SecurityBrief Ireland - Technology news for CISOs & cybersecurity decision-makers
Privado AI finds Google Consent Mode errors on 48% of sites

Fri, 26th Jun 2026
Joseph Gabriel Lagonsin, News Editor

Privado AI has published research finding that 48% of 250 heavily visited websites it tested had misconfigured Google Consent Mode. The study covered sites in California, France and the UK.

The findings focus on how websites handle users' consent choices for advertising and analytics tools tied to Google Ads. According to the research, misconfigurations can result in personal data being sent to Google Ads even when a visitor has opted out through a cookie banner or a browser-based privacy signal.

Privado AI scanned 250 high-traffic websites across the three markets and found that nearly half had at least one Google Consent Mode error. In its wider compliance study, 90% of sites failed at least one privacy compliance test, while 87% failed at least one check under the California Consumer Privacy Act.

The issue has drawn attention because Google removed a Google Analytics setting that had limited personalised advertising when consent settings were implemented incorrectly. Privado AI said this left Google Consent Mode as the main control between a visitor's opt-out choice and Google's advertising system.

Regional findings

In California, the research found that 40% of sites kept Consent Mode in a granted state after a Global Privacy Control opt-out. Privado AI said this directly conflicted with the California Consumer Privacy Act.

Among the European sites tested, 28% began from a granted state before a user had made any choice. Another 19% did not switch to denied after a visitor selected a reject-all option.

The research covered France and the UK as the European markets in the sample. Privado AI argued that these patterns raised concerns under the General Data Protection Regulation because consent was either assumed by default or not fully enforced after refusal.

Consent management platforms typically record a visitor's selection but do not necessarily verify that choice is enforced across every tag and third party operating on a page, Privado AI said. It argued that frequent changes to marketing and advertising tools can create gaps between the selection shown on screen and the data transfers that take place in the background.

That gap has become more significant as regulators in California and Europe increase scrutiny of website data-sharing practices. Privado AI pointed to rising fines and lawsuits linked to website tracking and data-sharing under laws including the California Consumer Privacy Act, the California Invasion of Privacy Act, the Video Privacy Protection Act and the General Data Protection Regulation.

Legal risk

Daniel Goldberg, Chair of Data Strategy & Privacy at Frankfurt Kurnit Klein + Selz, commented on the broader legal setting around privacy implementation across different jurisdictions.

"GDPR, CCPA, and CIPA (California Invasion of Privacy Act) operate differently, yet many companies implement cookie-based approaches designed for GDPR. As a result, they miss key state law requirements, helping explain why California implementation lags. This increases regulatory and litigation risk, including exposure to dark patterns and misleading claims," Goldberg said.

Privado AI said the risk is that a user may reject tracking, expect not to be followed, and still receive personalised advertising linked to a Google account across devices. For site operators, that creates a potential mismatch between the consent interface presented to consumers and the actual handling of personal data.

Under the California Consumer Privacy Act, penalties can be assessed per violation and can increase when breaches are intentional or involve minors. Privado AI argued that if a technical error is repeated across large numbers of visits, the financial exposure could become significant.

Monitoring problem

The results highlight the limits of relying on banner-based compliance tools alone, according to Privado AI. It said recording consent and enforcing that choice at the level of advertising tags and third-party services are separate tasks.

Vaibhav Antil, Co-Founder and Chief Executive Officer of Privado AI, said, "Collecting consent and enforcing it are two different things. The banner records the choice, and the data reaches Google Ads anyway. What our research shows is that surface-level compliance and manual checks are no longer enough. The controls change overnight and the websites change every week, so a setup that passed last month can be failing today, and no one would see it. Privacy is fast becoming critical infrastructure within businesses, too important and too complex to fail, and as such requires intelligent real-time monitoring."

Privado AI said its web auditing system simulated real user sessions on the websites tested, including sessions involving Consent Mode parameters, Global Privacy Control opt-outs and reject-all choices. It excluded .edu, .gov and .org domains from the sample.
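A site operator can run the same three checks over consent commands recorded from a page's dataLayer. The sketch below is an added example, not Privado AI's tooling: the `gtag('consent', ...)` command shape and the four signal names are Google Consent Mode's, while the session record format, check names and sample sessions are constructed for illustration, and limiting the GPC check to the three advertising signals is an assumption.

```javascript
// Added example. Session shape, check names and sample data are constructed.
const SIGNALS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];
const AD_SIGNALS = SIGNALS.slice(0, 3); // assumption: the GPC check covers ad signals only
const all = (v) => Object.fromEntries(SIGNALS.map((s) => [s, v]));

// Fold recorded gtag('consent', 'default' | 'update', {...}) calls into one state.
function foldConsent(commands, start = {}) {
  const state = { ...start };
  for (const [cmd, mode, values] of commands) {
    if (cmd !== 'consent' || !['default', 'update'].includes(mode)) continue;
    for (const s of SIGNALS) if (s in values) state[s] = values[s];
  }
  return state;
}

function auditSession(s) {
  const before = foldConsent(s.beforeChoice);
  const after = foldConsent(s.afterChoice, before);
  const findings = [];
  const add = (check, signals) => { if (signals.length) findings.push({ check, signals }); };
  // Opt-in regime: nothing may be granted before the visitor has chosen.
  if (s.optInRequired) add('granted-before-choice', SIGNALS.filter((k) => before[k] === 'granted'));
  // A reject-all click must leave every signal denied, including after later updates.
  if (s.choice === 'reject_all') add('not-denied-after-reject-all', SIGNALS.filter((k) => after[k] !== 'denied'));
  // A Global Privacy Control opt-out must leave the advertising signals denied.
  if (s.gpc) add('not-denied-after-gpc', AD_SIGNALS.filter((k) => after[k] !== 'denied'));
  return findings;
}

const sessions = [
  { name: 'eu-default-granted', optInRequired: true, gpc: false, choice: null,
    beforeChoice: [['consent', 'default', all('granted')]], afterChoice: [] },
  { name: 'eu-regranted-after-reject', optInRequired: true, gpc: false, choice: 'reject_all',
    beforeChoice: [['consent', 'default', all('denied')], ['config', 'G-PLACEHOLDER']],
    afterChoice: [['consent', 'update', all('denied')],
                  // a second tag overwrites the banner's update
                  ['consent', 'update', { ad_storage: 'granted', ad_user_data: 'granted' }]] },
  { name: 'ca-gpc-ignored', optInRequired: false, gpc: true, choice: null,
    beforeChoice: [['consent', 'default', all('granted')]], afterChoice: [] },
  { name: 'ca-gpc-honoured', optInRequired: false, gpc: true, choice: null,
    beforeChoice: [['consent', 'default', all('denied')]], afterChoice: [] },
];

for (const s of sessions) console.log(s.name, JSON.stringify(auditSession(s)));
```

Because the fold is order-sensitive, a late `update` from another tag shows up as a finding even when the banner itself issued the correct denied state.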

The research adds to growing scrutiny of how large consumer-facing websites implement consent tools in practice, particularly as enforcement shifts from the wording of banners to the technical behaviour that follows a user's decision.