Most Companies Don’t Honor Privacy Opt-Outs

By Maria Dinzeo
December 01, 2024

Global privacy control lets computer users set privacy preferences in their browsers, automatically sharing those choices whenever users go to a site. It’s supposed to give individuals more control over their personal data, allowing them to opt in or out of cookie usage, data sharing, data selling and targeted advertising.
But those preferences only work if companies honor them. And in most instances, they don’t.
Research from two major privacy compliance firms found that the vast majority of the most-visited websites in the United States and Europe do not honor GPC and opt-out preference signals.
“It’s not that they don’t want compliance or they don’t want to honor; it’s just somehow it’s broken,” said Vaibhav Antil, CEO of privacy software company Privado, whose State of Website Privacy Report 2024 found 76 of the top 100 websites in the United States do not honor opt-out consent signals, as the California Privacy Rights Act of 2020 requires.
More than 80% of those sites were in the media, e-commerce and lifestyle industries, which rely heavily on ads to drive and monetize website traffic.
The United Kingdom fared no better, with 74 of the 100 most-visited sites not honoring the opt-in preferences required under the Data Protection Act 2018, which mirrors the provisions of the European Union’s General Data Protection Regulation of 2016.
“In Europe, there is no signal. You have to interact with the banner. So, in our test, we actually interacted with the banner. We would go in, reject all cookies and see if still calls are being made or trackers are being fired or cookies are being stored,” Antil said.
They were.
And if these websites are not honoring GPC signals, it’s fair to assume that they are not honoring simple “do not sell/share” opt-out clicks. “We didn’t explore it, but it should be similar because the thing is these are misconfigurations,” he said.
Privado’s findings track with similar data from consent management platform DataGrail in its 2024 Data Privacy Trends Report. DataGrail audited more than 5,000 websites and found 75% of them do not comply with GPC requests.
This comes as consumers are increasingly interested in protecting their privacy. DataGrail found more than a 200% increase in data subject access requests from 2021 to 2023.
“When you actually engage with the cookie banner, and you’re hopefully trying to address your preferences, you actually hope they work. Sorry to tell you they probably don’t,” DataGrail CEO Daniel Barber said at his firm’s annual privacy summit in June.
Why is that? It’s complicated, said Jules Polonetsky, internet privacy expert and CEO of the Future of Privacy Forum. “When you visit a website, a kaleidoscope of cascading things occurs. The second you request a webpage, your browser is requesting cookies from a website. Milliseconds later, the servers that have just been pinged are pinging companies and other companies and networks and multiple third-party plug-ins are loading,” he said.
“Ignoring privacy requests in states where they are legally obligatory creates a huge legal risk. Most companies that do so usually don’t have evil intentions but haven’t properly configured their consent-management tools. Getting these tools to work properly can be hugely complicated, and we see even sophisticated companies dropping the ball, or shall I say, dropping the cookie,” he said.
The nebulousness of an internet protocol address makes it more difficult to identify who is making the opt-out request. “An IP address could be you and your laptop at home or at a Wi-Fi on a university campus, and that’s one IP address for the whole college,” said Ryan O’Leary, research director at International Data Corp.
“It’s hard to manage the consent, and after you leave that website, it’s almost like you weren’t there. When you have a known relationship with a brand — let’s say you log into your Apple ID or Target account — you’re a known person and have to manage the consent there,” he said. “But it’s virtually impossible to marry that ID to the IP address that clicked ‘do not track.’ If you’re just bumping around from channel to channel or website to website, they don’t have a duty to honor your choices.”
GPC has some 50 million users worldwide. Currently, just three states — California, Colorado and Connecticut — require companies to comply with GPC signals. But laws requiring opt-out signals kick in in Delaware and Montana on Jan. 1, and in Oregon and Texas one year later. And while New York doesn’t have a consumer data protection law, its attorney general, Letitia James, argued in guidance released this summer that data laws on the books bar websites from making false or misleading statements, which she said means that any privacy controls a site claims to offer must work as described.
Justin Yedor, a Baker & Hostetler partner who specializes in California privacy laws, said that many consumers who have set up GPC signals live in states without a privacy law requiring websites to honor them. “So just the fact that the GPC is not being recognized, I don’t think implies there’s necessarily any non-compliance,” he said.
But the legal risks from failing to honor opt-out signals are real.
“Sale/sharing opt-out has been the most enforced issue under the [California Consumer Privacy Act] from the very beginning of the CCPA enforcement. It’s a big issue for both the California [attorney general] and the California Privacy Protection Agency, who are dual enforcers. Both of them are highly interested in this issue. In terms of top compliance issues from a regulator standpoint under the CCPA I think it’s really difficult to conclude that there’s any other issue that comes first before that one,” Yedor said.
And beyond the regulatory realm, plaintiffs lawyers are lurking, Yedor said.
“If you right click in Chrome, you can inspect the site and see what cookies are loading. You can see when certain scripts are firing. You can review the data packets that are within a cookie. There’s really a lot that you can see without any sophisticated tools. If you take the extra steps to look, you can see it. And that’s what plaintiffs counsel are doing,” he said.
“It’s important for businesses that are working to comply with these laws to make sure that they’re checking, as well, because they don’t want to be the only one in the dark. You don’t want plaintiffs counsel intensely scrutinizing your site and you haven’t taken a look at it,” he added.
Polonetsky said that while there are “the crappy lawyers sending copy-and-paste lawsuits to thousands of companies offering to settle and go away, the more sophisticated ones run real forensic tools and do a lot of research.” For instance, he said, the plaintiffs firm Edelson operates technical labs and does in-depth forensic work.
State attorneys general also are on the prowl for violations, relying on technology built by computer scientists, including Ashkan Soltani, a former chief technologist for the Federal Trade Commission who’s now executive director of the California Privacy Protection Agency. At the federal level, Polonetsky said, the FTC is focusing on websites related to health care and mental health. “We’ve seen actions, particularly in areas where data might be particularly sensitive,” he said.
So how do companies avoid all of this scrutiny? By making sure consent management settings are properly configured.
“Putting up a consent banner is not enough. You need to actually test if it is working or not,” Antil said.
That’s trickier than it sounds. Antil said websites are so dynamic that it’s hard to keep up, especially as companies add more third-party integrations.
“So literally you add a line of code, and you suddenly have Google Analytics as part of your website, Meta Ads. Now, it has moved to a point where you literally have platforms where you just insert one integration of a tag manager, and then that is owned by a marketing team. And from there you can actually switch on and switch off third parties just by a click of button,” he said.
“As you’ve democratized adding more and more third parties and made it easier for that integration to happen on the website, I think that’s one of the main reasons why these consent issues pop up. There is a real possibility that you have a 100-person marketing department, and they might not know the consequences of switching on a new pixel,” he said.
O’Leary added: “The challenge is this is not the main business for folks. It’s an additional kind of workflow you need to do, and it’s not bringing in any revenue.”
At the same time, the consequences of missteps can be substantial, ranging from costly settlements or judgments to reputational damage and an erosion of consumer trust.
“The whole impetus behind these regulations is to give people the ability to opt out,” O’Leary said, noting that awareness is growing among consumers of the harms that can result from being tracked without their knowledge.
“There’s a lot of scary stuff that could happen,” O’Leary said. “There are certainly people that would not want to be tracked and have a lot to lose.”
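
The self-check described above (load the site with the opt-out signal on, then look at which third parties are still contacted and which cookies are still set) can be scripted over a HAR file exported from the browser's network panel. The following is an added example, not part of the original article or of any tool it names; the function names, hostnames and capture are constructed, the two-label domain comparison is a simplifying assumption, and `Sec-GPC: 1` is the request header browsers use to transmit the GPC preference.

```python
from urllib.parse import urlsplit

def site_of(host):
    # Assumption: the last two labels approximate the registrable domain.
    # A production audit should use the Public Suffix List instead.
    return ".".join(host.lower().split(".")[-2:])

def header(headers, name):
    # HAR stores headers as a list of {"name": ..., "value": ...} objects.
    return next((h["value"] for h in headers if h["name"].lower() == name.lower()), None)

def audit_capture(har, first_party):
    """Summarise what a page load did while the browser asserted GPC."""
    report = {"gpc_missing": [], "third_party_hosts": set(), "cookies_set": []}
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        host = urlsplit(req["url"]).hostname or ""
        if header(req["headers"], "Sec-GPC") != "1":
            report["gpc_missing"].append(req["url"])  # capture is not a valid GPC test
        third_party = site_of(host) != site_of(first_party)
        if third_party:
            report["third_party_hosts"].add(host)
        for h in resp["headers"]:
            if h["name"].lower() == "set-cookie":
                cookie_name = h["value"].split("=", 1)[0].strip()
                report["cookies_set"].append((host, cookie_name, third_party))
    return report

def _entry(url, set_cookies=()):
    # Builds one constructed HAR entry; real captures carry many more fields.
    return {"request": {"url": url, "headers": [{"name": "Sec-GPC", "value": "1"}]},
            "response": {"headers": [{"name": "Set-Cookie", "value": c} for c in set_cookies]}}

# Constructed capture of a hypothetical shop's home page, loaded with GPC enabled.
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://www.shop.example/"),
    _entry("https://static.shop.example/app.js"),
    _entry("https://px.adnetwork.example/collect?ev=pageview",
           ["uid=constructed123; Max-Age=31536000; SameSite=None; Secure"]),
    _entry("https://www.shop.example/api/consent", ["consent=optout; Path=/"]),
]}}

if __name__ == "__main__":
    result = audit_capture(SAMPLE_HAR, "www.shop.example")
    print("requests without Sec-GPC:", result["gpc_missing"])
    print("third-party hosts contacted:", sorted(result["third_party_hosts"]))
    for host, name, third_party in result["cookies_set"]:
        print("cookie", name, "from", host, "(third party)" if third_party else "(first party)")
```

The third-party hosts and cookies it reports are candidates for review rather than findings: each one has to be matched against what the site's opt-out is supposed to switch off.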