitive personal information and should tailor their compliance activities accordingly.

Enforcement related to targeted advertising seems certain to pick up speed, particularly as more state privacy laws come into effect and regulators pursue collaboration and information sharing to tackle their enforcement priorities. And, the enforcement risk goes hand in hand with the growing class action risk in California, in particular, under the California Invasion of Privacy Act. Therefore, organizations must put management of their digital marketing campaigns and vendors at the top of their priority list and use the recent enforcement actions as a guidepost for these efforts.   

Related Articles:

• Cookies Banners and Beyond: How to Avoid Common Mistakes
• Are Cookies Banners Crumbling?
• CIPA Boondoggle to Continue for at Least Another Year