

Privado AI research finds that 48% of the most-visited websites it tested have Google Consent Mode misconfigured and send personal data to Google Ads even when visitors opt out.
The scan of 250 of the most-visited websites across California, France and the UK was run the morning after June 15, 2026, when Google removed the Google Analytics setting that had limited personalized ads when consent was set up incorrectly. With that backstop gone, Consent Mode is now the only control standing between a visitor’s choice and the Google ad stack. Any Consent Mode misconfiguration will now send the full signal to Google Ads for cross-device remarketing, against visitors’ consent.
Consent management platforms record a visitor’s choice, but they were not built to verify whether that choice is enforced across the tags and third parties that fire on a page. As marketing teams change third-party data flows week to week, new gaps open that the banner cannot catch.
On 48% of the sites Privado AI scanned, visitors’ personal data was sent to Google Ads without proper consent. A person who opts out, expecting not to be followed, will still see personalized ads from that website across devices linked to their Google account. For the business running the site, the gap between the choice on screen and the data leaving the page is the compliance exposure under CCPA, GDPR, and many other privacy laws.
Daniel Goldberg, Chair of Data Strategy & Privacy at Frankfurt Kurnit Klein + Selz, said, “GDPR, CCPA, and CIPA (California Invasion of Privacy Act) operate differently, yet many companies implement cookie-based approaches designed for GDPR. As a result, they miss key state law requirements, helping explain why California implementation lags. This increases regulatory and litigation risk, including exposure to dark patterns and misleading claims.”
The findings arrive as enforcement accelerates. Fines and lawsuits tied to website data sharing are rising under the CCPA, CIPA, the Video Privacy Protection Act (VPPA), and the EU’s General Data Protection Regulation (GDPR). Regulators in the UK and EU have announced enforcement sweeps. Under the CCPA, penalties are assessed per violation and rise when violations are intentional or involve minors, so a single misconfiguration repeated across millions of sessions can carry material exposure.
Vaibhav Antil, Co-Founder and CEO of Privado AI, said, “Collecting consent and enforcing it are two different things. The banner records the choice, and the data reaches Google Ads anyway. What our research shows is that surface-level compliance and manual checks are no longer enough. The controls change overnight and the websites change every week, so a setup that passed last month can be failing today, and no one would see it. Privacy is fast becoming critical infrastructure within businesses, too important and too complex to fail, and as such requires intelligent real-time monitoring.”
Download the State of Google Consent Mode Report now