
A wave of enforcement actions in early 2026 points at the same gap, and it's not where most compliance programs are looking.
Something interesting happened in the California AG's February 2026 settlement with a major streaming platform - at first, nothing appeared to be wrong. The opt-out mechanism worked. The consent banner was live. The CMP was configured correctly. Users who asked to opt out of targeted advertising had their requests logged.
The problem was that the data kept flowing anyway.
The opt-out signal wasn't propagating to third-party ad partners the way the system was designed to. More importantly, no one had tested whether it was. The settlement ($2.75 million, the largest CCPA penalty to date) wasn't about a company that ignored privacy completely; it was about a company that built a privacy program, deployed it, and never looked closely at what it was actually doing in production. This is not a single-site issue. It happens across thousands of domains simultaneously, each with different tags, vendors, and configurations, where small execution gaps compound into systemic risk.
This is the same story as the Healthline settlement a year earlier ($1.55 million). Same story as the Honda enforcement action, where asymmetric opt-out flows turned out to be unlawful. The compliance failure isn't at design. It's after deployment - in the production environment, where the real users are, where the real data is moving.
Why This Is an Ad Tech Problem, Not Just a Brand or Publisher Problem
This pattern didn't start in the US - Europe got there first.
Under GDPR, both controllers and processors are directly liable for their roles in personal data processing. That means decisions about how tags, pixels, and scripts execute on page and pass signals downstream are compliance decisions for every party in the chain, where enforcement happens in code, not configuration. Belgian courts pushed this further: in a series of rulings that ultimately drove the TCF 2.3 update, they found that vendors receiving consent signals without being verifiably disclosed to users were operating outside the framework - and that IAB Europe itself, as the framework administrator, shared controller responsibility for how those signals were used downstream. European litigators in Belgium, Germany, and the Netherlands have conducted sweeps of hundreds of sites focused specifically on the behavior of third-party tracking technologies, not just the consent banner sitting on top of them.
If that sounds familiar, it should. The US enforcement wave is following the same logic with different statutory hooks. GDPR preceded CCPA. The TCF accountability rulings preceded the US supply chain enforcement actions. The underlying argument - that downstream data recipients share compliance obligations for how they handle signals they receive - is the same argument showing up in US courts and regulatory settlements right now. Europe just got there a few years earlier.
If you run an SSP, a verification platform, a DSP, a brand site, or any service where your code runs on publisher properties, you have a version of this problem - even if it's not your CMP and not your consent banner.
Regulators are increasingly interested in what happens in the data flow, not just at the point of consent capture. The FTC's January 2026 order against GM followed data through two downstream data brokers. California's new executive attestation requirement asks for evidence of compliance, not declarations of intent. The 10-state enforcement consortium is sharing intelligence across jurisdictions, both within the US and globally. And CIPA plaintiffs are actively testing whether ad tech intermediaries (not just website operators) carry liability for what travels through the bid stream.
This isn't a wholesale shift, however, and it doesn't change much about how any business operates regarding privacy. It simply means the compliance question has gotten more specific: not 'are we compliant?' but 'what can we demonstrate, for which domains, under which consent states, at which moments?'
The Gap That Keeps Showing Up
There's a structural reason this keeps happening. Most compliance programs are built to validate configuration: the CMP settings, the consent banner behavior, the tag governance policy. That work is real and it matters, and it is certainly the foundation for a good privacy program.
What it doesn't capture is what happens in production, under real user conditions, across the full data flow. A tag that fires correctly in QA can behave differently in live environments. A consent signal that propagates correctly on web doesn't always propagate correctly in-app. An opt-out that's honored by one downstream partner may not reach another. These gaps are invisible to static scanning and inconsistent audits - and they're exactly what regulators are finding when they look. At scale, this becomes a code execution problem. Each page load triggers dozens of independent scripts and partner calls, and there is no reliable way to verify how those signals propagate across thousands of sites without observing runtime behavior directly.
The practical question for ad tech platforms is whether you have visibility into that production layer across your supply. Not a snapshot from last quarter's audit, but ongoing evidence of what's actually happening when real users are browsing brand or publisher sites right now.
What Good Looks Like
The companies that weathered enforcement scrutiny best in 2025 had a few things in common. They could answer specific questions with specific evidence. They could show, for a given domain, what a user with a given consent state actually experienced, not just what the policy said they should have experienced. And they had timestamped logs that documented compliance behavior consistently over time, not just for one-off audits.
That kind of evidence doesn't come from configuration reports. It comes from consistent behavioral monitoring: observing what actually happens in production, across consent states and jurisdictions, as an ongoing practice rather than a periodic exercise.
The technology to do this at scale - across thousands of domains, without requiring those brands or publishers to change anything in their existing stack - is newer than most people realize. But the enforcement environment is catching up fast.
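The per-domain, per-consent-state evidence described above comes down to checking every observed partner request for the opt-out signal. The following is an added example, not code from the original post or from PrivacyGuard Console; it assumes the opt-out travels as an IAB US Privacy string in a `us_privacy` query parameter, and the capture, partner list and function names are constructed for illustration.

```javascript
// Constructed capture: requests seen while loading one page as a user who
// opted out of targeted advertising. All hosts and values are made up.
const capture = {
  domain: "news.example",
  consentState: "opted-out",
  requests: [
    { ts: "2026-03-02T10:15:01Z", url: "https://news.example/article.js" },
    { ts: "2026-03-02T10:15:02Z", url: "https://ssp.adpartner-a.example/bid?pub=77&us_privacy=1YYN" },
    { ts: "2026-03-02T10:15:02Z", url: "https://px.adpartner-b.example/sync?uid=abc123" },
    { ts: "2026-03-02T10:15:03Z", url: "https://t.adpartner-c.example/e?us_privacy=1YNN&uid=abc123" },
  ],
};

// Hypothetical inventory of ad partners that must receive the opt-out.
const AD_PARTNERS = ["adpartner-a.example", "adpartner-b.example", "adpartner-c.example"];

// IAB US Privacy string: version, notice, opt-out-of-sale, LSPA (e.g. "1YYN").
// Returns "carried", "contradicted" (string says no opt-out) or "missing".
function optOutSignal(url) {
  const s = new URL(url).searchParams.get("us_privacy");
  if (!s || !/^1[YN-]{3}$/.test(s)) return "missing";
  return s[2] === "Y" ? "carried" : "contradicted";
}

// Match a request host against the partner inventory, subdomains included.
function partnerFor(host) {
  return AD_PARTNERS.find((p) => host === p || host.endsWith("." + p)) || null;
}

// One evidence record per partner call: domain, consent state, time, finding.
function auditCapture(cap) {
  const records = [];
  for (const req of cap.requests) {
    const partner = partnerFor(new URL(req.url).hostname);
    if (!partner) continue; // first-party or unlisted host: out of scope here
    const signal = optOutSignal(req.url);
    records.push({
      domain: cap.domain, consentState: cap.consentState, observedAt: req.ts,
      partner, signal,
      violation: cap.consentState === "opted-out" && signal !== "carried",
    });
  }
  return records;
}

const evidence = auditCapture(capture);
console.log(JSON.stringify(evidence.filter((r) => r.violation), null, 2));
```

A request with no signal at all and a request whose string contradicts the user's choice are reported separately, because they usually point to different faults in the tag chain.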
A Note on What We're Building
PrivacyGuard Console came out of watching this pattern repeat. We kept seeing compliance programs that were genuinely well-designed produce production environments that regulators found wanting - not because anyone cut corners, but because nobody was continuously checking what was actually happening in production.
