Legal Enforcement for Consent

Enforcement is no longer theoretical. After analyzing consent compliance on 5,000 websites, DataGrail found that several organizations have faced enforcement actions due to improper CMP setup or failures of the tool itself. Our Data Privacy Trends Report explores how businesses are reacting to Universal Opt-Out Mechanisms (UOOMs) such as Global Privacy Control (GPC). These mechanisms are designed to allow consumers to easily tell businesses not to sell or share their personal data for advertising.

Here’s the catch: 69% of organizations still fire tracking cookies after a visitor opts out. This means these businesses continue to deploy tracking cookies and, albeit inadvertently, are violating consumer preferences. This is likely because businesses think they are compliant, but the technology they have in place isn’t configured properly or doesn’t support GPC. Alternatively, they are unaware this is now a requirement or are unprepared for upcoming legal changes.

In 2025, a major automotive brand was fined over $630,000 by the California Privacy Protection Agency for consent violations that included asymmetric cookie choices, excessive verification requirements for opt-out requests, and missing vendor contracts with advertising partners. A national retailer paid over $345,000 after its consent banner malfunctioned for 40 days while data collection continued uninterrupted. A large retail chain settled for $1.35 million over failures that included ineffective opt-out mechanisms, unprocessed GPC signals, and missing vendor contracts. On the EU side, GDPR fines have cumulatively exceeded €7.1 billion since 2018, with consent violations a consistent enforcement trigger.

This discrepancy emphasizes the complexities of the current consent environment. Do-Not-Sell request volumes increased 37% year over year, and enforcement agencies have the resources and mandate to investigate. The pattern is consistent: having a consent tool deployed is not a defense. Regulators are looking at whether the tool actually works: whether opt-out signals are honored, whether consent design is symmetrical, and whether the business can document compliance.