Privacy Daily is a service of Warren Communications News.

Website Cookie Banners Don’t Always Equal Compliance, Privacy Experts Say

Websites with cookie banners allowing a visitor to opt out may still store cookies or scripts, raising compliance risks, said privacy experts on a Privado panel Thursday.

“What we realized was, as privacy and marketing collaborated on these websites, they put in a lot of time, energy, money…to implement the [consent management platform], but at some point of time, some misconfiguration happened,” said Vaibhav Antil, co-founder of Privado. “This is the state that we are in.”

Rob Priore, senior manager for privacy and compliance technology at ZoomInfo, said this is a problem because just by visiting your website, “anyone can look and see if you're following the privacy requirements around opt-out, opt-in, etc., and there are real stakes here.”

He said that litigation is starting to come up around issues like this, from wiretapping claims under the California Invasion of Privacy Act to deceptive business practice claims under the FTC. “Get your house in order, get the cookies down and prove that you can get them down, and I would say you're less likely to be a target” of litigation, Priore said.

Ensuring there are no gaps in your cookie banner compliance is important because “there's been a lot of innovation on the litigation side by people on how to go after companies,” Antil said.

Such compliance pitfalls arise because cookies are hard to figure out, Priore said. “Part of the procedure is you're going to scan the site to try and categorize the cookies,” he said. “None of the tools are going to be 100% accurate on categorization. Some sites have hundreds of cookies. It's just a real manual, heavy lift to actually understand what these cookies do.”

There are also differences within jurisdictions and even from website to website, he said. “You may have websites that have gotten rid of cookies,” Priore said. That “doesn't mean they're not taking user data” or that “they're not violating consent.”

Antil said that because things are constantly changing, there must be a team on the issue. “You need the governance around the consent solution, which is continuously auditing and scanning your websites, so you get alerts back.”

“Because these websites are dynamic, and new cookies are popping up and new things are happening ... you need to check it periodically,” Priore said. “I would say once a month, go through, do a full audit. Make sure the banners fire, make sure the cookies drop, make sure that the jurisdictional banners are working properly.”

While hard, it's important for gaining users’ trust, he said. “If I can see that you're not complying with basic privacy requirements on your own website, what are you doing behind the scenes?”