Enforcement Update for Health Information and Online Tracking Technologies

Enforcement in Focus: Online Tracking Technologies, Health Information, and Privacy

Recent enforcement actions signal a clear message: regulators are intensifying scrutiny of how health information is shared through online tracking technologies. With Healthline Media's settlement in July for $1.55 million for California Consumer Privacy Act (CCPA) violations following settlements in recent years for $2.5 million (Monument), $7.8 million (BetterHelp), and $1.5 million (GoodRx), among others, the enforcement landscape for health information and online tracking technologies in the U.S. is taking shape. The common thread: regulators take health information sharing very seriously.

Healthline

In July, the California Attorney General announced a $1.55 million settlement with website publisher Healthline Media LLC alleging that its use of online tracking technology and related data sharing violated the CCPA. A focus of the allegations was not only that Healthline offered consumers inadequate opt-out mechanisms to limit targeted advertising and data sharing with third parties, but also that the data shared inferred health information about the consumers.

One of the allegations was that Healthline allowed the use of trackers to transmit both the titles of articles read and unique consumer identifiers to advertisers and other third parties. Per the California Attorney General, this data could directly imply sensitive health information. One article title that was referenced in the filing: “You’ve Been Newly Diagnosed with MS. What’s Next?”

The complaint suggests that while Healthline presented consumers with opt-out choices through a consent management platform, the opt-out mechanism failed to effectively manage the many online trackers deployed by Healthline in line with the consumer choices made. In addition to CCPA considerations, this also led to alleged violations of California’s Unfair Competition Law as a potential deceptive business practice.

Consent and Health Information Sharing

Having opt-out mechanisms alone may not be sufficient when sharing identifiable health information in the U.S. Various state laws, including the Washington “My Health My Data” Act, among others, require express consent for sharing consumer health data with third parties in many cases. The Federal Trade Commission (FTC) has also brought enforcement actions (some of which are noted above) for sharing health information with advertisers and other third parties without consent. Also, notably, the Health Insurance Portability and Accountability Act (HIPAA) has recently elevated its focus on online tracking technologies used by covered entities and their business associates.

“When online tracking technology is deployed, it is important to have the right policy language and consent management tools. At the same time, it is equally important that the actual functionality comply as well. Faulty technical implementation can result in enforcement.”
– Paul Rothermel, Senior Attorney, Gardner Law

Other Considerations

Healthline is just the most recent of many other enforcement actions involving health information sharing and online tracking technologies. In 2024, Monument, Inc. settled allegations from the FTC that it used tracking technologies such as pixels and other programming on its website to share website visitors’ personal information with numerous third-party advertising platforms in violation of its privacy policy and without consent. The data shared included standard and custom events with the event titles revealing specific ways in which consumers interacted with the website. BetterHelp similarly settled allegations in 2023 that it shared personal information, including health questionnaire data, with various third parties for advertising purposes after it promised not to use or share users' personal health information other than for limited purposes. We would also be remiss if we failed to mention the various enforcement activity focused on children’s online privacy, with numerous cases addressing lack of parental consent for data collection and sharing or inadequate age-verification features for online services and websites.

Drug and device manufacturers should take note and take a close look at health-related information collected through their websites and mobile applications, ensure their collection and sharing practices align with their privacy promises and legal requirements, and confirm consent management features are both properly designed and functioning as intended.

Contact Gardner Law

Online tracking technologies and consumer-facing websites and applications are an important part of consumer education and health care delivery, but data collection and sharing must be carefully managed to mitigate compliance risks. As industry best practices evolve and regulatory expectations change over time, ensuring your data collection and sharing practices remain aligned with current standards is critical. Whether building a website or application from the ground up or reviewing an existing one, legal guidance can help you navigate these complexities and adapt to emerging trends.

If you have questions about online tracking technology compliance, or if you’d like assistance navigating compliance challenges, reach out to Gardner Law.