Over Half of Websites Don’t Respect User Privacy
New Research Reveals Widespread Non-Compliance with User Opt-Out Requests
You may have thought that when users check the ‘reject all’ box on those website privacy pop-ups, that would be the end of it. The site would respect their choice and wouldn’t go sharing their data with anyone it shouldn’t. But researchers at Wesleyan University recently discovered that more than half of the U.S. websites they looked at would ignore their wishes.
Websites’ Global Privacy Control Compliance
A new paper by associate professor of computer science Sebastian Zimmeck and his students found that in April 2024, only 45% of websites respected people’s data sharing preferences when they decided to opt out of tracking. It specifically examined compliance with Global Privacy Control (GPC) signals, a mechanism for users to opt out of data sharing across websites. The study focused on a sample of websites, not necessarily all websites globally, but it’s likely safe to assume that we can apply its findings more broadly. Zimmeck’s team looked at a significant sample, monitoring compliance rates with opt-out requests across 11,708 websites since December 2023, and previous measurements have all been close to that 45% figure.
This is bad news for website visitors who thought they were opting out of being profiled and having details about their lives passed to data brokers and ad networks, sometimes in ways that could disadvantage them personally (such as when it’s sold to entities like landlords or background check firms).
But it’s also troubling news for website owners themselves, who are courting disaster if they don’t work to turn this around. With 71% of U.S. adults worried about government data use and 67% feeling they have little understanding of what companies do with their data, companies had better respect their concerns or risk their disapproval.
To be clear, Zimmeck’s paper doesn’t outright accuse websites of deliberately violating user privacy, but it does suggest this is a complex issue that’s often tied to technical flaws and outdated systems. When we contacted him, Zimmeck said: “Website publishers should take privacy compliance seriously. They should educate themselves on the applicable law and take the necessary technical steps to make their site compliant. This is not a one time task, but requires a continuous effort as laws evolve and sites get updated.”
Specifically, many sites have broken or incomplete consent mechanisms:
- Many sites rely on third-party scripts and integrations that continue to drop tracking cookies even after a user opts out.
- Some privacy notices and opt-out tools are misconfigured or poorly maintained, meaning they don’t correctly communicate user preferences across all embedded technologies.
So, what we have here is most likely a problem of inadequate systems rather than malicious intent. Site operators often lack the robust privacy validation processes they need, and privacy checks are often done manually and infrequently, making it easy to miss violations caused by updates, new scripts, or errors in data flow.
What the paper urges website owners to do is to move toward automated and continuous monitoring. This way, organizations will be able to align their practices with user expectations and catch issues early. It also emphasises the need for proactive privacy validation tools that catch leaks, broken policies, and rogue scripts in real time.
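As an added illustration (not code from the paper or from Reflectiz), the sketch below shows the kind of automated check this describes: it scans a recorded page load in which the browser sent the GPC request header `Sec-GPC: 1` and reports third-party hosts that still set persistent cookies. The capture format, host names, cookie names, the suffix-based first-party test and the "persistent means likely tracking" heuristic are all assumptions made for the example.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed capture of one page load; hosts and cookie values are made up.
CAPTURE = [
    {"url": "https://shop.example/", "request_headers": {"Sec-GPC": "1"},
     "set_cookie": ["session=abc; Path=/; HttpOnly"]},
    {"url": "https://cdn.shop.example/app.js", "request_headers": {"sec-gpc": "1"},
     "set_cookie": []},
    {"url": "https://pixel.adnet.example/t.gif", "request_headers": {"Sec-GPC": "1"},
     "set_cookie": ["uid=7f3a; Max-Age=31536000; Path=/; SameSite=None; Secure"]},
    {"url": "https://chat.widget.example/boot", "request_headers": {"Sec-GPC": "1"},
     "set_cookie": ["tmp=1; Path=/"]},
]


def is_third_party(host, first_party):
    """Approximate site check by suffix match (assumption: a production
    check would use the Public Suffix List to find registrable domains)."""
    return not (host == first_party or host.endswith("." + first_party))


def gpc_violations(capture, first_party):
    """Return (host, cookie name, lifetime) for every persistent cookie a
    third party set in response to a request that carried Sec-GPC: 1."""
    findings = []
    for exchange in capture:
        headers = {k.lower(): v.strip()
                   for k, v in exchange["request_headers"].items()}
        if headers.get("sec-gpc") != "1":
            continue  # no opt-out signal was sent with this request
        host = urlsplit(exchange["url"]).hostname or ""
        if not is_third_party(host, first_party):
            continue
        for raw in exchange["set_cookie"]:
            jar = SimpleCookie()
            jar.load(raw)
            for name, morsel in jar.items():
                lifetime = morsel["max-age"] or morsel["expires"]
                if lifetime:  # session cookies carry neither attribute
                    findings.append((host, name, lifetime))
    return findings


if __name__ == "__main__":
    for host, name, lifetime in gpc_violations(CAPTURE, "shop.example"):
        print(f"persistent cookie after opt-out: {host} set {name} ({lifetime})")
```

Running a check like this on every deployment, rather than during an occasional manual audit, is what surfaces a newly added script that ignores the opt-out.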
In essence, the paper leans more toward systemic and technical negligence than deliberate disregard, and the fix is to adopt better tools, more accountability, and real-time transparency.
The Patchwork of Privacy Laws in the U.S.
No single federal law guarantees comprehensive online privacy rights for all citizens. Instead, 19 states have comprehensive privacy laws, covering about 44% of the population. Residents of states without these laws often lack legally enforceable rights to opt out of data collection, to see what data is collected, or to request that it be deleted. So does that mean that website owners who are among the 55% not respecting opt-outs can get away with it in those states?
Yes and no. Although a website isn’t technically breaking state law if that law doesn’t exist, the Federal Trade Commission may still take an interest. It can pursue cases under its authority to punish deceptive or unfair business practices, and misleading privacy policies or hidden tracking might be enough to trigger federal action.
Why Websites Still Need to Be Careful
The other thing to consider is that a lack of law doesn’t mean a lack of risk. Violations can still lead to public backlash, loss of user trust, and bad press, so it makes good business sense to actively monitor and validate web privacy. This doesn’t need to be overly complex, and larger platforms often apply uniform privacy standards nationwide or globally to simplify operations and minimize legal headaches.
So, while some companies may not be legally required to respect opt-out preferences in certain states, they’re playing with fire by ignoring them. It’s not just about the law—it’s about reputation, future-proofing, and ethical responsibility. But what’s the best way to ensure ongoing compliance?
Continuous Web Privacy Validation: Simplified
Reflectiz’s new privacy dashboard has taken that ‘…doesn’t need to be overly complex’ to heart. It allows organisations of any size to align their privacy policies with real-world practices, putting all necessary tools and reporting in one place.
Older approaches to privacy monitoring tend to be reactive, but they can’t hope to keep up with dynamic modern features like AI chat. Reflectiz can, because it’s proactive, with continuous data mapping, policy matching, instant alerts, fix validation, and dashboard oversight, continuously monitoring your websites, applications, and third-party code live in production.
Stay safe and avoid the fallout from a faulty ‘reject all’ mechanism (and more). Add continuous privacy validation to your website today. Register here.