Cressive Privacy Data – Q3 2025

81% of website visitors decline cookies — asking you not to track them. 
95% of websites track anyway, in breach of GDPR/ePrivacy rules. Only 5.4% are compliant.

If reality of the current Internet is only 5.4% of websites are compliant, why have laws that aren’t policed? Actually they are — more fines are being issued every month.

Will you avoid a fine — or be next to be outed by your customers on social media for not caring?

Perhaps more remarkable: most non-compliant site owners don’t know they’re non-compliant until we tell them.

An Expensive Mistake 95% of Companies Are Making

This doesn’t mean 95% of companies don’t care about privacy — it means most think they’re compliant when they aren’t. 

Too many marketers believe a cookie banner = compliance. It does not. Not even close. We can show you.

A cookie banner can be like a cardboard cut-out security guard at the door while thieves climb through every window. It looks official, but the real threats walk straight in.

The current market share of cookie banners: OneTrust leads way with a 16% market share — and growing fast. But a cookie banner can be like printing an MOT certificate – pointless unless you perform the test itself and ensure safety, in this case privacy; the sector is flooded with ineffective, poorly configured banners.

What’s Collecting Data While Your Cookie Banner Isn’t Looking

And while you’re focused on cookies, everything else is still harvesting data:

• Network requests send IP addresses, referrer data, and user agent strings every time a page loads.
• Tracking pixels from Facebook, Google, LinkedIn beam back data before your banner even appears.
• Browser fingerprinting builds unique profiles from device settings, fonts, timezone.
• Client-side scripts from analytics, chat widgets, marketing tools start collecting instantly.

Your cookie banner may see none of this; may block none of this. Meanwhile, bad actors exploit these methods the way spammers dodge filters: endlessly, for their own gain.

If you don’t know what’s firing, you need to audit your website’s privacy.heoretical. It’s operational. And “we thought the banner worked” won’t impress regulators – nor customers.

When the Fines Come, They Come Hard

Privacy regulators aren’t bluffing. During the last 18 months:

• Meta: €1.2 billion (data transfers)
• Amazon: €746 million (processing violations)
• TikTok: €345 million (failing to protect minors’ data)

These weren’t companies without cookie banners. They were companies who thought they were “covered.”

Healthcare, pharma, and finance are particular targets due to industry standards. Their banners and tracking setups are under scrutiny.

The pattern is clear: cookie banners create false confidence, and false confidence creates fines. (Privacy banner would be a better term than cookie banner but that’s another post…)

Your Website Changes Daily — Your Compliance Doesn’t

Most companies audit quarterly. That’s 89 days where a single rogue script can break compliance and cost millions / leave you at brand risk. (Think we’re exaggerating? Ask us about the predicament some of our US clients find themselves in.)

Meanwhile, your cookie banner sits there, looking official, blocking the same old cookies, while new trackers slip past unnoticed.

How to Increase the 5% of Compliant Websites

Truly compliant companies don’t just manage cookies. They monitor everything:

• Catch network requests sending data without consent.
• Detect when new trackers appear.
• Spot fingerprinting and pixels.
• Automate scanning in real-time, not months later.
• Keep detailed logs, timestamps, and proof regulators can accept.

Stop Guessing, Start Knowing

Your cookie banner is necessary but nowhere near sufficient. (Original: Your cookie banner is necessary but not sufficient. It’s not enough.)

If you’re serious about avoiding fines, you need to see what’s really tracking users. In business terms: audit, monitor, act.(Original: – where the business and professional version of ‘see’ is: audit, know, be proactive, monitor.)

Because when regulators come calling, “we had a cookie banner” won’t save you.

Fines are growing in size and frequency. Today, mostly for egregious breaches — but how long until regulators make an example of companies who simply flout the rules?

And beyond fines, there’s reputational risk: being outed on social media as a brand that ignores privacy.

Are you fine with that?