Most U.S. Websites Are Failing Consent Compliance… and Users’ Trust
Tag Inspector audited 450 U.S. websites across five industries to measure how sites handle consumer tracking before and after consent. What we found should concern every privacy officer, legal team, and digital executive accountable for data governance.
The consent gap is wider than most organizations realize
Consent banners are visible on the majority of websites. But a banner is not a compliance program. The data shows that displaying a consent prompt and actually honoring user choices are two very different things — and the distance between them is where legal exposure lives.
The typical U.S. website fires 25 tracking tags before a user interacts with any consent interface at all. Half of all audited sites run between 11 and 50 tags pre-consent, with the highest observed count reaching 178. That pre-consent data collection sits squarely in the crosshairs of CCPA enforcement, Colorado’s CPA, Connecticut’s CTDPA, and the wiretapping theories increasingly central to CIPA litigation.
79% of U.S. websites are still loading at least one targeting or advertising tag after a user explicitly opts out. Nearly one in four sites make no changes at all based on a user’s consent choice.
This is not a corner-case problem. After a clear opt-out signal, the median site continues sharing data with 5 advertising or analytics vendors. At the extreme end of the distribution, some sites are sending personal information to 139 platforms post-opt-out. Under 19 currently enforceable state privacy laws, each of those data transfers is a potential violation.
The platforms regulators are watching
Four third-party platforms appear repeatedly in enforcement actions and CIPA wiretapping suits filed in 2024 and 2025. All four are commonly deployed, and all four show meaningful rates of continued firing after user opt-out: the Facebook (Meta) Pixel appears on 62% of audited sites and keeps loading after opt-out on 30% of them. LinkedIn Insight is present on 54% of sites, still active post-opt-out on nearly 24%. Bing Ads UET and the TikTok Pixel follow the same pattern.
41% of all audited sites have at least one of these four platforms loading after a user has opted out. Given their prominence in recent regulatory scrutiny, leaving any of them unaddressed in a consent architecture is a material oversight.
Industry exposure is not evenly distributed
The audit covered five sectors, and the differences are significant. Healthcare leads the group with the lowest opt-out failure rate — just 21% of healthcare sites block fewer than 90% of tracking tags upon opt-out. The sector’s heightened caution tracks with FTC pixel guidance and the consequences of high-profile enforcement actions targeting health data specifically.
Finance tells the opposite story. Despite operating under some of the most scrutinized compliance environments in the country, 74% of finance sites fail to adequately suppress tracking after opt-out — the highest failure rate of any sector in the study. Media lands close behind at 71%, driven by deep ad-tech dependency. eCommerce and CPG sit in the middle at 57%: better than finance, but still more than half leaking data after a user has explicitly asked them to stop.
What enforcement actually costs
State penalties under CCPA run from $2,663 per violation up to $20,000 per violation under Colorado’s CPA. California’s Invasion of Privacy Act creates a separate private right of action at $5,000 per incident plus attorney fees — a structure that has fueled a wave of class action litigation targeting pixel-based tracking specifically.
Recent settlements give those per-violation figures real context. Healthline Media settled for $1.55M over online tracking violations. Jam City settled for $1.40M for failing to provide opt-out mechanisms for sale of personal information. Tractor Supply paid $1.35M for insufficient opt-out controls. These are not outliers. They represent the enforcement pattern that privacy teams and legal counsel are now tracking closely across every industry.
A site with an unlawful consent architecture — one with no meaningful mechanism to honor opt-out signals across its full tag stack — carries potential exposure exceeding $10M once statutory damages, litigation costs, and mandated remediation are factored together.
Where to go from here
The full 2025 State of Consent Compliance report covers all five industries, detailed per-platform breakdowns, opt-out behavior analysis, and the methodology behind the risk exposure calculations. If your organization operates a consumer-facing website and has not conducted a consent audit recently, the data in this report is a useful place to start that conversation.
