Is Your Website Tracking Visitors Legally?
A Practical Guide to Website Privacy Compliance, from Introductory to Advanced, in 3 Stages
Do you care about privacy? You should. Your customers do. The law says you must. Over 80% of users decline cookies – is that you? Yet more than 95% of websites track them anyway – is that you too?
Technically illegal; alarmingly common. Your site (or sites) is probably already non-compliant, i.e. illegal.
Whenever inventing new technology (steam engines, electricity, TikTok), we rush to exploit it first and ask ethical questions later. Cookies were no different. Regulators are now catching up and fining companies millions for illegal non-compliant websites. And while the spectre of a fine may seem a long way off, can you in good conscience put hand on heart and say your website is respecting customer privacy?
Here is an introductory guide to privacy compliance and customer tracking — to challenge you: how not to be the moral equivalent of spam in your customers’ inbox. Do you like getting spam? No. Do you send spam? No. Do you like being tracked online? No. Does the website you’re responsible for track?…
Stage 1: Are You Required to Comply — Or Choose Not To?
Is Your Website (i.e. You) Legally Required to Comply?
Does this apply to you and me? In short, most likely, yes. If you:
- Receive traffic from the EU, UK, California, or Canada – to name but four hotspots
- Use any analytics, ad tracking, or CRM integrations – i.e. your site is anything more than a single dormant page
- Share data with platforms for marketing or personalisation – most do, even unwittingly.
The ePrivacy Directive (a.k.a. “the cookie law”) says: anything non-essential requires opt-in consent before it is set on the visitor’s device. GDPR is its bigger sibling: it defines what valid consent is (freely given, specific, informed, unambiguous) and governs the personal data the trackers then collect. Together they require prior, informed, opt-in consent. That standard is fast becoming global, with CCPA, PIPEDA and PDPL on the inside rail.
How & What We’re Talking About
Cookie banners: just showing one does not make you compliant. Most banners today are broken or misleading.
- Cookies should not be dropped before consent, but 95% of sites do it anyway – really
- Even when users click “Decline,” banners ignore this and sites still track them – alarmingly
- Obscure designs, delayed opt-outs, and dark patterns are everywhere – we’ve all seen it.
This applies to any website, large or small. And chances are you’re using tracking technology, whether you know it or not.
What Counts as Tracking?
- Cookies even for “basic” analytics – like Google Analytics (GA4), Google Tag Manager (GTM)
- Third-party pixels – like Meta/Facebook, LinkedIn
- Session replays – like Hotjar, FullStory
- Network requests, script injections, fingerprinting, pings, beacons, ETags – and many more nasties.
Put simply, PRIVACY > COOKIES: cookies are only one of the ways a visitor is tracked. The term “cookie banner” is therefore an oversimplified, outdated and insufficient name; “privacy banner” is better. Whatever you call it, it needs to work.
Why Businesses Don’t Comply
- They don’t know the law – but ignorance is no defence
- They assume the violation is too trivial to matter, or deprioritise it to stay “under the radar”
- They thought “someone else” in the company did it – including that ‘external person’ who set it up, whom you assumed knew what they were doing, and whose work you did not know how to check
- They ‘put off’ implementing consent so as not to ‘miss out on’ traffic data – which is an inevitable consequence of asking
- They don’t know the answer for one website, let alone the 100 they manage – but ‘it’s difficult’ is no defence.
Decision Point:
Are you comfortable tracking users without their consent, knowing it breaches the law (or not knowing), on the gamble that you might not get caught? This isn’t a grey area. It’s black and white, and you’re running a red light.
Do you in good conscience know either way?
Stage 2: Are You Taking Compliance Seriously?
Don’t guess; audit your risks proactively. Even if enforcement hasn’t reached you yet, your privacy setup may already expose you. Find out: know what your websites track, and how.
Red Flags & Risk Triggers
- You use Google Analytics, Meta Pixel, TikTok Ads or HubSpot, or agencies add this stuff for you – and let’s be very clear: any tracking of this kind is a serious compliance risk
- Your banner appears, but doesn’t block anything
- You use embedded YouTube, Maps, Calendly, or chat tools that set cookies silently
- You can’t say: “How many trackers fire on our homepage and are they blocked until consent?”
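One way to answer the last question yourself. The following is an added example, not a tool from the original page: it reads a HAR file (DevTools > Network > “Save all as HAR”, recorded in a fresh browser profile before you touch the banner) and reports which third-party hosts were contacted before consent, which of them are known trackers, which set cookies, and which first-party cookies (the JavaScript-set kind such as GA’s `_ga` or Meta’s `_fbp`) already exist. The tracker host list, the naive domain matching and the sample HAR are all assumptions constructed for the example.

```javascript
// Added example, not the page's own tool: audit a pre-consent HAR capture.
// Illustrative hosts for the trackers the guide names (GA4/GTM, Meta Pixel,
// Hotjar). An assumption, not a complete list; extend it for your stack.
const KNOWN_TRACKER_HOSTS = new Set([
  'www.google-analytics.com',
  'www.googletagmanager.com',
  'connect.facebook.net',
  'www.facebook.com',
  'static.hotjar.com',
  'script.hotjar.com',
]);

// Naive eTLD+1: the last two labels. Fine for example.com; use a
// public-suffix library for .co.uk and friends (assumption).
function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Walks every HAR entry and separates first-party from third-party traffic.
// Third parties are counted, flagged if known, and checked for Set-Cookie;
// first-party requests reveal cookies already present on our own domain.
function auditHar(har, siteOrigin) {
  const site = registrableDomain(new URL(siteOrigin).hostname);
  const thirdParties = new Map();      // host -> { host, requests, cookiesSet, known }
  const firstPartyCookies = new Set(); // cookie names sent to our own domain

  for (const entry of har.log.entries) {
    const host = new URL(entry.request.url).hostname;
    const responseHeaders = (entry.response && entry.response.headers) || [];
    const requestCookies = entry.request.cookies || [];

    if (registrableDomain(host) === site) {
      // JS-set cookies (_ga, _fbp, ...) live on the first-party domain and
      // show up here, not as third-party Set-Cookie headers.
      for (const c of requestCookies) firstPartyCookies.add(c.name);
      continue;
    }
    const rec = thirdParties.get(host) ||
      { host, requests: 0, cookiesSet: 0, known: KNOWN_TRACKER_HOSTS.has(host) };
    rec.requests += 1;
    rec.cookiesSet += responseHeaders.filter(h => h.name.toLowerCase() === 'set-cookie').length;
    thirdParties.set(host, rec);
  }

  const hosts = [...thirdParties.values()];
  return {
    thirdPartyHosts: hosts.map(h => h.host),
    knownTrackers: hosts.filter(h => h.known).map(h => h.host),
    hostsSettingCookies: hosts.filter(h => h.cookiesSet > 0).map(h => h.host),
    firstPartyCookies: [...firstPartyCookies].sort(),
  };
}

// Constructed HAR fragment standing in for a real capture of www.example.com
// taken before any interaction with the banner.
const SAMPLE_HAR = { log: { entries: [
  { request: { url: 'https://www.example.com/', cookies: [] }, response: { headers: [] } },
  { request: { url: 'https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE', cookies: [] }, response: { headers: [] } },
  { request: { url: 'https://fonts.gstatic.com/s/font.woff2', cookies: [] }, response: { headers: [] } },
  { request: { url: 'https://connect.facebook.net/en_US/fbevents.js', cookies: [] }, response: { headers: [] } },
  { request: { url: 'https://www.facebook.com/tr/?id=123&ev=PageView', cookies: [] },
    response: { headers: [{ name: 'Set-Cookie', value: 'fr=abc; Domain=.facebook.com; Secure' }] } },
  { request: { url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE', cookies: [] }, response: { headers: [] } },
  // a later first-party request already carries the cookies the tags set
  { request: { url: 'https://www.example.com/app.js',
    cookies: [{ name: '_ga', value: 'GA1.1.1' }, { name: '_fbp', value: 'fb.1.1' }] }, response: { headers: [] } },
] } };

// Runs the audit over the constructed capture; a real run would JSON.parse a saved .har file.
function runSampleAudit() {
  return auditHar(SAMPLE_HAR, 'https://www.example.com');
}
```

If anything other than strictly necessary first-party cookies appears in the report before the visitor has clicked anything, the banner is cosmetic, not a consent gate. Unknown third parties (here `fonts.gstatic.com`) are not proof of tracking, but each one is a data flow you need to be able to explain.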
Key Questions to Ask (and Answer) Now
- Is our banner legally configured – or just cosmetic?
- Do we log consent properly – or just assume?
- Can we detect new trackers when devs or agencies add them – with or without our knowledge?
- Can we prove, with evidence: “We comply with the relevant GDPR/CCPA/CPRA rules”?
If you can’t answer these, your risk isn’t theoretical, it’s operational. Saying “we thought the banner was set up correctly” won’t impress regulators – nor customers.
Stage 3: Full Technical Compliance — Treat Customers With Respect
This is where mature organisations arrive (tickets for a trip to Cressive-ville available below) — because they care about customers, or at least about brand trust, data quality, and being audit-ready.
What Real Compliance Looks Like
- Privacy banners that actually block all un-consented tracking with suitable and correct configuration
- Automated detection of rogue scripts, cookies, and trackers (both client- and server-side)
- Customers’ geography accounted for (stricter in EU, Middle East, Canada, increasingly the US)
- Audits logged and documented, with monitoring that shows regulators you are proactive
- Consideration of Global Privacy Control (GPC) – a more advanced aspect, but it is here and important, and real compliance knows where you stand on it.
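What “actually blocks un-consented tracking” looks like in code, as an added example that is not the page’s own implementation: tags are declared with a consent category, nothing outside the `necessary` category loads until a consent record allows it (opt-in, so “no choice yet” means “no”), the consent record itself is stored with a timestamp and banner version so it can be evidenced later, and a Global Privacy Control signal (`navigator.globalPrivacyControl` in browsers that expose it, or the `Sec-GPC: 1` request header server-side) withdraws permission for the marketing category even if a stale “accept all” is on file. The tag manifest, the category names and the choice to treat GPC as a refusal of marketing only are assumptions made for the example.

```javascript
// Added example, not the page's own code: a consent gate for tag loading.
const CATEGORIES = ['necessary', 'analytics', 'marketing'];

// Categories a GPC signal is taken to refuse. Assumption: marketing pixels
// share personal data with third parties, which is what GPC objects to.
const GPC_REFUSED = new Set(['marketing']);

// Constructed tag manifest; ids and URLs are placeholders.
const TAGS = [
  { id: 'session',    category: 'necessary', src: '/js/session.js' },
  { id: 'ga4',        category: 'analytics', src: 'https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE' },
  { id: 'meta-pixel', category: 'marketing', src: 'https://connect.facebook.net/en_US/fbevents.js' },
];

// Builds the evidence record the banner should persist (cookie or storage):
// which banner version was shown, when, and exactly what was chosen.
function recordConsent(choices, bannerVersion, now = Date.now()) {
  return {
    version: bannerVersion,
    ts: now,
    analytics: choices.analytics === true,
    marketing: choices.marketing === true,
  };
}

// consent: null when the visitor has not chosen yet, else a recordConsent() object.
// gpc: boolean from navigator.globalPrivacyControl or the Sec-GPC header.
function allowedCategories(consent, gpc) {
  const allowed = new Set(['necessary']);            // always permitted
  if (consent) {                                     // opt-in: no record, no tags
    for (const c of CATEGORIES) {
      if (c !== 'necessary' && consent[c] === true) allowed.add(c);
    }
  }
  if (gpc) for (const c of GPC_REFUSED) allowed.delete(c); // GPC beats a stale "yes"
  return allowed;
}

// Returns the ids of the tags that may be loaded under the given state.
function tagsToLoad(tags, consent, gpc) {
  const allowed = allowedCategories(consent, gpc);
  return tags.filter(t => allowed.has(t.category)).map(t => t.id);
}

// Browser side (not exercised offline): render tags as
// <script type="text/plain" data-consent="analytics" data-src="..."> so the
// browser never executes them, then swap in a real <script> only for allowed
// categories. Anything left as text/plain cannot fire.
function activateScripts(doc, allowed) {
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!allowed.has(el.dataset.consent)) continue;
    const s = doc.createElement('script');
    s.src = el.dataset.src;
    el.replaceWith(s);
    activated += 1;
  }
  return activated;
}
```

The important property is the default: with no record, `tagsToLoad` returns only the necessary tag, and the analytics and marketing scripts never reach the browser’s script engine. A banner that loads the tags first and merely hides them afterwards cannot make that guarantee, whatever it says on the button.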
Still need convincing? There is (a lot) more: i) the existence of Google Consent Mode (GCMv2)* shows that even Google accepts GA4 cannot simply run without consent; ii) Google’s own T&Cs stipulate that a website using its products, such as Google Ads, must itself remain privacy compliant, so those 95% of non-compliant websites are simultaneously in breach of Google’s T&Cs; and iii) MS Clarity has followed suit in requiring you to be compliant in order to use it.
*(Google Tag Manager has now been ruled non-compliant by the German courts. True. Therefore if you use GA, GTM or GCMv2 on your website, it is likely illegal.)
So, Why It Matters & What Matters Most To You
- Regulatory risk: non-compliant websites (broken banners, etc.) now attract fines
- Brand trust: respect your customers or lose them
- Investor diligence: privacy is part of M&A checklists
- Legal compliance: you obey the law elsewhere – why not in website privacy compliance?
This isn’t just hygiene. It’s modern digital governance. It’s your brand respecting customers. And it’s the law.
A Real-Life Example (Because Humans Like Stories)
An American retailer installs a marketing pixel. EU visitors arrive. No consent asked. Data flows. One visitor complains. Regulators agree: personal data was processed without consent. Result: a hefty fine. This isn’t theory. It’s happening. But ignoring privacy isn’t just illegal — it’s bad manners, and a risk to your brand.
You risk your brand’s reputation when an irate customer whose privacy you did not respect outs you on social media. (Indeed, you might have the privilege of being showcased in one of our ‘Bad Examples of Privacy’ updates, alongside the ‘Good Examples of Privacy’ against which to benchmark your brand…)
The Three Stages (For People Who Like Tables)
| Stage | Focus | Key Question |
|---|---|---|
| 1 | Legal baseline | “Are we setting cookies without real consent?” |
| 2 | Operational risk | “Does our privacy banner actually do anything?” |
| 3 | Compliance maturity | “Can we prove compliance, today and tomorrow?” |
Next Action?
Nearly every website tracks. Worryingly few do it transparently, respectfully, and legally.
Think of this as digital hygiene. In the 19th century, people learned not to dump sewage in the town well. In the 21st, we’re learning not to drop trackers before consent. Do your bit: our rivers — digital and real — are polluted enough already. You need to track — you do marketing — but do it nicely, and do it legally.
(Pragmatically, at least demonstrate your proactivity in being compliant, to avoid costly and time-consuming lawsuits: be like our US clients, be monitored, and avoid getting sued every other week.)
Your choice: fix it now, or become the case study quoted in the next regulator’s press release. We can help. Take a Cressive approach to doing privacy properly: read more and ask for a free scan …