In 2024, a California consumer visited Healthline.com and opted out of tracking three separate ways: Clicking the “Do Not Sell or Share” link, adjusting the cookie banner, and sending a Global Privacy Control signal.
Investigators later found that 118 third-party advertising cookies kept firing anyway, transmitting identifiers and the titles of health articles the person had read.
In July 2025, that failure cost Healthline Media $1.55 million, the largest CCPA settlement to date.
Healthline had every surface-level compliance marker in place. What it lacked was enforcement of those choices downstream. And that gap, between recording a preference and actually honoring it, is where privacy regulation is now being fought.
The Downstream Execution Gap
A consent management platform is a tool that collects, stores, and signals user choices about personal data.
For a decade, deploying one was treated as the finish line of cookie compliance. The regulatory logic has shifted. Regulators are no longer just checking whether you asked for permission. They are testing whether the consumer’s choice was put into action across every system that touches their data.
Storing an opt-out in an isolated database achieves nothing if the marketing stack never hears about it. Healthline’s opt-out mechanisms logged consumer choices correctly. The data flows to ad-tech vendors simply continued regardless.
Enforcement Shifts from Interface to Operations
Early privacy enforcement focused on the presence of disclosures: A privacy policy, a banner, a link. Today’s actions target operational failure.
In May 2025, the California Privacy Protection Agency fined retailer Todd Snyder $345,178 after a misconfigured cookie banner meant consumer opt-out requests went unprocessed for 40 days.
The company had bought a consent management solution. It had not verified that the tool worked. As the CPPA’s head of enforcement put it, using a consent management platform does not get you off the hook for compliance.
European regulators are applying the same standard at greater scale. According to DLA Piper’s annual GDPR Fines and Data Breach Survey, authorities issued approximately 1.2 billion euros in GDPR fines in 2025, with marketing and advertising practices among the principal targets.
The pattern across these cases is consistent: The penalty attaches not to the absence of a compliance tool, but to the failure of the tool to change what the organization actually does with data.
The Patchwork Multiplier
The burden is not confined to California or the EU. Twenty US states now have comprehensive privacy laws, each granting consumers rights to opt out of data sales and targeted advertising, and each with its own nuances. For example, Colorado requires recognition of universal opt-out mechanisms. Maryland imposes stricter data minimization standards.
A multi-state enterprise must apply different rules to the same consumer choice depending on where that consumer lives.
When consent records sit isolated in a browser-level tool, tracking those variations reliably is beyond what a human team can manage. A missed opt-out in one state can trigger an audit even if the organization is compliant everywhere else.
Why Fragmented Stacks Fail
Most enterprises built their privacy tooling one regulation at a time: A cookie consent manager for the website, a separate tool for privacy rights requests, a customer data platform holding marketing preferences somewhere else again.
Each tool may work well in isolation. The failure happens in between. When a customer updates their choices in a mobile app, nothing guarantees the email platform ever learns of it. There is no single record of what the customer agreed to, so there is no reliable way to enforce it.
Both recent California cases fit this description. The consent was captured, but the systems downstream never acted on it.
Consumers Want More than a Binary Choice
There is a commercial dimension to getting this right. Preference management is the practice of letting individuals choose what data they share, how often they are contacted, and through which channels, rather than offering a single yes-or-no gate.
For example, when people can reduce email frequency instead of unsubscribing entirely, “opt-downs” replace total opt-outs, and the organization keeps a relationship it would otherwise have lost.
A self-service preference center gives customers one place to see and adjust how their data is used, which builds confidence rather than eroding it.
Consent, ultimately, is a trust exchange. People share data with organizations that demonstrably respect their choices.
The Operational Reality
For privacy, marketing, and data teams, 2026 is the point where recording consent and enforcing consent can no longer be treated as separate problems.
Regulators on both sides of the Atlantic are testing whether opt-outs propagate to every downstream system, and fining organizations where they do not.
The market is responding by consolidating consent and preference management into unified platforms that capture a choice once and enforce it everywhere. But the underlying obligation belongs to the organization, whatever tools it uses.
The question every privacy leader should be asking is simple: If a customer opted out today, could you prove that every system responded correctly?