

It’s time to shift from trust-based to evidence-based privacy.
Since GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) came on the scene in 2016 and 2018 respectively, companies in Europe and the US have invested considerable resources to become compliant. Companies have added new privacy teams, processes, and tools to disclose privacy practices, collect consent, and manage data. What has been the result?
In 2024, Privado AI scanned the top 100 websites in the US and Europe and found 75% were not privacy compliant because they shared personal data without proper consent. The situation is similar with mobile apps. Why is that?
Privacy tools and processes for software products like websites and apps have traditionally relied on trust. Privacy teams have had to trust that consent management platforms were properly configured for websites to block third-party cookies when users opt out. Privacy teams have to trust that a privacy impact assessment for a new app feature is accurately filled out by product stakeholders. When most companies today are managing massive amounts of personal data and technology is rapidly evolving, trust has proven to break at scale, and regulators have begun to notice.
In Europe, annual GDPR fines have increased 78% on average each year between 2020 and 2024, growing from $187M in 2020 to $1.2B in 2024. In the US, the annual volume of fines has increased 65% on average each year over the same time period.
These fine rates will only continue to increase as regulators now want evidence of compliance. In 2025, the UK’s ICO, France’s CNIL, and California’s Attorney General will all launch privacy enforcement campaigns on websites and mobile apps to counter widespread personal data sharing without proper consent.
Now that privacy regulation, enforcement, and consumer expectations have increased globally, we need evidence-based privacy solutions. More specifically, we need:

How can we get this level of evidence? By monitoring privacy risk at the source: software. Software is the primary source of privacy risk because it controls how personal data is collected, used, shared, and stored. By monitoring how user-facing and backend software products process personal data, companies can obtain the necessary evidence to create complete data maps, proactively remediate privacy risks, and generate accurate compliance reporting. We call this practice product privacy management.
Product privacy management is the practice of monitoring software products to mitigate privacy risk. Because software products control how data is processed in today’s tech-driven world, product privacy management can enable complete data visibility and continuous privacy governance at scale across an organization.
Complete product privacy management means privacy teams can govern personal data in real-time across websites, mobile apps, connected TV apps, backend software, and third-party applications. This level of data visibility provides the evidence for privacy teams to verify compliance and engineering teams to proactively remediate privacy risks.
Product privacy management is valuable for any B2C or B2B company processing large amounts of personal data on their websites, mobile apps, or other software products. Companies running digital ads in financial or health-related industries are typically most at risk of privacy lawsuits, but companies in any industry processing personal data without proper consent are still at risk.

Best-in-class product privacy management solutions that scan code and live products enable true Privacy-by-Design and compliance at scale by integrating evidence-based privacy controls across the product development lifecycle from planning through development and maintenance.
With best-in-class product privacy management, privacy teams can eliminate the manual assessments that were missing most privacy risks and slowing down the business. By proactively mitigating privacy risk, product privacy management can also turn privacy teams into business-enablers instead of blockers.
Traditional privacy management focuses on the operations needed for privacy compliance, but it does not focus on mitigating privacy risk in software products. Privacy regulations in Europe, the US, and around the world require companies to implement consent banners, publish privacy policies, offer data subject access requests (DSAR), and report data breaches.
Today’s privacy management solutions are designed primarily to meet those operational privacy needs, and privacy teams must trust that these solutions are used in a compliant manner. These technology vendors often specialize in consent management and DSAR automation solutions. Consent management platforms (CMPs) represent the key difference between traditional privacy management and product privacy management. CMPs are critical for managing consent banners and limiting data processing across websites and mobile apps, but CMPs do not monitor websites and mobile apps to verify whether the CMP and third parties have been implemented properly to eliminate privacy risk.
Traditional privacy management also overlaps with data governance. To execute privacy operations such as DSARs and reporting, organizations need to document what data they have and where it is stored. Traditional privacy management vendors offer data discovery solutions that inventory data in storage, primarily in support of privacy operations and data governance. Once these vendors identify personal data in storage by scanning databases and some third-party tools, the DSAR automation solutions offered by the same vendors can be set up to better meet data deletion requests from users. Data discovery solutions also support data access management and data retention needs.
What data discovery and data governance solutions do not adequately address is privacy risk. Inventorying data in storage does not identify what personal data is shared without proper consent or who it is shared with. Inventorying data in storage does not identify where personal data is collected or how it is being used. The vast majority of privacy risk comes from how software products like websites and apps collect, use, and share personal data, and yet, traditional privacy management vendors offer minimal support to address these risks.
To complete data maps and privacy risk assessments, most privacy teams today send out questionnaires and conduct interviews. Traditional privacy management vendors offer tools to support this manual data gathering process such as digitized assessment forms and templates, but these manual tools have proved to be ineffective and inefficient.
Product privacy management focuses on monitoring software products to mitigate privacy risk with evidence across an organization. Traditional privacy management focuses on executing privacy operations but relies on trust-based, manual processes to monitor and remediate privacy risk.
To learn more, check out this complete guide to product privacy management or this overview of the Privado AI platform.