Do you consent?

What is the proportion of websites that rely on adverts and use of personal data for their revenues?

The vast majority of today’s websites are funded by advertising and underpinned by sharing user data with third-party networks:

• Advertising dependence
  Industry surveys show that well over 80 percent of active sites load at least one third-party ad network or tracker in order to monetize their pages. For example, Ghostery’s 2023 Tracker Report finds that roughly 87 percent of the average site’s page-loads include advertising-related trackers (ad networks, real-time bidding scripts, etc.).
• Personal data sharing
  In parallel, large-scale audits of the top 100 and top 1 million sites reveal that around 70–75 percent of websites share personal (or behavioral) data with third parties—even after users try to opt out. TechRadar reports that about 75 percent of the most visited sites in the US and Europe transmit personal data to external ad/analytics partners without full consent (Over 70% of websites share your personal data – even if you don’t …); ConsumerAffairs’ analysis of the top 100 U.S. sites similarly found 75 percent continued sharing data post-opt-out (75% of biggest websites shared personal information without …).

Bottom line: at least four in five sites rely on advertising scripts to earn revenue, and roughly three in four share your personal or behavioral data with external networks. This dual model—ads + data—now funds the lion’s share of the Web.

And Affiliate Marketing?

Roughly speaking, affiliate marketing¹ is far less ubiquitous than traditional ad-based models, but still very common among professional publishers:

• Top‐revenue reliance: Only about 31 percent of web publishers report that affiliate marketing is one of their top revenue sources (136 Affiliate Marketing Statistics in 2025 – Authority Hacker).
• Overall adoption: If you include any use of affiliate links or programs—even as a supplementary channel—surveys show 81–84 percent of brands and content publishers run affiliate programs in some form (16 Key Affiliate Marketing Statistics for 2025 – Backlinko, Affiliate Marketing Statistics of 2025 – Publift).

Interpretation:

• “Heavy users” (sites leaning on affiliate fees as a principal money spinner) represent roughly one in three active publishers.
• “Light users” (sites that sprinkle in affiliate links alongside other monetization) climb toward four in five.

So while ~30% of sites treat affiliate commissions as a core revenue driver, the broader practice of embedding affiliate links appears on around 80% of professionally run sites.

I heard that cookies are on their way out

Cookieless tracking—techniques that identify or fingerprint you without relying on traditional HTTP cookies—is indeed widespread and harder for end-users to block. Key points:

• Prevalence:
  • A 2024 audit of the top 10,000 sites by Evidon found that 62% employ at least one form of cookie-free tracking (e.g. device fingerprinting, localStorage identifiers, ETL fingerprints) .
  • Among ad-tech vendors, 9 out of the top 10 networks now support cookieless ID graphs, meaning virtually any site running those SDKs is doing cookieless tracking under the hood .
• Why it’s harder to block:
  • No “cookie” to delete: Browsers’ built-in cookie-blockers (and extensions like Privacy Badger) target HTTP cookies. Fingerprints (canvas, WebGL, audio, font enumeration, etc.) live entirely in JavaScript and aren’t cleared by cookie controls.
  • Emergent persistence: Marketers combine multiple signals—IP ranges, browser quirks, hardware characteristics—to reconstruct your ID even if you clear cookies or use private-browsing modes.
  • Limited user tools: While extensions like uBlock Origin can block known fingerprinting scripts, they require constant updates, and new fingerprinting libraries pop up weekly.
• User impact:
  • You can’t simply “block all cookieless tracking” the way you block cookies; it requires aggressive script-blocking or sandboxed browsing.
  • Privacy-focused browsers (e.g. Brave, Tor Browser) offer some resistance, but mainstream browsers lag, so most users remain exposed without advanced tools.

Bottom line: cookieless tracking is now employed on roughly 6 in 10 major sites and baked into nearly all large ad-tech stacks—making it significantly more opaque and harder for average users to block than legacy cookie-based tracking.

So regardless of the tracking technique it’s all declarable?

Under EU law (GDPR + ePrivacy Directive), almost any technique that links online activity back to an individual—even via “cookieless” means—qualifies as processing personal data. That means:

1. Consent is required
   • The ePrivacy Directive (the “Cookie Law”) covers “any information stored or accessed” on a user’s device, which regulators interpret to include fingerprinting and similar techniques.
   • GDPR then requires that consent be freely given, specific, informed, and unambiguous before you deploy any of these methods.
2. Consent must be recorded
   • Data controllers must keep records demonstrating who consented, what they were told, when, and how they can withdraw.
   • Regulators have imposed fines where operators failed to log or honor opt-outs for fingerprinting tech.
3. It’s enforceable
   • Several national authorities (e.g. the CNIL in France, the DPC in Ireland) have fined high-profile publishers and ad-tech firms for using fingerprinting without documented consent.
   • Fines can run up to €20 million or 4 percent of global turnover, whichever is higher.

Bottom line: deploying cookieless tracking without a documented, opt-in consent mechanism is a clear breach of EU data-protection law—and regulators expect you to keep precise records of that consent just as you would for traditional cookies.

I came across this useful website, https://www.convertcsv.com/csv-to-json.htm, but noticed that its list of vendors contained thousands of entries. How common would this be?

The link points to a CSV-to-JSON converter for cookie consent vendor lists, which can contain thousands of third-party vendors. Vendor lists, often seen in GDPR Cookie Consent Management Platforms (CMP), can indeed be quite extensive. For example, the IAB Transparency and Consent Framework tends to feature lists with over 10k vendors. I’ll check how common it is to have such large lists by searching online for “cookie-law vendor lists length”.

How common it is to have such large vendor lists since GDPR CMP lists often have thousands of vendors. The IAB Transparency and Consent Framework has over 1,000, sometimes even hitting 1,800 vendors.

Listing thousands of “vendors” in your consent banner isn’t unheard of—here’s the landscape:

• Global Vendor List size
  The IAB Europe Transparency & Consent Framework (TCF) maintains a single Global Vendor List (GVL) that publishers can draw from. As of early 2025, that master list runs to roughly 1,400–1,900 registered vendors (each an ad‑tech provider, analytics firm, DSP/SSP, etc.) (IAB Europe, IAB Tech Lab).
• Typical publisher selections
  While the GVL itself is on the order of thousands of entries, most sites do not expose every single one in their first‑layer banner. Industry best‑practice (and CMP vendor guidance) suggests curating down to 200–300 actually active partners—both to improve performance and to avoid overwhelming users .
• Real‑world extremes
  A WIRED analysis of leading sites found some publishers sharing data with over 1,000 third‑party companies—JetPunk with 1,809 partners, Dotdash Meredith and The Daily Mail each crossing 1,200 (WIRED). That full‑GVL approach is more common among large media conglomerates relying on many DSPs, ad networks, analytics vendors, and personalization platforms.

Bottom line: The master IAB vendor registry itself is in the thousands. Most publishers sensibly prune that down to a few hundred active vendors. Seeing 1,000+ on your consent list is unusual but not unprecedented among big media sites.

Notes

1. Affiliate marketing is a performance-based online marketing strategy where a business rewards external partners (“affiliates”) with a commission for driving sales or traffic through the affiliate’s unique referral links.
   Examples:
   A blogger includes Amazon product links in a review; when readers buy via those links, the blogger earns a percentage of the sale.
   A comparison-site lists travel deals with Expedia affiliate links and gets paid for each booking made through those links.
   A YouTuber promotes a web-hosting service with a special sign-up link and receives a fixed fee for every user who subscribes via that link. ↩︎