A recent enforcement action by the California Attorney General against a leading healthcare publisher (order PDF) underscores a critical reality: compliance with privacy laws like the California Consumer Privacy Act (CCPA) is an ongoing, strategic responsibility shared across the digital advertising ecosystem.
At DeepIntent, we don’t view enforcement actions as isolated cases but as roadmaps. They reveal what matters to regulators, what behaviors they’re scrutinizing, and most importantly, where we must exceed baseline compliance to protect our platform, our partners, and the health consumers we serve.
The recent complaint (complaint PDF) alleged that third-party tracking technologies, namely pixels and cookies, were used on health-related web pages without proper consumer opt-out mechanisms, resulting in a monetary penalty and mandatory operational changes. This is a key example of how regulators are actively examining the entire data ecosystem, especially in high-sensitivity contexts like health-related advertising.
- Compliance is an active process. Staying aligned with laws like the CCPA requires ongoing vigilance, or you risk steep fines and legal action.
- Transparency is key. Consumers and customers should have a realistic understanding of how their data is collected and used.
- Opt-outs must work and be tested. Regular checks are essential to confirm that tracking technologies honor consumer choices as intended.
- Going beyond the letter of the law is often necessary. In the absence of detailed regulatory guidance, it’s important to be “more than good enough.” By proactively building safeguards that exceed minimum requirements, DeepIntent stays prepared for evolving interpretations and precedent-setting enforcements.
- Accountability is part of partnership. It’s no longer defensible to pass liability through contracts alone. If your partners misuse data, you may be held responsible.
- Contractual requirements must meet state privacy standards. The law mandates specific contractual language when sharing personal information, including clear service provider restrictions, data use limitations, and assurances around honoring consumer rights.
- Health-related content is sensitive. Any data linked to such content—whether explicitly stated or inferred via context—may be treated with heightened regulatory sensitivity.
- Compliance is about driving collective progress. Leaders will seek to improve more than just their own internal processes. DeepIntent actively participates in efforts to advance standardized, industry-wide mechanisms for consent propagation.
At DeepIntent, we’ve long emphasized the importance of selecting partners who operate with transparency, integrity, and a shared commitment to privacy. This case reaffirms that strategy—and why we only work with partners who demonstrate robust privacy practices. Our Data HealthChecks initiative, which evaluates vendors and gives clients insight into our platform’s data sources, is a prime example of this commitment.
How DeepIntent Stays Ahead of Privacy Risks
DeepIntent understands that compliance isn’t static. It evolves alongside regulatory trends, enforcement actions, and technological innovation. Our privacy program is built on this premise.
Here’s how we protect our partners, consumers, and ourselves:
We analyze enforcement actions like this one to identify patterns and emerging regulatory focus areas. This intelligence feeds directly into our privacy operations, helping us continuously refine our program.
The DeepIntent privacy and commercial teams work closely to ensure that all agreements are compliant with CCPA, including any mandatory terms, clear data processing rights, and restrictions on data usage. These are not just legal boilerplate; they reflect operational safeguards we enforce.
DeepIntent works with partners who align with our privacy standards. Before onboarding and on an annual basis, we conduct rigorous due diligence on our partners’ privacy and security practices. The aim is to confirm that any collection or use of data is in accordance with the terms of our agreements and applicable privacy laws, including the CCPA, and that any data shared will be adequately protected.
The DeepIntent platform is engineered to respect consumer privacy from the outset. Our efforts span integrating with and honoring Global Privacy Control (GPC) signals, enabling real-time opt-outs and access requests, collaborating with partners to fulfill similar obligations, and enforcing internal safeguards that restrict the collection and use of sensitive data, including inferences.
Privacy compliance is an ongoing commitment that requires vigilance and adaptability. DeepIntent teams undergo regular privacy training, conduct annual data protection impact assessments, periodically review contracts for required privacy terms, and conduct annual privacy and security audits. Additionally, we track ongoing cases and legislation and implement product and policy changes as the shifting regulatory landscape requires.
Final Thoughts
The message from regulators is clear: compliance is a shared responsibility. Marketplace participants must not only ensure their own practices are compliant, but must also work with partners whose data practices and tools are equally aligned with applicable privacy law.
At DeepIntent, we don’t wait for enforcement to react—we act preemptively. Our commitment is to keep our platform and our partners ahead of regulatory expectations and to support privacy as a pillar of responsible innovation in healthcare advertising.