Most of America's biggest websites aren't following privacy rules and are sharing and tracking personal information without permission, a report finds.
Among the 100 most-visited U.S. websites, 75 shared or sold personal data to third-party advertisers even after users told them not to, according to a review of websites by privacy-compliance firm Privado.
And 70 of the 100 websites placed cookies, which can track login information and browsing habits across different websites, on users who told them not to.
The top offenders are media and e-commerce websites, which comes as no surprise since 53 of the top 100 websites are media, followed by 19 that are e-commerce.
Websites that don't respect user privacy are harvesting personal information to make money through advertisements, but they are also spreading details that put people at a greater risk of data breaches that can result in scammers targeting them, including for identity theft.
Some companies under fire for violating online privacy laws are cosmetic retailer Sephora and alcohol addiction service Monument.
Sephora got fined $1.2 million in 2022 for violating California's privacy laws on how user data was collected, while Monument got fined $2.5 million by the Federal Trade Commission in 2024 for mishandling health records under HIPAA, or the Health Insurance Portability and Accountability Act.
What are the online privacy laws that websites have to follow in the U.S.?
There's no federal online privacy law, but 2018's California Consumer Privacy Act and 2020's California Privacy Rights Act, which amended the 2018 law, are currently the toughest privacy regulations that websites have to follow in the U.S.
The laws require that websites "do not sell or share" personal information without consent and, starting in 2024, companies need to give users the option to opt out of the selling or sharing of their personal data for advertising purposes.
California's laws apply to any website that has visitors from California, which encompasses most U.S. websites because the state is the most populous in the nation.
Privado said that 76 of the 100 most-visited U.S. websites aren't complying with California's privacy laws, including 42 media websites and 15 e-commerce websites.
Privado said nearly 20 other states have passed their own privacy laws, but California's is the current gold standard and is often stricter than other states' laws.
In April 2024, Congress introduced the American Privacy Rights Act, which could override all state privacy laws, but the bill is a long way from passage and faces an uncertain future.