What We Learned Scanning the Fortune 1000
Summary
What happens when you scan every Fortune 1000 corporate website for analytics coverage, privacy compliance, and accessibility all at once? The results are sobering. This session features ObservePoint CTO Dave Smith walking through the findings across three dimensions:
- Analytics coverage — how well the world’s biggest companies track and measure their own visitors
- Privacy & consent — CMP adoption rates, consent mode usage, GPC compliance, and GDPR performance from a European vantage point
- Accessibility — how Fortune 1000 websites measure up against WCAG 2.1 standards
If your organization isn’t in the Fortune 1000, don’t assume you’re doing better. Watch this session to see exactly where the gaps are, what regulators are already acting on, and what a practical path to improvement looks like.
Key Takeaways
- Only half of Fortune 1000 companies have a CMP — and half of those don't work. ObservePoint's audit found just 46.7% of Fortune 1000 sites had a consent manager at all, and of those, 55% still loaded advertising trackers and 71% still set third-party cookies after a visitor opted out.
- GDPR compliance is still failing nearly a decade after the law took effect. When audited from Germany, 68% of Fortune 1000 sites loaded advertising technologies without obtaining informed, explicit, prior consent — the standard GDPR has required since 2016.
- The Global Privacy Control signal is being almost universally ignored — and California is actively fining companies for it. 93.1% of Fortune 1000 sites failed to honor the GPC signal for California visitors, a specific requirement that has already resulted in enforcement actions, including a $1.55 million settlement against Healthline Media.
- Consent mode is underused and frequently misconfigured. Only 55.5% of sites using Google Ads sent any consent mode flag at all, and of those, only 52% sent the correct opt-out flag — meaning the "redemption arc" of consent mode is not materializing in practice.
- Accessibility is nearly universally broken, and litigation is accelerating. 99.6% of Fortune 1000 sites have serious accessibility issues and 89.3% have critical ones under WCAG 2.1 — with 2,014 accessibility lawsuits filed in just the first half of this year, a 37% year-over-year increase.
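The opt-out findings above (advertising requests and third-party cookies after opt-out, missing or wrong consent mode flags) can be checked against traffic captured from your own site. The following is an added example, not ObservePoint's code or part of the original page; the host list, the `auditOptedOutSession` helper and the sample session are assumptions constructed for illustration, and only Google's `gcs` consent mode parameter is inspected.

```javascript
// Classify network requests captured AFTER a visitor opted out.
// Host list and sample data are constructed assumptions for illustration.
const GOOGLE_ADS_HOSTS = new Set([
  "googleads.g.doubleclick.net",
  "www.googleadservices.com",
]);

// Google consent mode "gcs" value: G1<ad_storage><analytics_storage>, 1 = granted.
function adStorageState(url) {
  const gcs = new URL(url).searchParams.get("gcs");
  if (gcs === null) return "missing";
  const m = /^G1([01])([01])$/.exec(gcs);
  if (!m) return "unrecognized";
  return m[1] === "1" ? "granted" : "denied";
}

// Simple suffix check; a production audit would use the Public Suffix List.
function isThirdParty(host, siteDomain) {
  return host !== siteDomain && !host.endsWith("." + siteDomain);
}

function auditOptedOutSession(session, siteDomain) {
  const findings = [];
  for (const req of session.requests) {
    const host = new URL(req.url).hostname;
    if (GOOGLE_ADS_HOSTS.has(host)) {
      const state = adStorageState(req.url);
      // A request with ad_storage denied is the expected opt-out behaviour.
      if (state !== "denied") findings.push({ type: "ad-consent-" + state, host });
    }
    for (const c of req.setCookies || []) {
      if (isThirdParty(host, siteDomain)) {
        findings.push({ type: "third-party-cookie", host, cookie: c.split("=")[0] });
      }
    }
  }
  return findings;
}

// Constructed sample after opt-out; setCookies = Set-Cookie response header values.
const SAMPLE_SESSION = { requests: [
  { url: "https://www.example.com/", setCookies: ["sid=abc"] },
  { url: "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/1/?gcs=G100" },
  { url: "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/1/?gcs=G111",
    setCookies: ["IDE=xyz; Domain=.doubleclick.net"] },
  { url: "https://www.googleadservices.com/pagead/conversion/1/" },
] };

console.log(auditOptedOutSession(SAMPLE_SESSION, "example.com"));
```

Each finding is a candidate for review rather than a verdict: an ad request carrying `gcs=G100` passes because the tag was told the visitor opted out, while a missing or granted flag on the same endpoint does not.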
Webinar Transcript
Hello, hello — starting to see some people pop through. Dave, let's give people 30 seconds to a minute before we get started. I know there's a lot of content to go through today. For those already joining us, my name's Ethan Prete and I run marketing at ObservePoint. Dave, you want to go ahead and introduce yourself?
Hi everybody, I'm Dave, CTO at ObservePoint. I'm responsible for the product development for the product that we all know and love as ObservePoint.
Today we'll be walking through the results of our Fortune 1000 website benchmarking — something we were very excited about. ObservePoint is in a unique position to create these benchmarks, not only from the companies we work with directly, but also by looking at other websites to identify trends and see what's working and what isn't. Dave, I'll turn it over to you — I know you have a lot of content to cover.
Welcome, everyone. This will be interactive — I'll be asking questions and looking for answers in the chat. We wanted to give you a benchmark to compare your own organization against. We divided our analysis into three categories: analytics coverage (how well they track and measure their own visitors), privacy consent (where we'll spend the majority of our time), and accessibility. After we go through all of this, we'll talk about how to make improvements and do a little better as people responsible for web governance.
Let's start with web analytics. Our methodology: we visited the corporate homepages for the 1,000 biggest companies in the world and the top 10 pages linked from those homepages, and collected information on how they're doing. First question: what percent of those pages have any analytics technology present? Most of you guessed near 100% — and that's what I expected too. The answer is 68.9%. Lower than you'd expect, but still a supermajority. Keep in mind some of these are corporate homepages that don't get heavy customer traffic. If we looked at every brand owned by every Fortune 1000 company, that number would be much higher.
Now, how much do the world's 1,000 biggest companies care about your privacy? We set up ObservePoint audits to visit all Fortune 1000 websites, find their consent manager through automation, opt out of tracking, visit the 10 linked pages, and record what tracking we still found. First question: what percent of Fortune 1000 companies have a consent manager where visitors can actually express their tracking preferences? The answer is 46.7%. The other half do not provide visitors any way to opt out of tracking. We recognize a couple dozen different CMPs representing well over 90% of the market, so I'm confident this is accurate within a few percentage points. Next: of the half that do have a CMP, what percent still load advertising trackers after a user opts out? The answer is 55%. And what percent still set third-party cookies after opt-out? 71%. Third-party cookies are particularly important because they have the ability to track visitors across websites — not just on your own site. When a visitor explicitly says "I don't want to be tracked," the majority of sites are still doing both.
For everyone on the marketing side who may not think about this technically: when people come to your site and say "don't track me here, don't track me elsewhere," the majority of the time, you're doing both of those things. And to answer a question that came in — yes, this is illegal. There are very specific laws outlining this, not only across the U.S. but under GDPR as well. It's not just illegal, it's reckless — it's like driving without a seatbelt. You could do it, but you're just waiting for an accident or a fine. Why not put the protections in place now to avoid the embarrassment, the costs, and the risk?
Before we conclude these numbers are as bad as they look, let's address consent mode. Just because an advertising tag is present on a page doesn't necessarily mean a site is violating a visitor's privacy. Multiple ad vendors have released a feature that lets you load an advertising technology but instruct it that the user has opted out — in which case it won't deliver personalized ads, won't store contextual information, and won't track them cross-site. Google and Microsoft/Bing both offer this. So could consent mode be the redemption story here? We inspected the actual payloads being sent to advertisers to detect whether consent mode flags were present and correct. For Google: 55.5% of sites using Google Ads sent any consent mode flag at all — progress for a relatively new feature. But of those, only 52% sent the correct opt-out flag. The other half sent a flag telling Google to go ahead and track. For Microsoft/Bing, only 5.8% of sites sent any consent mode flag. The redemption arc did not materialize. We also checked for TCF strings and the Global Privacy Platform — both IAB-standardized consent mechanisms — and found no evidence of either in any of our US-based opted-out audits.
Let's talk about Europe. Consent mode was primarily designed for a European audience, so let's see how these sites perform when visited from Germany. GDPR governs privacy for approximately 30 nations in the EEA, and under GDPR, websites must obtain informed, explicit, and prior consent before tracking visitors for advertising. This is the opposite of the U.S. default — in Europe, visitors must be considered opted out by default, and tracking requires affirmative consent. GDPR has been law for about 9 years. What percent of Fortune 1000 websites still load advertising technologies when visited from Germany, before any consent is given? The answer is 68%. If you open a brand-new computer in Germany and visit a Fortune 1000 website, there's a 68% chance advertising technology is tracking you immediately. And 73.1% still set third-party cookies before getting consent — enabling cross-site tracking of visitors who have never had the chance to say yes or no.
That's insane. We've been doing this for nearly a decade, and I remember when GDPR was the biggest thing in marketing — entire SaaS companies were built around preparing for it — and 9 years later we're still just under 70%.
California was the first U.S. state to pass web privacy regulation and the first to initiate regulatory fines from its Attorney General. One mechanism California cares about specifically is the Global Privacy Control signal. GPC is a browser-level setting that pre-informs websites — in the HTTP request headers — that the visitor does not want to be tracked for advertising. It's available in privacy-focused browsers like Brave and through extensions for Chrome and Edge. California has specifically named GPC in multiple regulatory fines. The first company they went after was a French company — meaning the location of your business matters less than the location of your visitors. What percent of Fortune 1000 websites fail to honor the GPC signal for California visitors? The answer is 93.1%. GPC is essentially not being honored at all. The California AG went after Healthline Media two months ago — they agreed to pay $1.55 million to resolve allegations that specifically included failing to honor GPC and failing to honor users' CMP opt-outs. California has also gone after Honda and has been hitting companies roughly once a month. The good news: honoring GPC doesn't require a CMP, and ObservePoint supports GPC as a checkbox option in any website audit.
When you load a third-party tag, it makes a network request to a server that is not yours. Do you know which countries those servers are in? The U.S. Department of Justice issued an order prohibiting the transfer of U.S. sensitive personal data to a list of countries of concern. Of the Fortune 1000, only 9 sites sent data to a prohibited country — less than 1% — and almost all were search engines that legitimately operate in those countries. That's actually good news. On the GDPR side: 98.1% of Fortune 1000 sites send visitor data from Germany to countries outside the EEA or UK, but that's largely a sample bias since most Fortune 1000 companies are U.S.-based. The more meaningful number: 25.2% send data to countries that are neither the EEA/UK nor the USA. And even a basic HTTP request carries at minimum the visitor's IP address and user agent string — both potentially identifying for tracking purposes — so every tag you load is sending something about your visitor somewhere.
The third area we looked at is accessibility — the requirement that websites be usable by people with disabilities, including vision impairments, mobility limitations, colorblindness, and hearing impairments. The W3C created WCAG, the Web Content Accessibility Guidelines, and about half of those items can be tested through automation. We applied WCAG version 2.1 at conformance levels A and AA — the most commonly enforced standard. The numbers are sobering. Only 8.7% of Fortune 1000 websites have any moderate accessibility issues — that's actually good news. But 99.6% have at least one serious accessibility issue, and 89.3% have at least one critical issue — the kind that seriously impairs a person's ability to use the site at all. From a financial standpoint, a class action suit against Fashion Nova totaled $5.15 million — brought by a private law firm, not a regulator. And 2,014 accessibility lawsuits were filed in just the first six months of this year, a 37% year-over-year increase. Beyond the legal risk, it's also just bad marketing and bad branding to exclude portions of your potential audience.
There was a question about accessiBe — how much do services like that affect your results?
accessiBe has an audit service, but they also have a script that runs on your site and corrects certain accessibility issues in real time. If accessiBe makes a live fix, ObservePoint will see that fix and not count it as an issue — so those corrections are reflected accurately in our results.
All of these problems — analytics, privacy, and accessibility — can be addressed with a common set of principles. Here are the three pillars we've seen work for organizations taking this seriously. First, automated audits. These problems are pervasive, high-volume, and nearly impossible to detect manually. No law requires third-party web governance audits yet, but the principle is the same as financial auditing: you need an independent, automated tool to surface what you can't see. Second, validate what matters. From those audits, monitor trackers, cookies, and countries — and have alerting in place to notify you when something falls out of compliance. Third, remediation. Knowing about problems is only valuable if you can act on them. You'll need a clear charter, established processes, and alerting so you know when to act. ObservePoint's Web Governance Maturity Assessment ties all of this together — it measures not just your audit results, but the organizational actions behind them, gives you a maturity score, and benchmarks you against similar companies with concrete next steps.
If today has made you wonder whether your CMP is working — or whether you should have one — we're generating custom report cards using ObservePoint for a one-time audit, showing how your site stacks up against the Fortune 1000 cohort we shared today. Just indicate you're interested and one of our web governance consultants will get that to you. We'll also be hosting a webinar within the next month on statewide privacy laws in the U.S., joined by Deloitte and the Chief Privacy Officer for the State of Utah. Thank you all for joining today — and thank you, Dave, for walking us through all of this.
Thanks everyone — go check your websites!