
Vietnam's Corporate Websites and the Consent Gap - Executive Summary

May 29, 2026 · 12 minute read


What a scan of 500 major Vietnamese company sites reveals about cookies, beacons, and PDPL risk.


This is a summary document. For the complete methodology, full data tables, sector-by-sector analysis, legal framework detail, and compliance architecture guidance, read the full report.

Read the full technical report →

TL;DR

We scanned 500 major Vietnamese company websites. Of the 340 that resolved and returned usable data, 244 were flagged high risk. Google, Meta, and YouTube infrastructure was loading on the majority of sites, in most cases before any consent choice was made. Vietnam's Personal Data Protection Law and Decree 356 have been in force since 1 January 2026. The gap between what these websites claim in their privacy policies and what their browsers are actually doing is now a legal exposure. The practical response is not a longer privacy policy. It is bringing the website under technical, legal, and operational control, and being able to prove it.

A cookie banner is not compliance if the browser has already called Google, Meta, or YouTube before the user had a real choice.

VIETNAM WEBSITE PRIVACY SCAN LIGHT 2026

What We Found

Most major Vietnamese company websites are quietly running as third-party data environments. The visitor sees a corporate page. The browser tells a different story.

We scanned 500 major Vietnamese company websites. Not all domains resolved or returned usable data, so the final analyzable set was 340 sites. The pattern across those 340 was consistent enough to be called systemic.

  • 244 of 340 sites flagged high risk (71.8%)
  • 273 loaded tracking beacons (80.3%)
  • 203 loaded third-party cookies (59.7%)
  • Only 63 had neither (18.5%)

This is not an outlier problem caused by a handful of heavily tagged sites. The median site loaded 2 third-party cookies and 4 beacons. The issue is broad, recurring, and largely ungoverned.

The practical response is scan, classify, block, document, and prove.

What Is Actually Loading On Your Website

Most companies believe they run a corporate website. The browser often shows something closer to a third-party data supply chain.

In this scan, a beacon is any network call the visitor's browser makes to an external server while the page loads: before the user has clicked anything, before a banner has appeared, before any choice has been made. The beacon ecosystem was heavily concentrated around a small number of global platforms.

Google Tag Manager appeared on 65% of the 340 resolved sites. GTM is widely described as a tag container, but it is not neutral from a compliance perspective. Loading GTM means the visitor's browser contacts Google-controlled infrastructure to retrieve the container script. That initial call can already disclose IP address, device data, browser metadata, timestamp, and referring page; before any downstream tag logic runs, before any consent banner is shown.

The same pattern runs through the rest of the top ten. Google Analytics endpoints on 37% of sites. DoubleClick and Google Ad Services pointing to advertising and conversion infrastructure. Meta and Facebook endpoints on over 26% of sites. YouTube on nearly 12%. Google Maps on 9.4%.

These are not exotic tools. They are the standard corporate website toolkit. And in most cases they were running without the governance Vietnam's new data-regulation environment now requires.

[Figure: Google, Meta and embedded services dominate the beacon layer]

The Cookie Story and the YouTube Blind Spot

The cookie data tells the same story, but with one finding that consistently surprises business leaders.

The _ga cookie (Google Analytics) appeared on 28.2% of sites. The _fbp cookie (Meta Pixel) on 19.1%. Those are expected. Most companies at least know those tools exist on their sites, even if they have not governed them properly.

The finding that lands differently is YouTube. YouTube-associated cookies appeared on up to 15% of scanned sites. Not because those companies were running YouTube advertising campaigns. Because they embedded a corporate video on their homepage or product page.

A financial services company embeds a 90-second brand video on its about page. A manufacturer puts a product walkthrough on its homepage. A real estate developer adds a development flythrough to a campaign landing page. In each case, the company believes it is showing content. The browser may also be loading YouTube cookies and making calls to Google infrastructure from the moment the page loads, regardless of whether the visitor ever presses play.

This is the embedded content blind spot. It is one of the most common and least-governed sources of third-party tracking on Vietnamese corporate websites. Almost no company has it on their compliance inventory. Almost every company with a YouTube embed has the exposure.

[Figure: Analytics, Meta Pixel and YouTube cookies are the recurring pattern]

Your Sector, Your Exposure

The scan does not name companies. But the patterns are sector-specific. The risk profile depends on what your website does, what your visitors reveal when they use it, and what the third-party tools on your site do with those signals. There is no low-risk sector. There are only different types of exposure.

Banking & finance: Product journeys (loan calculators, card applications, branch locators, investor pages) generate behavioral signals that indicate financial intent. A visitor researching mortgage products or business financing is revealing something meaningful about their circumstances. If those signals are shared with third-party advertising or analytics systems before valid consent is obtained, the issue is not cookie compliance. It is a trust, governance, and regulatory-risk issue that sits alongside the sector's existing data-governance obligations.

Insurance: Quote flows and lead-generation funnels capture health and financial intent signals before a single form field is completed. A visitor exploring life insurance or health cover is revealing personal circumstances through their browsing behavior alone. Meta Pixel and remarketing tags on these pages need strict consent controls and clear vendor disclosure. The commercial value of these tools is obvious. So is the compliance exposure.

Retail & e-commerce: The most aggressive tag users in the scan. Purchase behavior, lifestyle signals, family patterns, and health-related browsing can combine with persistent advertising identifiers to create detailed behavioral profiles. Each campaign page may add new pixels without any compliance review. Retailers should treat every campaign launch as a privacy event, not only a creative one.

Telecom: Large-scale user data surfaces intersecting with infrastructure-level data governance expectations. Even a public-facing product or service page can reveal device preferences, broadband needs, or enterprise connectivity interest. Where telecom websites use third-party analytics, advertising networks, or campaign tracking, those technologies should be assessed against a higher governance standard, one that reflects the sector's position within Vietnam's broader digital infrastructure.

Aviation & travel: Destination interest, travel timing, and mobility patterns are sensitive in context. A website visit can reveal cross-border movement intent, family travel behavior, or business travel patterns. Heavy remarketing stacks on booking flows and campaign pages need cross-border transfer assessment given the international vendor infrastructure involved. The more international the customer journey, the more important the transfer governance becomes.

Consumer brands: Social embeds, video content, contests, and loyalty programs are all tracking surfaces. The risk increases where campaigns involve children, families, health-related products, or lifestyle segmentation. Consumer brands should treat marketing campaigns as privacy events. The creative launch is visible. The data flow behind it is not, until it becomes a compliance problem.

[Figure: The issue cuts across Vietnamese industries]

The Legal Environment Changed. Most Websites Did Not.

Vietnam's Personal Data Protection Law and Decree 356 took effect on 1 January 2026. The Data Law took effect on 1 July 2025. The legal environment has changed. Most corporate websites have not.

The PDPL and Decree 356 do not ask whether the marketing team configured the tags correctly. They ask whether the company can prove that every data flow on its website is lawful, disclosed, and documented. That is a materially different standard from having a privacy policy and a banner. A privacy policy describes intentions. A website scan reveals behavior. An audit trail proves control.

The penalty framework reflects how seriously the law treats this:

  • Up to 5% of prior year revenue for violations involving cross-border transfer of personal data.
  • Up to VND 3 billion for other violations.
  • Up to 10x unlawful gains for buying or selling personal data.

When a site loads Google Tag Manager, Google Analytics, Meta Pixel, YouTube embeds, or DoubleClick, those are connections to foreign-controlled infrastructure. They may create cross-border transfer exposure depending on the data flow and implementation. Each connection should be assessed, documented, and controlled.

At 5% of prior year revenue, this is no longer a marketing configuration question. It is a financial risk question. And it is one the browser makes visible to anyone who looks.

The Gap Between the Banner and Compliance

A banner is a user interface component. Compliance is a governed processing model. The two are not the same thing.

The three failures that matter most:

Trackers load before the choice is made. This is the core technical failure and the most common one found in the scan. Many websites display a consent banner while analytics, advertising, and tag-management scripts have already fired. Consider a financial services site with Meta Pixel active on its loan calculator page. The visitor arrives. The pixel fires. Their browsing behavior (the financial product they are researching, how long they spent on the page, whether they started and abandoned a form) has already been disclosed to Meta's advertising infrastructure. The banner appears 800 milliseconds later. It cannot change what already happened. Consent cannot repair a third-party transfer that has already taken place.

There is no audit trail. A banner without a record is not defensible compliance. If a company is ever challenged, it needs to be able to show which banner version was displayed, which vendors and purposes were disclosed at that time, what the user selected, when they selected it, and which tags were allowed or blocked as a result. Without that record, the company may have a banner but no evidence that the banner ever controlled the technology. A banner asks for consent. An audit trail proves whether consent controlled the technology.

Withdrawal is harder than acceptance. If a visitor can accept all tracking in one click but must navigate a privacy policy, a footer link, or a hidden preference center to withdraw, the consent model is structurally unfair, and structurally weak. Withdrawal should be as easy as acceptance. And it should actually stop the processing. Not update a preference screen. Not fire a tag that records the preference. Actually stop the non-essential technology from loading on the next visit.

Five Questions Your Website Should Be Able to Answer Today

The regulator does not announce audits. All it takes to see what a site is loading is a browser tab and 30 seconds: open a fresh private window, open the developer tools Network panel before navigating to the page, and watch which third-party hosts are contacted before the banner is dismissed. Any visitor, journalist, regulator, or competitor can run the same check at any time, on any page, without the company knowing. The question is not whether the website will be looked at. The question is whether the company finds the answers first, or someone else does.

If your website were audited today, could your team answer these five questions right now?

  1. What loaded on your homepage this morning?
  2. Which vendors received your visitor’s data?
  3. Did any of that data leave Vietnam?
  4. What did your visitors actually consent to?
  5. Where is the evidence?

If the answer to any of these five questions is "I don't know," the exposure is already there. 

The practical response is not a longer privacy policy. It is bringing the website under technical, legal, and operational control, and building the evidence to prove it.

The Five-Step Model

This is the practical model for moving from unmanaged website tracking to accountable compliance. It is not complicated in principle. It does require being done seriously and maintained over time, because website stacks change constantly. Marketing teams add tags. Agencies add pixels. Developers install plugins. Each change can create a new data flow.

[Figure: Flow from website scan to PDPL evidence trail]

Scan: identify every cookie, beacon, pixel, script, embed, and tag across all page templates. Not just the homepage. Campaign pages, product pages, lead-generation forms, booking flows, branch locators, and embedded video pages all need to be included. The goal is to know what the visitor's browser actually loads — not what the privacy policy claims it loads.

Classify: separate necessary, analytics, marketing, embedded media, maps, social, and functional third-party services. Each category needs its own consent and legal-basis assessment. A session cookie and a YouTube embed are not the same category. A Google Maps branch locator and a Meta remarketing pixel are not the same category. The classification drives everything that follows.

Block: non-essential technologies must not load before valid consent is obtained. This is the single most important technical control in the entire model. The tag layer must follow the user's choice, not run ahead of it. A consent banner that appears after the scripts have already fired is not a control. It is a notification.

Document: record the vendor, purpose, legal basis, data categories, cross-border implications, and contract terms for every processing activity the website creates. This inventory should not sit only with the marketing team. It should be visible to legal, compliance, IT security, and vendor-risk owners. And it should be updated every time the website stack changes.

Prove: maintain consent records and an immutable audit trail that shows what the user was shown, what they selected, when they selected it, and which tags were allowed or blocked as a result. This is the evidence layer. Without it, the organization may be able to describe its compliance model but not demonstrate it. A banner asks for consent. An audit trail proves whether consent controlled the technology.
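The Scan and Classify steps, and the first three of the five questions above, come down to one comparison: which third-party hosts and cookies appeared, and whether they appeared before or after the visitor's choice. The following is an added example of that comparison, not code from the report or from a scanner AesirX ships. The request log and cookie list are constructed to look like a HAR export trimmed to the fields used here, `example.com.vn` and the tag ids are placeholders, and the host rules are the vendor domains the report's top ten names. The cookie rules match by name as well as by domain, because `_ga` and `_fbp` are written on the site's own domain by the vendor's script and a domain-only filter would miss them.

```javascript
// Added example, not from the report: classify what a page loaded and when,
// relative to the consent click. Sample capture below is constructed.
const HOST_RULES = [
  ["googletagmanager.com", "Google",  "tag_manager"],
  ["google-analytics.com", "Google",  "analytics"],
  ["analytics.google.com", "Google",  "analytics"],
  ["doubleclick.net",      "Google",  "advertising"],
  ["googleadservices.com", "Google",  "advertising"],
  ["facebook.net",         "Meta",    "marketing"],
  ["facebook.com",         "Meta",    "marketing"],
  ["youtube.com",          "YouTube", "embedded_media"],
  ["ytimg.com",            "YouTube", "embedded_media"],
  ["maps.googleapis.com",  "Google",  "maps"],
];

// Tracker cookies that live on the site's own domain but belong to a vendor.
const COOKIE_RULES = [
  [/^_ga/, "Google", "analytics"],                      // _ga and _ga_<id>
  [/^_fbp$/, "Meta", "marketing"],
  [/^(YSC|VISITOR_INFO1_LIVE)$/, "YouTube", "embedded_media"],
];

const underHost = (host, suffix) => host === suffix || host.endsWith("." + suffix);

// null for first-party requests, otherwise vendor and category of the host.
function classifyUrl(url, siteHost) {
  const host = new URL(url).hostname;
  if (underHost(host, siteHost)) return null;
  const rule = HOST_RULES.find(([suffix]) => underHost(host, suffix));
  return rule ? { host, vendor: rule[1], category: rule[2] }
              : { host, vendor: "unknown", category: "other_third_party" };
}

// null for a plain first-party cookie, otherwise the cookie with its owner.
function classifyCookie(cookie, siteHost) {
  const rule = COOKIE_RULES.find(([re]) => re.test(cookie.name));
  if (rule) return { ...cookie, vendor: rule[1], category: rule[2] };
  if (!underHost(cookie.domain.replace(/^\./, ""), siteHost)) {
    return { ...cookie, vendor: "unknown", category: "other_third_party" };
  }
  return null;
}

// consentAtMs: when the visitor made a choice; null means no choice was ever
// offered, so every third-party call counts as pre-consent.
function scan({ requests, cookies }, siteHost, consentAtMs) {
  const before = (t) => consentAtMs === null || t < consentAtMs;
  const report = { preConsentCalls: [], preConsentCookies: [], vendors: {} };
  for (const r of requests) {
    const c = classifyUrl(r.url, siteHost);
    if (!c) continue;
    report.vendors[c.vendor] = (report.vendors[c.vendor] || 0) + 1;
    if (before(r.t)) report.preConsentCalls.push({ ...c, url: r.url, t: r.t });
  }
  for (const k of cookies) {
    const c = classifyCookie(k, siteHost);
    if (c && before(k.setAt)) report.preConsentCookies.push(c);
  }
  // Anything that reached a vendor before the choice is a high-risk finding,
  // whatever the banner said afterwards.
  report.risk = report.preConsentCalls.length || report.preConsentCookies.length ? "high" : "low";
  return report;
}

// Constructed capture: tags fire during load, the banner appears at about
// 800 ms, the visitor clicks accept at 4200 ms. Times are ms since navigation.
const SAMPLE = {
  requests: [
    { t: 120,  url: "https://www.example.com.vn/" },
    { t: 310,  url: "https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE" },
    { t: 540,  url: "https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE" },
    { t: 560,  url: "https://connect.facebook.net/en_US/fbevents.js" },
    { t: 700,  url: "https://www.facebook.com/tr/?id=EXAMPLE&ev=PageView" },
    { t: 820,  url: "https://www.youtube.com/embed/EXAMPLE_ID" }, // never played
    { t: 4300, url: "https://www.example.com.vn/api/consent" },
  ],
  cookies: [
    { name: "PHPSESSID", domain: "www.example.com.vn", setAt: 130 },
    { name: "_ga",       domain: ".example.com.vn",    setAt: 550 },
    { name: "_fbp",      domain: ".example.com.vn",    setAt: 710 },
    { name: "YSC",       domain: ".youtube.com",       setAt: 830 },
  ],
};

const REPORT = scan(SAMPLE, "example.com.vn", 4200);
console.log(JSON.stringify(REPORT, null, 2));
```

Run against a real capture, the same function answers the first two questions directly (what loaded, which vendors received data) and gives the input for the third: every entry in `preConsentCalls` is a connection to a foreign-hosted endpoint that needs a transfer assessment. Re-running it on every template after each campaign launch is the cheap way to keep the Document step current.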

What Companies In Vietnam Should Do Now

The most important finding from this scan is not that Google, Meta, and YouTube are common on Vietnamese corporate websites. That was expected. The important finding is that they remain so prevalent across major corporate sites without the level of governance Vietnam's new data-regulation environment now demands.

That is the gap this report is named for. Not a technology gap. A governance gap.

The website may look first-party to the visitor. The browser often reveals a much wider third-party data supply chain. What loads on the page now matters as much as what is written in the privacy policy, because the browser is an audit surface, and anyone can read it.

The companies that act now are better positioned. Not because enforcement is certain tomorrow, but because the website is the easiest part of a company's data environment to test, and the one most organizations have governed the least. The companies that ignore it may discover too late that the gap between what their privacy policy claimed and what their browser was doing became the evidence used against them.

Do not claim compliance from the privacy policy. Prove it from the browser.

Your website is auditable by anyone, right now, in under two minutes.

Read the full technical report HERE →

The complete 40-page analysis including full methodology, sector breakdowns, legal framework detail, and compliance architecture guidance.

Scan your own website HERE →

Run a free scan to see what is actually loading on your site: cookies, beacons, third-party calls, and risk classification.

Ronni K. Gothard Christiansen
Technical Privacy Engineer & CEO, AesirX.io

Laws and instruments referenced

  • Luật Bảo vệ dữ liệu cá nhân (PDPL): Vietnam Personal Data Protection Law, Law No. 91/2025/QH15, issued 26 June 2025, effective 1 January 2026.
  • Nghị định 356/2025/NĐ-CP: Decree detailing and guiding implementation of the Personal Data Protection Law, issued 31 December 2025, effective 1 January 2026.
  • Luật Dữ liệu: Vietnam Data Law, Law No. 60/2024/QH15, issued 30 November 2024, effective 1 July 2025.
  • Nghị định 165/2025/NĐ-CP: Decree detailing and guiding implementation of the Data Law, issued 30 June 2025, effective 1 July 2025.
  • Sector-specific rules and supervisory expectations: Relevant sector overlays may apply depending on the organization, including banking, insurance, telecom, aviation, retail, logistics, and other regulated or high-data-volume sectors.

Disclaimer

This article is for informational purposes only and does not constitute legal advice. It is based on a technical scan of resolved and analyzable website behavior and a compliance interpretation of the legal instruments referenced above. The scan results should not be treated as a final legal determination of any individual company’s compliance status.

Organizations should obtain qualified legal advice before making regulatory filings, cross-border transfer assessments, data-classification decisions, or enforcement-risk conclusions. AesirX ComplianceOne and Forseti can support compliance work, evidence management, regulatory mapping, and audit preparation, but they do not replace qualified legal counsel or human review and approval of compliance evidence, assessments, and filings.
