Strategic Approach to CMPs & State Privacy Regulations
Summary
For organizations navigating the growing patchwork of U.S. state privacy laws, a consent management platform is no longer optional. CMPs are the foundation of both regulatory compliance and consumer trust. This session brings together experts from Deloitte, the State of Utah, and ObservePoint to unpack:
- The evolving U.S. and global privacy legislative landscape
- Real-world data on how Fortune 1000 companies are actually implementing their CMPs, and where those implementations fail
- What a mature, effective consent management program actually looks like
Enforcement is accelerating, and the tools regulators use to identify noncompliance are the same ones available to you. Ultimately, the organizations best positioned for what’s coming are the ones building governance frameworks and monitoring programs today.
Key Takeaways
- Most organizations are failing at CMP implementation, including ones that think they aren't. An ObservePoint audit of Fortune 1000 homepages found only 46.7% had a CMP at all, and of those, 55.4% were still loading ad tracking after visitors opted out. Privacy failures are invisible by nature and won't surface without dedicated monitoring.
- State privacy enforcement is coming faster than most organizations expect. With 20+ state consumer privacy laws now on the books, AGs actively coordinating on enforcement, and scanning tools making noncompliance trivially easy to detect at scale, panelists estimated meaningful coordinated enforcement is roughly 18 months away.
- A principles-based approach is the only practical way to manage 20+ state laws. Rather than achieving granular compliance with each individual state law, identify the 90–95% of requirements that overlap and build your CMP program around that common core, using geolocation logic to handle regional differences like GDPR opt-in versus U.S. opt-out.
- You probably don't realize how much data your website is sending to third parties. Many organizations are surprised to discover their sites are forwarding user data to brokers or ad platforms through unvetted scripts, embedded tools, or outside agencies, because they've never had visibility into where their users' data is actually going.
- Effective CMP programs require cross-functional governance, not just a technology implementation. The organizations that do this well treat CMP compliance as a shared discipline across privacy, IT, marketing, and legal, with clearly defined ownership, documented processes, and internal audit as an independent reviewer to strengthen both compliance posture and regulatory defensibility.
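The two findings above (trackers still firing after opt-out, and the opt-in versus opt-out split by region) reduce to one concrete check: for every request a page made, was tracking allowed under the regime in force and the visitor's consent state at the moment it fired? The following is an added example of that check and is not ObservePoint's scanner or any code from the webinar. The tracker host list, the region-to-regime mapping and the request log are all constructed for illustration; a real scan would drive the CMP in a browser (for example, clicking "reject"), capture the network log, and use a maintained tracker database and a legal mapping of regions to regimes.

```javascript
// Added example (not the page's or ObservePoint's code): a post-consent
// tracker leakage check over a captured request log.

// Illustrative tracker classification. Assumption: a real list is far larger
// and maintained separately; these hosts are only here to make the demo run.
const TRACKER_HOSTS = {
  "doubleclick.net": "ad",
  "googlesyndication.com": "ad",
  "facebook.com": "ad",
  "google-analytics.com": "analytics",
  "analytics.google.com": "analytics",
};

// Assumed policy input: regions that require opt-in before any tracking.
// Everything else is treated as opt-out (tracking runs until the visitor objects).
const OPT_IN_REGIONS = new Set(["EU", "EEA", "UK", "CH"]);

function consentRegime(region) {
  return OPT_IN_REGIONS.has(region) ? "opt-in" : "opt-out";
}

// consentState is the state in force when a request fired:
// "none" (no choice made yet), "accepted", or "rejected".
function trackingAllowed(regime, consentState) {
  if (consentState === "rejected") return false;
  if (regime === "opt-in") return consentState === "accepted";
  return true; // opt-out: allowed until the visitor says no
}

// Suffix match so that sub.doubleclick.net is still classified as doubleclick.net.
function classifyHost(host, siteHost) {
  if (host === siteHost || host.endsWith("." + siteHost)) return "first-party";
  for (const [tracker, category] of Object.entries(TRACKER_HOSTS)) {
    if (host === tracker || host.endsWith("." + tracker)) return category;
  }
  return "other";
}

// requests: [{ url, consentAtFire }] captured from one page visit.
// Returns every ad/analytics request that fired when tracking was not allowed.
function findLeaks({ siteHost, region, requests }) {
  const regime = consentRegime(region);
  const leaks = [];
  for (const req of requests) {
    const host = new URL(req.url).hostname;
    const category = classifyHost(host, siteHost);
    const isTracker = category === "ad" || category === "analytics";
    if (isTracker && !trackingAllowed(regime, req.consentAtFire)) {
      leaks.push({ host, category, consentAtFire: req.consentAtFire });
    }
  }
  return { regime, leaks };
}

// Constructed request log for one visit to a hypothetical site: an analytics
// beacon before any choice, then a first-party call, an ad request and a CDN
// fetch after the visitor clicked "reject".
const SAMPLE_VISIT = {
  siteHost: "shop.example",
  region: "US",
  requests: [
    { url: "https://shop.example/app.js", consentAtFire: "none" },
    { url: "https://www.google-analytics.com/collect?v=1", consentAtFire: "none" },
    { url: "https://shop.example/api/cart", consentAtFire: "rejected" },
    { url: "https://securepubads.g.doubleclick.net/gampad/ads", consentAtFire: "rejected" },
    { url: "https://cdn.example/font.woff2", consentAtFire: "rejected" },
  ],
};

// Same visit judged under both regimes.
const usResult = findLeaks(SAMPLE_VISIT);                    // 1 leak (ad after reject)
const euResult = findLeaks({ ...SAMPLE_VISIT, region: "EU" }); // 2 leaks (pre-consent analytics too)
console.log(JSON.stringify({ usResult, euResult }, null, 2));
```

The same log yields one violation under a U.S. opt-out regime (the ad request after the visitor rejected) but two under an EU opt-in regime, because the analytics beacon that fired before any choice was made is itself a violation there. That difference is exactly why the geolocation logic has to be part of the check rather than bolted on afterwards. A page with no CMP at all never produces a "rejected" state, which is the first condition a scan should report before it looks at leakage.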
Webinar Transcript
Hello, everyone, welcome! As we're waiting for everyone to join, I'm curious who's got Halloween costume plans for this Friday — today is October 29th for those watching on the recording. Paw Patrol, Sonic the Hedgehog, Lilo and Stitch — great costumes coming in. All right, welcome everyone to our webinar. I'm Dave Smith, I'll be hosting today. I want to introduce our panelists. First, Eric Bowlin — he is a partner at Deloitte joining us from New York City. Eric and I have been working together a fair bit recently, and we're thrilled to have him representing Deloitte's expertise in privacy consent management. I'm also very happy to welcome Chris Bramwell, Chief Privacy Officer of the State of Utah. Chris brings a fascinating perspective from government — on legislation, the government contracting process for those serving public-sector customers, and the individual citizen's point of view on data governance. And I'm Dave Smith, CTO at ObservePoint. We build what we believe is the world's greatest privacy scanner, helping hundreds of companies around the world validate that their consent management system is actually managing consent the way they think it is. Our subject today is consent management — specifically, a user's right to control what is and is not tracked about them when they visit a website. Consent management platforms evolved to facilitate that trust relationship between a visitor and a website. Today we'll talk about U.S. state legislation and a bit about European regulation, and make sure everyone leaves with a clear strategy for implementing a CMP effectively. We do have a Q&A feature — look for the Q&A button at the bottom of your Zoom screen. Drop questions there anytime, and we'll address them at the end. Okay — Eric, Chris, should we jump in?
First question for you both: why does it matter for organizations to effectively implement a CMP solution — and what are some of the risks that come from noncompliance?
I'll cover it in two parts. On the "why it matters" side, there's a lot of research showing that trust in organizations and government is at an all-time low — and a lot of that distrust centers on what's happening with data. It's an invisible process. CMP solutions provide an initial mechanism to build trust. Your first engagement with a citizen or customer now is often through a website, and you have a choice: either build trust by giving notice of what you're going to do with their data, or just start processing and tracking without that. In government, we're looking at how we improve data governance at those initial touchpoints to start reversing that trend, and a CMP is our transparency mechanism. The risks of noncompliance are really the same thing — it's trust. If we don't give notice, people inherently won't trust us. Being transparent through a CMP is our mechanism to begin building that trust and derive everything else in our data governance process from there.
Thanks for having me, Dave — happy to be here with you and Chris. I think it's really a balance of factors: the trust dimension Chris described, user experience, and then the significant regulatory risk that organizations have to manage. From a risk standpoint, we've seen regulators enforcing these laws. We've also seen the trust and brand erosion that comes from doing this poorly. If a consumer knows they opted out of cookies on your site, and they're still mysteriously getting targeted emails, an educated consumer knows exactly what happened — and you've just eroded your brand. There's also the risk from law firms pursuing organizations for breaches. It's really a myriad of different risks converging at once.
One thing I'll add on the regulatory side: I've often wondered why we're not hearing more big-name companies in headlines for privacy noncompliance. The reality is that most enforcement actions don't make headlines — the mechanism by which regulators interact with companies in breach is a private legal channel, and companies aren't required to disclose that they've been contacted. For every enforcement action you hear about, there are probably at least a dozen you haven't.
A lot of states have a remedy period, and I imagine there are many organizations scrambling to clean things up during that window. We've helped some of those organizations ourselves — they come to us after being contacted by a regulator and are in pretty bad shape trying to get things sorted out.
One thing to keep in mind: government is usually a few years behind in learning how to actually enforce these laws. They'll pass the law and want change to happen, and enforcement comes once they see how it's implemented and where compliance stands. I participated in a panel at the National Association of Attorneys General last year, and I've also been on a panel with our Utah AG — there is active movement toward coordination between state AGs on how to do better enforcement around data governance and privacy. The industry has matured enough that I think you'll start to see more standardized enforcement approaches across states. Now is definitely the time to get your programs in place.
I wonder if some of the AG offices have also had a hard time competing for the talent they need to really go after these issues — it's a pretty unique skill set. Chris, do you have insight into that?
That could be a factor, but I'd also say this: the same tools an organization can use to scan their own website and identify where they're tracking are also freely available to AG offices. Enforcing this type of law is not more technically complex than prosecuting online child exploitation — which is already a very technical area. The tools being built for organizations on this call are also being built and sold to enforcement offices, and I think they will start to scale enforcement using them.
Speaking of enforcement — let's talk about the U.S. and global privacy landscape, how it's evolved, and what changes are happening right now.
We've been on a regulatory rollercoaster for about 8 or 9 years now — starting with GDPR, followed by CCPA, and now we're at 20-plus U.S. state consumer privacy laws, with it literally changing by the week. For global organizations, you're also managing Europe, North America, and rest-of-world simultaneously. The advice we typically give our clients has two parts. First, think about geolocation from a CMP standpoint — you'll likely need different strategies for different regions, particularly opt-in for GDPR versus opt-out for U.S. states. Second, take a principles-based approach. Trying to get down to the granularity of 20 individual laws can be a real headache. Figure out the 90 or 95% of those laws that overlap — where the Venn diagram meets in the middle — manage to that, and deal with the outliers as they come up. That's honestly one of the few ways to preserve your sanity in dealing with all these laws.
There are a couple of things happening in the public sector that also dovetail into the private. Government privacy laws at the state level are a state sovereignty matter — there's no national privacy law. And while you have more than a dozen comprehensive consumer privacy laws, every state's government data privacy laws are different. Utah is one of the only states that has modernized these into a comprehensive government data privacy law. That adds complexity, because you have to interpret older notice and consent laws — originally written around paper processes — and apply them to digital contexts. My recommendation for any private-sector company that wants to do business with state, city, or county governments: have a notice process and a CMP, because at minimum you'll be meeting a baseline that most others aren't. States reevaluating their current laws are very likely to find existing structures that require CMPs for processing citizen data. There's also been a mass hybridization of what were government services — from paper-based to digital SaaS provided by third parties — and it's still not fully resolved whether consumer privacy law governs situations where a citizen is handed off from a government website to a private .com. My recommendation is clear: have a proper notice, consent, and CMP process in place, because it is very likely to become a future standard regardless of sector.
What are some of the key trends you're seeing right now that are driving businesses to adopt CMPs?
In Utah, it's actually enforcement. Since we've modernized our laws, we've built enforcement directly into our strategy — across over 1,500 government entities at once. We've set deadlines for them to inventory their systems, identify noncompliance, and document their strategies to come into compliance. And there's external enforcement coming as well, where citizens will be able to submit complaints. The other driver is the growing recognition of what pre-existing laws already require. On our website, we have a 50-state tracker of public privacy laws — the vast majority of states have notice and consent laws that could already be interpreted as requiring some form of CMP for web tracking. As states get dedicated privacy officers and realize they have these antiquated laws, they're going to be pushed toward CMPs as the mechanism to demonstrate public trust.
The biggest trend I've seen is the confluence of two forces: the proliferation of legislation on one side, and organizations finally understanding the marketing power of first-party data on the other. There are marketers who understand exactly how much you can do with cookies and tracking data, and a lot of consumers actually like a tailored experience — personalized recommendations, relevant suggestions. That's genuinely valuable. But the collision between that marketing ambition and the regulatory requirements is what's really driving CMP adoption — marketing leaders on one side, privacy leaders on the other, trying to find a way to make it all work together.
That first-party relationship directly with your customers is absolutely important to protect. If you implement tracking wrong, you can quickly find yourself with data being shared with third parties in ways that will reputationally harm you. I've actually pulled my own data broker report — which anyone in Utah can do — and was amazed to find web tracking data in it. We recently had a product presented to us that had aggregated over 1,500 data points on individual Americans, some of it sourced directly from third-party website tracking. Many organizations don't realize that when they implement certain tools, that data flows into third-party broker systems and gets sold — sometimes for good uses, sometimes not. Your customers don't realize it either, and they wouldn't appreciate knowing it. That's a big reason to get a proper tool in place to protect that relationship.
The scary thing is, a lot of organizations don't even realize their own websites are sending data to third parties. They might be working with an outside marketing agency, or connecting to a third-party platform, and data is flowing outside the organization without anyone knowing — because they don't have good governance or monitoring around their websites. We find that frequently when working with organizations that are just starting down this road: they simply have no visibility into what cookies and trackers are on their site, what's being collected, or where it's going.
We had a Q&A question come in that dovetails nicely with our next planned question. What are some practical tips for organizations implementing CMPs and identifying regulatory requirements — and if you can put an analytics lens on it, what would be one practical soundbite to take back to your team?
The most important thing I'd say is good governance and cross-functional working groups. This is never a problem solved by one team. Typically it's a three-legged stool: IT, marketing, and privacy — all working closely together, understanding what each other is doing, and being clear on who owns what. That's the first priority. Below that: strong operational processes, all the way from the inception of a website through to offboarding and remediation — including how you work with third parties. Then, a great monitoring program that is risk-based, scanning different websites based on their associated risk on a regular cadence. We have one client that runs scans daily and maintains a 24-hour SLA to remediate anything new that appears on their website. That level of diligence tells me their processes before code hits production are also very solid. Most organizations don't hit that level, but it's a question of what your own risk tolerance is based on the types of visitors and the volume of traffic your site receives.
I'd add that the core factor helping companies take on this problem efficiently is creating visibility. Many web problems are high-visibility by nature — a broken checkout flow shows up immediately in dashboards and support tickets. Privacy compliance is in a different class. It lurks invisibly and doesn't naturally cause alarm bells to fire. That's why you need a monitoring tool to surface these issues and alert stakeholders when they happen. To put some real data behind that: we recently audited the homepages of all Fortune 1000 companies, visiting each homepage and 10 linked pages. We asked the audience to guess: what percentage had a consent manager? The answer is 46.7%. About half the Fortune 1000 does not have a CMP at all. Of the half that does, we found that 55.4% still load advertising tracking technologies after a visitor opts out. That's not an edge case — it's the majority of CMPs among the largest companies in the world not functioning as intended. And again, this is exactly the kind of problem that won't surface on its own. You need an audit tool to identify it and make it visible to your stakeholders.
Let's go to our last planned question: what are the critical factors for an effective consent management program?
If I had to summarize across all the layers: start with great governance — cross-domain leadership, everyone on the same page. Second, solid operational processes covering the full lifecycle from website design through to offboarding and remediation with third parties. Third, a great monitoring program that's risk-based and regularly scanning based on the risk profile of each website. Those are the most important factors that come to mind.
I agree with all of that, and I've actually had to implement it. Our governance framework required us to identify the legal requirements for government entities, procure a scanning tool to identify web tracking, and build out the notice and then consent requirements in sequence. Our state auditor just completed an automated audit of 1,500 government entities — and interestingly, around 46% had some form of notice in place, very similar to your Fortune 1000 number. The rest were non-compliant, and even those with notice had issues. The key to getting there has been the framework: governance, the right tooling, auditing to help entities know where they stand, and education. How do you educate across a decentralized environment — 1,500 different website admins — so each one knows how to fix their own situation? For large Fortune 1000 companies, you're probably in a similar situation. You need the framework, the structure, and a decentralized approach to bring everyone into compliance.
Chris, the point about auditing is a great one. I'd encourage organizations to take advantage of internal audit as an independent reviewer. I know internal audit sometimes strikes fear into people, but team with them — have them take an independent look at your digital monitoring program periodically. An independent third party confirming you're doing things correctly is a real asset.
When enforcement comes, having documentation showing reasonable attempts to comply goes a long way. Even just saying "internal audit, can you help us create a standard process and come in and review it" gives you something concrete to show a regulator. It's going to take time, there will be mistakes, things will roll out imperfectly — but the goal right now is to get a program started and mature it over time. Finding issues through internal audit is much, much better than finding them through an external regulator.
First Q&A question from an attendee: what would you recommend for websites not planning to have tracking cookies at all? Would you still recommend a CMP if only necessary cookies are firing?
For more static sites where you're not expecting much consumer engagement or tracking, I'd still put them in your auditing program — just on a less frequent basis, like monthly or quarterly. Just to confirm there really are no unexpected cookies loading. That way, if something does pop up, you can either add a CMP if one becomes necessary, or have a conversation with the business about whether certain technologies belong on that site at all.
Also be mindful of the notice obligation. Even if there are only essential cookies, do you still have a requirement to give notice that that tracking is occurring? Depending on the state laws and what's happening in Europe, you may still want a lightweight tool to at least provide that notice — even if you're not giving users something to opt out of.
I'll add — not a lawyer, so take this accordingly — but I am aware of a major retailer that is an ObservePoint customer who has chosen not to have a CMP for exactly this reason. They only have essential first-party cookies that cannot be opted out of, plus a single analytics tool. All of it qualifies technically as first-party, and it cannot be opted out of, so they've made the decision not to deploy a CMP. It seems to be working out fine. My read: if you genuinely have only essential cookies, you probably don't need a CMP — but you do need to be confident you know that for certain, and monitoring is the only way to stay confident.
Next question: teams sometimes push back on privacy monitoring because they don't feel urgency. Chris, you mentioned government typically lags — is there real urgency coming that I can point to?
Enforcement is already picking up, and I don't think government is going to be lagging much longer. Utah's government data privacy law is arguably the most comprehensive in the nation — even compared to CCPA. With the AG coordination we've discussed, and the ease with which enforcement offices can use these scanning tools, what Dave just showed about Fortune 1000 compliance rates is actually exactly what I'm talking about — it's very easy to find noncompliance at scale. I think we're maybe 18 months out from seeing a significant increase in enforcement activity. That should be all the urgency anyone needs to get rolling.
I'd also add the value of a strong privacy training and awareness program. Educating your organization that this isn't just about regulation and enforcement — that privacy is also a human right, and that consumer trust is at stake — helps move the conversation beyond pure compliance. There's already been plenty of enforcement. Pull those news articles and put real statistics in front of your stakeholders. That said, it obviously depends on your business model and how consumer-facing you are — that changes your risk profile significantly.
One more thing to watch beyond consumer privacy: Utah passed the nation's first Digital Choice Act last year — unanimously — which essentially says individuals own their data and should be able to immediately download copies of it and decide where to take it. Multiple other states have already filed similar bills. This concept of individuals owning not just their data but their identity is adding political pressure that will expand beyond social media into other platforms. Having a CMP in place even just helps you understand the provenance of your data — where it's coming from — which will matter as these new types of legislation arrive.
Another question from an attendee: analytics teams tend to bypass privacy conversations entirely. What's your advice for getting their attention and focus on adhering to privacy regulations?
Similar to the previous answer — create awareness, help people understand the implications. But I'd come back to the cross-functional governance point: privacy, marketing, and analytics need to be talking all the time, not operating in silos. The organizations that do this really well are the ones where those teams are in constant communication on a day-to-day basis. In that kind of relationship, analytics and website owners naturally develop a real understanding of why privacy matters — because they're hearing it regularly from colleagues they trust.
There's often some confusion about what analytics teams actually need versus what they're collecting. Once you remove the third-party data sharing component and focus on what they can do with essential first-party data, you often discover they're over-collecting — maintaining data longer than needed, tracking more than they actually need to achieve their goals. When you have honest conversations, you frequently find that analytics teams can get the same great outcomes with less data, less risk exposure, and a much better relationship with the customers they're serving.
At ObservePoint, we work with hundreds of organizations, so we see what separates the ones that build real organizational momentum around privacy. Two patterns stand out. First: legal team involvement. When legal is driving the privacy need, organizational motivation follows quickly. Second: companies that have already been fined or received a regulatory penalty are extremely motivated — mostly because they've paid significant money, taken brand damage, or experienced another serious consequence. You can tell those stories. They're available online, and they are genuinely persuasive. Legal counsel engagement, and learning from organizations that have already been burned — those are the two most reliable paths to getting real attention.
One final question: do you have any recommendations for how to give notice that you're going through remediation without waving a big red flag?
I'd assume this is about giving notice to regulators rather than consumers. Regulators have far more patience and understanding if you can demonstrate you're already on the path to remediation. If they do come to your door, being able to quickly produce a structured plan — here's what we've accomplished, here's what's left, here's which sites have CMP deployed and which are still to come — goes a long way. Show that you've taken a risk-based approach and thought about it systematically. I wouldn't proactively contact a regulator to say you're not yet in compliance, but having your documentation in order — project plans, remediation trackers, supporting evidence — that's critical ammunition if a regulator does show up.
On the public entity side, it's different. In Utah, our strategy has been radical transparency about noncompliance — creating a safe space for government entities to acknowledge where they stand and document their path forward. We've set a deadline of January 1st, 2027 for all entities to have an inventory of their noncompliance and documented strategies to come into compliance, knowing we're dealing with millions of web pages across thousands of domains. That gives us a burndown chart to show increasing maturity across the board. For the private sector, that level of public transparency probably isn't the right approach for reputational reasons, but the underlying principle — having honest, structured conversations internally and documenting your progress — absolutely applies.
Thank you, Chris and Eric, for sharing your insight with our audience today. And thank you to everyone who attended and brought such great questions. Until next time.
Thanks, all.
Thank you.