
The Consent Problem No One Sees Coming

Most organizations assume their consent management systems are working as designed. A user revokes consent, and the site stops collecting data. Simple… in theory.

In practice, the Sentinel Insights Consent Scanner finds that tracking technologies often continue firing even after consent is withdrawn. In fact, across hundreds of enterprise scans, roughly 90% of sites tested show some level of continued tag activity after a user revokes or refuses consent.

These findings point to how easily consent enforcement can break down once live tags, browser behavior, and vendor updates are involved. Most teams don’t discover the problem until they see the data for themselves.

How the Consent Scanner Works

The Consent Scanner is a one-time diagnostic that demonstrates what happens when user consent changes. It is separate from our continuous monitoring platform, which provides ongoing visibility across every user and tag.

Each scan simulates a few different user experiences:

  1. Revoked Consent: A user withdraws consent mid-session and continues browsing, or revisits the site after previously revoking consent.

  2. Global Privacy Control (GPC): A user visits the site with a browser that automatically sends a “do not sell or share” signal.

In each scenario, Sentinel records whether tracking technologies continue to collect or transmit data after the scanner withdraws consent. The output is factual and technical, showing what is actually occurring on the website.
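The check described above can be sketched over a recorded session timeline. This is an added example, not Sentinel's code: the event format, the tracker domain list, and the sample sessions are constructed for illustration, and Sec-GPC is the request header browsers use to send the GPC signal.

```javascript
// Constructed sample data: tag-vendor domains and two recorded sessions (not real scan output).
const TRACKER_DOMAINS = ["tracker.example", "vendor.example"];

const revokedSession = [
  { type: "consent", state: "granted" },
  { type: "request", url: "https://shop.example/home", headers: {} },
  { type: "request", url: "https://pixel.tracker.example/collect?e=view", headers: {} },
  { type: "consent", state: "revoked" }, // user withdraws consent mid-session
  { type: "request", url: "https://cdn.shop.example/app.js", headers: {} },
  { type: "request", url: "https://pixel.tracker.example/collect?e=click", headers: {} },
  { type: "request", url: "https://ads.vendor.example/sync", headers: {} },
];

const gpcSession = [
  { type: "request", url: "https://shop.example/", headers: { "Sec-GPC": "1" } },
  { type: "request", url: "https://pixel.tracker.example/collect?e=view", headers: { "sec-gpc": "1" } },
];

// True when the host is a listed tracker domain or one of its subdomains.
function isTrackerHost(host) {
  return TRACKER_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// Header names are case-insensitive; GPC is signalled by the value "1".
function carriesGpc(headers) {
  return Object.entries(headers || {}).some(
    ([name, value]) => name.toLowerCase() === "sec-gpc" && String(value).trim() === "1"
  );
}

// Walk the timeline in order, tracking consent state, and collect tracker
// requests made after revocation or while the GPC signal was being sent.
function findPostOptOutRequests(events) {
  let consent = "unknown";
  const findings = [];
  for (const ev of events) {
    if (ev.type === "consent") { consent = ev.state; continue; }
    const host = new URL(ev.url).hostname;
    if (!isTrackerHost(host)) continue;
    const reason = consent === "revoked" ? "revoked" : carriesGpc(ev.headers) ? "gpc" : null;
    if (reason) findings.push({ host, url: ev.url, reason });
  }
  return findings;
}

console.log(findPostOptOutRequests(revokedSession), findPostOptOutRequests(gpcSession));
```

Each finding is a request to review rather than a verdict: whether it counts as continued collection depends on what the request carries and how the vendor handles the signal.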

What the Scans Reveal

These scans have shown consistent results across organizations and industries. The key takeaway is: Tracking technologies frequently remain active after consent is revoked. And when we say “frequently,” we mean “almost always.” Our scanner constantly detects cases where major vendor tags and advertising pixels keep collecting data even when consent status changes.

And the causes vary. Configuration drift, tag piggybacking, and logic errors inside tag management systems are common. Consent management platforms and tag managers can lose synchronization when third-party vendors update their code or introduce new triggers. Some tags, such as Facebook, include auto-tracking features that continue collecting data unless explicitly disabled. Many organizations are unaware that these behaviors exist until they appear in the scan results.

“Many of the people we’re talking to are surprised that their consent management practices have gaps. We hear this all the time, and it’s a common problem. Even after fixes, some sites still show tag activity on follow-up scans.”

– Cara Caruso, CEO

That reaction of surprise and disbelief is typical. And once teams at these organizations view their own scan results, the risks become visible and specific.

A Case Study in Real-World Validation

A recent scan for a global hospitality brand illustrated how this plays out. Our consent scan quickly identified tag activity after consent revocation and GPC signaling. The company’s internal team was asked to review the findings and requested a meeting with us to go over them together. Our analysts walked through each test step-by-step and confirmed that there was measurable tracking activity after consent was revoked.

This review process focused on verification, not remediation. Sentinel’s role was to validate the evidence so the organization’s privacy and engineering teams could address it internally.

“Our job is to make the evidence clear enough that legal and privacy teams can act with confidence. Governance begins with visibility.”

– Kevin Wysocki, CPO

This distinction defines Sentinel’s work. The platform verifies what is happening on a website so that enterprises can analyze, document, and resolve the issues before they become a problem.

Why It Matters

For privacy professionals, these scans often provide the first proof that consent enforcement gaps exist. Many assume that deploying a consent banner ensures compliance; others have reservations but no way to verify. These scans and our monitoring tag reveal how consent logic works under real conditions.

Even one tag firing after a user has revoked consent can create exposure under regulations such as CPRA, Law 25, or GDPR. Several state laws also require honoring Global Privacy Control (GPC) signals as an opt-out signal for tracking. Because regulators can detect these behaviors automatically, organizations need independent confirmation that consent systems are working correctly.

The Consent Scanner delivers that confirmation before a regulator or a class action attorney does.

From Awareness to Governance and Promise to Proof

Each Consent Scanner report includes:

  • A record of tag behavior under all three test conditions.

  • A baseline for measuring improvement once updates are made or monitoring is deployed.

For most organizations, this first assessment starts a larger governance effort. The findings clarify where enforcement breaks down and provide a verifiable path toward correction.

Consent must hold true each time a tag fires, a page loads, or a browser signal changes.

The Consent Scanner shows the proof of how consistently that promise is being honored.

Run a free scan. See your site the way regulators do.