Palace Resorts — Documented of Privacy Non‑Compliance

Independent technical report • Published 13 Jul 2025

Executive Summary

An independent technical audit of Palace Resorts' U.S. digital properties reveals a pattern of non-compliance with multiple state and federal consumer privacy laws. Testing confirms that the company loads advertising trackers from major ad-tech firms before user consent is possible and ignores legally-recognized browser opt-out signals, in direct violation of the California Privacy Rights Act (CPRA).

The company's California privacy notice (last updated 01 Oct 2022) claims users can opt out by e‑mail, yet provides no "Do Not Sell or Share" link, no "Limit Sensitive Personal Information" link, and only a single e‑mail address for data‑subject requests—all contrary to CPRA regulations.

Compliance Gap Matrix

RequirementLegal StandardObserved at PalaceEvidence
No tracking before consentCPRA Regs §7027; CO CPA Rule 6Ad cookies (TikTok, DoubleClick, Rubicon) set on first load
Honor Global Privacy ControlCPRA Regs §7026; CO CPA Rule 8GPC ignored; same trackers fire
"Do Not Sell or Share" linkCPRA §1798.135Absent; notice instructs e‑mail instead
Limit use of Sensitive PICPRA §1798.121No SPI category or limit link providedSame CA notice
Multiple DSAR methodsCPRA §1798.130(a)(1)E‑mail only; no form / phone

Raw Evidence Files

Evidence captured in Chrome v124, UTC timestamps embedded; see hash file for integrity verification.
The raw data above captures network activity, provided for technical verification. A HAR (HTTP Archive) file is a log of how a browser interacts with a site, showing every tracker that loads and every piece of data requested.

Analysis of Key Violations

1. Systemic Non‑Compliance with the California Privacy Rights Act (CPRA)

Our audit identifies three direct breaches of the CPRA:

  • No "Do Not Sell or Share My Personal Information" link anywhere on the site.
  • No link allowing consumers to limit the use of Sensitive Personal Information.
  • Only a single e‑mail address for data‑subject requests, rather than theinteractive web form + one additional channel required by §1798.130.

Violations may subject Palace Resorts to administrative penalties (up to $7,500 per intentional violation under CPRA).

2. Deceptive Cookie & Vendor Disclosures (CO CPA, CT DPA, FTC)

Palace Resorts' cookie notice omits major ad‑tech partners that load on every visit (doubleclick.net, tiktok.com, mouseflow.com, and more). Colorado's CPA Rule 6 and Connecticut's Gen. Stat. §42‑520 mandate thatall third‑party targeting vendors be disclosed and subject to an opt‑out. Failing to list them is likely deceptive under both state law and the FTC Act §5.

3. Unenforceable and Contradictory Terms of Use

Palace Resorts' Website Terms cite two mutually exclusive "exclusive jurisdiction" clauses (Miami, Florida and Mérida, Mexico), rendering the provision likely unenforceable and creating uncertainty for consumers. Coupled with at least seven overlapping privacy notices, this inconsistency points to a broader lack of legal diligence.

Frequently Asked Questions

Formal Notice to Regulators

A copy of this technical audit and all supporting raw evidence files has been submitted to the following consumer protection and data privacy enforcement agencies:

  • The California Privacy Protection Agency (CPPA)
  • The California Office of the Attorney General
  • The Colorado Office of the Attorney General
  • The Florida Department of Agriculture & Consumer Services
  • The U.S. Federal Trade Commission

Take Action

File your own complaint with the CPPA

This report reflects our good‑faith technical analysis based on captures taken 13 July 2025. If you believe any statement is inaccurate, please contact us.