A streaming subscriber clicks “Do Not Sell or Share My Personal Information” and the request appears to work.
But behind the interface, the company’s websites and apps keep sharing that person’s data with advertising partners, and the opt-out signal sent from their laptop never reaches the account they use on their TV.
In February 2026, that gap cost Disney and ABC $2.75 million, at the time the largest settlement under the California Consumer Privacy Act (CCPA).
A preference management platform captures each individual’s choices about their data, communications, and preferred channels, then applies those choices across every system that touches them. The incumbent generation of privacy tools was built for a narrower job: Displaying a cookie banner, logging a record, and moving on.
Many buyers start a consent and preference management project by searching for OneTrust alternatives or working through a consent management platform comparison. Feature checklists tend to reward incumbents, because incumbents have had a decade to accumulate features.
A more revealing approach is to apply the tests regulators are now applying, because 2026 enforcement targets exactly the gaps that first-generation tools leave open.
1)Does It Enforce Choices, or Only Record Them?
France’s data protection authority, the CNIL, fined American Express Carte France 1.5 million euros in November 2025 after finding advertising cookies placed before users made any choice, placed despite an explicit refusal, and still being read after consent was withdrawn.
The withdrawal itself was captured correctly. The trackers simply kept firing, and the regulator treated that alone as a violation.
Legacy tools were designed to log the choice, leaving enforcement to whatever integrations the buyer assembled afterwards. A modern preference management platform suppresses trackers and signals every downstream system the moment a choice changes, and it can prove that it did so.
2) Does One Choice Update the Whole Customer Relationship?
In the Disney settlement, Global Privacy Control (GPC) signals were honored only on the specific device that sent them, even when the consumer was logged in, and California regulators found that the CCPA requires a known consumer’s opt-out to apply across their entire relationship with the business.
Browser-level tools cannot apply opt-outs across devices, because a preference center that only knows about the website holds a partial record.
The test to run in procurement is simple: If this customer opts out on their phone, show me what happens to their record in the email platform, the app, and the connected TV service, and how quickly.
3) Can it Ingest Opt-Out Signals Without Adding Friction?
Since January 1, 2026, updated CCPA regulations make recognizing opt-out preference signals an affirmative obligation, and businesses must show consumers that the signal was processed. Compliance is publicly verifiable by anyone with a browser extension, which makes it an easy first check for investigators.
The point is already being enforced. In March 2026, the California Privacy Protection Agency fined PlayOn Sports $1.1 million, in part for failing to recognize and process consumers’ opt-out preference signals and for directing consumers to industry-run opt-out tools rather than providing a working mechanism of its own.
Ask whether the platform detects and honors signals automatically, confirms the outcome to the consumer, and completes an opt-out without extra steps, clicks, or logins.
4) Could It Evidence Your Decisions Under Investigation?
Under the General Data Protection Regulation (GDPR), the burden of proving valid consent sits with the organization, and regulators can ask for that proof years after the choice was made.
California has moved in the same direction, and since January 1, 2026, businesses that sell or share personal information must document risk assessments covering those decisions.
A platform should therefore produce, for any named individual, a complete history of what they agreed to, when it changed, and which systems acted on it, with retention controls tied to documented purposes. Assembling that record manually across several tools takes days, and investigations move faster than that.
5) Is it One Platform or a Stack of Acquired Modules?
Gartner’s Market Guide for Privacy UX, published in February 2026, describes consent and preference management, privacy rights requests, and web tracker management converging into a single privacy user experience layer that consolidates and synchronizes choices across all touchpoints.
Incumbent suites largely evolved the other way, through acquisitions and bolt-on modules, so each component can pass a demo while, like in the Disney and American Express cases, the connections between them fail quietly in production.
In a consent management platform comparison, look underneath the module names for a single data model, where a choice made in any channel becomes the same record everywhere, rather than a synchronization job between products that were never designed together.
What the Choice is Really For
Every CCPA enforcement action to date has involved the right to opt out in some form, and regulators on both sides of the Atlantic are now testing mechanisms in live environments rather than reviewing policies.
The exposure sits in the gap between what an organization says it does and what its tooling actually does.
The market is consolidating around unified consent and preference management platforms for that reason, though the legal obligation stays with the organization whatever it buys.
Before signing anything, run the trace test on your shortlist. Take one real customer, change one preference, and follow it through every connected system. A vendor that can show you that journey end to end has answered the only question that matters.