Privacy Compliance Report: How 148,000 Websites Handle Your Data
Privacy regulations have teeth now. GDPR fines exceeded €4.5 billion in cumulative penalties. California's CCPA empowers consumers to sue. Brazil, India, Japan, and dozens more jurisdictions have enacted their own data protection laws. The question is no longer whether websites should comply — it's whether they actually do.
We used LLMSE's Privacy analyzer to grade 148,360 websites on seven privacy signals: consent banners, privacy policies, cookie policies, CCPA opt-out links, third-party tracker volume, consent-gated scripts, and data processing disclosures. The results paint a bleak picture.
The Grade Distribution
| Grade | Sites | Share |
|---|---|---|
| A (90-100) | 3,712 | 2.5% |
| B (80-89) | 5,897 | 4.0% |
| C (70-79) | 50,229 | 33.9% |
| D (60-69) | 1,633 | 1.1% |
| F (0-59) | 86,889 | 58.6% |
Nearly 6 in 10 websites fail. Only 6.5% earn an A or B. The distribution is sharply bimodal — sites either do the bare minimum to land in C territory, or they do almost nothing and fall into F. The thin D band (just 1.1%) suggests there's little middle ground: once a site starts caring about privacy, it typically clears the C threshold.
What Gets Measured
LLMSE's privacy grading evaluates what's actually visible on the page — the signals a user (or regulator) would encounter:
- Consent banner (-15 if missing): Does the site ask permission before tracking? We detect 19+ consent management platforms including OneTrust, Cookiebot, and CookieYes.
- Privacy policy (-15 if missing): Is there a link to a privacy policy? This is a hard requirement under GDPR, CCPA, and virtually every other privacy framework.
- Cookie policy (-5 if missing): A dedicated cookie disclosure, separate from the general privacy policy.
- CCPA "Do Not Sell" link (-5 if missing): Required for California compliance — a visible opt-out mechanism.
- Tracker volume (-5 if excessive): Five or more third-party tracking domains trigger a penalty. We detect 40+ known trackers including Google Analytics, Facebook Pixel, and session replay tools.
- Consent-gated scripts (-1 if ungated): Are tracking scripts deferred behind consent, or do they fire immediately?
- Data processing disclosure (-1 if missing): Visible text explaining how user data is handled.
Missing a consent banner or privacy policy — the two critical signals — accounts for 30 points of deductions alone. That's enough to drop any site into F territory regardless of everything else.
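An added example (not LLMSE's code) of how the tracker-volume and consent-gating checks in the list above could be run over a page's HTML. The tracker domain sample, the `type="text/plain"` gating heuristic, and the choice to count gated trackers toward the five-domain threshold are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed sample of tracker domains; the analyzer's own 40+ list is not on this page.
TRACKER_DOMAINS = ("google-analytics.com", "googletagmanager.com", "facebook.net",
                   "hotjar.com", "clarity.ms", "licdn.com")
TRACKER_THRESHOLD = 5  # "five or more third-party tracking domains"

def tracker_domain(src):
    """Return the matching tracker domain for a script URL, or None."""
    host = (urlparse(src).hostname or "").lower()
    for d in TRACKER_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None

class ScriptAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.gated, self.ungated = set(), set()

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        d = tracker_domain(a.get("src") or "")
        if d is None:
            return
        # Heuristic (assumption): consent tools commonly park scripts as
        # type="text/plain" so the browser does not run them before consent.
        inert = (a.get("type") or "").strip().lower() == "text/plain"
        (self.gated if inert else self.ungated).add(d)

def audit(html):
    """Apply the -5 (tracker volume) and -1 (ungated scripts) deductions."""
    p = ScriptAudit()
    p.feed(html)
    trackers = p.gated | p.ungated
    deduction = (5 if len(trackers) >= TRACKER_THRESHOLD else 0) + (1 if p.ungated else 0)
    return {"trackers": sorted(trackers), "ungated": sorted(p.ungated), "deduction": deduction}

# Constructed sample page: five tracker domains, two of them consent-gated.
SAMPLE = """
<script src="/js/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="//www.google-analytics.com/analytics.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script type="text/plain" src="https://static.hotjar.com/c/hotjar-0.js"></script>
<script type="text/plain" src="https://www.clarity.ms/tag/example"></script>
"""
```

Calling `audit(SAMPLE)` reports which tracker domains would fire before any consent is given, which is the list a site operator needs in order to move those tags behind the consent tool.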
Privacy by Industry
Not all sectors take privacy equally seriously. Here's how the top industries break down:
| Category | A | B | C | D | F | A+B Rate |
|---|---|---|---|---|---|---|
| Law & Government | 42 | 71 | 535 | 12 | 594 | 9.0% |
| Finance | 54 | 71 | 551 | 14 | 499 | 10.5% |
| Food & Drink | 146 | 187 | 1,231 | 19 | 1,073 | 12.5% |
| Shopping | 132 | 167 | 1,651 | 32 | 804 | 10.7% |
| Business & Industry | 1,290 | 2,045 | 13,313 | 469 | 16,438 | 9.9% |
| News & Media | 127 | 171 | 1,495 | 41 | 1,994 | 7.8% |
| Education | 140 | 271 | 2,374 | 76 | 3,217 | 6.8% |
| Entertainment | 161 | 227 | 7,723 | 59 | 8,014 | 2.4% |
| Computer & Electronics | 135 | 164 | 2,592 | 148 | 18,250 | 1.4% |
| Sports | 76 | 94 | 704 | 20 | 771 | 10.2% |
A few patterns emerge:
Finance and Shopping lead on compliance. These sectors face the most direct regulatory exposure — financial services under multiple overlapping regimes, e-commerce under GDPR and CCPA due to payment data and cross-border transactions. The A+B rates of 10.5% and 10.7% are well above the 6.5% overall average.
Tech sites are the worst offenders. Computer & Electronics has the lowest A+B rate at just 1.4%, with a staggering 85% of sites earning an F. The irony is hard to miss — the industry that builds tracking infrastructure is the least likely to comply with rules governing its use.
Entertainment follows tech into the bottom. Only 2.4% of entertainment sites earn an A or B. Ad-supported business models and aggressive third-party script loading are the likely culprits.
News & Media underperforms despite scrutiny. At 7.8% A+B, media sites lag behind the average — surprising given the public attention major publishers receive on data practices.
Privacy by Platform
The CMS or framework a site runs reveals strong privacy patterns:
| Platform | A | B | C | D | F | Total | A+B Rate |
|---|---|---|---|---|---|---|---|
| WordPress | 2,054 | 2,469 | 22,932 | 644 | 20,278 | 48,377 | 9.3% |
| Shopify | 73 | 94 | 939 | 14 | 260 | 1,380 | 12.1% |
| Next.js | 14 | 40 | 486 | 17 | 891 | 1,448 | 3.7% |
| Squarespace | 5 | 11 | 344 | 7 | 916 | 1,283 | 1.2% |
| Wix | 2 | 1 | 50 | 1 | 88 | 142 | 2.1% |
Shopify is the privacy leader among major platforms at 12.1% A+B, likely because Shopify's hosted checkout and cookie consent tooling provide baseline compliance out of the box.
WordPress performs respectably at 9.3% — its vast plugin ecosystem (GDPR cookie consent plugins are among the most popular) gives site operators easy access to compliance tools, though 42% of WordPress sites still fail.
Squarespace and Wix trail badly. Their low A+B rates (1.2% and 2.1%) suggest that despite being "managed" platforms, they don't push privacy compliance as aggressively as Shopify. Most small business owners on these platforms likely aren't adding consent management tools on their own.
Next.js sites fail at high rates (62% F), which makes sense — it's a developer framework, not a managed platform. Privacy compliance falls entirely on the development team, and it's clearly not a default priority.
Does Good SEO Correlate with Good Privacy?
We cross-referenced privacy grades with SEO grades to see whether sites that invest in search optimization also invest in privacy:
| | SEO A | SEO B | SEO C | SEO D | SEO F |
|---|---|---|---|---|---|
| Privacy A | 1 | 25 | 77 | 158 | 3,441 |
| Privacy B | 2 | 34 | 145 | 346 | 5,350 |
| Privacy C | 21 | 290 | 1,140 | 2,830 | 45,857 |
| Privacy D | 4 | 18 | 45 | 116 | 1,445 |
| Privacy F | 36 | 367 | 1,410 | 3,112 | 81,924 |
The correlation is weak. Sites with strong SEO are slightly more likely to also have good privacy practices — but 56% of SEO A-graded sites still fail on privacy. The two disciplines clearly operate in separate silos for most organizations. SEO teams optimize for crawlers; privacy teams (if they exist) handle compliance. They rarely coordinate.
The Consent Banner Gap
The single biggest driver of F grades is the missing consent banner — a 15-point critical deduction. Under GDPR, informed consent before data collection isn't optional; it's the law. Yet the majority of sites in our dataset load tracking scripts without asking first.
This isn't just a legal risk. Browsers are increasingly enforcing privacy at the platform level. Safari's Intelligent Tracking Prevention, Firefox's Enhanced Tracking Protection, and Chrome's Privacy Sandbox are all reducing the effectiveness of unconsented tracking. Sites that skip consent mechanisms today are building on infrastructure that's actively being dismantled.
What This Means
The data tells a clear story: privacy compliance is the exception, not the norm. Despite a decade of GDPR enforcement, most websites still fail basic privacy checks. The industry has largely treated privacy as a checkbox exercise — install a cookie banner, publish a policy, move on. But the bar is rising.
Three trends are converging to make this unsustainable:
- Regulatory enforcement is accelerating. EU Data Protection Authorities issued more fines in 2025 than any prior year. The U.S. state-level patchwork (California, Virginia, Colorado, Connecticut, and more) is creating a compliance floor that keeps rising.
- Browser-level enforcement is expanding. Third-party cookie deprecation, tracking prevention, and privacy-preserving APIs are reducing the effectiveness of non-consensual data collection regardless of what the law requires.
- User expectations are shifting. Privacy-focused search engines, email providers, and browsers are gaining market share. Consent fatigue is real, but so is the backlash against sites that don't even ask.
Check Your Own Site
Enter any URL on the LLMSE homepage to get a full classification that includes a privacy grade, or browse sites by grade: A | B | C | D | F. You can also read more about how the privacy grading works.
The grading evaluates what's visible on the page — the same signals a regulator, browser, or informed user would see. If your site loads five tracking scripts before showing a consent banner, the grade reflects that.