Privacy & Cookie Compliance for Your Website
Your privacy policy isn't protecting you.What's Up?
I recently went through every site in our hosting portfolio (an afternoon I'll never get back.) The majority of those websites are not compliant with current privacy law.
The minority already have a cookie banner — but it doesn't actually honor the visitor's opt-out (the Global Privacy Control signal), which is the part that counts. Three things make this urgent today:
- The lawsuits are already here — firms are targeting small and mid-size businesses over trackers running without consent.
- The regulators mean it — California fined Sephora $1.2M for exactly this.
- The deadline is set — California's Opt Me Out Act (AB 566) takes effect January 1, 2027.
Chris Foley
Founder - PXLPOD Web StrategyThe problem isn't your policy.
It's what your banner does (or doesn't do) when someone opts out.Almost everyone gets this part wrong. Especially if it's a DIY job. Having a privacy policy and having a consent banner are two different things — one is disclosure, the other is consent — and plenty of sites have both. That's not where the exposure is.
The real gap: modern browsers can broadcast an opt-out — Global Privacy Control (GPC), and the older Do Not Track — that says "don't sell or share my data." A compliant banner has to listen for that signal and actually block tracking when it sees it. Most never turn that on. They pop up, collect a click, and keep firing every tracker regardless.
Worse: plenty of sites publish a policy claiming they honor those signals while the banner ignores them. Now you're not just non-compliant — you've put a promise in writing your own site breaks every day. That's the gap that gets noticed.
And no — the fix isn't "turn cookies off." Kill everything and your booking widget, store login, and even your fonts break. The work is honoring the opt-out while keeping the essential cookies running — fiddly by hand, and fiddlier still if the site runs Google Tag Manager.
You don't have to be big. You just have to be scannable.
Almost everyone gets this part wrong. Especially if it's a DIY job.
Having a privacy policy and having a consent banner are two different things — one is disclosure, the other is consent — and plenty of sites have both. That's not where the exposure is.
The real gap: modern browsers can broadcast an opt-out — Global Privacy Control (GPC), and the older Do Not Track — that says "don't sell or share my data." A compliant banner has to listen for that signal and actually block tracking when it sees it. Most never turn that on. They pop up, collect a click, and keep firing every tracker regardless.
Worse: plenty of sites publish a policy claiming they honor those signals while the banner ignores them. Now you're not just non-compliant — you've put a promise in writing your own site breaks every day. That's the gap that gets noticed.
And no — the fix isn't "turn cookies off." Kill everything and your booking widget, store login, and even your fonts break. The work is honoring the opt-out while keeping the essential cookies running — fiddly by hand, and fiddlier still if the site runs Google Tag Manager.
CCPA or GDPR.
CCPA
Of the 20 (currently) US states with comprehensive consumer privacy laws that regulate how websites handle cookies, California is the strictest. Set yourself up to meet CA's requirements you cover the rest. More forgiving: cookies can generally start on, show a consent banner, and honor opt-outs and browser signals.GDPR
Stricter: cookies start off, and you earn a yes before most fire — which affects analytics and conversion data. Our workaround is a server-aware analytics setup so you still see the journey when a visitor declines. And our banner systems detect where the visitor is located and delivers the appropriate banner.This is really hard to DIY.
The right setup handles both — but only when it's configured correctly for your specific site. Which one your site needs is exactly what we sort out on the call.Start with a 15-minute call.
There's no one-size cookie fix — the right setup depends on your site, your traffic, and how it's built. So we don't hand you a buy button and a guess. We start with a short call, figure out exactly what your site needs, and put it in place for you.You talk to us. We handle the rest.
- Book a 15-minute call. We look at your actual site together.
- We tell you exactly what it needs — and which solution fits (some sites are simple; some need more).
- We set it up and keep it working — most clients fold this into SecurePod Care so it just stays handled as the laws keep moving.