Growing tired of OneTrust? Let's break you free

The 5 questions that expose fake privacy integrations

Privacy integrations aren't all equal. Here are the five questions that separate real automation from theater, before you sign the contract.
The Five Questions That Expose Fake Privacy Integrations
Read time
6 min read
Last updated
July 9, 2026
Need an easy-to-use consent management solution?

Ketch makes consent banner set-up a breeze with drag-and-drop tools that match your brand perfectly. Let us show you.

Book a 30 min Demo
Need an easy-to-use consent management solution?
Book a 30 min Demo
Ketch is simple,
automated and cost effective
Book a 30 min Demo
Summarize this blog post with:

The five questions that separate a real privacy integration from vendor theater: (1) Who's actually building the integration — the vendor or your engineers? (2) What consumer privacy right does it cover — the easy DSR requests, or the hard consent opt-outs? (3) How does it identify the person — email only, or every system-native ID? (4) Can the vendor prove the integration fired, with a downstream log? (5) Does it keep working over time, with monitoring and alerts? A sixth question — can the vendor give an honest breakdown of automated vs. manual "integrations" — reveals whether their total integration count is real.

"We integrate with that" is the biggest lie in privacy tech.

Every data privacy management software vendor has an integrations page. It is a wall of logos, arranged in a tidy grid, and it is built to do one thing: end the conversation. "Yes, we integrate with that." Potential buyer checks the box, and moves to the next eval question.

I'm begging you: don't move on. Your future self will thank you.

The vendor list of system/app integrations is the most misleading artifact in a privacy software evaluation. "Integration" has been stretched to cover everything from a real-time API call to an automated email to a human requesting a manual task to be completed. Both of these things earn a logo on the list, and they are not remotely the same product. The difference between them is the difference between a privacy program that works, and one that only looks like it does.

I have sat through a lot of these evaluations on both sides of the table. The integrations conversation almost always goes the same way:

The vendor claims the integration exists. The buyer assumes the obvious meaning of the word. Nobody checks the gap between the two until implementation, when the gap turns out to be $$$ engineering work the buyer never budgeted for.

By that time, the contract is signed and the leverage is gone.

So this is an article about how to check. How to tell, before you sign, whether a given integration is real or whether you are buying a manual human task in disguise.

You cannot run a compliant privacy program without functioning integrations

It is tempting to treat integrations as plumbing. A technical detail to sort out after the important decisions are made. That is a critical mistake. Integrations are required to comply with privacy regulations and enforcer expectations.

Capturing a choice and honoring a choice are two different jobs

An opt-out or deletion request are examples of consumer privacy choices. Capturing those choices is the easy part, and just about any tool on the market can do it well. (See my other rant, "the infuriating success of the cookie banner," for more details on this.)

Honoring those opt-outs and requests is the hard part, and it's the part that actually matters. What we're talking about here is the difference between data collection, and data processing.

  • Data collection = intake the opt-out or deletion request
  • Data processing = apply the opt-out or deletion request to affected data

The opt-out or request means nothing until it flows into systems and apps that process personal data: CRM, CDP, ad platforms, databases. THAT is what an integration is supposed to do. It is the mechanism that turns a privacy choice or request into a privacy outcome.

Consumer privacy regulations like the CCPA refer to this requirement as a flow-down obligation. In the context of deletion and opt-out requests, businesses must notify and/or update downstream vendors wherever relevant consumer data is processed.

Do this well and you scale; skip it, and incur the costs

Implement integrations correctly, and your program scales with software. Do it wrong (or not at all) and it scales with headcount, because somewhere a person is manually forwarding requests, logging into god knows how many consoles, and hoping nothing was missed.

One of our customers, a quick-service restaurant business north of $10B in revenue, automated 95% of its data subject request activity and now runs the entire program with half the operational staff it used to need. That is what real integration buys.

An integration that captures a choice but never carries it downstream is an unaddressed liability, sitting in a system you told a regulator you could control.

Five questions to ask your privacy software vendor or partner

Here are the five critical questions about integrations, and exactly why you must address each one. HubSpot, Segment, Snowflake, you name it: ask these questions about any integration that matters to you, and you'll quickly find out if your vendor's list of integrations is real or theatre.

  1. Who's actually building this integration?
  2. What does the integration do, and for which consumer privacy rights?
  3. How does the integration know who the person/consumer is?
  4. Can you prove that the integration actually did its job?
  5. Does the integration keep working?
  6. (Bonus) Can you give me an honest integration count?

1. Who's actually building this integration?

This is the first and most clarifying question, because when you trace it all the way through, the honest answer is rarely the vendor. It's you.

The spectrum of integration ownership

When a vendor says the word "integration" to you, there are a few things they might mean.

The vendor owns the connection end-to-end and you configure it with clicks. The vendor hands your engineers an API and a set of docs and wishes you luck.

The vendor "fires a webhook" when something happens (a polite way of saying it notifies your engineering team, and then your engineering team writes the code). The vendor's software triggers an email to a human being at the destination company and waiting for them to act.

Three of those four are you doing the work. Only the first is the vendor doing the work.

Webhooks and APIs: real flexibility, or passing the buck in disguise?

Be especially alert to the webhook and its respectable-looking cousin, "here's our API." 👀

Neither is a bad thing on its own. A webhook or an open API is exactly what you want when your own developers have a specific, custom case they've decided to build for, and want programmatic control on their own terms. That's an intentional choice your team makes because it serves a need only you can see.

The problem? Lots of systems and apps should not require a custom build. When your vendor says "we fire a webhook" or "we expose an API," that's vendor speak for: here are the parts, now you assemble. It sounds like a feature, but they're transferring the work and the liability to your team.

Let's use Facebook as an example. There is NO good reason you should have to write code to connect a privacy platform to Facebook. Facebook is a commodity destination that nearly every business needs, and building and maintaining an integration should be the privacy vendor's job.

Another common failure point: tag management system (TMS) integrations

Most privacy vendors will read the tags out of your tag manager (like GTM) and present them in a tidy interface for you to classify. That is genuinely useful, and almost every vendor can do it. But classifying a tag isn't the same as enforcing the rule.

In most products, after your privacy team finishes classifying, someone on your side still has to go into the tag manager and hand-build the consent trigger that actually gates the tag. The platform read your tags. It didn't write the rule back. That last step, the one that does the actual work, is yours, forever, every time a tag changes. If you're not sure how exposed you are here, a tracker and cookie scan will show you exactly what's firing without a corresponding enforcement rule.

Ask: "Walk me through the individual integration setup, step-by-step. If you have APIs and webhooks that's great, but it's not enough information for me to understand the integration setup LOE. To make this connection do its job, does someone on my side have to write and maintain code?"

2. What consumer privacy right(s) is this integration built for?

All consumer privacy rights are not created equal. Many vendors solve for the easy ones and obfuscate the harder ones.

Broadly, there are two categories of rights to worry about when it comes to integrating with your systems and apps.

The easy 80%: DSR requests (access and delete rights requests)

Access and deletion requests are the obvious reason to integrate with data systems. Pull the data, return it or delete it, confirm. Many vendors can do this for most systems. If a vendor is going to be good at anything, it will be this. So when a vendor's integration story leans heavily on access and delete, they are showing you the part of the test everyone passes.

The harder consumer right that no one tackles: consent opt-outs, specifically Do Not Sell/Share (DNS)

Do Not Sell/Share (DNS) and consumer opt-outs is the #1 most-enforced consumer privacy right today. (See Honda, Disney, and SlingTV for evidence, per California's official CCPA enforcement guidance.) Regulators require businesses to give consumers a frictionless, one-click right to opt-out of sell/share.

When we say "consent integration" we're talking about exactly this: complying with the right to opt-out. (As opposed to access/delete integrations, defined above.)

Most vendors define "consent integration" as blocking a tag in the browser. Consumer opts out of sell/share; brand stops firing associated tags/trackers. The problem? Blocking a tag from collecting future data does nothing about the consumer's data already sitting inside business systems.

Privacy regulations require you to reach into downstream data processing systems to stop processing that consumer's data. You cannot do that by blocking a script on your own website.

You do it with a server-to-server API call into the platform, using the identifier that platform knows the person by, that changes how the already-collected data is allowed to be used. That is a real consent integration. It is hard to build, and very few vendors do it.

Three signs of nonexistent consent orchestrations

When a vendor's consent integration story doesn't hold up, it usually falls into one of three patterns:

  • Tag blocking dressed up as orchestration. Stopping a script from firing gets rebranded as a full consent solution, even though it only affects future collection on that one device. Consider an advertising audience in Facebook. When a consumer opts-out of data collection, stopping the Facebook tag from firing on the website does nothing to affect their data already IN Facebook. You need to reach into the system.
  • A human in the loop, not an API. The vendor's software emails someone at the downstream company, often the privacy@ inbox, and waits for them to act. This is not a practical mechanism at scale, and it raises an obvious question: if the vendor can genuinely integrate, why route opt-outs to an email inbox? A bulk email solution is not software.
  • A consent string and nothing more. The most sophisticated dodge is telling you an industry consent framework covers your obligations. It doesn't, for two reasons. 1) Not every data system in your stack speaks that framework, so coverage is partial by construction. 2) A consent string is a notification the receiving system can choose to honor or ignore. A framework signal is a useful input. It is not the same as reaching into a system and effectuating purpose limitation. (For deeper comprehension on this, read our article on IAB framework limitations.)

Ask: "Show me, live, an opt-out request reaching one of my actual downstream systems through an API, using that system's own identifier, with no custom code, and show me the data actually change on the other side."

3. How does the integration know who the person is?

This is the question buyers almost never ask. It is the one that quietly kills more implementations than any other.

Most vendors assume email is the universal key. The whole integration model rests on the idea that you opt out [email protected] and the platform fans that email out to every connected system.

The problem is simple: many data systems do not rely on email to identify a person's data.

Your analytics tool knows a device ID. Your CDP knows an anonymous ID it generated. Your messaging platform knows its own internal ID.

None of these IDs is the email. If your privacy vendor centers consumer identity on email, you will never be successful in achieving comprehensive opt-out or deletion requirements.

The reason this matters so much is that nobody discovers the gap during the sales cycle. It surfaces months later, when the opt-out that looked like it worked turns out to have reached almost nothing, because the identifier never matched. Getting the right identifier is real work, and it has to happen at the moment consent is established, by capturing whatever identifiers are present on the page and tying them together.

When you stack up privacy vendors, you'll see three generalized answers to this challenge.

  • Worst case: the vendor simply cannot do it - email is the only identifier. Integrations will only work for the small slice of your users you happen to have an email for.
  • Better than nothing: the vendor will give your engineers an API to pass the identifier in, which means your team does the work of collecting and supplying it.
  • Best case: the vendor that does the work of picking up those identifiers itself, by configuration, so that every downstream call goes out keyed to the identifier each system actually understands.

Ask: "A consumer opts out and I need to suppress them in a system that uses a device ID, not an email. How does your platform get that device ID, and who does the work to connect it?"

4. Can you prove the integration actually did its job?

This is the requirement that regulators care about the most, and almost no one asks about.

Look closely at the enforcement record and a pattern jumps out. Targeted companies had something that looked like an opt-out mechanism. There was an opt-out webform. There was a banner. On the integrations page, the connection existed. What they could not produce was evidence that a specific person's choice actually changed what happened to their data downstream, and in plenty of cases the honest reason they could not produce it is that it never did.

That is the theater this whole piece is about, and proof is how it gets exposed. Without a downstream record, you cannot tell a real integration from a convincing imitation, and neither can a regulator. The missing proof is not a separate problem from the broken integration. It is the thing that lets a broken integration pass for a working one, right up until someone asks.

So an integration you cannot produce a record for is, for regulatory purposes, an integration that did not happen. The question is not whether the call goes out. It is whether, when a regulator or a plaintiff's attorney asks you to prove that this named person's opt-out reached this named system, you can answer.

Most platforms can show you a browser cookie with a timestamp. Almost none can show you the downstream API log: which identifier was sent to which system, whether the call succeeded, and if it failed, why. That log is the difference between a defense and a settlement.

Ask: "A regulator asks me to prove this specific person's opt-out reached this specific ad platform. Can you produce that record, with the identifier and the result of the call, in thirty seconds, without filing a support ticket?"

5. Does the integration keep working?

Integrations are not a one-time install. Unfortunately, there are many minor actions that can inadvertently cause an integration to stop working.

Destination systems change their APIs. You add a new tag. You republish a banner.

Any of these can quietly break a connection that worked perfectly on the day you went live. Some platforms even turn routine privacy operations into breakage by design, wiping stored preferences every time the configuration is republished, so that fixing a typo in your banner silently un-suppresses every person who had opted out.

The right question is not "does it work?" Any vendor can show you a demo that works. The right question is, "how do I know if it's still working next quarter?" Someone, or something, has to watch the connection and flag for issues.

Ask: "Six months from now, if this integration silently stops firing, how do I find out? Who monitors it, and do I get an alert, or do I get a fine?"

6. (Bonus) Can you give me an honest integration count?

Once you have the first five questions answered, it's time to revisit where we started this article: that impressive-looking list of all the integrations your vendor claims to have.

A vendor's total number of integrations is nearly always a blended number, quietly combining three very different things:

True, automated API connections that do the work for you. Integrations your own engineers have to build. "Direct contact" connections where the software emails a human at the vendor and waits, sometimes for a week or two, for them to act.

If your goal is scalable automation, only the first category counts. The other two are headcount and hope, wearing the costume of automation. When a vendor leans on the size of the number, that is the moment to make them decompose it.

Ask: "Of that total, how many are fully automated API connections, how many require my team to build something, and how many are 'you notify a human and wait'? Give me the breakdown for the specific systems in my stack, not the total."

Beware the demo that works too well

There is one more trap, and it is the one I most want buyers to internalize, because it is invisible by design.

The demo is theater. When you sit in a proof of concept and watch an opt-out flow beautifully into your CDP in real time, you are watching a result. You are not necessarily watching the product.

It is common, almost standard, for a vendor's sales engineer to hand-build a one-off bridge behind the scenes to make that moment land. A custom script. A bit of glue code. A manual step off-screen. The opt-out really does reach the system, live, in front of you, but none of it is the productized, configurable integration that ships to customers. You are being shown what is possible with the vendor's engineering effort, and you will be sold what is available with yours.

This is not always nefarious. Sometimes the SE is genuinely trying to show you the art of the possible. But the effect on your evaluation is the same either way. You see custom code do the work, and you hear "integration," and you connect the two, and you are wrong.

The defense is simple and you should use it every time. Ask, directly: "Is what I just saw the standard, configurable integration that every customer gets, or was anything built specifically for this demo?" Then ask to watch it set up from scratch, in the admin interface, by configuration, with no one touching code. Then ask for the answer in writing. A real integration survives all three. Theater does not.

The scorecard and questions you take into the room

The question A real integration Fake integrations, exposed
Who does the work? Vendor owns it, you configure with clicks You build it, or a webhook hands it to your engineers
What does it do? Server-to-server API that changes downstream processing Blocks a tag, passes a string, or emails a vendor
How does it know who? Vendor collects the system-native identifier for you Email only, or your engineers pass the ID
Can you prove it? Per-user downstream log: identifier, result, reason A browser cookie timestamp
Does it last? Monitored, with alerts when it drifts or breaks No monitoring, fails silently
Is the count honest? Automated API connections, named and verifiable A blended headline number

Take these questions into your next vendor conversation, verbatim. The quality of the answers will tell you more than any wall of logos.

  1. Walk me through setup for this integration. After my team configures it, does anyone on my side write code or log into the destination system to finish the job?
  2. When you say you "integrate" with this system, is that a real-time API connection, a webhook, or do you notify a human and wait?
  3. Show me, live, a consent opt-out reaching one of my actual downstream systems through an API, using that system's own identifier, with no custom code.
  4. A consumer opts out and I need to suppress them in a system that keys on a device ID, not an email. How does your platform get that identifier, and who does the work to connect it?
  5. A regulator asks me to prove this specific person's opt-out reached this specific platform. Can you produce that record, with the identifier and the result, in thirty seconds, without a support ticket?
  6. Six months from now, if this integration silently stops firing, how do I find out? Who monitors it, and do I get an alert?
  7. Of your total integration count, how many are fully automated API connections, how many require my team to build something, and how many are "you notify a human and wait"?
  8. Give me the breakdown for my stack. Is everything I just saw in this demo the standard, configurable product that every customer gets, or was anything built specifically for this demo? Put the answer in writing.
  9. For consent specifically, does your integration stop future collection only, or does it also instruct the downstream system to limit processing of data it already holds?
  10. If you rely on an industry consent framework, what happens for the systems in my stack that don't support it?

How we think about integrations at Ketch

I will be direct about this: the scorecard above is the one we built Ketch to pass.

Here's how we approach privacy integrations:

  • We do the integration work, by configuration rather than code.
  • We reach into downstream systems with real API calls that change how a person's data is processed, not just whether a tag fires.
  • We pick up the system-native identifiers at the moment consent is set, so the downstream calls actually match.
  • We keep a server-side, queryable record of what happened to each person across every system, so "prove it" has an answer.
  • We monitor connections continuously, so a broken integration becomes an alert instead of a discovery during enforcement.

None of that is the point of this piece. (Although we're happy to discuss it if you're interested.) The point is that you should demand all of it, from whoever you choose.

Integrations are where privacy programs are won or lost. They deserve more scrutiny than a grid of logos. Ask the questions, watch for the custom code, and make the vendor show you the work.

FAQs

This a sample accordion element needed for script above to work

  1. Who is actually building a privacy integration, the vendor or my team?
    It depends on the vendor. A real integration means the vendor owns the connection end-to-end and you configure it with clicks. If the vendor instead hands you an API, fires a webhook, or emails a human at the destination, your team is doing the engineering work, even though it still gets called an "integration."
  2. What is the difference between DSR integrations and consent opt-out integrations?
    DSR (access and deletion request) integrations pull or delete a person's data from a system on request, and most vendors handle these well. Consent opt-out integrations, especially Do Not Sell/Share, must reach into a downstream system with a server-to-server API call to stop processing data already collected, not just block a tag from firing in the browser. Very few vendors build true consent opt-out integrations.
  3. How does a privacy integration identify the right consumer in a downstream system?
    Systems identify people differently: analytics tools use device IDs, CDPs use anonymous IDs, messaging platforms use internal IDs. A privacy vendor that relies on email alone will fail to suppress consumers in systems that don't use email as an identifier. The best vendors capture system-native identifiers automatically at the moment consent is set.
  4. How can a company prove a privacy opt-out or deletion request actually reached a downstream system?
    A company needs a downstream API log showing which identifier was sent to which system, whether the call succeeded, and the reason if it failed. A browser cookie with a timestamp is not sufficient evidence for regulators; without a per-user downstream record, an integration cannot be verified as having worked.
  5. Why do privacy integrations stop working over time?
    Integrations break when destination systems change their APIs, when new tags are added, or when a consent banner is republished. Some platforms even wipe stored preferences on every republish. Without continuous monitoring and alerts, a broken integration can fail silently for months before anyone notices.
  6. Why does a vendor's total integration count matter?
    Vendors often blend three different things into one integration count: fully automated API connections, integrations customers must build themselves, and manual email-based processes. Only the first category represents true automation; the other two require ongoing engineering time or human labor.
Read time
6 min read
Published
July 8, 2026

Continue reading

Product, Privacy tech, Top articles

Advertising on Google? You must use a Google certified CMP

Sam Alexander
3 min read
Marketing, Privacy tech

3 major privacy challenges for retail & ecommerce brands

Colleen Barry
7 min read
Marketing, Privacy tech, Strategy

Navigating a cookieless future with Google Privacy Sandbox

Colleen Barry
7 min read

Ready to simplify your privacy compliance?
Get started.