Audit reveals Google, Meta and Microsoft track you after opt-out

When California users tell websites to stop tracking them, Google ignores that request 86% of the time. That is the key takeaway from a forensic audit conducted by webXray, a non-profit organisation monitoring privacy, in March 2026.

The group analysed web traffic on many of the most popular sites online and discovered that 194 advertising services were deploying tracking cookies even after the user had opted out using their right.

The Global Privacy Control (GPC) is a user signal sent through browsers informing websites that a user is unwilling to have his or her personal data sold or used for advertisement purposes. This is legally binding in California.

Under the California Consumer Privacy Act (CCPA), businesses are required by law to honour it as a valid do-not-sell request the moment a user's browser sends the sec-gpc:1 header.

There are currently four US states where GPC enjoys statutory authority. Not abiding by it in the state of California is not just a policy mistake; it is now a punishable offence under CCPA regulations. The latest CCPA violations have led to stiff penalties being handed out to companies.

The findings of the audit conducted by Dr Timothy Libert, who once headed Google’s cookie policy, identify three separate patterns of GPC non-compliance.

When Google's ad servers receive the GPC signal, they routinely disregard it and respond by creating a two-year IDE advertising cookie on the user's device. Microsoft's tracking network receives the same signal and unconditionally returns a one-year MUID cookie regardless.

Meta's tracking pixel contains no code to check for GPC at all. It fires unconditionally, recording tracking events irrespective of whatever privacy settings a user has enabled.

WebXray also found that no Google-certified Consent Management Platform it evaluated works correctly 100% of the time, meaning even the industry's own compliance infrastructure is failing at its stated purpose.

The audit's authors calculate a potential aggregate liability exposure of $5.8 billion across the 194 non-compliant advertising services identified.

That figure is based on existing CCPA penalty structures applied to the scale of violations documented, and it represents a significant legal risk for companies that have so far treated GPC compliance as optional.

55% of all audited California websites were found setting advertising cookies despite active user opt-outs.