Almost Half of Top Websites Now Misconfigure Google Consent Mode in Violation of Privacy Laws, Privado AI Research Finds
- On June 15, 2026, Google removed the Google Analytics setting that limits cross-device remarketing, leaving Google Consent Mode as the only privacy control for Google Ads
- 48% of the 250 most-visited websites tested misconfigure Consent Mode, sending personal data to Google Ads against the visitor’s choice
- Visitors who opt out may still be tracked across devices and shown the personalized ads they declined, putting the companies behind those sites at risk of regulatory action
- The findings come from new Privado AI research, The State of Google Consent Mode
NEW YORK--(BUSINESS WIRE)--Privado AI, the agentic privacy platform reducing compliance risk at scale, today released research finding that 48% of the most-visited websites it tested have a misconfigured Google Consent Mode, sending personal data to Google Ads even when visitors opt out.
The scan of 250 of the most-visited websites across California, France and the UK was run the morning after June 15, 2026, when Google removed the Google Analytics setting that had limited personalized ads when consent was set up wrong. With that backstop gone, Consent Mode is now the only control standing between a visitor’s choice and the Google ad stack. Any Consent Mode misconfiguration will now send the full signal to Google Ads for cross-device remarketing against visitors’ consent.
Consent management platforms record a visitor’s choice, but they were not built to verify whether it is enforced across the tags and third parties that fire on a page. As marketing teams change third-party data flows week to week, new gaps open that the banner cannot catch.
On 48% of the sites Privado AI scanned, the visitors’ personal data was sent to Google Ads without proper consent. A person who opts out, expecting not to be followed, will still see personalized ads from that website across devices linked to their Google account. For the business running the site, the gap between the choice on screen and the data leaving the page is the compliance exposure for CCPA, GDPR, and many other privacy laws.
What the scan found
- 48% of sites have at least one Google Consent Mode misconfiguration
- 40% in California keep Consent Mode granted after a Global Privacy Control opt-out, violating CCPA
- 28% in Europe start in a granted state by default, violating GDPR
- 19% in Europe do not switch to denied after a visitor selects reject all, violating GDPR
- Across the wider compliance study, 90% of sites fail at least one privacy compliance test, and 87% fail at least one check under the California Consumer Privacy Act (CCPA)
Daniel Goldberg, Chair of Data Strategy & Privacy at Frankfurt Kurnit Klein + Selz, said, “GDPR, CCPA, and CIPA (California Invasion of Privacy Act) operate differently, yet many companies implement cookie-based approaches designed for GDPR. As a result, they miss key state law requirements, helping explain why California implementation lags. This increases regulatory and litigation risk, including exposure to dark patterns and misleading claims.”
The findings arrive as enforcement accelerates. Fines and lawsuits tied to website data sharing are rising under the CCPA, CIPA, the Video Privacy Protection Act (VPPA), and the EU’s General Data Protection Regulation (GDPR). Regulators in the UK and EU have announced enforcement sweeps. Under the CCPA, penalties are assessed per violation and rise when violations are intentional or involve minors, so a single misconfiguration repeated across millions of sessions can carry material exposure.
The full report, The State of Google Consent Mode, is available at privado.ai.
Vaibhav Antil, Co-Founder and CEO of Privado AI, said, “Collecting consent and enforcing it are two different things. The banner records the choice, and the data reaches Google Ads anyway. What our research shows is that surface-level compliance and manual checks are no longer enough. The controls change overnight and the websites change every week, so a setup that passed last month can be failing today, and no one would see it. Privacy is fast becoming critical infrastructure within businesses, too important and too complex to fail, and as such requires intelligent real-time monitoring.”
About Privado AI
Privado AI is the agentic privacy platform to reduce compliance risk at scale. With AI agents and real-time software scanning designed for privacy teams, Privado AI automates manual compliance work, delivers complete personal data visibility, and helps eliminate privacy risk. As technology has outpaced manual privacy controls, Privado AI has built AI-native solutions to automate risk discovery, assessments, and data maps. It prevents website and app privacy violations with automated audits that verify consent compliance, populates entire assessments with agents that analyze documentation, contracts, and data flows, and builds dynamic data maps by scanning web, app, backend, and third-party software. Founded in 2020 and based in New York, New York, Privado AI is trusted by enterprise and SMB companies around the world, including Riot Games, Principal Financial Group, Virgin Voyages, and HERE Technologies.
Notes to editors
Privado AI’s Web Auditor scanned the top 250 websites by traffic in each market (excluding .edu, .gov and .org domains) across California (CCPA), France and the UK (GDPR), simulating real user sessions that included Consent Mode parameters, Global Privacy Control opt-outs, and reject-all sessions. Sites were scanned before the change on June 11 and again after it on June 16, 2026.
Acronyms: CCPA, California Consumer Privacy Act; CIPA, California Invasion of Privacy Act; VPPA, Video Privacy Protection Act; GDPR, General Data Protection Regulation; GPC, Global Privacy Control.
Contacts
Media Contact
THOUGHT·LDR for Privado AI +44 7553600128
privado@thoughtldr.com

