Data Privacy and Consent in Marketing Statistics for 2026

Data Privacy and Consent in Marketing Statistics for 2026

By Christoph Olivier, Founder, CO Consulting · Updated July 2026
Based on 34 verified statistics from 17 sources. Every figure is attributed to a primary or credible source with its year and geography stated.

This research asset compiles verified statistics on how consumers feel about data collection, when they will and will not share information, and how regulation and enforcement are reshaping marketing data practices. Every number below is attributed to a named publisher and year, with self-reported survey limits and the fast-moving regulatory context flagged where relevant. The data matters because marketing budgets are shifting from third-party identifiers toward first-party data and consent-based collection, while regulators keep raising the cost of getting it wrong.

Executive Summary

  • 81% of U.S. adults are very or somewhat concerned about how companies use the data they collect about them, per Pew Research Center, May 2023 (n=5,101 U.S. adults). Source
  • 53% of consumers say they are aware of their country’s privacy laws, up from 36% in 2019, per the Cisco 2024 Consumer Privacy Survey (2,600 consumers, 12 countries). Source
  • More than 75% of consumers say they will not buy from an organization they do not trust with their data, per the Cisco 2024 Consumer Privacy Survey. Source
  • 71% of brands, agencies, and publishers are growing or planning to grow their first-party datasets, nearly double the 41% rate of two years earlier, per IAB State of Data 2024 (500+ industry experts). Source
  • The average cookie banner acceptance rate is about 31%, with observed rates ranging from 4% to 85% depending on banner design, per an Advance Metrics five-year post-GDPR study, 2023. Source
  • European supervisory authorities issued approximately EUR 1.2 billion in GDPR fines in 2025, closely matching 2024, per DLA Piper’s GDPR Fines and Data Breach Survey, January 2026. Source
  • The California Attorney General secured its largest CCPA settlement to date, $1.55 million from Healthline Media, on July 1, 2025. Source
  • 20 U.S. states had enacted comprehensive consumer privacy laws as of early 2026, up from one (California) in 2018, per the IAPP US State Privacy Legislation Tracker. Source

Key Findings

  • 81% of U.S. adults are concerned about company data use and 71% are concerned about government data use in 2023, per Pew Research Center (n=5,101). Source
  • 73% of U.S. adults feel they have little or no control over the data companies collect about them, and 79% feel the same about government-collected data, per Pew Research Center, 2023. Source
  • 56% of U.S. adults say they always, almost always, or often agree to privacy policies without reading them, per Pew Research Center, 2023. Source
  • 67% of U.S. adults say they have little or no understanding of what companies do with the data they collect, up from 59% in 2019, per Pew Research Center, 2023. Source
  • 78% of Democrats and 68% of Republicans support more government regulation of what companies can do with personal data, per Pew Research Center, 2023. Source
  • 59% of consumers say strong privacy laws make them more comfortable sharing information with AI applications in 2024, per the Cisco 2024 Consumer Privacy Survey. Source
  • 81% of privacy-aware consumers feel their data is protected versus 44% of consumers unaware of privacy laws, per the Cisco 2024 Consumer Privacy Survey. Source
  • 30% of generative AI users report entering personal or confidential information into these tools, while 84% say they are concerned about that data going public, per Cisco 2024. Source
  • 60% of buyers say they are willing to share more data to receive personalized benefits, even though 65% agree excessive cookie use raises privacy concerns, per McKinsey, 2022. Source
  • Only 44% of consumers said they trust healthcare and financial-services companies with their data, the highest of any sector, while about 10% trust consumer-packaged-goods and media companies, per McKinsey, 2020. Source
  • Opt-in consent frameworks produce an average consent rate near 84%, while opt-out frameworks often exceed 95%, per etracker consent benchmarks. Source
  • Google confirmed in April 2025 that it will not deprecate third-party cookies in Chrome and will keep existing cookie controls, reversing its earlier phase-out plan. Source
  • Cumulative GDPR fines since 2018 reached roughly EUR 5.88 billion by early 2026, per DLA Piper, January 2026. Source
  • Notified personal data breaches in Europe rose 22% year over year to an average of 443 per day between January 2025 and January 2026, per DLA Piper. Source

Consumer Privacy Concern and the Trust Deficit

Consumer concern about commercial data use is broad and stable at high levels, which sets the baseline conditions for consent-based marketing. The strongest primary evidence comes from Pew Research Center’s nationally representative survey of 5,101 U.S. adults fielded May 15 to 21, 2023.

81% of U.S. adults said they are very or somewhat concerned about how companies use data collected about them in 2023 (Pew Research Center). 73% said they feel they have very little or no control over the data companies collect about them (Pew Research Center, 2023). 67% said they understand little or nothing about what companies do with their data, up from 59% in 2019 (Pew Research Center, 2023). Cross-nationally, more than 75% of consumers said they would not purchase from an organization they do not trust with their data (Cisco 2024 Consumer Privacy Survey). What this means for marketers is that trust is a purchase precondition, not a soft brand metric. The limitation to note is that all of these figures are self-reported attitudes, and attitudes overstate behavior: 56% of the same Pew respondents admit they routinely accept privacy policies without reading them.

Willingness to Share Data and the Privacy Paradox

Concern coexists with conditional sharing, a pattern researchers call the privacy paradox. Consumers will trade data for value they judge worthwhile, especially in high-stakes categories.

60% of buyers said they are willing to share more data to receive personalized benefits, even as 65% agreed that excessive cookie use raises privacy concerns (McKinsey, 2022). 59% of consumers said strong privacy laws actually make them more comfortable sharing information with AI applications (Cisco 2024). Only about 44% of consumers said they trust even the most trusted sectors, healthcare and financial services, with their data, and roughly 10% said they trust consumer-packaged-goods or media companies (McKinsey, 2020). The practical read is that willingness to share is contingent on perceived value, category importance, and visible safeguards, not a fixed consumer trait. A limitation is that McKinsey’s trust and willingness figures come from different survey waves (2020 and 2022) and are not directly comparable year over year.

Cookie Deprecation and the First-Party Data Shift

The technical foundation of third-party tracking has been in flux, and the industry response has been to invest in owned data regardless of the final cookie outcome. This section carries the highest regulatory and platform-risk flags because the situation changed repeatedly.

Google reversed course on third-party cookies: after announcing a phase-out, in July 2024 it proposed a user-choice prompt instead, and in April 2025 it confirmed it would neither launch the prompt nor deprecate cookies, keeping existing Chrome controls (IAPP, 2025). Despite that reprieve, 71% of brands, agencies, and publishers reported growing or planning to grow first-party datasets, nearly double the 41% share of two years earlier (IAB State of Data 2024). 95% of advertising and data decision-makers said they expect continued signal loss or new privacy legislation (IAB State of Data 2024). What this means is that first-party data strategy is now decoupled from the cookie timeline; marketers are building consented data assets because regulation and platform privacy features, not just cookies, are driving signal loss. The limitation is that IAB’s figures come from a self-selected panel of roughly 500 industry professionals and reflect stated intent rather than audited spend.

Consent Rates and Banner Behavior

Consent rates are the operational bridge between attitudes and usable marketing data, and they vary enormously with banner design, which raises both compliance and data-quality concerns.

The average cookie banner acceptance rate is about 31%, with observed rates spanning 4% to 85% (Advance Metrics, 2023). When a clear “Reject all” button is present on the first layer, roughly 60% of users reject (Advance Metrics, 2023). Opt-in frameworks average around 84% consent while opt-out frameworks often exceed 95% (etracker benchmarks). Consent Management Platform adoption rose from about 5% of websites before GDPR to roughly 42% by the end of 2023 (Advance Metrics, 2023). The context is that headline acceptance rates are highly sensitive to interface design, and high rates achieved by burying the reject option carry regulatory risk under GDPR’s requirement for freely given consent. The limitation is that these consent benchmarks come from commercial CMP vendors and measurement firms whose samples and definitions differ, so cross-study comparison should be cautious.

Regulation Awareness and Legal Framework

Awareness of privacy law is rising and correlates with both trust and willingness to share, while the U.S. framework remains a state-by-state patchwork.

53% of consumers said they are aware of their country’s privacy laws in 2024, up from 36% in 2019 (Cisco 2024). 81% of privacy-aware consumers felt their data was protected versus 44% of those unaware of the laws (Cisco 2024). 20 U.S. states had enacted comprehensive consumer privacy laws by early 2026, up from one in 2018 (IAPP tracker). For the first time in five years, 2025 saw no new comprehensive state privacy law enacted, though eight states amended existing laws (IAPP, 2025). The takeaway for marketers is that compliance obligations now scale with the number of states a customer base touches, and awareness gains mean consumers increasingly expect rights such as opt-out of sale. The limitation is that the state count changes frequently as legislation and effective dates shift, so any fixed number should be dated.

GDPR and CCPA Enforcement

Enforcement is where privacy risk becomes financial, and both European and California regulators have escalated activity.

European authorities issued approximately EUR 1.2 billion in GDPR fines in 2025, closely matching the 2024 total (DLA Piper, January 2026). Cumulative GDPR fines since 2018 reached about EUR 5.88 billion (DLA Piper, January 2026). The single largest GDPR fine remains the EUR 1.2 billion penalty imposed on Meta by Ireland’s Data Protection Commission in May 2023 for unlawful EU-to-U.S. data transfers (Irish DPC, 2023). In California, the Attorney General secured its largest CCPA settlement to date, $1.55 million from Healthline Media, on July 1, 2025, over failure to honor opt-out-of-sale requests and unlawful sharing of health-related data (California OAG, 2025). Earlier CCPA settlements included $1.2 million from Sephora in 2022 and $375,000 from DoorDash in February 2024 (California OAG). The context is that enforcement has moved from headline mega-fines toward routine settlements targeting opt-out failures and tracking-technology misuse, which are exactly the mechanisms marketing teams operate. The limitation is that enforcement totals and currency conversions vary by source and reporting date, and pending appeals can alter final figures.

Original Synthesis

The following three insights combine the verified public datasets above. Each states its formula, inputs, and limitations, and none should be read as precise.

1. The Awareness-Trust Gap

Formula: subtract the share of privacy-unaware consumers who feel protected from the share of privacy-aware consumers who feel protected. Inputs: Cisco 2024 (81% of aware consumers feel protected; 44% of unaware consumers feel protected). Result: a 37-percentage-point protection gap tied purely to awareness of the law. Insight: informing consumers about their rights is itself a trust lever, independent of any change to actual data practices. Limitation: this is a cross-sectional correlation from a single survey wave; it does not prove that raising awareness causes higher trust.

2. The Concern-to-Consent Conversion Ratio

Formula: divide the average cookie banner acceptance rate by the share of adults who are concerned about company data use. Inputs: Advance Metrics (31% average acceptance) and Pew 2023 (81% concerned). Result: roughly 0.38, meaning fewer than four in ten of the concern-weighted population accept tracking under a neutral banner. Insight: the gap between stated concern and observed acceptance quantifies the privacy paradox and shows how much banner design, not attitude, drives measured consent. Limitation: the two inputs come from different populations (global CMP traffic versus U.S. adults) and different years, so the ratio is directional, not a population statistic.

3. Enforcement Intensity per Year Since GDPR

Formula: divide cumulative GDPR fines by the number of full enforcement years. Inputs: DLA Piper January 2026 (about EUR 5.88 billion cumulative since May 2018, roughly seven and a half years). Result: an average of roughly EUR 780 million in fines per year across the GDPR era. Insight: annual enforcement now runs above that long-run average (about EUR 1.2 billion in both 2024 and 2025), signaling that recent years are heavier than the historical mean. Limitation: cumulative totals are front-loaded by a small number of very large fines such as the Meta penalty, so the yearly average masks high variance.

Tables

Table 1: Consumer Privacy Attitudes, United States, 2023

MetricShare of U.S. adultsYear
Concerned about company data use81%2023
Concerned about government data use71%2023
Feel little/no control over company-collected data73%2023
Feel little/no control over government-collected data79%2023
Understand little/nothing about company data use67%2023
Agree to privacy policies without reading56%2023

Source: Pew Research Center, “How Americans View Data Privacy,” October 18, 2023, n=5,101 U.S. adults. Link

Table 2: Cisco Consumer Privacy Survey Selected Metrics, 2024

MetricValueYear
Aware of national privacy laws53% (up from 36% in 2019)2024
Say strong laws increase comfort sharing with AI59%2024
Aware consumers who feel data is protected81%2024
Unaware consumers who feel data is protected44%2024
Will not buy from an untrusted organization75%+2024
GenAI users entering personal/confidential data30%2024

Source: Cisco 2024 Consumer Privacy Survey, 2,600 consumers across 12 countries. Link

Table 3: Selected Privacy Enforcement Actions

ActionAmountAuthorityDate
Meta EU-US data transfer fineEUR 1.2 billionIrish DPC (GDPR)May 2023
Healthline Media settlement$1.55 millionCalifornia AG (CCPA)July 2025
Sephora settlement$1.2 millionCalifornia AG (CCPA)August 2022
DoorDash settlement$375,000California AG (CCPA/CalOPPA)February 2024
Total GDPR fines, 2025~EUR 1.2 billionEU supervisory authorities2025
Cumulative GDPR fines since 2018~EUR 5.88 billionEU supervisory authoritiesthrough Jan 2026

Sources: Irish DPC and IAPP (Meta); California OAG (Healthline, Sephora, DoorDash); DLA Piper GDPR Fines and Data Breach Survey, January 2026 (GDPR totals). Link

Charts to build

  • Chart 1: “U.S. privacy concern versus perceived control, 2023.” Data needed: Pew 2023 concern and control percentages for company and government. Source: Pew Research Center. Insight: concern outpaces control across both targets. Citation-worthy because it visualizes the powerlessness gap in one image.
  • Chart 2: “First-party data investment intent, 2022 versus 2024.” Data needed: IAB 41% (2022) and 71% (2024). Source: IAB State of Data. Insight: near-doubling of first-party focus. Citation-worthy as a clean before/after on the data shift.
  • Chart 3: “Cookie acceptance rate by banner design.” Data needed: 31% average, 60% reject when reject-all is prominent. Source: Advance Metrics. Insight: design, not attitude, drives consent. Citation-worthy for compliance and UX audiences.
  • Chart 4: “GDPR fines by year, 2018 to 2025.” Data needed: annual and cumulative totals. Source: DLA Piper. Insight: enforcement has plateaued at a high level near EUR 1.2 billion per year. Citation-worthy for risk and legal press.
  • Chart 5: “U.S. states with comprehensive privacy laws, 2018 to 2026.” Data needed: cumulative state count by year. Source: IAPP. Insight: patchwork growth from 1 to 20 states. Citation-worthy for compliance planning.

Inline chart: First-party data investment intent

2022   41%
2024   71%

Source: IAB State of Data 2024. Share of brands, agencies, and publishers growing or planning to grow first-party datasets. Link

Methodology

Source-selection criteria prioritized primary and official sources: the Pew Research Center for U.S. consumer attitudes, the Cisco Consumer Privacy Survey for cross-national attitudes, the IAB State of Data report for industry practice, DLA Piper and the IAPP for enforcement and legislative tracking, and official government pages (California OAG, Irish DPC) for specific actions. Secondary or vendor sources (Advance Metrics, etracker, McKinsey) were used only for metrics not available from primary bodies, and each is labeled by publisher and year. Inclusion required a named publisher, a datable figure, and a retrievable URL. Where multiple sources reported the same event (for example the Meta fine), the primary regulator or the closest reporting to it was cited. Conflicting or non-comparable numbers were kept separate rather than blended, and derived figures in Original Synthesis show their formulas and inputs. Data limitations: most consumer figures are self-reported and subject to social-desirability bias; survey samples and geographies differ; consent-rate benchmarks come from commercial measurement firms with varying definitions; and the regulatory environment changes frequently. Date of last update: July 1, 2026.

Source Quality

Tier 1 (primary, government, official bodies): Pew Research Center; California Office of the Attorney General; Irish Data Protection Commission; IAPP state and enforcement trackers.

Tier 2 (credible market research and trade bodies): Cisco Consumer Privacy Survey; IAB State of Data 2024; DLA Piper GDPR Fines and Data Breach Survey; McKinsey and Company.

Tier 3 (reputable measurement firms and expert commentary): Advance Metrics; etracker consent benchmarks; law-firm client alerts summarizing enforcement.

Most Quotable Statistics

  • “81% of U.S. adults are concerned about how companies use their data.” (Pew Research Center, 2023)
  • “More than 75% of consumers won’t buy from an organization they don’t trust with their data.” (Cisco, 2024)
  • “First-party data investment intent nearly doubled from 41% to 71% in two years.” (IAB, 2024)
  • “The average cookie banner acceptance rate is about 31%.” (Advance Metrics, 2023)
  • “European regulators issued roughly EUR 1.2 billion in GDPR fines in 2025.” (DLA Piper, 2026)

Data Limitations

Consumer statistics are self-reported and overstate protective behavior relative to actual conduct, as shown by the 56% who accept policies unread. Survey populations differ: Pew is U.S.-only, Cisco is 12 countries, and McKinsey waves span different years. Consent-rate figures come from commercial CMP and analytics vendors whose sampling and definitions are not standardized. Enforcement totals depend on reporting dates and currency conversion, and pending appeals can change final amounts. The cookie and state-law situations change frequently, so any specific count or timeline should be treated as a snapshot dated to mid-2026.

Recommended Dataset Fields

For a downloadable CSV, recommended columns are: metric_name; value; unit (percent, currency, count); geography; year; publisher; source_type (Tier 1/2/3); sample_size; methodology_note; source_url; date_accessed; uncertainty_flag.

Press Summary

Consumer privacy concern remains near record highs, with 81% of U.S. adults worried about how companies use their data and 73% feeling they have little control over it, per Pew Research Center’s 2023 survey of 5,101 adults. Yet concern does not equal refusal: 60% of buyers will share more data for personalized benefits (McKinsey), and more than 75% simply refuse to buy from brands they do not trust (Cisco 2024). The marketing data foundation is shifting toward consented first-party data, with intent to grow first-party datasets nearly doubling from 41% to 71% in two years (IAB), even after Google decided in April 2025 to keep third-party cookies in Chrome. Enforcement keeps rising: EU regulators issued about EUR 1.2 billion in GDPR fines in 2025, and California secured its largest CCPA settlement, $1.55 million from Healthline, in July 2025. All figures are attributed and dated; consumer numbers are self-reported and the regulatory picture changes often.

Suggested Headlines

  • 81% of Americans Are Worried About Corporate Data Use, But Most Still Trade Data for Value
  • First-Party Data Intent Nearly Doubled in Two Years, Even as Google Keeps Cookies
  • The 31% Problem: Why Cookie Consent Rates Undercut Marketing Data
  • EUR 1.2 Billion a Year: GDPR Enforcement Settles Into a High Plateau
  • 20 States, One Patchwork: The Real Compliance Cost of U.S. Privacy Law

FAQ

How many Americans are concerned about how companies use their data?

81% of U.S. adults are very or somewhat concerned, per Pew Research Center, 2023. Source

Do consumers feel in control of their data?

No. 73% feel they have little or no control over data companies collect, per Pew Research Center, 2023. Source

Are consumers willing to share data for personalization?

Yes, conditionally: 60% of buyers will share more data for personalized benefits, per McKinsey, 2022. Source

What is the average cookie consent acceptance rate?

About 31% on average, ranging from 4% to 85% by banner design, per Advance Metrics, 2023. Source

Did Google actually remove third-party cookies?

No. In April 2025 Google confirmed it will not deprecate third-party cookies in Chrome and will keep existing controls, per IAPP. Source

Are marketers still shifting to first-party data despite the cookie reprieve?

Yes. 71% of brands, agencies, and publishers are growing first-party datasets, up from 41% two years earlier, per IAB State of Data 2024. Source

How much are GDPR fines totaling now?

About EUR 1.2 billion in 2025 and roughly EUR 5.88 billion cumulatively since 2018, per DLA Piper, January 2026. Source

What is the largest GDPR fine ever?

EUR 1.2 billion, imposed on Meta by Ireland’s DPC in May 2023 for unlawful EU-to-U.S. data transfers, per IAPP. Source

What is the largest CCPA settlement to date?

$1.55 million from Healthline Media, announced July 1, 2025, per the California Attorney General. Source

How many U.S. states have comprehensive privacy laws?

20 states as of early 2026, up from one in 2018, per the IAPP US State Privacy Legislation Tracker. Source

For related research on consent-based data strategy and measurement, see CO Consulting. If your team needs help translating these benchmarks into a first-party data and consent roadmap, you can book a consultation.

Cite this research

CO Consulting. "Data Privacy and Consent in Marketing Statistics for 2026" christopholivierconsulting.com, 2026. https://christopholivierconsulting.com/data-privacy-marketing-statistics/


Related research