Despite privacy being a major concern for both marketers and consumers, 75% of the most visited websites in the U.S. and Europe are not compliant with two major privacy regulations, according to recent research from Privado.ai. In the U.S. alone, the most visited websites share personal data with an average of 17 third-party advertisers. In Europe, that number is much lower at six third-party advertisers.
“The consequences for privacy noncompliance range from zero to major financial and reputational damages. Many companies with privacy risks today have not been fined, but the ones that do get fined face lengthy legal battles, costly ongoing oversight, and lose valuable consumer trust,” said Vaibhav Antil, CEO and co-founder of Privado.ai, in email responses to Marketing Dive.
“The State of Website Privacy” scanned the top 100 most visited websites in the U.S. and Europe in September 2024 for compliance with the California Privacy Rights Act (CPRA) and the General Data Protection Regulation (GDPR) using automated consent monitoring technology.
The privacy landscape
The privacy landscape in the U.S. remains highly fragmented, especially with a persistent lack of a federal privacy law. The CPRA, while a California law, remains the standard when it comes to privacy compliance in the U.S. Seventy-six of the top 100 websites visited in the U.S. do not honor CPRA opt-out signals. Additionally, 75% of the top 100 websites share user data with third parties even when users opt out.
Media and ecommerce sites were the biggest offenders when it comes to CPRA compliance. Media sites make up 53% of the top 100 websites, and 79% of them are noncompliant. Ecommerce websites are also 79% noncompliant, though this category makes up only 19% of the top 100 websites.
“Marketers should know that once that personal data is shared with an advertising third party, it may be shared and used throughout the digital advertising ecosystem … Even if a marketing team doesn’t plan to use their audience data for retargeting, just sharing the data without proper consent puts the advertiser at risk,” said Antil.
The risk of noncompliance
Noncompliance poses a significant risk for marketers, mostly in the form of monetary fines and penalties. With budgets already tight, fines could potentially worsen a company’s economic outlook, not to mention the reputational damage it may face. Since 2022, at least 10 companies have been fined in the U.S. for not complying with various privacy laws. In Europe, Amazon was fined $888 million for targeting users without proper consent, the report noted.
In order to avoid penalties, marketers can work with partners who specialize in and prioritize privacy. Specialized tools such as artificial intelligence and other technologies can also be used to help increase compliance and minimize risk.
“Marketers should be aware of the potential privacy risks when setting up new advertising partners or technologies. With the fast-paced nature of marketing, it’s easy for risks to occur, but it’s not too difficult to implement guardrails to minimize risk and still execute successful campaigns,” said Antil. “It’s critical for marketing, privacy, and engineering teams to create clear processes for adding new advertising partners and changing data flows for existing partners.”