
Top U.S. Websites Run Afoul of European Data Privacy Law

Research by Zendata found that many leading U.S. websites have failed to abide by the EU's General Data Protection Regulation. Learn about the research’s key findings.

The General Data Protection Regulation (GDPR), which aims to prevent unethical data usage, went into effect in May 2018, yet leading U.S. websites still haven’t complied with the European data privacy law.

Sixty-seven percent of the top 1,000 U.S. websites are not GDPR compliant. Zendata, a regulatory compliance technology vendor, used its software to analyze the top 1,000 U.S. websites in December 2021 to identify which regulations they failed to follow for EU visitors. The company found that these websites fell short in three main categories: transparency, new forms of tracking, and communication.

How U.S. Websites Missed the Mark

One of the most alarming findings concerns transparency, Zendata said. Forty-three percent of the top U.S. websites offered no option to opt out of having consumer data sold, while 55% showed no cookie consent message on the first page load. In addition, about one-third of the websites not only lacked a cookie message on the first load but also had ad trackers present on their site.

[Chart (Zendata): percentage of websites that fail in privacy policy transparency]

Compounding the issue is a rise in device fingerprinting. Nearly half (44%) of the top U.S. websites used this data-tracking tech to keep tabs on their visitors’ browsing behavior, Zendata found.

On top of that, 41% of websites were ambiguous about why they collect consumer data. Websites' privacy policies can be indecipherable because of their length, terminology and vague language. Zendata used machine learning to identify websites with "difficult to understand" privacy policies by examining several factors: privacy policy length, the structure of the website, description of data uses, readability of the page, sentence length, and lexical diversity. Eighty-two percent of the websites had complex privacy policies that are difficult for the general consumer to understand.

Implications of GDPR Violations

While GDPR is a European data privacy law, the top 1,000 U.S. websites (and millions of other websites) offer goods and services to EU residents, Zendata noted. These websites capture identifiable information about website visitors, making them subject to GDPR compliance.

Noncompliance with GDPR can have legal, financial and ethical consequences. Any company that fails to comply with the EU regulations can receive fines that range from $80,000 to $120,000, with millions of dollars more in cases of security breaches.

Consumer interest in privacy is also on the rise, and many existing or potential customers actively avoid companies that have unethical data-collection or data-sharing practices. Therefore, companies that invest in consumer data privacy can see boosts in company reputation and brand image, which can translate into increased revenue and reduced customer attrition, Zendata said.
