The most visited websites share personal data with an average of 17 third-party advertisers in the U.S. — and 76% of the most visited websites in the U.S. do not honor CPRA opt-out signals. These findings were revealed in the “2024 State Of Website Privacy Report,” which was published by privacy solution provider Privado.ai.
As part of the research, the company uncovered that 75% of the 100 most visited websites in the U.S. and Europe are not compliant with current privacy regulations. With fines mounting and consumers demanding greater privacy, personal data sharing from websites has become a major legal risk for companies worldwide. To learn more about the data privacy landscape, the Demand Gen Report team sat down with Vaibhav Antil, CEO of Privado.ai.
Demand Gen Report: What were the most common reasons why websites failed to comply with CPRA and GDPR consent requirements?
Vaibhav Antil: The most common reasons originate from third-party scripts that are integrated in websites. One common reason is these scripts are being loaded before the cookie banner script, which means the consent management platform (CMP) doesn’t have an opportunity to block the third-party script from loading in the first place.
Another reason is that websites use tag managers like Google Tag Manager, which are whitelisted in the CMP. That means that consent management must be configured in the tag manager itself. Over time, new pixels/scripts are added directly into the tag managers, thus bypassing the CMP's intended consent configuration.
DGR: How do changes in marketing technology contribute to misconfigured consent banners, and what steps can organizations take to address these challenges proactively?
Antil: Over time, adding new tools on websites has been democratized, and marketing teams can directly add pixels and tags via tag managers and other marketing platforms. Marketing teams use these technologies to move fast and increase revenue but sometimes lack privacy context when implementing a new marketing tool. Privacy teams need to constantly test consent on their websites, make results available to marketing and enable them by giving alerts on non-compliance.
DGR: Given the limitations of CMPs, what key features should organizations prioritize when integrating privacy code scanning solutions with CMPs?
Antil: There are two key features organizations should prioritize:
- Reactive scanning, which involves regularly scanning websites and apps to ensure there are no privacy issues; and
- Proactive scanning, which means scanning new code changes before they go live to ensure any new script integration is discovered and consent flows are implemented.
DGR: How can organizations future-proof their websites against evolving privacy regulations beyond GDPR and CPRA, particularly as more countries introduce their own privacy frameworks?
Antil: Organizations can:
- Train people in marketing and development to ensure they bring privacy teams into the conversation as they evaluate new technologies;
- Ensure privacy reviews are triggered as part of procurement and proof-of-concept processes; and
- Implement consent testing tools and code scanning tools to ensure privacy teams can proactively find and fix any privacy issues.