Privacy did not arrive as a new issue in the last few years. Every website that places a cookie, runs analytics, or carries third-party tracking has always operated within a framework of privacy obligations. Every client an agency has ever managed has carried some level of privacy exposure as a basic consequence of being online.
What changed was not the obligation. It was whether anyone could see it.
For most agencies, privacy sat in a category of things that were technically complex, legally sensitive, and practically impossible to surface in a client conversation without specialist knowledge none of the account team had. So it moved quietly to the edge of the relationship. Legal handled it. The consent management platform vendor handled it. And the assumption settled in that it was covered.
That assumption has always been the gap. AiSC is what closes it.
The obligations were always there. The consequences of not meeting them were always real. What has changed is that regulators across the US, Europe, and the UK are now acting on those consequences at a pace and scale that makes the gap between assumption and reality commercially dangerous.
In 2025 alone, California produced 4 significant enforcement actions, each arising from a consent platform that existed but did not function as presented. American Honda Motor Co was fined $632,500 for a privacy management tool that made opting in easier than opting out. Todd Snyder was fined $345,178 after its consent platform failed to function for 40 days. Healthline Media settled for $1.55 million for a consent banner that did not disable tracking cookies. Tractor Supply Company received a $1.35 million fine for failing to honour opt-out preferences across third-party tracking technologies.
The Michigan Attorney General filed a lawsuit against Roku for collecting sensitive data about children via tracking pixels and cookies. The Texas Attorney General took action against both General Motors and Google for sharing personal data without consent. The Attorneys General of Colorado, Connecticut, and California announced a joint investigation into whether businesses are honouring Global Privacy Control opt-out signals. The Colorado Privacy Act and its rules on opt-out timing are widely treated as the most operationally demanding in the US. The Virginia Consumer Data Protection Act extends opt-out rights to profiling with significant effects on individuals. Connecticut's 2025 amendments broadened consumer rights further. The full picture across enacted state laws is tracked by the IAPP, Bloomberg Law, and Mayer Brown. The regulatory frameworks now cover the majority of the US population.
In Europe the same pattern holds. SHEIN was fined €150 million by CNIL, the French data protection authority, for cookie failures including placing trackers after users had refused all cookies. Condé Nast was fined €750,000 by CNIL for placing cookies without valid consent. The UK's Information Commissioner's Office is actively monitoring the top 1,000 UK websites with significantly increased fines for non-compliance.
These are not warnings. They are outcomes. The obligations were always there. The enforcement is now consistent, global, and accelerating.
The shift that changes the risk profile for agency clients most sharply is the legal recharacterisation now taking place. Privacy breaches are increasingly being framed not as technical failures but as deception, and in some US jurisdictions as criminal conduct.
Under California's Invasion of Privacy Act, presenting a Reject option that does not prevent tracking before it loads creates a strong argument that the interface is actively misleading users. Plaintiffs are arguing that third-party tracking deployed without valid consent constitutes unlawful interception. The Condé Nast tracker complaint pleads this argument explicitly, and a judge has allowed the case to proceed. Under state unfair and deceptive acts and practices regimes, this characterisation carries greater financial remedies than a standard privacy breach, and in criminal contexts extends to personal liability for officers.
Most cyber insurance policies exclude situations where the insured has not taken reasonable steps to minimise exposure. Where criminal intent is alleged, coverage may not respond when it is needed most. The California AG's CCPA guidance on cross-context behavioural advertising and the mechanics explained in the Ropes Gray CPRA analysis make clear that the standard being applied is operational, not theoretical. The opt-out must work. It must work at the right moment. And it must be evidenced.
Sitemorse's privacy and cookies audits, conducted across 119 million websites between 2017 and 2025, show that this is not a niche risk affecting a small number of poorly run organisations (Sitemorse, Privacy and Cookies Audits, 2017-2025, internal data).
87% of websites audited are already in breach of current regulations. 43% are already misleading visitors, already operating the pattern regulators have named the illusion of choice: the consent banner appears, the Reject option is presented, and tracking fires regardless, before the user has any opportunity to act.
For an agency managing ten clients, the statistical reality is that the majority of those sites are carrying live exposure right now. The question is not whether the problem exists. It is whether the agency can see it.
The overwhelming majority of clients in this position did not create it deliberately. They installed tools, onboarded vendors, added pixels and integrations over time, and did not monitor what those tools were doing at page load. They do not want the data their sites are collecting. They are not using it. The exposure accumulated quietly in the background while the consent banner sat on the homepage giving everyone the impression that privacy was handled.
Intent is not a defence in front of a regulator. But the commercial consequence that most clients have not been told about runs deeper than the fine.
When tracking fires before consent is resolved, that data enters the adtech ecosystem. Large data aggregators whose infrastructure sits behind the tracking technologies on millions of sites collect and in many cases make that data available commercially. A client who believed their privacy was covered may be feeding their own customer signals and user behaviour into an ecosystem where their direct competitors can access it. The organisation that thought it had a consent banner in place may be inadvertently handing competitive intelligence to the market it is spending to reach.
That is not a compliance conversation. It is a commercial one, and it is one the agency with visibility is uniquely positioned to open.
Privacy sits across a client's site in more places than the consent banner. A privacy policy that was accurate at launch may now misrepresent what the site is actually doing, because integrations, data processors, and third-party tools have been added since it was last reviewed. Trackers may be configured to load before consent is resolved. Consent notices may appear on the homepage but not on landing pages used in paid campaigns. The Ropes Gray state privacy law tracker and the California AG's guidance both make clear that regulators are looking at whether controls work in practice, not whether they exist on paper.
These are not things an account team could identify previously. There was no practical mechanism for an agency to look across a client's site and surface these gaps in a form that was evidenced, accessible, and usable in a client conversation.
AiSC is that mechanism. Its privacy assessment covers 61 elements across a client's site, graded A to E, examining whether privacy content is present and current, whether cookie collection reflects what is disclosed, and where consent configuration is creating exposure the client has no visibility into. The assessment does not ask the agency to make legal judgements. It produces evidence, and evidence is what changes the client conversation from a concern to a specific, actionable finding.
The Agency Revenue Radar gives agencies that view across their full portfolio, showing which client relationships are carrying the highest privacy exposure and where the most important conversations need to happen first.
The strongest client relationships are built on one consistent proof: the agency sees things the client cannot see themselves and raises them before they become problems. That proof has never been more available to agencies than it is now, across an area that has always been part of every client's digital presence but has never been visible until this point.
The obligation was always there. The exposure was always there. The regulatory consequence was always a possibility. What agencies have lacked, until now, is the means to see it, evidence it, and hold the client conversation from a position of credibility and confidence.
The full picture for agencies that want the detail sits in the AAAnow.ai privacy whitepaper. The starting point is simpler: know where your clients stand before someone else tells them.
Open the client view summary (clients can run it themselves at https://aaanow.ai/confirm); example below.

Click '/privacy detail' for details of trackers, with areas of concern highlighted.

Virginia Consumer Data Protection Act (statutory reference) https://law.lis.virginia.gov/vacode/title59.1/chapter53/
Colorado Privacy Act opt-out statute https://law.justia.com/codes/colorado/title-6/article-1/part-13/section-6-1-1306/
Colorado Privacy Act rules (profiling opt-out, 4 CCR 904-3) https://coag.gov/resources/colorado-privacy-act/
Connecticut 2025 privacy amendments (IAPP) https://iapp.org/news/a/connecticuts-privacy-law-amendments-broaden-consumer-rights-expand-data-types-covered/
California AG CCPA guidance https://oag.ca.gov/privacy/ccpa
Healthline Media settlement press release (California AG, July 2025) https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-largest-ccpa-settlement-date-secures-155
California Privacy Rights Act regulations: what your business should know (Ropes Gray) https://www.ropesgray.com/en/insights/alerts/2023/01/california-privacy-rights-act-regulations-what-your-business-should-know
Condé Nast fined €750,000 for placing cookies without consent (noyb) https://noyb.eu/en/noyb-win-conde-nast-fined-eu750000-placing-cookies-without-consent
US state privacy legislation tracker (IAPP) https://iapp.org/resources/article/us-state-privacy-legislation-tracker
State privacy legislation tracker (Bloomberg Law) https://pro.bloomberglaw.com/insights/privacy/state-privacy-legislation-tracker/
State privacy law tracker (Mayer Brown) https://www.mayerbrown.com/en/insights/resource-centers/cybersecurity-and-data-privacy-resource-center/state-privacy-law-tracker
State privacy law tracker (Ropes Gray) https://www.ropesgray.com/en/sites/state-privacy-law-tracker
US State Privacy Laws: Targeted Advertising and Profiling Opt-Out Rights (2026) https://web.aaatraq.com/downloads/Privacy_RISK_FEB21-R165489.pdf