Analytics Governance

Why Marketing Tracking Is Becoming a Compliance Risk


Your privacy policy says one thing. Your tracking implementation does another.

In a recent engagement with a regulated energy provider, we found their privacy notice listed data flowing to seven processors. Their tracking implementation was sending data to nineteen. Nobody had noticed.

[Figure: Privacy notice vs reality - a regulated energy provider documented 7 processors but 19 were actually receiving data]

That gap - between what is documented and what is running - is where regulatory exposure lives. But compliance is only half the problem.

The gap is also commercial

The same organisations that cannot explain their data flows also cannot explain their numbers.

Reporting nobody trusts. GA4 says one thing. The finance team says another. The agency report says a third. Everyone presents their number with confidence. Nobody can explain the discrepancy. Decisions get made anyway - on data that is wrong by an amount nobody has quantified.

Attribution that misdirects spend. Duplicate conversion tags inflate campaign performance. Missing events break attribution models. The media team optimises spend based on numbers that overcount by 20 or 30 percent. The error compounds every quarter, but it is invisible because the dashboard looks normal.

These are not edge cases. They are the default outcome when tracking grows faster than the governance around it.

Regulatory pressure is sector-specific and intensifying

GDPR enforcement has matured. The ePrivacy Directive continues to apply, and national enforcement of cookie and consent obligations is intensifying.

  • Insurance - The Central Bank of Ireland's expectations around operational risk and outsourcing governance create obligations for how regulated entities manage digital infrastructure, including analytics and tracking systems.
  • Fintech - Payment and financial services regulators require evidence that data governance extends to measurement infrastructure.
  • Energy - The Commission for Regulation of Utilities is tightening expectations around customer data handling across digital channels.
  • Travel - Cross-border data flows and complex vendor ecosystems create heightened regulatory exposure.

The pattern is consistent. Regulators are moving beyond privacy policies and asking about implementation.

Three risks your privacy review will not find

Privacy reviews check that a consent banner exists, that a cookie policy is published, and that the documented categories look reasonable. They do not verify what actually fires in the browser. That distinction is where these risks hide.

Consent drift. Consent configurations no longer match actual tag behaviour. Consent mode was configured at a point in time, but the tags it governs have changed since. New tags have been added. Existing tags have been modified. The mapping between consent categories in your CMP and triggers in your tag manager is manually maintained - and nobody has re-validated it.

A critical nuance: in Google Consent Mode v2, setting analytics_storage to denied does not mean no data is sent. With the advanced implementation, Google tags still load before consent and send cookieless pings while storage is denied; only the basic implementation holds the tags back until consent is granted. Many organisations assume "denied" means silence. It does not.

Undocumented data flows. Tags send data to third parties that are not documented in privacy notices, data processing agreements, or records of processing. PII appears in URL parameters, tag payloads, or referrer strings without anyone realising.

This is a routine finding in tracking inventory reviews. Organisations are surprised by what their own tags transmit - because nobody has examined the actual network requests, only the tag configuration.
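The check described above, and the consent-drift check from the previous section, come down to the same exercise: take the requests a page actually sent and reconcile them against the documented processor list and the consent state in force when each one fired. The following is an added example of that reconciliation, not code from the original article or from any scanner it mentions. The processor hostnames, the consent-category mapping and the sample capture are all constructed for illustration; a real review would feed it the requests from a HAR export or proxy log.

```javascript
// Added example (not from the original article): reconcile captured tag
// requests against documented processors and the consent state at fire time.
// Hostnames, consent mapping and sample requests are constructed, not real.

// Documented processors and the Consent Mode category each one depends on.
// null marks a strictly necessary endpoint that needs no consent category.
const DOCUMENTED_PROCESSORS = {
  "www.google-analytics.com": "analytics_storage",
  "www.facebook.com": "ad_storage",
  "consent.example-cmp.test": null,
};

// Deliberately narrow: a visible e-mail address in a query string is the
// most common way PII leaks into tag payloads and referrer strings.
const EMAIL_RE = /[^\s@&=]+@[^\s@&=]+\.[a-z]{2,}/i;

// Return the names of query parameters whose (decoded) value looks like an
// e-mail address.
function findPiiParams(url) {
  const hits = [];
  for (const [name, value] of new URL(url).searchParams) {
    if (EMAIL_RE.test(value)) hits.push(name);
  }
  return hits;
}

// requests: [{ url, consent: { analytics_storage, ad_storage } }]
// Each finding names the destination host and the governance issue.
function reviewRequests(requests, documented = DOCUMENTED_PROCESSORS) {
  const findings = [];
  for (const req of requests) {
    const host = new URL(req.url).hostname;
    if (!(host in documented)) {
      // Destination missing from the privacy notice / records of processing.
      findings.push({ host, issue: "undocumented_destination" });
    } else {
      const category = documented[host];
      // A hit here is either genuine consent drift or, for Google tags in
      // advanced Consent Mode, an expected cookieless ping. The reviewer has
      // to reconcile it against the documented implementation either way.
      if (category && req.consent[category] !== "granted") {
        findings.push({ host, issue: "fired_while_denied", category });
      }
    }
    for (const param of findPiiParams(req.url)) {
      findings.push({ host, issue: "pii_in_url", param });
    }
  }
  return findings;
}

// Count findings per issue type for a one-line summary.
function summarise(findings) {
  const counts = {};
  for (const f of findings) counts[f.issue] = (counts[f.issue] || 0) + 1;
  return counts;
}

// Constructed capture: what a HAR export might contain after a visitor
// declined analytics and advertising but the page kept firing tags.
const DENIED_ALL = { analytics_storage: "denied", ad_storage: "denied" };
const SAMPLE_REQUESTS = [
  { url: "https://consent.example-cmp.test/v1/banner.js", consent: DENIED_ALL },
  { url: "https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER&en=page_view",
    consent: DENIED_ALL },
  { url: "https://www.facebook.com/tr?id=000000&ev=PageView", consent: DENIED_ALL },
  { url: "https://t.undocumented-vendor.test/px?uid=a.user%40example.test&ref=quote",
    consent: DENIED_ALL },
];

const REPORT = reviewRequests(SAMPLE_REQUESTS);
console.table(REPORT);
console.log(summarise(REPORT));
```

On the constructed capture the script reports two tags that fired while their consent category was denied, one destination absent from the documented processor list, and one e-mail address travelling in a query parameter. The useful property is that the input is the network traffic, not the tag-manager configuration, so a tag that was added or re-triggered after the last consent review shows up whether or not anyone updated the mapping.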

Missing audit evidence. Governance risk grows between audits with no early warning system. Unapproved tags fire, data flows to undocumented third parties, consent configurations drift - all without triggering any alert. The organisation discovers exposure only when a regulator asks or an incident occurs.

Why traditional approaches fail

One-off tracking reviews find issues at a point in time but do not prevent recurrence. The moment the report is filed, drift begins again. Privacy reviews check consent configuration but not consent behaviour. Internal teams are too close to daily delivery pressures to maintain independent oversight. Point QA tools generate alerts, but alerts without governance are just noise.

Closing the gap requires continuous verification - not a periodic review, but an operating discipline that matches the actual pace of change.

Two questions worth answering

What data is being collected today that nobody signed off?

Could you evidence compliance to a regulator without relying on documentation that has not been validated against implementation?

Check your compliance posture

Our free governance scanner tests consent behaviour, tag inventory, and data flows in under 30 seconds. It checks what actually fires - not what is configured. No signup required.

If the results raise concerns, our Executive Briefing maps your current tracking exposure and governance gaps to your regulatory context.