Data privacy: consent isn’t a checkbox, it’s a commitment

There’s a temptation in digital strategy to treat privacy as something to cross off a to-do list. Whether it’s a set-and-forget cookie banner or a privacy policy updated once a year, the mindset is often to tick the box and move on.

But that way of thinking comes with a price. In the case of Healthline, it cost $1.55m.

The largest California Consumer Privacy Act (CCPA) penalty to date didn’t come about because data privacy practices were ignored completely.

Healthline’s case highlights a challenge that will be familiar to many brands: the belief that meeting established compliance measures, like checkboxes, banners, and assumed consent, is enough.

The outcome demonstrates just how quickly industry standards and regulatory enforcement are moving.

Healthline was found to have shared data with ad tech partners in ways that could reveal users’ medical conditions, without fully honoring opt-out rights under the CCPA. Like many organizations, they relied on third-party partners to follow the rules but did not always verify this.

Their consent banner was intended to manage tracking, but in practice, some tracking continued. Ultimately, the measures in place did not provide the level of oversight and control now expected by regulators.

Data flow verification is redefining compliance

If data privacy compliance is still viewed mainly as a matter of documentation, policy updates, or technical adjustments, it is no longer sufficient in the eyes of regulators.

Today’s enforcement efforts have become highly data-centric—moving beyond paper trails and surface-level controls to focus on what is actually happening to personal data in practice.

Regulators now use technical reviews and automated tools to examine how data flows through an organization’s systems.

They look for concrete evidence: Are opt-out requests truly respected at the technical level? Does data-sharing with third parties genuinely stop when required? Are consent signals carried through all relevant processes and platforms, not just recorded in a log or reflected in the user interface?

This is a fundamental change from a process-driven approach, where success meant meeting the perceived letter of the law, to a data-centric model that requires organizations to prove that their systems function as intended in real time.

Demonstrating compliance is now about showing, with auditable data and processes, that your practices align with both regulatory standards and user expectations.

As this gap between stated policies and actual data behavior closes, organizations face growing consequences if technical reality falls short of what is promised on paper.

From “how do we comply?” to “how do we respect people?”

Healthline isn’t an example of deliberate wrongdoing. It’s a reminder of how much work remains to move beyond process-based compliance and toward truly data-centric compliance, where teams proactively monitor and manage data flows, transfers, and interactions across their entire ecosystem.

Many organizations have inherited fragmented systems. Privacy controls have been layered on top of marketing and analytics stacks that were never designed with consent in mind.

And in the scramble to keep growing and stay relevant in a hyper-competitive digital ecosystem, it’s understandable that teams might reach for what looks like a fast solution.

But consent is not a one-and-done exercise. It evolves with every user interaction and system integration.

Every tag added to a site, every new vendor brought into your stack, every decision about how data is used…all of these change the consent equation.

This is why consent isn’t something you can set and forget.

Treating consent as static, or siloed, invites risk. It also erodes trust. And when that trust breaks down, whether through headlines, fines, or user backlash, the damage is hard to repair.

The brands that will lead in this next phase are those that recognize privacy as a data challenge to be solved, one that demands continuous attention as data flows, systems, and requirements evolve.

Leading teams embed data auditability and verification into everyday practice, asking not just what promises are made, but whether they can be proven in action as permissions change and flow throughout the data ecosystem.

If you can’t see how your data is actually moving through your systems, you can’t reliably confirm that those flows are lawful or aligned with your policies.

If you don’t know exactly what third parties are doing with the data you share, you risk losing control over your privacy obligations.

Relying on legacy frameworks, incomplete opt-out mechanisms, or best guesses exposes your organization to unnecessary risk and undermines trust.

This is not about blaming marketers or privacy leads. For a long time, the tools and visibility simply weren’t available. That’s no longer the case.

Today, the technology exists to provide meaningful insight, traceability, and auditability at the data level. The opportunity is there for organizations to take real ownership, moving from intention and policy to measurable, ongoing verification.

Demonstrating compliance now means maintaining real opt-out mechanisms that are continually validated. It means knowing, with certainty, what data is being passed to whom, and ensuring partners are operating to the latest regulatory expectations.

Your privacy infrastructure must be monitored and updated just as actively as any other critical system.

Attorneys general (AGs) are no longer interested in documentation alone. They want to see how your data ecosystem actually works.

Overall

Regulation will always set the floor. Customer expectations will keep raising the ceiling. Resilient organizations understand that privacy is now a data management discipline, not a legal hurdle to clear or a matter of design alone.

When you embed evidence-based privacy practices into your systems, making consent measurable, data flows observable, and third-party activity verifiable, you build trust, accountability, and credibility with every decision.

When customers see their data respected, they stay. When your infrastructure is robust, it shows. And when regulators examine your systems, you’ll be able to demonstrate that your approach is working in practice, not just in policy.

This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
