CCPA Radar tracks publicly announced enforcement actions, settlements, and penalty decisions under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Its purpose is to provide a clear, practical view of how California regulators interpret and enforce privacy obligations in real cases.
The radar brings together key information on enforcement trends, including the regulator, the organization involved, the amount of the penalty, the legal basis of the violation, and the core compliance issues identified in each matter. By presenting these cases in one place, CCPA Radar helps privacy, legal, compliance, and security teams better understand which failures most often lead to regulatory action.
More than a list of fines, CCPA Radar is designed as a working compliance resource. It shows how regulators approach topics such as opt-out mechanisms, dark patterns, children’s data, privacy notices, vendor contracts, and the technical implementation of consumer rights. This makes it easier to translate enforcement activity into concrete lessons for internal privacy governance and risk management.
Healthline Media LLC
Penalty:
USD 1.55 million
Failure to allow opt-out of targeted advertising; insufficient third-party protections; handling of sensitive health-related inferences
Core issue:
July 1, 2025
Date:
Main public findings:
California DOJ stated that Healthline failed to allow consumers to opt out of targeted advertising and shared data with third parties without CCPA-mandated privacy protections, including data suggesting that a person may have a serious health condition.
Cause of the violation:
Core issue:
Recommendations:
Source:
Healthline used online tracking technologies and disclosure practices that continued to transmit data in ways inconsistent with consumer choices and without adequate contractual restrictions on recipients.
Failure to allow opt-out of targeted advertising; insufficient third-party protections; handling of sensitive health-related inferences
Treat health-related browsing signals as high-risk; ensure opt-out choices suppress downstream ad-tech transmissions; limit URL and article-title leakage; execute and monitor contracts with all third parties receiving personal information; test consent banners against real technical behavior.