A note for risk managers and general counsel
The illusion of choice.
A visitor arrives at your website. A banner offers them a choice: accept, or reject. They click "Reject" and believe the matter is settled. The question regulators are now asking, and plaintiffs' counsel after them, is whether the data had already left the building.
What actually happens on a typical page load
0 ms
Page requested
~120 ms
Third-party trackers fire
Pixels and cookies load; data may already flow to ad networks
~800 ms
Consent banner renders
The visitor is offered a choice, after the fact
+4 s
Visitor clicks "Reject"
after
Tracking continues
Misconfigured tags ignore the rejection
Everything to the left of the banner happened before anyone could choose. That is the "illusion of choice", and it is visible from outside your organisation.
See for yourself
Does your website keep its promises?
Enter your address. The result appears on screen; a fuller audit covering Value, Risk and AI Readiness can follow by email within 48 hours.
Run the check at aaanow.ai/confirm
Enforcement examples · 2025
One recurring failure: the visitor's choice never took effect.
Consent-failure penalties
Ring length scaled to penalty · 2025
Healthline · California AG
banner failed to disable tracking cookies
$1.55M
Tractor Supply · California
opt-outs never reached third-party trackers
$1.35M
Condé Nast · CNIL
cookies without consent; CIPA class action proceeding
€750K
American Honda · CPPA
opting out took several steps, opting in took one
$632.5K
Todd Snyder · CPPA
consent platform silently broken for 40 days
$345.2K
| Company | Authority | Failure | Penalty |
|---|---|---|---|
| Healthline Media | California Attorney General, July 2025 | Banner failed to disable tracking cookies | $1,550,000 |
| Tractor Supply | California, October 2025 | Opt-outs never reached third-party trackers | $1,350,000 |
| Condé Nast | CNIL, November 2025 | Cookies without consent; CIPA class action proceeding in California | €750,000 |
| American Honda | CPPA, March 2025 | Opting out took several steps, opting in took one | $632,500 |
| Todd Snyder | CPPA, May 2025 | Consent platform silently broken for 40 days | $345,178 |
| SHEIN | CNIL, September 2025 | Cookies still placed after visitors refused them | €150,000,000 |
CNIL · SHEIN · September 2025
€150,000,000
For cookie failures, including cookies still being placed after visitors refused them. Nearly one hundred times the largest US penalty of the year.
Enforcement of consent is no longer theoretical, on either side of the Atlantic.
Colorado, Connecticut and California attorneys general have announced a joint investigation into whether universal opt-out signals are honoured. These are a limited number of examples to illustrate the national regularity infringement being pursued by regulators. Sources: itemized and listed below.
Your contacts at Wilson Elser
The check is automated. The judgment is human.
Adam and Jana lead Wilson Elser's work where privacy, data use and AI governance meet: cookie and tracking compliance, consent programs that hold up under scrutiny, and the defense of privacy litigation nationwide.
If your result raises questions, they are the right first call.
Adam R. Bialek
Partner · New York, NY
Co-chair of the Intellectual Property and Technology Practice. Counsels on internet law, digital compliance, data security and website accessibility.
Jana S. Farmer
Partner · White Plains, NY
A leader of the Privacy, Security and AI practice (CIPP/US, AIGP, FIP). Advises on cookie and tracking compliance, consent and AI governance, and defends privacy claims.
The paper
Download "The Illusion of Choice"
US State Privacy Laws: Targeted Advertising and Profiling Opt-Out Rights (2026). The whitepaper behind this page: the enforcement record, the state-by-state opt-out landscape, and what honouring choice means in practice.
Download the paper , US State Privacy Laws: Targeted Advertising and Profiling Opt-Out Rights 2026, (PDF)Privacy monitoring · AAANOW
One check is a snapshot. Monitoring keeps it that way.
Websites change every week: new tags, new vendors, new pages. AAANOW's privacy monitoring keeps watching after today's check, so a compliant site stays a compliant site.
01
Your continuous weekly audit
Your site is audited every week, the same outside-in review as the check above: what loads before consent, and what happens after "Reject".
02
Alerts when it matters
An alert against significant changes: a privacy link failure, tracking appearing before consent, or anything that impacts regulatory matters.
03
A weekly report
A weekly report to your inbox: your current grade, what changed since last week, and what needs attention first.
References
Sources used on this page.
The statutes, regulator resources and reporting behind the figures and examples above.
-
Virginia Consumer Data Protection Act
Code of Virginia, Title 59.1, Chapter 53: the VCDPA, including its targeted-advertising opt-out right.
https://law.lis.virginia.gov/vacode/title59.1/chapter53/ -
Colorado Privacy Act, statute
C.R.S. 6-1-1306: consumer rights under the CPA, including the opt-out and universal opt-out mechanism.
https://law.justia.com/codes/colorado/title-6/article-1/part-13/section-6-1-1306/ -
Colorado Privacy Act, rules
Colorado Attorney General resources for the CPA and its rules (4 CCR 904-3), covering profiling opt-outs.
https://coag.gov/resources/colorado-privacy-act/ -
California Attorney General: CCPA
Official CCPA guidance on sale, sharing and cross-context behavioural advertising.
https://oag.ca.gov/privacy/ccpa -
Connecticut amendments, IAPP commentary
How Connecticut's privacy-law amendments broaden consumer rights and the data types covered.
https://iapp.org/news/a/connecticuts-privacy-law-amendments-broaden-consumer-rights-expand-data-types-covered/ -
CPRA regulations, Ropes & Gray
What the California Privacy Rights Act regulations mean in practice, including cross-context behavioural advertising.
https://www.ropesgray.com/en/insights/alerts/2023/01/california-privacy-rights-act-regulations-what-your-business-should-know -
Condé Nast cookie enforcement, noyb
The EU comparator: CNIL's €750,000 fine for cookies placed without consent.
https://noyb.eu/en/noyb-win-conde-nast-fined-eu750000-placing-cookies-without-consent -
IAPP: US state privacy legislation tracker
Live tracker of comprehensive US state privacy legislation.
https://iapp.org/resources/article/us-state-privacy-legislation-tracker -
Ropes & Gray: state privacy law tracker
Status of state privacy laws and rulemaking, state by state.
https://www.ropesgray.com/en/sites/state-privacy-law-tracker -
Bloomberg Law: state privacy legislation tracker
Bloomberg Law's tracker of state privacy bills and enacted laws.
https://pro.bloomberglaw.com/insights/privacy/state-privacy-legislation-tracker/ -
Mayer Brown: state privacy law tracker
Mayer Brown's state privacy law tracker within its cybersecurity and data privacy resource centre.
https://www.mayerbrown.com/en/insights/resource-centers/cybersecurity-and-data-privacy-resource-center/state-privacy-law-tracker
Attorney Advertising: prior results do not guarantee a similar outcome. This page is an introduction and a starting point only; it is not legal advice. The automated review is operated by AAAnow.ai Ltd ("AAANOW") and reflects publicly available areas of a website at a point in time. Where matters of legal compliance are concerned, always take advice from appropriately qualified counsel.