Most Businesses Ignore Privacy Laws Until It's Too Late

LEGAL

Tom Lacey - Legal Contributing Writer

9/7/2022 | 5 min read


Privacy Laws are Expanding Rapidly Across the Globe

By 2023, approximately three-quarters of the world's population will be living under consent-based privacy legislation that requires explicit consumer permission before personal data can be collected or shared. In the United States specifically, this regulatory momentum is accelerating with newly enacted privacy laws in Colorado, Virginia, Connecticut, and Utah, along with California's significantly updated CPRA amendments to its original CCPA framework. However, a troubling disconnect has emerged: while these regulations are taking effect at an unprecedented pace, the vast majority of businesses remain woefully unprepared to comply with them. This wave of legislation is not merely the beginning of privacy regulation; it is the start of a sustained trend that balances commercial interests, individual freedoms, and national security concerns.

The Persistent Problem of Data Leakage

These emerging regulations are creating an invisible yet enormously consequential threat to organizations. Under these new laws, consumers are gaining meaningful rights to prevent their personal information from being shared with third parties. Yet many companies lack adequate systems and processes to honor these requests. The real danger lies in the fact that data frequently leaks far more extensively than organizations realize, often unintentionally. These breaches can occur through multiple pathways: tracking pixels and beacons embedded on web pages that transmit data without proper safeguards, software patches that inadvertently disrupt the transmission of consumer opt-out signals, or careless data practices from vendors and service providers. The painful reality is that consumers often discover these data leaks before the companies responsible for them do, which means the damage is already done by the time a breach is detected.

Understanding the Two Critical Compliance Gaps

The encouraging aspect of this regulatory landscape is that most new state privacy laws are being designed with interoperability in mind, meaning they share similar requirements and standards. This consistency creates an opportunity: by addressing two specific compliance failures that many organizations are currently ignoring, companies can not only shield themselves from legal consequences, but also position themselves to adapt more easily to future privacy legislation across different jurisdictions.

Compliance Area One: Implementing Multiple Opt-Out Mechanisms

A crucial requirement in the CCPA, which will continue under the CPRA, mandates that businesses (rightfully so) must offer consumers at least two different approved methods for opting out of personal data sharing. The CPRA will replace the term "selling" with "sharing" to eliminate confusion about what practices this covers. When researchers examined the largest corporations to assess compliance, the findings were deeply concerning. In a study of Fortune 100 companies conducted in the second quarter, researchers discovered that only 52 companies actually offered two or more opt-out methods, and of those, only 33 were using approved methods. The situation has likely worsened since these initial findings, particularly after regulatory agencies began issuing fines, such as the $1.2 million penalty against Sephora in August for non-compliance.

Companies are certainly attempting to do the right thing, but many of their current approaches fall short of legal requirements, especially when considering how frequently these methods fail to work properly. Five primary opt-out methods are currently used by American businesses: industry consortia that work collectively to manage opt-outs, web-based forms that consumers fill out, consent management platforms that capture preferences from website visitors, offline methods like telephone numbers or mail addresses, and user-enabled browser tools such as Global Privacy Control.

Each method has significant limitations. Industry consortia are technically the most reliable, though regulators have questioned whether they're truly sufficient on their own. Web forms can be effective when they trigger company actions like data deletion or account access, but they fail roughly half the time when attempting to communicate with web browsers due to implementation errors. Consent management platforms typically capture opt-out preferences successfully, yet they experience transmission failures more than one-third of the time when communicating with third-party vendors, what experts call "dark signals." Global Privacy Control and similar browser-based tools are now mandated by California law, and enforcement agencies have demonstrated serious consequences for ignoring these signals, as evidenced by the Sephora fine.

Companies must conduct thorough audits of their current practices, identify weak points, and ensure their opt-out methods match how they actually interact with customers. For example, providing only a phone number for opting out makes little sense if the company is sharing data about visitors who aren't logged into accounts, as call center representatives cannot realistically connect unauthenticated callers to online profiles. Organizations should consider implementing technology solutions that continuously monitor and audit their opt-out mechanisms to catch and address leaks before they cause serious damage.
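The two failure modes described above (a browser opt-out signal that is never honoured, and an opt-out that is captured but never reaches third-party vendors, the "dark signal") can both be checked mechanically. The following is an added example, not code from the article or from any vendor it mentions: it reads the real Global Privacy Control signal (`navigator.globalPrivacyControl` in the browser, the `Sec-GPC: 1` request header on the server) and then audits a list of observed outbound pixel/beacon URLs against a vendor catalogue. The vendor hostnames and their opt-out query parameters are constructed for the example.

```javascript
// Added defender-side audit example (not from the article). Checks (1) whether a
// GPC opt-out was requested and (2) whether that opt-out was actually transmitted
// to third-party tracking endpoints, flagging "dark signals" where it was not.

// GPC is exposed as navigator.globalPrivacyControl === true in the browser and
// as the request header "Sec-GPC: 1" on the server; both forms are handled here.
function gpcOptOutRequested(headers, navigatorLike) {
  if (navigatorLike && navigatorLike.globalPrivacyControl === true) return true;
  const raw = headers ? (headers['sec-gpc'] ?? headers['Sec-GPC']) : undefined;
  return String(raw ?? '').trim() === '1';
}

// Constructed vendor catalogue: hostname -> query parameter the vendor documents
// as its opt-out flag. These hostnames and parameter names are hypothetical.
const VENDOR_OPT_OUT_PARAMS = new Map([
  ['pixel.example-adtech.test', 'opt_out'],
  ['beacon.example-analytics.test', 'privacy_optout'],
]);

// Given the user's opt-out state and the outbound request URLs observed on a page
// (e.g. from a synthetic browser session), return one finding per vendor request
// that should have carried the opt-out flag but did not.
function auditOutboundRequests(optedOut, requestUrls) {
  const findings = [];
  for (const url of requestUrls) {
    const u = new URL(url);
    const param = VENDOR_OPT_OUT_PARAMS.get(u.hostname);
    if (!param) continue; // first-party or uncatalogued host: not audited here
    const transmitted = u.searchParams.get(param) === '1';
    if (optedOut && !transmitted) {
      findings.push({ host: u.hostname, issue: 'dark signal: opt-out not transmitted to vendor' });
    }
  }
  return findings;
}

// Constructed sample session: the visitor sent Sec-GPC: 1, two vendor beacons fired.
const SAMPLE_HEADERS = { 'sec-gpc': '1' };
const SAMPLE_REQUESTS = [
  'https://pixel.example-adtech.test/collect?uid=abc123&opt_out=1',   // honoured
  'https://beacon.example-analytics.test/b?uid=abc123',                // dark signal
  'https://www.example-shop.test/cart',                                 // first-party, skipped
];

function runSampleAudit() {
  const optedOut = gpcOptOutRequested(SAMPLE_HEADERS, undefined);
  return auditOutboundRequests(optedOut, SAMPLE_REQUESTS);
}
```

Feeding the audit with URLs captured from a headless browser session run periodically against production pages turns this into the continuous monitoring the section recommends.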

Compliance Area Two: Monitoring and Auditing Service Providers

Recent additions to CCPA regulations now require businesses (again, rightfully so) to regularly and thoroughly audit their partners' data practices to ensure that any shared information is being used lawfully and ethically. This fundamental shift means companies can no longer ignore or excuse unethical behavior by their vendors, nor can they rely solely on contractual agreements to transfer liability. Researchers have documented troubling cases where personal data was misused by partners several layers removed, situations where bad actors essentially skimmed consumer data the way credit card thieves skim card numbers with gas pump skimmers. These actors target personal data because it's valuable to malware developers, data brokers, and even competitors.

Rick Arney, who co-authored both the CCPA and CPRA legislation, emphasized this point: companies must genuinely prioritize consumer interests, and this obligation extends beyond simply following the letter of the law to embracing its spirit. Organizations are legally responsible not just for how their direct partners use shared data, but for how those partners' partners use it. If a company fails to audit its vendors' systems, it cannot claim ignorance if those vendors violate the law. This responsibility supersedes any indemnification clauses in business contracts. The good news is that software solutions can now automate much of this monitoring work, making continuous oversight more practical for organizations of all sizes.

Why We Do What We Do

Beyond the obvious legal and regulatory imperative, there's a compelling business case for prioritizing these changes. Trust and consumer relationships are becoming the defining factors in commercial success. According to the 2022 Adobe Trust Report, 69 percent of customers will stop shopping with companies that use their personal data without permission, and 68 percent will abandon brands that disrespect their stated data preferences. Modern consumers are far more sophisticated about online advertising and data practices than many executives assume, and they consistently recognize when their information is being misused without consent.

Even more telling, business leaders themselves recognize the urgency. According to KPMG research, 62 percent of business leaders believe they should be doing more to protect customer data, 33 percent acknowledge that consumers rightfully worry about how their information is used, and 29 percent admit their companies sometimes employ unethical data collection practices. The era of making excuses has definitively ended.

Companies that position themselves as privacy and consumer protection leaders have an extraordinary opportunity to distinguish themselves and strengthen their brand reputation. Fortunately, enforcement agencies understand that perfect compliance doesn't happen overnight. Colorado Attorney General Philip Weiser clarified that his office prioritizes willful violators: "our number one priority is those who are wilfully non complying with the law. That is where our blood is going to most boil." Similarly, Connecticut State Senator James Maroney, who authored Connecticut's privacy law, noted that state attorneys general are not pursuing "foot faults or little fouls"—they're focused on serious violations.

The intent behind these laws isn't to punish or hamper business; it's fundamentally about protecting consumers. This mirrors historical precedent: when email spam became overwhelming in the early 2000s and consumers demanded privacy protections, the CAN-SPAM Act of 2003 transformed email practices forever, and opt-out provisions became the expected industry standard. The same transformation is now happening with privacy in digital advertising. Organizations that embrace these changes proactively will find that consumers appreciate and reward their commitment to protecting personal information.