Privacy regulators are not just alert. They are in motion. Fast. In recent weeks, authorities in the Netherlands and the United Kingdom have stepped up enforcement around one thing: websites that collect and share customer data without proper consent.
This is not some distant problem. It is happening now. And for many companies, the real risk is not just legal. It is reputational.
Unintentional data sharing is more common than you think
At Nixon Digital, we recently used our Privacy Audit tool to scan over 200 websites across different industries. What we found was alarming: most websites shared customer data with third parties before obtaining valid consent. In most cases, this was unintentional. But that does not make it any less risky.
Many businesses use marketing tools, conversion scripts, or content personalization features to enhance the user experience. However, these tools often introduce third parties into the data flow. That means customer data is being shared, tracked, and sometimes even monetised long before consent has been given.
And that is exactly where the problem lies.
Authorities are done waiting
Regulators are no longer sending polite warnings. They are acting.
- In the Netherlands, the Data Protection Authority (AP) issued warnings to 50 organisations using misleading cookie banners
- The UK’s ICO launched an investigation in January into the country’s top 1,000 websites
And they are not just looking at cookie banners. They are looking at what happens under the hood:Â what data is really being collected, by whom, and when.
Tracking is no longer visible. That is the danger.
Modern tracking methods have moved far beyond cookies. Technologies like fingerprinting collect detailed information such as:
- IP address
- Browser and device characteristics
- Type of website visited
- Even the specific product a user looked at (for example, a pair of glasses on an optician’s site)
This creates detailed user profiles, often without the user’s knowledge and consent. This is no longer about poor UX design or missing cookie banners. It is about stealth data capture, and regulators are laser-focused on stopping it.
From risk to reality: Coolblue and AS Watson faced consequences
This is no longer hypothetical. Coolblue received a fine for placing cookies without valid consent. AS Watson, parent company of Kruidvat, was also sanctioned for privacy violations. These are not minor issues. These are headline-grabbing enforcement actions.
While the financial hit is painful, the long-term brand damage is even worse. Once lost, trust is hard to win back.
How can you stay in control? Start with visibility.
We get it. You cannot manage what you cannot see. That is why we built the Privacy Audit Tool at Nixon Digital.
With this tool, you can scan your entire website to get an instant overview of your data exposure. It’s a fast and simple way to understand how your site handles cookies and trackers. Want to give it a try? You can scan up to 5 pages for free. It only takes two minutes.
- Instant results
- Easy to use
- No technical setup
Whether you are a Data Protection Officer, a compliance lead or a digital marketer, this tool helps you pinpoint where your site may be violating privacy rules, before a regulator does.
Start here: www.nixondigital.io/
Real action. Real data. Real consequences.
Our scan of 200+ websites confirms what regulators are seeing: There is a widespread gap between intention and execution. Companies want to protect user privacy, but many are unknowingly failing to do so.
This is your moment to take back control. Start by running a free scan with the Nixon Privacy Audit Tool and see how your website measures up.
Sources and background reading
- NRC: No reject button but cookies placed anyway? That means a fine
- Dutch DPA: 50 organisations warned for misleading banners
- ICO UK: Top 1,000 websites under investigation
- Norwegian DPA: Enforcement on fingerprinting
- AVROTROS Radar: How cookie banners should actually work
- IPWatchdog: Rise of cookie banner lawsuits in the US
- AP ruling: AS Watson decision
- AP ruling: Coolblue decision
- Nixon Digital LinkedIn: Audit insights from over 200 websites
Frequently Asked Questions
What does it mean if a website is sharing data without consent?
Sharing data without consent means a website is collecting or transmitting user information, such as browsing behavior, location, or IP-address without the user’s explicit permission. This often happens through cookies, trackers, or embedded third-party scripts that are loaded before consent is given. Such practices can violate privacy laws like GDPR and CCPA. Detecting and stopping unauthorized data sharing is essential to protect user trust, maintain legal compliance, and prevent financial or reputational consequences.
How can I tell if my website is sharing data without consent?
You can detect unauthorized data sharing by conducting a privacy audit using tools like Nixon Pro. These scans identify trackers, cookies, and scripts that load before a user grants consent. Regular audits are vital, especially after installing new plugins or marketing tools, as they can introduce hidden tracking elements that bypass your consent management setup and put your website at compliance risk.
Why is data sharing without consent a legal risk?
Under privacy laws like GDPR, CCPA, and the ePrivacy Directive, businesses must obtain clear, informed, and explicit consent before collecting or sharing personal data. Sharing data without permission can result in regulatory fines, legal investigations, and public trust loss. Even accidental violations caused by poorly configured scripts or third-party tools can be penalized. Ensuring proper consent management helps safeguard both compliance and a company’s reputation.
What steps can I take to stop unauthorized data sharing?
To prevent unauthorized data sharing, use a Consent Management Platform (CMP) to block cookies and trackers until users give permission. Audit your website and your CMP regularly to check if the implementation stays working as intended. Configure third-party tools to respect consent preferences, and ensure your cookie banner meets legal requirements. Training teams on privacy compliance also helps maintain long-term control over data collection and ensures you stay compliant with evolving regulations.
How often should I audit my website for privacy compliance?
It’s best to audit your website at least quarterly, or immediately after adding new tools, plugins, or integrations. Privacy risks can appear suddenly when third-party providers update their code or add new tracking features. Using website privacy scanning tools like Nixon Pro enables continuous monitoring, so you can detect and address non-compliance in real time, protecting your business from legal risks and strengthening customer trust.
