Three-quarters of top sites ‘fail to get consent for ads’

Online businesses continue to be in breach of one of the key tenets of data protection law, with a new analysis revealing that three-quarters of the 100 most visited websites on both sides of the Atlantic are still failing to gain consent for advertising.

According to Privado.ai’s 2024 State of Website Privacy Report, 74% of the top 100 websites in Europe do not honour opt-in consent as required by GDPR and UK GDPR.

Media and ecommerce websites make up 78% of the top 100 websites and account for 86% of the non-compliance, and, although the report does not finger individual brands, those in the top 100 which were investigated include the sites of most tech giants as well as the Guardian, the Daily Mail, Marks & Spencer, Tui, John Lewis, Ikea, B&Q and Sainsbury’s.

Meanwhile, the top 100 websites in the US had a similar non-compliance rate of 76% for not allowing opt-out consent as required by the California Privacy Rights Act (CPRA), and Privado found the median volume of compliance risks to be three times higher in the States.

Media, ecommerce, and lifestyle (B2C technology) websites make up 83% of the top 100 websites in the US and have the three highest rates of non-compliance risk (79%, 79% and 73% respectively). US sites among the top 100 also include the tech giant “usual suspects”, plus Target, Walmart, Costco, Best Buy and Home Depot.

The State of Website Privacy Report is based on data from Privado’s consent monitoring solution collected in September 2024, published in response to increasing data protection fines across both continents.

Six of the 20 largest GDPR fines since 2018 have been issued over online consent compliance violations, with Amazon receiving the second-largest GDPR fine to date, €746m (£636m), for targeting users with ads without proper consent in 2021.

The fine, issued by Luxembourg’s National Commission for Data Protection, followed a complaint filed by 10,000 people against Amazon in May 2018 through the French privacy rights group La Quadrature du Net.

However, the online retail giant Amazon launched an appeal against the GDPR fine earlier this year, arguing that the decision is “flawed for many reasons”.

In the US, since 2022, at least 10 companies have been fined for violating online consent compliance as regulated by CPRA, the Federal Trade Commission, and the Health Insurance Portability & Accountability Act.

With fines mounting and consumers demanding greater privacy, personal data sharing from websites has become a major legal risk for companies worldwide, with the report also revealing that the most visited websites share personal data with an average of 17 advertising third parties in the US and six in Europe.

To comply with GDPR, websites in Europe must block personal data collection and sharing with third parties unless the user provides opt-in consent; while under CPRA, websites in the US must block personal data sharing with advertising third parties if the user opts out of data sharing.
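The two rules above differ only in their default: under GDPR nothing may be shared until the user opts in, under CPRA sharing is permitted until the user opts out. The following is an added example, not code from the article or from Privado, showing a consent gate built on that distinction together with the kind of check a consent monitor runs over the requests a page actually made; the regime table, vendor hostnames and request URLs are all constructed for the example.

```javascript
// Consent regimes as the article describes them. The only difference is
// what happens before the user has made a choice.
const REGIMES = {
  gdpr: { allowedByDefault: false }, // opt-in: share nothing until "accept"
  cpra: { allowedByDefault: true },  // opt-out: share until "reject"
};

// Hypothetical map of advertising third-party hosts to vendor ids
// (constructed for the example; a real list comes from the site's tag inventory).
const AD_VENDORS = {
  "ads.example-dsp.test": "example-dsp",
  "pixel.example-social.test": "example-social",
};

// May advertising third parties receive personal data right now?
// choice is null (no banner interaction yet), "accept" or "reject".
function vendorAllowed(regime, choice) {
  if (choice === "accept") return true;
  if (choice === "reject") return false;
  return REGIMES[regime].allowedByDefault;
}

// Gate a vendor script behind the consent decision. loader is the callback
// that would inject the tag; it is only invoked when sharing is permitted.
// Returns true if the vendor was loaded, false if it was blocked.
function loadVendor(regime, choice, vendorId, loader) {
  if (!vendorAllowed(regime, choice)) return false;
  loader(vendorId);
  return true;
}

// Monitoring side: given the outbound request URLs observed on a page and the
// consent state at that moment, return the ad vendors that were contacted
// even though the regime required them to be blocked. First-party and
// unknown hosts are ignored; each offending vendor is reported once.
function consentViolations(regime, choice, requestUrls) {
  if (vendorAllowed(regime, choice)) return [];
  const offenders = new Set();
  for (const url of requestUrls) {
    const vendorId = AD_VENDORS[new URL(url).hostname];
    if (vendorId) offenders.add(vendorId);
  }
  return [...offenders];
}
```

The same request log therefore yields violations under GDPR before any choice is made, none under CPRA until the user opts out, and violations under both once the user has rejected.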

Privacy teams typically lack the visibility and controls to track which third parties are integrated on their websites and whether those third parties are honouring consent requirements.

Privado claims that with teams using so many third parties to optimise marketing and website performance, privacy teams need comprehensive solutions to continuously monitor consent and data flows.

It maintains that, while consent management platforms (CMPs) are effective at managing the complexity of implementing consent banners and data flows across websites, they cannot sufficiently monitor and validate consent compliance.

Privacy teams need continuous website monitoring solutions to mitigate privacy risk at scale, Privado reckons, adding that such solutions should provide a real-time view of the third parties integrated with their websites, detailing which data elements are sent to which third parties, and whether the consent banner is functioning as intended.

Consent management platforms are critical for collecting, acting on, and recording consent, but they lack the full visibility and governance to ensure personal data does not improperly leak to advertising third parties.

Privacy code scanning enables the complete and continuous visibility and governance needed to ensure compliance with today’s complex web of privacy regulations.

Privado CEO Vaibhav Antil said: “Websites have added cookie banners in an attempt to comply with the latest privacy laws, but the banners are usually misconfigured. Especially as marketing technology constantly changes on websites, privacy teams need continuous consent testing to ensure compliance.”
