The Consent Compliance Gap: What DataGrail’s Research Found

Ian Phippen - June 1, 2026

On paper, proper consent hygiene is one of the easiest ways to improve your compliance posture, yet over 63% of websites are still struggling.

Consent is the most visible part of any privacy compliance program. It’s on the homepage. Any regulator, plaintiff attorney, or privacy-curious journalist can check it without a subpoena. Of course it’s an enforcement target. And if the $4.3 million California brought in on public settlements alone in 2025 is any indication, state enforcement agencies are ready to take action. 

Yet, according to our 2026 Privacy & AI Trends Report, getting compliant doesn’t require huge sacrifices from your marketing team, and you can make meaningful progress with just a few simple steps. 

Read on for a closer look at the numbers and what you can do to ensure your consent management holds up to inspection. 

The opt-out signal paradox

According to DataGrail’s audit of 5,000 popular websites, at least 63% fail to fully comply with UOOMs today. Meanwhile, only 1.3% of users actually send GPC or DNT signals.

Consumers may not use opt-out signals en masse, but regulators do. An opt-out signal gives a meaningful impression of your privacy posture the moment a potential auditor lands on your website.

As of 2026, 10+ states require businesses to honor universal opt-out mechanisms (UOOMs) like the GPC. When a user’s browser sends this signal, covered companies are legally required to stop non-essential tracking for that user. Regulators across states now coordinate enforcement, and GPC compliance has become a routine early checkpoint in any audit. Failing to honor GPC signals doesn’t immediately fail an audit. It does draw increased scrutiny. And if you can’t demonstrate that you have resolved the issue to the regulator’s satisfaction, GPC non-compliance becomes another layer of exposure on top of whatever else was flagged.

Bar chart titled 'UOOM Noncompliance by Year (via trackers continued after opt out)' showing non-compliance rates by year: 75% in 2023, 69% in 2024, and 63% in 2025.

2025 actually showed an improvement. The failure rate was 75% in 2023, and 69% in 2024. Companies are making progress, but slowly, and the regulatory bar keeps moving in the other direction: more states are adopting UOOM requirements, and enforcement capacity is growing.

Every test DataGrail performed was in a state that requires GPC compliance. None of the websites tested were exempt from the state’s privacy laws. The test used a GPC signal rather than Do Not Track (DNT) because our research found that users are nearly three times as likely to employ a GPC signal as a DNT signal. And the practical percentage may be much higher: our final figure does not consider websites whose non-compliance we could not verify with absolute certainty.

The Takeaway

Well over half of websites have sacrificed consent compliance in exchange for tracking less than 2% of their visitors. The business impact of honoring opt out signals is minimal. The compliance impact of not honoring them is not.

Don’t let GPCs and other UOOMs be an afterthought. Plan your consent strategy around them from the start. GPC compliance can be a very simple and low-risk step toward making the right impression with potential auditors.

For now, consumers rejecting trackers is a relatively minimal concern

The UOOM compliance gap isn’t the only tension between privacy and marketing teams. The most common stall when implementing a consent banner isn’t technical. It’s navigating internal debate over the banner’s copy. Stakeholders worry that offering “too much” transparency in a banner will sacrifice important business reporting and advertising tools as consumers indiscriminately opt out given the opportunity. Privacy teams balance this tension against increasing regulatory scrutiny of dark patterns.

But at least for now, DataGrail’s research shows the customers who encounter your consent banner aren’t opting out. 

Across all consent banner configurations and industry types, fewer than 15% of users make a conscious choice to opt out of some or all non-essential tracking today.

Pie chart titled 'Average Response to Cookie Consent Banners' showing the distribution of responses: Accept all 48.3%, Exit without a selection 37%, Essential only 12.4%, and Custom 2.3%.

48.3% of users engaging with a consent banner simply accept all tracking. 12.4% select essential cookies only, 2.3% configure custom settings, and 37% exit without making a selection at all.

Keep in mind, not all consent banner configurations will offer users all of these options. User selections could also be influenced by your industry, recent news events, and the language you use in your banner. We saw some websites achieve “accept all” rates as high as 95%. 

The more complicated question is how a business treats users who exit without making a selection. Most U.S. states allow websites to opt users into tracking non-sensitive data by default, and as a result, many banners are built to continue tracking users who hit the “X” button, dismiss a banner, or simply browse while ignoring the banner. But this result isn’t necessarily the expected outcome for the user, who may not know the details of their local regulations. 

New and amended regulations are growing increasingly suspicious of the dismiss button as a dark pattern, and class action litigators arguing CIPA, ECPA, or VPPA claims have also won court cases on this point. As regulatory and enforcement pressure increase, we may see user behavior shift. 

For now, it’s up to you and your stakeholders to decide how to handle users who dismiss the banner in the U.S. There are pros and cons to defaulting to tracking or non-tracking on dismissal, and the decision should factor in your customer expectations, marketing philosophy, and overall risk tolerance.

The Takeaway

Implementing a consent banner isn’t the threat to analytics and advertising data quality your partners in marketing may fear. Write clear and transparent banner copy and compare your results against the benchmarks. 

If potential impact on marketing is a blocker to your consent implementation, start with a phased approach. Bonafide Health took a clever approach: it tested small wording changes and new state privacy requirement rollouts first in states that still lack any formal consent requirements. The results helped forecast the impact on larger markets and kept their growth team meaningfully informed.

Best-laid plans still require maintenance. 

The number of websites that fail to honor UOOMs is so high, it’s unlikely that every offending website disregarded UOOMs on purpose. Many websites simply miss some non-essential trackers when configuring their consent management platform. 

Ideally, your privacy team regularly reviews consent compliance and implements safeguards. It’s difficult to be part of every website decision, so pay the closest attention to top offenders. 

DataGrail’s research found that when trackers fire despite a GPC signal, Google Analytics is the most common offender, accounting for 27.1% of all trackers that ran after a GPC opt-out was received. Meta and Microsoft round out the top three. 

43.8% of trackers that fired despite a GPC signal were targeted advertising trackers, the category that currently carries the highest enforcement sensitivity and the most regulatory attention.

These aren’t obscure tools. They’re standard components of most marketing and analytics stacks. Getting them to honor GPC signals requires knowing they’re on your site, understanding how your consent management platform interacts with each one, and verifying that configuration holds across site updates, new tag deployments, and vendor changes.
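One way to run the verification described above, as an added example (not DataGrail's tooling or methodology): audit a HAR capture recorded from a browser session with GPC enabled, and list requests that still went to tracker hosts. The `TRACKERS` map, its category labels, the function names and the `shop.example` capture are assumptions constructed for illustration; `Sec-GPC: 1` is the request header defined by the GPC specification.

```javascript
// Added example: flag tracker requests in a HAR capture recorded with GPC enabled.
// TRACKERS is an illustrative, hand-maintained map (assumption), not a vendor list.
const TRACKERS = {
  "google-analytics.com": "analytics",
  "connect.facebook.net": "targeted advertising",
  "bat.bing.com": "targeted advertising",
};

// Return the tracker category for a hostname, matching the domain or any subdomain.
function classifyHost(host) {
  for (const [domain, category] of Object.entries(TRACKERS)) {
    if (host === domain || host.endsWith("." + domain)) return category;
  }
  return null;
}

// True if the request carried the GPC header (Sec-GPC: 1); header names are case-insensitive.
function sentGpc(request) {
  return (request.headers || []).some(
    (h) => h.name.toLowerCase() === "sec-gpc" && h.value.trim() === "1"
  );
}

function auditGpcCapture(har, siteHost) {
  const entries = har.log.entries;
  const pageLoad = entries.find((e) => new URL(e.request.url).hostname === siteHost);
  // If the page load itself lacked the signal, the capture proves nothing either way.
  if (!pageLoad || !sentGpc(pageLoad.request)) {
    return { valid: false, findings: [] };
  }
  const findings = [];
  for (const e of entries) {
    const host = new URL(e.request.url).hostname;
    const category = classifyHost(host);
    if (category) findings.push({ host, category, url: e.request.url });
  }
  return { valid: true, findings };
}

// Constructed sample capture (not real traffic).
const gpc = [{ name: "Sec-GPC", value: "1" }];
const SAMPLE_HAR = { log: { entries: [
  { request: { url: "https://shop.example/", headers: gpc } },
  { request: { url: "https://shop.example/app.js", headers: gpc } },
  { request: { url: "https://www.google-analytics.com/g/collect?v=2", headers: gpc } },
  { request: { url: "https://bat.bing.com/bat.js", headers: gpc } },
  { request: { url: "https://cdn.example.net/font.woff2", headers: gpc } },
] } };

console.log(auditGpcCapture(SAMPLE_HAR, "shop.example"));
```

Each finding is a prompt to review how the consent management platform handles that tag, and rerunning the audit after tag deployments or vendor changes shows whether the configuration still holds.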

The Takeaway

At a minimum, train your web team to ensure you’re in the loop on Google Analytics and targeted advertising updates. These are the most likely causes for straying off track on your compliance.

Realistically, you need continuous oversight. Many scripts are named so cryptically that without careful documentation, categorizing them all can take hours. For DataGrail customers, Vera, DataGrail’s AI agent, can detect and classify cookies in bulk, eliminating the manual guesswork entirely.

Consumer awareness reshapes opt-out behavior

One of 2025’s largest news items was the California Attorney General’s announcement of a $1.55 million settlement with Healthline. While the complaint covered wide ground, the most discussed element was the argument that by selling browsing data to third parties for pages that could imply specific health diagnoses, Healthline hadn’t just shared personal data; it had arguably sold sensitive data.

In the very same year, DataGrail found that health and wellness brands saw over 20 times more opt-out requests on average in 2025 compared to 2024.

The pattern is instructive beyond the health vertical. When a high-profile company gets fined for tracking-related violations, it creates heightened scrutiny for the entire industry category. Companies that relied on low consumer awareness of their consent practices found themselves exposed not by regulators finding them first, but by consumers deciding to act after a news story changed their understanding of what was at risk.

Health and wellness brands now lead all industries in “Do Not Sell or Share” request volume, at 758 requests per month per 5 million unique annual web visitors. That’s significantly higher than any other industry in DataGrail’s dataset. 

Horizontal bar chart showing industries by average monthly opt-out requests per 5M visitors; Health & Wellness is 758, followed by Gambling 66, Professional Services 63, Financial Services 47, Retail & D2C 36.

While the health and wellness industry has long managed high deletion and access request volumes, before 2025, the industry’s opt-out volume was barely a blip on the radar. Consumer behavior has completely transformed in this category. 

For privacy teams in any industry where a peer company has faced consent enforcement recently, this is a useful signal: heightened scrutiny tends to spread.

The Takeaway

Your own privacy events aren’t the only ones your team needs to track. Even if your privacy posture is top-notch, public settlements, data breaches, and civil actions can ripple out and affect consent preferences and opt-out volume among your audience too. Your team needs to be prepared to rapidly scale up any time an adjacent company takes a punch.

What this means for your consent program in 2026

The consent management data from 2025 points to a few practical priorities:

Start with a baseline audit. Before building a remediation roadmap, know what’s actually running on your website and whether your consent management platform is honoring the signals it’s supposed to. Many teams discover they have more tracker coverage gaps than expected.

Treat compliance as part of your WebOps workstream, not a one-time fix. New tag deployments, vendor updates, and site changes can reopen gaps that were previously closed. Continuous monitoring is the only way to stay ahead of this.

Watch your industry peer group. The health and wellness opt-out surge shows that enforcement against a peer company can rapidly change the consumer and regulatory climate for everyone in a category.

DataGrail Consent gives you the infrastructure to get this right

Auditing your current consent posture, monitoring new tracker deployments, and ensuring GPC signals are honored across your tech stack aren’t one-time tasks. They require continuous oversight and the ability to act quickly when something slips.

DataGrail Consent is built for exactly this. Vera, DataGrail’s AI agent, scans and classifies cookies in bulk, flags new trackers as they appear, and surfaces compliance gaps before they become enforcement risks. You get continuous GPC signal monitoring, low-code configuration, and full consent workflow management without waiting on a developer.  

AI-forward teams can even use DataGrail directly with Claude or Cursor to query consent data, pull compliance status, and complete work directly in the platforms your team already uses.

Whether you’re starting from scratch or looking to close the gaps from your current CMP, DataGrail Consent is ready to help.

Get the full story

Consent management is one topic in DataGrail’s 2026 Privacy and AI Trends Report. The report also covers the rapid expansion of AI governance risk, the continued growth of data subject requests, and the country’s readiness for the CCPA’s new risk assessment requirement. 

Read the full 2026 Privacy and AI Trends Report for the complete picture of where privacy stands this year and what privacy teams need to prioritize to keep pace.
