The Gist
- Cookie compliance is breaking at execution, not intent. Independent audits show most websites fail to honor consent choices in practice, even when compliant-looking banners and CMPs are in place.
- Regulators are enforcing, not warning. U.S. states and European authorities are issuing seven-figure fines for consent asymmetry, misconfigured tools, and tracking that fires before permission is granted.
- Privacy failures erode trust before fines arrive. When consent controls don’t work as promised, brands undermine credibility, customer experience, and long-term loyalty — turning compliance gaps into reputational risk.
Independent research suggests that the majority of websites are failing to act on user consent around cookies and are not compliant. With regulators circling and the potential for huge fines and reputational damage, here's what you need to check.
Most digital teams believe they have ticked all the necessary boxes around data privacy and cookie management on their website. User consent is requested, adequate information is given, and the website complies with the EU's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and other related legislation. Perhaps there is a cookie management platform (CMP) in place.
When it comes to cookie management, some organizations have developed a false sense of security that is highly risky and even dangerous. They believe that website privacy is fully under control. However:
- My own independent research shows the majority of websites may be failing to execute user consent, leaving them exposed, despite many having cookie management solutions in place.
- Regulators around the world are being increasingly active, issuing huge fines and tightening up on their approaches.
- The public continues to care about data privacy and cookie management, and failing to deliver undermines trust in brands, as well as opening up reputational risk.
When an organization fails in data privacy — for example if their website says one thing and fails to deliver — it can undermine customer trust and integrity. A high-profile lawsuit in this area will further erode brand and reputation.
Table of Contents
- Cookie Management: Compliance Failure at Scale
- A Trust Issue as Well as a Compliance Issue
- Building Privacy on Solid Foundations
- Privacy Built on Assumptions
Cookie Management: Compliance Failure at Scale
My own independent research shows remarkable levels of websites failing the basics, including those in regulated industries such as financial services. Based on my own automated audit tools checking millions of sites (May 2023-Nov 2025), I've found that approximately 60% of websites offering a "Reject all cookies" option do not honor that choice in practice, mainly because cookies are actually set before consent is given.
For example, within financial services, I found that 72% of the sites assessed set non-essential cookies or trackers before valid consent has been obtained, mainly because analytics and advertising tags fire when the page loads. Within professional services, 59% rely on consent tools that present compliant language but fail basic enforcement tests. For ecommerce sites, nearly three quarters (74%) are collecting behavioral data from the moment visitors enter the website, whether through tag misconfiguration or because the banner is a token gesture toward the regulatory requirement rather than a working control.
Consider the site of a well-known pensions and investment provider. On their first visit, users are offered a clear "Reject all cookies" option, but by that point tens of cookies have already been set. Given this organization's focus on regulation and governance, the digital team very likely believes it is compliant. It is not, and the gap leaves the organization highly exposed.
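The basic enforcement test behind the figures above is simple to reproduce: load the site in a fresh session with no stored consent, capture every Set-Cookie header (or the cookie jar) before touching the banner, and compare what was set against the site's own list of strictly necessary cookies. The script below is an added example written for this article, not the author's audit tooling; the Set-Cookie headers, the `ESSENTIAL` allowlist and the tracker name patterns are constructed for illustration and would be replaced by a real first-load capture and the site's documented cookie inventory.

```javascript
// Added example (not from the article): audit the cookies a site sets on a
// first visit, before the visitor has interacted with the consent banner.
// SAMPLE_FIRST_LOAD is constructed sample data; in a real audit the headers
// come from a fresh browser/HTTP session that holds no prior consent state.
const SAMPLE_FIRST_LOAD = [
  'session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'cookie_consent=pending; Path=/; SameSite=Lax',
  '_ga=GA1.2.1234.5678; Domain=.example.com; Path=/; Max-Age=63072000',
  '_gid=GA1.2.9999.1111; Domain=.example.com; Path=/; Max-Age=86400',
  '_fbp=fb.1.1700000000.987; Domain=.example.com; Path=/; Max-Age=7776000',
];

// Cookies the site has documented as strictly necessary (assumed allowlist).
const ESSENTIAL = ['session_id', 'cookie_consent'];

// Name patterns of widely used analytics/advertising cookies. This is an
// illustrative list, not an authoritative one; extend it from your own tag inventory.
const TRACKER_PATTERNS = [/^_ga/, /^_gid$/, /^_gcl_/, /^_fbp$/, /^_hj/, /^IDE$/];

// Parse one Set-Cookie header value into its name, value and attributes
// (attribute keys are lower-cased; valueless attributes such as Secure become true).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attributes = {};
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attributes };
}

// Every cookie set before consent that is not on the essential allowlist is a
// finding. A known tracker name or a persistent lifetime makes it more serious,
// but the absence of a match does not make an unlisted cookie acceptable.
function auditPreConsentCookies(setCookieHeaders, essentialAllowlist) {
  const essential = new Set(essentialAllowlist);
  const findings = [];
  const allowed = [];
  for (const header of setCookieHeaders) {
    const c = parseSetCookie(header);
    if (essential.has(c.name)) {
      allowed.push(c.name);
      continue;
    }
    findings.push({
      name: c.name,
      knownTracker: TRACKER_PATTERNS.some((re) => re.test(c.name)),
      domain: c.attributes.domain || null,
      persistent: 'max-age' in c.attributes || 'expires' in c.attributes,
    });
  }
  return { findings, allowed, compliant: findings.length === 0 };
}

// Run against the constructed sample: three tracker cookies are set on load,
// so the "Reject all" option offered afterwards cannot be honored.
console.log(JSON.stringify(auditPreConsentCookies(SAMPLE_FIRST_LOAD, ESSENTIAL), null, 2));
```

The check deliberately treats the allowlist, not the tracker patterns, as the source of truth: a site is only as compliant as its declared list of essential cookies, and anything outside that list set before a choice is made is a finding regardless of whether the name is recognized.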
Recent CCPA Enforcement Actions (2025)
Regulators are moving beyond warnings, with fines and lawsuits tied directly to consent misconfiguration, opt-out friction, and misleading cookie controls.
| Company | Date | Penalty or Action | Compliance Failure |
|---|---|---|---|
| American Honda Motor Co. | March 2025 | $632,500 fine | Consent interface allowed one-click opt-in but required multiple steps to opt out, violating symmetry requirements. |
| Todd Snyder | May 2025 | $345,178 fine | Cookie consent platform was misconfigured and unmonitored, preventing users from opting out for 40 days. |
| Healthline Media | July 2025 | $1.55 million settlement | Failed to honor opt-out requests for targeted advertising and used a consent banner that did not actually disable tracking cookies. |
| Tractor Supply Company | October 2025 | $1.35 million fine | Opt-out preferences were not recognized or enforced through third-party tracking technologies. |
| Condé Nast | Ongoing (2025) | Class-action lawsuit | Alleged installation of tracking technologies on sites including The New Yorker and Wired without valid user consent. |
State-Level Privacy Enforcement Expands Beyond California
Attorneys general are coordinating enforcement and targeting consent failures, tracking technologies, and opt-out controls across multiple jurisdictions.
| State(s) | Authority | Action | Focus Area |
|---|---|---|---|
| Michigan | Attorney General | Lawsuit filed against Roku | Collection and sharing of children’s data via tracking pixels and cookies. |
| Texas | Attorney General | Regulatory actions against major enterprises | Sharing personal information without user consent, including third-party tracking. |
| California, Colorado, Connecticut | Attorneys General (Joint) | Multi-state investigation launched | Failure to honor opt-out signals for data sale and targeted advertising via Global Privacy Control (GPC). |
European Cookie Enforcement Intensifies
European regulators are imposing record fines and expanding monitoring, with consent enforcement focused on real-world execution rather than banner design.
| Country | Authority | Penalty or Action | Key Violation |
|---|---|---|---|
| France | CNIL | €150 million fine (SHEIN) | Cookies placed without consent, incomplete banners, undisclosed third parties, and tracking continuing after refusal. |
| France | CNIL | €750,000 fine (Condé Nast) | Cookies placed before valid user consent on a French website. |
| United Kingdom | Information Commissioner’s Office (ICO) | Active monitoring expanded | Systematic review of top websites and sharply increased fines for cookie non-compliance. |
A Trust Issue as Well as a Compliance Issue
Surveys show that most consumers consider data protection a factor in their trust of brands, so when an organization fails in its compliance, it can also undermine this trust. These failures can have a significant impact on customer experience, as consumers increasingly expect brands to respect their privacy choices.
Data privacy expert Xavier Leclerc, CEO of The Neoshields and vice-chair of the European Federation of the Data Protection Officers (EFDPO), said, "In the European market, regulators are increasing scrutiny, and brand trust is damaged when organizations are perceived to take data without meaningful consent. This is no longer just a compliance issue. It is a public trust signal of how seriously an organization treats users and their rights."
What's notable about these lawsuits and enforcement actions, both in the US and Europe, is that they cover areas where the set-up of cookie management tools is erroneous, misleading, lacks detailed information, has not been effectively monitored, or is lopsided, with opting out much more difficult than opting in. Frequently, data collection and tracking practices do not match what an organization claims users can control.
"The worst examples are websites where opt-out options, including 'reject,' are effectively meaningless because tracking and data collection have already happened before the user can make a choice," said Leclerc. "That turns consent into a formality, and it creates unnecessary risk through reputational harm and regulatory scrutiny."
Building Privacy on Solid Foundations
To combat these, organizations must ensure that they have a cookie management solution in place that actually works in practice. Leclerc commented, "In the field of cookies, compliance cannot be assessed solely through interface design or declarative compliance. It is grounded in the legal and technical effectiveness of consent, meaning the data controller's actual ability to ensure that the user's choice — acceptance or refusal — produces an immediate, traceable and legally enforceable effect."
At a high level, organizations must have opt-out mechanisms that are easy to find and easy to use. A system where users find it hard or convoluted to opt out but very easy to opt in is also a potential issue; the two processes need to be symmetrical.
Critically, organizations must also ensure that the statements they make about privacy are honored in practice.
More specifically, to ensure cookie compliance is in place, teams need to ensure that:
- Your cookie management platform is correctly set up and thoroughly tested.
- User consent is in place, and the option to "opt out" is as easy to enact as the option to "opt in".
- All the cookies in operation on a site are disclosed.
- There are no hidden pixels or third-party calls.
- There are no cookies and trackers active on page load, before any consent can actually be gained.
- Consent selections are actually actioned and never ignored, especially the "refuse all" option.
- Cookies are correctly categorized (for example as "essential") so that consent selections are not ignored because of tag configuration, such as an "Essential Only" selection that then triggers analytics or advertising. What counts as "essential" must align with what users understand by it, not with the marketing team's view.
- Any statements about cookie management on your site are not misleading or open to misinterpretation.
- There is active monitoring in place, using an independent monitoring tool, to ensure that everything is operational and that failure is spotted as early as possible.
- Monitoring is treated as a separate requirement from the service provided by your cookie management tool (an audit cannot be valid if it is completed by the provider being monitored).
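Several items on this checklist (nothing fires on page load, selections are actioned, "refuse all" is honored, categorization is correct, and what fired can be verified independently of the CMP) come down to one architectural rule: non-essential tags must wait for an explicit decision and fire only for the categories that were granted. The consent gate below is an added example written for this article, not the code of any CMP vendor; the tag names, categories and the stub loaders that stand in for vendor script injection are constructed for illustration, and `verify()` reports what actually fired against what was permitted so the check can be run by something other than the banner itself.

```javascript
// Added example (not from the article): a minimal consent gate that queues
// non-essential tags until the visitor has chosen, fires only the granted
// categories, and reports whether anything fired without permission.
// Tag loaders are constructed stubs; on a real site they would inject the
// vendor script or pixel.
const CATEGORIES = ['essential', 'analytics', 'advertising'];

function createConsentGate() {
  const registry = new Map(); // tag name -> declared category
  const state = { decision: null, fired: [], queued: [] };

  // Fire every queued tag whose category has been granted; keep the rest
  // queued so a later change of mind (reject -> accept) still works.
  function flush() {
    const remaining = [];
    for (const tag of state.queued) {
      if (state.decision && state.decision[tag.category] === true) {
        tag.loader();
        state.fired.push(tag.name);
      } else {
        remaining.push(tag);
      }
    }
    state.queued = remaining;
  }

  // Register a tag under a declared category. Essential tags run at once;
  // anything else waits, so nothing non-essential fires on page load.
  function registerTag(name, category, loader) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    registry.set(name, category);
    if (category === 'essential') {
      loader();
      state.fired.push(name);
      return;
    }
    state.queued.push({ name, category, loader });
    flush();
  }

  // Apply the visitor's choice. Categories missing from the choice default to
  // refused, so a partially configured banner can never silently grant consent.
  function applyConsent(choices) {
    state.decision = { essential: true, analytics: false, advertising: false, ...choices };
    flush();
  }
  const acceptAll = () => applyConsent({ analytics: true, advertising: true });
  const rejectAll = () => applyConsent({});

  // Monitoring check: which tags fired, and did any fire without a grant?
  function verify() {
    const unauthorized = state.fired.filter((name) => {
      const category = registry.get(name);
      return category !== 'essential' && !(state.decision && state.decision[category]);
    });
    return { fired: [...state.fired], unauthorized, compliant: unauthorized.length === 0 };
  }

  return { registerTag, applyConsent, acceptAll, rejectAll, verify };
}

// Simulate one page visit: register three tags as the page would on load, then
// apply the visitor's choice ('accept', 'reject', a partial object, or null for
// no interaction) and report what fired before and after the choice.
function simulateVisit(choice) {
  const gate = createConsentGate();
  const log = []; // stands in for network calls the tags would make
  gate.registerTag('session', 'essential', () => log.push('session'));
  gate.registerTag('analytics-tag', 'analytics', () => log.push('analytics-tag'));
  gate.registerTag('ads-pixel', 'advertising', () => log.push('ads-pixel'));
  const firedBeforeChoice = [...log];
  if (choice === 'accept') gate.acceptAll();
  else if (choice === 'reject') gate.rejectAll();
  else if (choice) gate.applyConsent(choice);
  return { firedBeforeChoice, ...gate.verify() };
}

for (const choice of ['reject', 'accept', { analytics: true }, null]) {
  console.log(JSON.stringify(choice), '->', JSON.stringify(simulateVisit(choice)));
}
```

Note what `verify()` can and cannot tell you: it compares fired tags against the categories the site itself declared, so a tracker wrongly registered as "essential" would pass. That is exactly why the list above asks for cookies to be categorized honestly and for an independent first-load audit, rather than trusting the CMP's own report.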
Privacy Built on Assumptions
We can expect more action from the regulators in 2026. Even if you have a cookie banner and a cookie management solution in place, it does not necessarily mean that consent is actually being honored. Don't get caught by assuming that everything is working. Organizations that prioritize customer loyalty understand that transparent data practices are foundational to maintaining long-term relationships with their audience.
As brands invest in personalization strategies, they must ensure these efforts are built on a foundation of genuine consent and compliance. Confirm that everything works as it should in order to protect integrity, value and trust.