What Happens After You Click “Reject All” on Pharmacy Websites?

Healthcare organisations are entrusted with some of the most sensitive information people can share. Whether researching medication, managing a chronic condition, or seeking advice on mental health, fertility, or sexual health, users rightly expect their privacy choices to be respected.

But do pharmacy websites actually honour those choices?

To answer that question, I recently collaborated with Ghostery on a new research study examining consent compliance across online pharmacy websites in Europe and the United States.

The study evaluated whether pharmacy websites continued loading analytics, advertising, and tracking technologies after users had explicitly opted out. For European websites, this meant selecting “Reject All” on consent banners. For US websites, it meant expressing an opt-out preference using the Global Privacy Control (GPC) signal.

Why This Matters

Unlike many sectors, pharmacy websites often sit at the intersection of healthcare, e-commerce, and digital advertising. A user’s browsing activity may reveal information about medical conditions, treatments, fertility concerns, mental health interests, or other highly sensitive topics.

Regulators have already demonstrated a growing willingness to investigate how health-related data is handled online. Recent enforcement actions involving healthcare organisations and pharmacy operators show that privacy compliance is increasingly becoming a technical issue, not merely a legal one.

The question is therefore not whether a website displays a privacy banner, but whether the website’s technical behaviour actually reflects the user’s choice.

How The Study Was Conducted

Using the Verified CONSENT audit platform, we tested twenty pharmacy websites across Europe, the UK, and the United States.

Each website was subjected to an automated audit that:

• Simulated a user rejecting tracking or expressing an opt-out preference
• Navigated multiple pages and interactive elements
• Monitored cookies, trackers, and network requests
• Assessed whether tracking technologies continued operating after the opt-out was expressed

The goal was simple: measure actual behaviour rather than stated privacy policies.

Download the Full Report

Download the whitepaper to see the full results, methodology and compliance rankings. (No registration required).

Pharmacy Consent Study Report

What Surprised Me Most

The consent failures themselves were not the most surprising finding.

Over the years, I have audited hundreds of websites across multiple industries. I have learned that privacy failures are often the result of technical complexity rather than malicious intent. Modern websites rely on sprawling ecosystems of analytics platforms, advertising technologies, consent management tools, tag managers, and third-party scripts. Problems occur.

What surprised me was something else entirely.

Before publishing the findings, every organisation included in the study was contacted privately. They were provided with technical evidence, audit reports, and an opportunity to discuss the methodology and findings. The objective was not to publicly criticise organisations, but to give them an opportunity to investigate, remediate issues, and contribute to a constructive discussion.

Some organisations acknowledged receipt of the information.

None substantively engaged with it.

No organisation challenged the methodology. No organisation disputed the findings. No organisation entered into a meaningful discussion about the privacy implications or the technical causes of the issues identified.

For me, that was the most concerning result of the study.

A Question of Trust

Healthcare is built on trust.

Patients trust pharmacies to dispense the correct medication, provide accurate information, and handle sensitive health data responsibly. That trust should extend to digital experiences as well.

When someone visits a pharmacy website, they may be researching fertility treatments, mental health support, addiction services, chronic illnesses, or other deeply personal topics. If they explicitly choose not to be tracked, that choice should be respected.

Equally, if evidence suggests that choice is not being respected, users should be able to expect organisations to take the issue seriously.

The lack of engagement raises uncomfortable questions.

Have privacy controls become little more than compliance theatre for some organisations? Are consent banners being deployed to satisfy legal requirements without sufficient attention being paid to whether they actually work? And when problems are identified, are organisations sufficiently motivated to investigate and resolve them?

The absence of meaningful engagement suggests that consent compliance may be receiving less organisational attention than the sensitivity of the underlying data demands.

The Bigger Issue

This study is not ultimately about cookies, trackers, or consent banners.

It is about whether organisations respect the choices users make.

A privacy preference has little value if it is not technically enforced. A consent banner has little value if nobody verifies that it works. And privacy policies offer limited reassurance if organisations are unwilling to engage when evidence suggests those commitments are not being met.

The pharmacy sector occupies a uniquely sensitive position. People often visit these websites at moments when they are vulnerable, concerned, or seeking answers about their health.

Those users deserve more than symbolic privacy controls.

They deserve confidence that when they say “no”, the technology behind the website listens.

That is the standard we should expect from organisations operating in healthcare. And based on the findings of this study, there is still considerable work to do.

Download the Full Report

Download the whitepaper to see the full results, methodology and compliance rankings. (No registration required).

Pharmacy Consent Study Report