SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

Report reveals major privacy compliance failures in US, EU

Yesterday

Privado has unveiled its 2024 State of Website Privacy Report, revealing significant non-compliance with privacy regulations among the most visited websites in the United States and Europe.

The report indicates that 75% of the top 100 websites in these regions do not comply with current privacy laws. In Europe, it highlights that 74% of major websites fail to adhere to the General Data Protection Regulation (GDPR) requirements for opt-in consent. Meanwhile, 76% of the leading websites in the United States do not respect opt-out consent as per the California Privacy Rights Act (CPRA).

Data gathered by Privado's consent monitoring solution in September 2024 serves as the foundation for this report. The company released both the solution and the report as a response to the increasing number of privacy fines levied in both jurisdictions.

Since 2018, six of the 20 largest GDPR-related fines have been attributed to consent compliance violations, with Amazon receiving the second-largest penalty of USD $888 million in 2021 for unauthorised targeting of users with advertisements.

In the United States, at least ten companies have faced fines since 2022 for breaching consent compliance governed by CPRA, the Federal Trade Commission (FTC), or the Health Insurance Portability and Accountability Act (HIPAA).

The report underscores that sharing personal data from websites carries substantial legal risk, given mounting fines and growing consumer demand for privacy.

Key findings detail that on average, the most visited websites in the U.S. share personal data with 17 third-party advertisers, while those in Europe share data with six.

"With modern privacy laws now in place, websites have added cookie banners in an attempt to comply, but the banners are usually misconfigured," said Vaibhav Antil, CEO of Privado. "Especially as marketing technology constantly changes on websites, privacy teams need continuous consent testing on websites to ensure compliance."

The report highlights the need for compliance with the CPRA amendment to the California Consumer Privacy Act, mandating U.S. websites to block personal data sharing if users opt out, and GDPR requirements in Europe, obligating websites to only collect and share data with user opt-in consent.

According to the report, non-compliance risks in the U.S. are significantly higher, averaging three times that of their European counterparts.

Top websites in both regions commonly share data with more than 20 third-party entities, a factor contributing to the non-compliance risks.

The report suggests that consent management platforms (CMPs) on their own are insufficient for achieving consent compliance. Although they help manage the complexity of implementing consent banners and handling data, they lack the capability to thoroughly monitor or validate whether the site actually honours the recorded consent.

The combination of privacy code scanning with CMPs is recommended to effectively govern digital tracking for websites and mobile applications. This strategy is proposed as critical for ensuring comprehensive and continuous visibility and governance to maintain compliance with complex privacy regulations.
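The gap the report describes between a banner that records consent and a site that honours it is what a consent audit checks: it observes which third-party hosts a page contacts and compares each request against the consent state at that moment. The following is an added example, not Privado's solution or code from the report; it uses a constructed request log, a constructed first-party domain (`example-news.test`) and a hypothetical two-entry ad-tech host list standing in for a maintained tracker list, and it evaluates the two rules the report cites (GDPR opt-in, CPRA opt-out) over the same observations.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed knowledge for the example: the site's own domain and a small
# ad-tech host list. A real audit would use a maintained tracker list instead.
FIRST_PARTY = "example-news.test"
AD_TECH_HOSTS = {"ads.adnet.test", "pixel.trackco.test"}

# Constructed request log: "<seconds> <url> <consent_state>", where
# consent_state is the banner state recorded when the request was issued.
SAMPLE_LOG = """\
1.0 https://example-news.test/ none
1.2 https://cdn.example-news.test/app.js none
1.3 https://pixel.trackco.test/collect?uid=123 none
2.0 https://ads.adnet.test/bid opted_in
3.0 https://ads.adnet.test/bid opted_out
3.1 https://cdn.example-news.test/x.png opted_out
4.0 https://static.cdnprovider.test/lib.js none
"""


@dataclass(frozen=True)
class Request:
    ts: float
    host: str
    consent_state: str  # "none", "opted_in" or "opted_out"


def parse_log(text):
    """Parse the three-column log into Request records (host only; paths are irrelevant here)."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, url, state = line.split()
        host = urlparse(url).hostname or ""
        requests.append(Request(float(ts), host, state))
    return requests


def is_first_party(host, first_party=FIRST_PARTY):
    return host == first_party or host.endswith("." + first_party)


def ad_tech_requests(requests):
    """Third-party requests to known advertising/tracking hosts."""
    return [r for r in requests
            if not is_first_party(r.host) and r.host in AD_TECH_HOSTS]


def audit(requests, regime):
    """Return (ts, host) pairs for ad-tech requests that breach the regime.

    'gdpr': sharing is allowed only after an explicit opt-in.
    'cpra': sharing is allowed unless the user has opted out.
    """
    if regime not in ("gdpr", "cpra"):
        raise ValueError(f"unknown regime: {regime}")
    violations = []
    for r in ad_tech_requests(requests):
        if regime == "gdpr" and r.consent_state != "opted_in":
            violations.append((r.ts, r.host))
        elif regime == "cpra" and r.consent_state == "opted_out":
            violations.append((r.ts, r.host))
    return violations


def third_party_count(requests):
    """Number of distinct ad-tech hosts contacted, the metric the report reports per site."""
    return len({r.host for r in ad_tech_requests(requests)})


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    print("ad-tech hosts contacted:", third_party_count(reqs))
    for regime in ("gdpr", "cpra"):
        print(regime, "violations:", audit(reqs, regime))
```

On the constructed log the pixel fired at 1.3 s before any consent is a GDPR breach, and the bid request at 3.0 s after the user opted out is a breach under both regimes; the same log passes or fails depending on which rule is applied, which is why the audit has to be re-run as the page's tags change rather than checked once at banner deployment.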
