Best Practices

Consent monitoring: How to automate CMP audits and eliminate privacy risk

Ben Werner
May 20, 2025

Most websites in the US and Europe now have consent banners to comply with web privacy laws, yet 75% of websites are still not privacy compliant. Why is that?

Consent management platforms (CMPs) are effective for setting up and managing consent banners, but they do not provide the visibility or the controls to prevent compliance risks. 

Instead, companies must manually audit websites and mobile apps or risk a privacy lawsuit for violating GDPR, CCPA, CIPA, VPPA, etc. As a result, many privacy teams are unaware that their CMP is not properly collecting or enforcing consent for data sharing on websites and apps until it is too late and there is a threat of legal action.

The risk of a CIPA lawsuit in the US has skyrocketed in recent years. At least 1,641 California Invasion of Privacy Act (CIPA) lawsuits have been filed since 2022. Since many of these claims are being filed in private arbitration and are resolved without any publicly filed lawsuits, the law firm Fisher Phillips estimates that the number of businesses affected since 2022 is closer to 5,000.

Enforcement has also increased for the California Consumer Privacy Act (CCPA) and Video Privacy Protection Act (VPPA) in the US. In 2025, Honda and retailer Todd Snyder both received landmark fines because their websites violated CCPA’s requirement that users must be able to opt out of data sharing for advertising purposes without providing excessive personal data. Also in 2025, Roku was sued because its connected TV apps and websites allegedly violated VPPA’s requirement that users’ video purchase or rental history cannot be shared together with PII (personally identifiable information) without the user’s explicit consent.

In Europe, UK and France regulators have vowed to clamp down on data sharing from websites and mobile apps that does not comply with GDPR (General Data Protection Regulation). In January 2025, the UK’s ICO announced its plans to assess and ensure compliance among the top 1,000 UK websites using automated monitoring, and in September 2024, France’s CNIL announced a 2025 investigation campaign into mobile apps that do not comply with its new recommendations for GDPR compliance. 

With privacy enforcement ramping up and nearly 20 new US state privacy laws since 2023, any company participating in digital advertising is at increasing risk of a privacy violation if they are not monitoring consent and data flows on their websites and apps.

This presents a huge challenge for most companies because most websites and apps are covered with pixels and SDKs (software development kits) from advertising third parties collecting user data on every visit, and CMPs are not equipped to verify that all privacy requirements are being followed. As marketing and product teams continue to update websites and apps on a weekly basis, regular and thorough audits are needed to ensure privacy compliance. 

To fill this governance gap, many companies employ privacy operations teams or consultants to manually test all websites and apps for all privacy requirements in every location, but those tests are extremely time consuming and still unreliable. 

To scale privacy compliance, privacy teams need an automated solution that regularly scans live websites and apps to ensure:

  • Consent banners display properly in each location
  • No unapproved third parties are receiving data
  • Data flows are limited according to consent choices and applicable regulations
  • Risks are immediately communicated to the privacy team and other stakeholders
Screenshot of privacy risk identified by Privado.ai on a demo website

By simulating user activity for each consent action on live websites and apps and recording personal data flows, all necessary privacy compliance checks can be fully automated. We call this live product scanning. Unlike privacy code scanning, live product scanning requires no technical implementation, just the URL or app file is needed.  

Privado.ai’s Web Auditor and App Auditor offer the most comprehensive live product scanning solutions to monitor consent and data flows for complete privacy compliance in all locations.

Why consent management platforms don’t ensure consent compliance 

Consent management platforms (CMPs) collect, act on, and record user consent for websites and mobile apps. On the surface, these tools offer customizable cookie banners that allow users to opt in or out of data sharing. On the backend, CMPs act on user preferences by limiting data sent to third parties and internal systems. 

Although CMPs are needed to manage the complexity of implementing consent banners and data flows across websites and apps in each region, CMPs can’t sufficiently monitor privacy compliance.

Many consent management platforms can run scans to identify cookies, pixels, scripts, and SDKs, but they don’t offer the capabilities to identify privacy risks based on consent, sensitive data sharing, or cross-border transfers. 

CMPs rely on continual manual configuration to maintain compliance. If consent policies or data flows are not configured correctly for every device/channel, location, type of data, or third party pixel or SDK, there are no alerts or safeguards to prevent non-compliant data sharing. 

Additionally, non-compliance can occur if the CMP is not updated when changes are made to the website or app by the engineering or marketing team. Unfortunately for privacy teams, companies have an increasing number of websites and apps, and they are being updated constantly with releases often occurring weekly. 

Top Website & App Privacy Risks 

United States

CIPA (California Invasion of Privacy Act)

CIPA is a 1967 law that has been recently used by lawyers to sue thousands of companies for improper tracking of users without consent. CIPA prohibits recording or intercepting communications without explicit user consent. Lawyers have filed thousands of class action lawsuits since 2022 claiming this should apply to websites and apps that collect and share personal data without explicit user consent, but the courts have yet to determine how to apply the law in these cases.

  • Non-compliant consent banners: To be conservative and eliminate all CIPA risk, companies should implement opt-in consent before processing personal data for users in California. Otherwise, the general recommendation is to follow CCPA’s opt-out consent requirements, which companies can use to defend against CIPA litigation.
  • User session recording tools: Session recording tools such as Hotjar and FullStory should be blocked on websites and apps if users opt out, because these tools have been the target of many CIPA lawsuits.
  • Third-party cookies: On websites, third-party cookies for advertising partners must be blocked if users opt out.
  • Network requests: On websites, mobile apps, and connected TV apps, network requests that send personal data to advertising third parties should be blocked when users opt out.

CCPA and Other US State Laws

California and nearly 20 other US states have enacted comprehensive privacy laws that have similar requirements to give users the option to opt out of data sharing to advertising third parties and require explicit consent for sensitive data sharing. 

  • Non-compliant consent banners: Users should have an easy way to opt out of data sharing to advertising third parties. Best practice is to show a banner that clearly states users’ opt-out options, the type of data being shared, and for what purpose. Banners cannot use privacy dark patterns to mislead users with confusing colors or text.
  • Global Privacy Control (GPC): GPC is the current standard for universal opt-out mechanisms on websites in the US. GPC is a web browser setting that users turn on to automatically opt out of data sharing for advertising purposes. CMPs must be set up to automatically block third-party advertising cookies and network requests when GPC is turned on.
  • Third-party cookies: On websites, third-party cookies for advertising partners must be blocked if users opt out.
  • Network requests: On websites, mobile apps, and connected TV apps, network requests that send personal data to advertising third parties should be blocked when users opt out.
  • Sensitive data sharing: State privacy laws impose additional restrictions on sensitive data categories, including health, location, and financial data tied to PII. If sensitive data tied to PII is shared with third parties, websites and apps must offer, in addition to the general personal data opt-out, an opt-out option that explicitly states that sensitive data sharing will be limited. Some state laws require explicit opt-in consent for sensitive data sharing, as Washington’s My Health My Data Act does for health data.

FTC (Federal Trade Commission) 

  • Sensitive data sharing: Across the US, the FTC restricts sharing of sensitive health, location, and financial data tied to PII without explicit consent 
  • Children’s data sharing: Across the US, the FTC enforces the federal law COPPA (Children's Online Privacy Protection Act). COPPA restricts collecting and sharing of all personal data for children under 13 without explicit parental consent

VPPA (Video Privacy Protection Act)

  • Sensitive data sharing: Across the US, this law restricts sharing video purchase or rental history tied to PII without explicit consent. VPPA allows for government enforcement and private legal action.

Europe

GDPR (General Data Protection Regulation) 

  • Non-compliant consent banners: Websites and apps must have a banner allowing users to clearly opt in or opt out of personal data collection and sharing. Banners cannot use privacy dark patterns to mislead users with confusing colors or text
  • Third-party cookies: On websites, non-essential third-party cookies must be blocked unless users opt in
  • Network requests: On websites, mobile apps, and connected TV apps, network requests to send personal data to third parties should be blocked unless users opt in
  • Sensitive data sharing: Sensitive health, location, or financial data tied to PII cannot be shared with third parties without explicit consent. Websites and apps must disclose the sensitive data being shared and the purpose of sharing before obtaining explicit consent. 

IAB TCF (Interactive Advertising Bureau’s Transparency & Consent Framework)

To provide ad buyers, ad sellers, and intermediaries with a standardized approach to complying with GDPR, the IAB (Interactive Advertising Bureau) introduced the Transparency & Consent Framework (TCF) in 2018. TCF is a voluntary standard that websites and mobile apps opt in to, and it is often required to work with ad partners. Most notably, ad exchanges often require publishers to implement TCF to sell personalized ads. TCF non-compliance primarily leads to serving fewer personalized ads but may also lead to a GDPR violation.

  • Prebid for Personalized Ads: Websites and apps should not send user identifiers to initiate ad auctions unless users opt in, and auctions should be delayed long enough for users to opt in.
  • GDPR Signal for Data Sharing: If the CMP’s GDPR signal does not match the user’s consent, network requests or personalized ads can occur without consent.
  • User ID Storage: User identifiers such as cookies or advertising IDs should not be stored by the website or app unless the user opts in.
  • Consent by Vendor: Unless the user opts in to sharing data with specific vendor(s), no specific vendors should be instructed to receive personal data.
  • Consent by Purpose: Unless the user opts in to sharing data for specific purpose(s) such as advertising, personal data should not be shared for any specific purpose.
  • User ID Sharing: The buyer in an ad auction should not receive any user identifiers unless the user opts in.
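To make the "consent by vendor" and "consent by purpose" checks concrete, the following decoder reads the core segment of a TCF v2 TC string (the consent signal a CMP exposes to vendors through `__tcfapi`) and checks a single observed vendor call against it. This is an added example, not IAB or Privado.ai code: the field order and widths follow the public TCF v2 core-segment layout, and the sample strings are produced by the included encoder, so `cmp_id` 0 and the vendor IDs are placeholders rather than real registrations. Legitimate-interest signals and publisher restrictions are deliberately left out of the check.

```python
"""Decode a TCF v2 TC string core segment and check a vendor call against it.
Added example (not IAB or Privado.ai code); sample data is constructed."""
import base64

# Fixed-width fields of the core segment, in order, up to PublisherCC. The
# vendor-consent section that follows is variable-length (see decode_core).
CORE_FIELDS = [
    ("version", 6), ("created", 36), ("last_updated", 36), ("cmp_id", 12),
    ("cmp_version", 12), ("consent_screen", 6), ("consent_language", 12),
    ("vendor_list_version", 12), ("tcf_policy_version", 6),
    ("is_service_specific", 1), ("use_non_standard_texts", 1),
    ("special_feature_opt_ins", 12), ("purposes_consent", 24),
    ("purposes_li_transparency", 24), ("purpose_one_treatment", 1),
    ("publisher_cc", 12),
]


class BitReader:
    """Sequential reader over the bits of a base64url-encoded segment."""
    def __init__(self, segment):
        raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
        self.bits, self.pos = "".join(f"{b:08b}" for b in raw), 0

    def read(self, width):
        value = int(self.bits[self.pos:self.pos + width], 2) if width else 0
        self.pos += width
        return value


class BitWriter:
    """Collects fixed-width fields and emits them as base64url (no padding)."""
    def __init__(self):
        self.bits = ""

    def write(self, value, width):
        if width:
            self.bits += format(value, f"0{width}b")

    def to_b64url(self):
        padded = self.bits + "0" * (-len(self.bits) % 8)
        raw = int(padded, 2).to_bytes(len(padded) // 8, "big")
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _bits_to_ids(value, width):
    """Bit field -> set of 1-based ids; the most significant bit is id 1."""
    return {i + 1 for i in range(width) if (value >> (width - 1 - i)) & 1}


def _ids_to_bits(ids, width):
    return sum(1 << (width - i) for i in ids)


def _letters(value):  # a 12-bit field holding two 6-bit letters, 'A' == 0
    return chr(65 + (value >> 6)) + chr(65 + (value & 63))


def decode_core(tc_string):
    """Decode the core segment (first dot-separated part) into a dict."""
    reader = BitReader(tc_string.split(".")[0])
    tc = {name: reader.read(width) for name, width in CORE_FIELDS}
    tc["consent_language"] = _letters(tc["consent_language"])
    tc["publisher_cc"] = _letters(tc["publisher_cc"])
    tc["purposes_consent"] = _bits_to_ids(tc["purposes_consent"], 24)
    tc["purposes_li_transparency"] = _bits_to_ids(tc["purposes_li_transparency"], 24)
    max_vendor_id = reader.read(16)
    if reader.read(1) == 0:  # bit field: one bit per vendor id 1..max_vendor_id
        vendors = _bits_to_ids(reader.read(max_vendor_id), max_vendor_id)
    else:  # range encoding: NumEntries, then (IsARange, start[, end]) entries
        vendors = set()
        for _ in range(reader.read(12)):
            is_range = reader.read(1)
            start = reader.read(16)
            end = reader.read(16) if is_range else start
            vendors.update(range(start, end + 1))
    tc["vendor_consents"] = vendors
    return tc


def encode_core(purposes_consent, vendor_consents, max_vendor_id, use_range=False):
    """Build a constructed core segment with the same layout (test data only;
    cmp_id 0 is a placeholder, not a registered CMP)."""
    header = {"version": 2, "created": 17_000_000_000, "last_updated": 17_000_000_000,
              "cmp_id": 0, "cmp_version": 1, "consent_screen": 1,
              "consent_language": (4 << 6) | 13,  # "EN"
              "vendor_list_version": 1, "tcf_policy_version": 4, "is_service_specific": 1,
              "use_non_standard_texts": 0, "special_feature_opt_ins": 0,
              "purposes_consent": _ids_to_bits(purposes_consent, 24),
              "purposes_li_transparency": 0, "purpose_one_treatment": 0,
              "publisher_cc": (3 << 6) | 4}  # "DE"
    writer = BitWriter()
    for name, width in CORE_FIELDS:
        writer.write(header[name], width)
    writer.write(max_vendor_id, 16)
    if not use_range:
        writer.write(0, 1)
        writer.write(_ids_to_bits(vendor_consents, max_vendor_id), max_vendor_id)
        return writer.to_b64url()
    ranges = []  # collapse sorted ids into contiguous [start, end] runs
    for vid in sorted(vendor_consents):
        if ranges and ranges[-1][1] == vid - 1:
            ranges[-1][1] = vid
        else:
            ranges.append([vid, vid])
    writer.write(1, 1)
    writer.write(len(ranges), 12)
    for start, end in ranges:
        writer.write(int(start != end), 1)
        writer.write(start, 16)
        if start != end:
            writer.write(end, 16)
    return writer.to_b64url()


def vendor_call_compliant(tc, vendor_id, purpose_ids):
    """A request to vendor_id for purpose_ids is consent-compliant only if the
    vendor and every purpose appear in the consent signals (LI not considered)."""
    return vendor_id in tc["vendor_consents"] and set(purpose_ids) <= tc["purposes_consent"]
```

An auditor pairs this with the network capture: the TC string the CMP stores (or returns from `__tcfapi('getTCData', 2, callback)`) is decoded once per consent action, and every observed vendor request is passed to `vendor_call_compliant`. A request to a vendor absent from `vendor_consents`, or for a purpose absent from `purposes_consent`, is exactly the "consent by vendor" or "consent by purpose" risk described in the list above.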

Live product scanning: How Privado.ai automates CMP audits and eliminates privacy risks

Live product scanning monitors data flows and assesses risk in live, user-facing products such as websites, mobile apps, and connected TV apps to support world-class digital tracking governance.

Live product scanning simulates user behavior on websites and apps for each consent action, records data flow activity, and identifies risks based on the applicable privacy requirements. Because privacy requirements and regulations vary significantly by location, it is critical that user behavior can be simulated in each relevant location and analyzed against each location’s privacy requirements. No technical implementation is required to scan live websites or apps. Only the URL or app store file is needed.

With the following capabilities, Privado.ai can ensure CMPs and consent banners function properly to collect and act on user consent. 

Monitor personal data flows on websites and apps in real-time

  • Simulate the user journey across all pages pre and post login to obtain full visibility
  • Catalog and categorize all third parties receiving personal data via pixels, scripts, tag managers, SDKs, and cookies
  • Identify hosting location for each third party to flag cross-border data transfers
  • Catalog all active cookies by third party, category, and lifespan
  • Record third party and cookie activity by consent action: accept, reject, no action
  • Identify and categorize each personal data element shared
  • Record each data element shared to each third party by consent action 
Third party catalog auto-generated by Privado.ai for a demo website 

Run compliance checks for each privacy requirement

Consent Banner and Link Visibility

  • Check that consent banners load properly on every website and app 
  • Flag privacy dark patterns: check reject button visibility and button color contrast 
  • Check privacy and regulatory links display properly 
  • Generate screenshots for validation
Consent banner screenshot taken by Privado.ai while simulating user behavior

Cookie Governance

  • Cookie Expiry Duration Check
  • Cookie Uncategorized Check

Opt-Out Consent Compliance in the US

  • Third-party cookie blocking (traditional opt-out): Ensure third-party cookies are blocked if the user opts out on website or app 
  • Third-party cookie blocking (GPC signal): Ensure third-party cookies are blocked if the user opts out using browser’s GPC signal for all websites
  • Network requests (traditional opt-out): Flag any third-party pixels or SDKs that collect data if the user opts out on website or app 
  • Network requests (GPC signal): Flag any third-party pixels or SDKs that collect data if the user opts out using browser’s GPC signal for all websites
  • Run the above checks for users located in California and other high-risk states

Opt-In Consent Compliance for GDPR 

  • Third-party cookie blocking: Ensure third-party cookies are only used if the user opts in
  • Network requests: Flag any third-party pixels or SDKs that collect data without opt-in consent
  • IAB Transparency and Consent Framework (TCF): Validate that data is only shared for the purposes and third parties that the user has opted into
  • User ID storage: Check that first-party cookies and other user IDs are only stored with opt-in consent
  • Prebid configuration: Ensure no personalized ad auctions occur on the web page or app unless the user has given consent
  • Run all checks for each European country’s version of websites and apps
Opt-in compliance checks dashboard in Privado.ai
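The script below, added here as an example and not Privado.ai's own code, shows what the cookie governance, US opt-out and GDPR opt-in checks listed above look like when run over a network capture. It assumes the capture was recorded by a headless browser after one consent action and is in HAR 1.2 layout (`entries[].request.url`, `request.headers`, `response.cookies`); the advertising-domain list, the cookie category map, the 13-month lifespan threshold and the three sample entries are all constructed for the demonstration.

```python
"""Consent-enforcement checks over a HAR-style capture (added example,
not Privado.ai code). Sample data below is constructed."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Assumed catalogue of advertising/tracking domains; a real audit would use
# a maintained third-party catalogue rather than a hard-coded set.
ADVERTISING_DOMAINS = {"doubleclick.net", "facebook.com", "tiktok.com", "hotjar.com"}

# Assumed cookie category map; any cookie not listed here is "uncategorized".
COOKIE_CATEGORIES = {"session_id": "essential", "_ttp": "advertising"}

# Assumed maximum cookie lifespan (about 13 months) for the expiry check.
MAX_COOKIE_LIFETIME = timedelta(days=395)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); enough for the .com hosts used here."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def sharing_allowed(regime, consent_state):
    """Is sharing with advertising third parties permitted in this state?

    US state laws are opt-out: sharing is allowed until the user rejects,
    either in the banner or via the GPC browser signal. GDPR is opt-in:
    sharing is allowed only after an explicit accept.
    """
    if regime == "us_opt_out":
        return consent_state in ("accept", "no_action")
    if regime == "eu_opt_in":
        return consent_state == "accept"
    raise ValueError(f"unknown regime {regime!r}")


def header(request, name):
    for h in request.get("headers", []):
        if h["name"].lower() == name.lower():
            return h["value"]
    return None


def audit_capture(page_url, entries, regime, consent_state, scan_time):
    """Return findings as dicts with 'check', 'host' and 'detail' keys."""
    site = registrable_domain(urlparse(page_url).hostname)
    allowed = sharing_allowed(regime, consent_state)
    findings = []
    for entry in entries:
        request, response = entry["request"], entry["response"]
        host = urlparse(request["url"]).hostname
        third_party = registrable_domain(host) != site

        # Sanity check on the scan itself: a GPC pass must carry Sec-GPC: 1.
        if consent_state == "gpc" and header(request, "Sec-GPC") != "1":
            findings.append({"check": "gpc_signal_missing", "host": host, "detail": request["url"]})

        # Request to an advertising third party after opt-out / without opt-in.
        if third_party and registrable_domain(host) in ADVERTISING_DOMAINS and not allowed:
            findings.append({"check": "network_request", "host": host, "detail": request["url"]})

        for cookie in response.get("cookies", []):
            name = cookie["name"]
            if registrable_domain(cookie.get("domain") or host) != site and not allowed:
                findings.append({"check": "third_party_cookie", "host": host, "detail": name})
            expires = cookie.get("expires")  # HAR 1.2: ISO 8601 string, absent for session cookies
            if expires:
                expires_at = datetime.fromisoformat(expires.replace("Z", "+00:00"))
                if expires_at - scan_time > MAX_COOKIE_LIFETIME:
                    findings.append({"check": "cookie_expiry", "host": host, "detail": name})
            if name not in COOKIE_CATEGORIES:
                findings.append({"check": "cookie_uncategorized", "host": host, "detail": name})
    return findings


# Constructed sample: three requests recorded on a demo shop after one consent action.
SCAN_TIME = datetime(2025, 5, 20, tzinfo=timezone.utc)
PAGE_URL = "https://www.example-shop.com/"
GPC_ON = [{"name": "Sec-GPC", "value": "1"}]
SAMPLE_ENTRIES = [
    {"request": {"url": "https://www.example-shop.com/api/cart", "headers": GPC_ON},
     "response": {"cookies": [{"name": "session_id", "value": "abc", "domain": "www.example-shop.com"}]}},
    {"request": {"url": "https://cdn.example-shop.com/app.js", "headers": GPC_ON},
     "response": {"cookies": [{"name": "ab_variant", "value": "B", "domain": ".example-shop.com",
                               "expires": "2025-11-20T00:00:00.000Z"}]}},
    {"request": {"url": "https://analytics.tiktok.com/pixel.js", "headers": GPC_ON},  # constructed path
     "response": {"cookies": [{"name": "_ttp", "value": "xyz", "domain": ".tiktok.com",
                               "expires": "2027-06-01T00:00:00.000Z"}]}},
]


def check_names(regime, consent_state, entries=SAMPLE_ENTRIES):
    """Sorted list of check names raised for the sample under one scenario."""
    return sorted(f["check"] for f in audit_capture(PAGE_URL, entries, regime, consent_state, SCAN_TIME))


if __name__ == "__main__":
    for regime, states in (("us_opt_out", ("accept", "no_action", "reject", "gpc")),
                           ("eu_opt_in", ("accept", "no_action", "reject"))):
        for state in states:
            print(regime, state, check_names(regime, state))
```

`sharing_allowed` is where the two regimes differ: under the US opt-out model the "no action" state still permits sharing, under GDPR it does not, so the same capture yields different findings depending on the location being simulated. The cookie expiry and uncategorized checks fire regardless of consent state, which is why they remain after an "accept" run. The `gpc_signal_missing` finding is a check on the scan itself: an opt-out-by-GPC pass is only meaningful if every request actually carried `Sec-GPC: 1`.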

Sensitive Data Sharing

  • Determine which data categories should not be shared with advertising third parties or any third parties at all
  • Run checks to flag non-compliant sensitive data sharing which may include health, location, financial, video rental/purchase history, and/or children’s data

IAB Transparency and Consent Framework (TCF) Compliance Checks

  • Prebid configuration 
  • GDPR signal adherence for data sharing
  • User ID storage 
  • Consent by vendor
  • Consent by purpose
  • User ID sharing

Immediately notify privacy team of compliance risks

  • Receive automated risk alerts for each banner, cookie, pixel, tag manager, or SDK that violates your privacy policies 
  • Identify the reason for each risk and get recommended steps for resolution
Example privacy risk alert in Privado.ai

Link risks to code-based evidence to accelerate resolution 

  • Identify exact scripts/pixels/tags causing each risk
  • Download HAR file showing network log from each risk 
Example risk evidence generated for network request made to TikTok via Google Tag Manager

Set regular scans across all websites and apps

  • Schedule recurring scans on all live websites and apps on a daily, weekly, or monthly basis
  • Get scan results in minutes 
  • Run scans on websites and apps in staging to prevent non-compliant updates from going live

Get started with Privado.ai


Ben leads product marketing at Privado.ai
