Your cookie banner is live. Your preference center exists. But is any of it actually working? We brought together a compliance officer, a former OneTrust solutions engineering leader, and our team to break down what separates a defensible consent program from a liability.
A broken cookie banner might be riskier than having no banner at all.
That observation, from compliance attorney and fractional CISO Milou Lammers during a recent FLLR panel discussion, captures the uncomfortable reality facing most organizations today. Consent management has moved well beyond the "just put a banner on the site" era. Enforcement is active, plaintiff’s attorneys are sending demand letters at scale, and regulators are pulling apart programs that were built once and never touched again.
We hosted a live discussion with Milou (CEO and Founder of Compliance Council) and Ethan Sailers (FLLR’s Vice President, formerly Global Director of Solutions Engineering for consent and preference management at OneTrust for eight years) to dig into what it actually takes to build a consent and preference program that holds up under pressure.
Here’s what we covered, and what you should be thinking about right now.
The Check-the-Box Era Is Over
If your marketing team’s answer to "Do we have a cookie banner?" is "Yes," but nobody can tell you when it was last tested, you have a problem. The distinction between organizations checking a box and those building a real consent program is one of the clearest signals of privacy maturity we see across our client base.
Milou put it bluntly: when she vets third-party vendors on behalf of her clients, a consent banner that’s visibly broken tells her more about a company’s compliance posture than almost anything else. It signals that nobody is watching, nobody is testing, and the program was likely set up once and forgotten.
The baseline has shifted. As Ethan explained, durable execution now means solving for the spirit of the law, not just its letter. Organizations that treat consent management as a strategic initiative (one that unlocks speed and ROI) are pulling ahead of those still debating whether they need a banner at all.
The question is not "Are we compliant?" It’s "Is our program defensible, and does it actually work?"
Trust Is the Foundation, Not the Feature
Every panelist came back to the same theme: trust is the core operating principle of a successful consent program, not a marketing tagline.
Milou builds compliance programs from scratch for early-stage startups, and her approach starts with positioning compliance as a sales enablement tool rather than a cost center. When your customers trust you, contracts close faster. When your compliance posture is visible and defensible, enterprise buyers stop asking for extra due diligence. That reframing changes everything about how an organization invests in its program.
Ethan reinforced this with a stat worth repeating: research suggests that 88-90% of customers who trust a brand will repurchase. That directly impacts market value. When you bring those kinds of hard objectives to the table instead of abstract compliance goals, it’s much easier to align stakeholders across digital, marketing, IT, and legal.
The bottom line: if your compliance program’s only KPI is "we passed the audit," you’re leaving significant business value on the table.
Start Strategic, Not Comprehensive
One of the most common mistakes we see is organizations trying to tackle everything at once. Build the whole compliance program on day one. Cover every regulation. Deploy every module.
It worked maybe five years ago. It does not work now.
The regulatory landscape is too fragmented, especially in the U.S., where the state-specific model means a company operating in North Carolina can suddenly face California’s requirements the moment it closes its first deal there. Milou described spending significant time peeling apart old compliance layers where one GRC tool was swapped for another, templates didn’t overlap, and gaps compounded over time.
Ethan’s recommendation: start with a defensible position. Understand where your gaps are, commit to doing the right thing, then build a strategic roadmap. The goal is not to be compliant with every applicable law on day one (an increasingly unrealistic standard for any company). The goal is to demonstrate that you’re aware of your shortcomings and have documented plans to address them.
Regulators, for the most part, are willing to work with companies that show good faith effort and clear milestones. What they will not tolerate is a program that was built once and never revisited.
GPC and Universal Opt-Out: What You Actually Need to Know
Global Privacy Control (GPC) remains one of the most misunderstood requirements in consent management. For years, most organizations treated it as a browser signal that simply turned off cookies. What we’re seeing from regulators now is a much broader interpretation: if you receive a GPC signal and you know who the individual is, you need to process a full opt-out across all downstream systems.
Ethan walked through the practical reality of this. When someone with GPC enabled lands on your website, you can honor that signal for third-party tracking fairly easily through your consent management platform technology. The complexity hits when you need to process the broader opt-out. If that individual has an account with you, and you’re passing their data through something like the Meta Conversion API for retargeting, that could constitute a sale of data. But at the moment they first hit your site, you may not know enough about them to connect the dots.
The practical approach we recommend (and what Ethan has seen work across hundreds of implementations): provide clear notice that you’ve detected GPC and opted the user out of everything you can at that point. Then ask them to sign in or provide an email address if they want the broader opt-out applied across all channels. This respects the spirit of the law without creating a privacy issue of its own through aggressive identity resolution.
Once you have that opt-out signal, it needs to flow everywhere: your CDP (Segment, mParticle, Adobe), your mobile apps, connected TV, IoT devices. Cross-domain, cross-device consent orchestration is where most implementations get complicated, and it’s where we spend a significant amount of time with clients.
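The two-tier handling Ethan describes, as an added example (not FLLR’s or OneTrust’s code): detect GPC on either surface the specification defines (the `Sec-GPC: 1` request header or `navigator.globalPrivacyControl`), suppress third-party tracking immediately, and apply the downstream opt-out only once the visitor is identified. Function names, the category list and the downstream targets are assumptions.

```javascript
// Added example, not code from the original post. Names are assumptions.
// GPC is exposed two ways: the `Sec-GPC: 1` request header (seen server-side)
// and `navigator.globalPrivacyControl === true` (seen in the browser).

// Categories a consent platform gates; only "essential" loads before consent
// (assumed taxonomy, not any vendor's).
const NON_ESSENTIAL = ["analytics", "advertising", "social", "personalization"];

// True when either GPC surface carries an opt-out signal.
function gpcDetected({ headers = {}, navigatorSignal = false } = {}) {
  const header = Object.entries(headers)
    .find(([name]) => name.toLowerCase() === "sec-gpc");
  return navigatorSignal === true ||
    (header !== undefined && String(header[1]).trim() === "1");
}

// Decides how far the site can honor GPC right now. Third-party tracking is
// always suppressed; the broader opt-out (CDP, conversion APIs, email, mobile)
// is applied only when the visitor is already identified. Otherwise the user
// is told what was done and invited to sign in, rather than the site trying
// to resolve identity on its own.
function resolveGpcOptOut({ headers = {}, navigatorSignal = false, userId = null }) {
  if (!gpcDetected({ headers, navigatorSignal })) {
    return { detected: false, blockedCategories: [], downstreamOptOut: false,
             downstreamTargets: [], promptForIdentity: false, notice: null };
  }
  const identified = userId !== null;
  return {
    detected: true,
    blockedCategories: [...NON_ESSENTIAL],
    downstreamOptOut: identified,
    // assumed names for the systems the opt-out must reach once identity is known
    downstreamTargets: identified ? ["cdp", "conversion-api", "email", "mobile"] : [],
    promptForIdentity: !identified,
    notice: identified
      ? "GPC detected: your opt-out has been applied across all channels."
      : "GPC detected: tracking on this site is off. Sign in to apply the opt-out everywhere.",
  };
}
```

Server-side, pass `req.headers`; in the browser, pass `navigator.globalPrivacyControl`, and log the returned `notice` and `downstreamTargets` so the review cadence has evidence that the signal was honored.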
Continuous Monitoring Is Not Optional (But It’s Not What You Think)
The set-it-and-forget-it model is dead. Milou was direct about this: if your compliance program was set up two years ago, it’s out of date.
But "continuous monitoring" can mean very different things. For some organizations, it’s logs going into a Google Drive folder that nobody ever opens. That is not monitoring. That is liability documentation waiting to be discovered.
What actually works is a rhythm of structured reviews. Test your consent banner quarterly. Verify that your tag governance is catching new trackers as marketing teams deploy them. Confirm that your preference center still reflects your current data practices. These are not heroic efforts. They’re operational hygiene.
We’re also seeing the compliance enforcement landscape get more aggressive. Plaintiff’s attorneys are sending out hundreds of demand letters targeting digital compliance gaps. State regulators are issuing enforcement actions. What used to be theoretical risk is now a measurable cost. Companies that have a documented, consistent review cadence are in a significantly stronger position when those letters arrive.
AI Changes the Equation (In Both Directions)
AI is already being embedded into compliance workflows. The initial use case was straightforward: use AI to interpret regulatory requirements and surface what applies to a given organization. What we’re seeing now is a shift toward using AI for better data insights, faster remediation, and more agile scanning of unstructured PII.
But the panel also flagged the flip side: how are organizations handling consent for AI training and data processing?
Milou’s advice was pointed. She recommended that organizations focus on the actual language in their consent notices. What did users actually agree to? Nested policies and vague disclosures are likely to get pulled apart as case law develops. If you’re collecting data today without knowing exactly how it will be used in future AI initiatives, you should be raising that as a documented risk, ideally within your GRC platform, as part of your quarterly risk review process.
Ethan reinforced the urgency from a data architecture perspective: if you don’t tag and classify data at the point of ingestion with the right consent signals, you can end up with broad datasets where you don’t know what you can and cannot do with the information. The worst-case scenario is training a model on data that was collected without proper notice, then facing a penalty that requires deleting the entire model.
The bottom line: consent management and AI governance are converging. Organizations that are thoughtful about this intersection now will avoid costly retroactive compliance work later.
What You Should Do This Quarter
Based on the patterns we’re seeing across our client base (and the insights from this discussion), here are the moves that matter right now:
Test your consent banner and preference center. Not just whether it loads, but whether it’s actually blocking non-essential tracking before consent is given. Verify it across browsers and devices. If you haven’t tested in over 90 days, you’re overdue.
Audit your GPC implementation. Are you detecting the signal? Are you providing clear notice? Are you processing the broader opt-out when you can identify the user? This is one of the most common gaps we find.
Map your consent signal flow. Trace where opt-out preferences actually go once captured. Does the signal reach your CDP, your email platform, your ad tech stack? Gaps in this chain are where enforcement actions start.
Document your AI data practices. If you’re collecting data that might feed AI initiatives (even if you’re not sure yet), raise it in your risk review process. Make it a recorded, active decision. This protects you later.
Review your consent language. Compare what your privacy notice says against what you’re actually doing with data. Misalignment here is where regulators and plaintiff’s attorneys will focus.
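The banner test in the first item above, as an added example (not FLLR’s or any CMP vendor’s code): take the script sources loaded on a page, classify each by host against a tag inventory, and report any non-essential tracker that fired before a consent decision or outside a granted category. The inventory, the sample script list and the function names are constructed for the example.

```javascript
// Added example, not code from the original post. Inventory and names are assumed.
// Assumed mapping of tracker hosts to consent categories; a real program keeps
// this in its tag governance inventory.
const TRACKER_CATEGORIES = {
  "www.googletagmanager.com": "analytics",
  "connect.facebook.net": "advertising",
  "cdn.segment.com": "analytics",
  "js.stripe.com": "essential",
};

// Classifies a script URL; anything not in the inventory is "unknown".
function categoryForScript(src) {
  let host;
  try { host = new URL(src).hostname; } catch { return "unknown"; }
  return TRACKER_CATEGORIES[host] ?? "unknown";
}

// consent: { decided: boolean, granted: Set<string> }.
// Before a decision only "essential" may load; after a decision each category
// must be granted. Unknown hosts are reported so the inventory gets updated.
function findConsentViolations(scriptSrcs, consent) {
  return scriptSrcs.flatMap((src) => {
    const category = categoryForScript(src);
    if (category === "essential") return [];
    if (category === "unknown") return [{ src, category, reason: "not in inventory" }];
    if (!consent.decided) return [{ src, category, reason: "loaded before consent" }];
    if (!consent.granted.has(category)) {
      return [{ src, category, reason: "category not granted" }];
    }
    return [];
  });
}

// Constructed snapshot of <script src> values captured on first page load,
// before the visitor has interacted with the banner.
const SAMPLE_SCRIPTS = [
  "https://js.stripe.com/v3/",
  "https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER",
  "https://connect.facebook.net/en_US/fbevents.js",
  "https://cdn.example-unknown.net/pixel.js",
];
```

In a browser the script list comes from `[...document.scripts].map((s) => s.src)`; run it once with no decision recorded and once per consent profile, across the browsers and devices the quarterly review covers.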
Need a Second Opinion on Your Consent Program?
FLLR Consulting is the #1 most recommended OneTrust implementation partner, with 1,000+ compliance technology implementations across privacy, consent, GRC, vendor risk, and AI governance. We help organizations build consent and preference programs that are defensible, scalable, and actually adopted by the teams that need to use them.
Whether you need a targeted consent health check, a full implementation, or ongoing managed services to keep your program current, our senior practitioners are ready to help.
Get in touch or reach out to our team directly on LinkedIn.
About the Panelists
Milou Lammers is the CEO and Founder of Compliance Council and Cyber Council, a cybersecurity and privacy attorney, and fractional Chief Compliance Officer for technology startups. She also hosts the Socializing Security podcast.
Ethan Sailers is the Vice President at FLLR Consulting. Previously, he spent eight years at OneTrust as Global Director of Solutions Engineering for consent and preference management, and has served on working groups with the Interactive Advertising Bureau (IAB).
Nik Fuller is the CEO and Co-Founder of FLLR Consulting, leading the firm’s strategy across privacy, GRC, marketing governance, and AI governance consulting.