A new forensic audit has revealed that tech giants such as Google, Meta, and Microsoft are systematically ignoring even legally defined privacy opt-out signals and tracking you anyway. It’s a big blow to consumer privacy.

According to the March 2026 California Privacy Audit conducted by webXray, 194 online advertising services are setting tracking cookies even after users explicitly invoke the Global Privacy Control (GPC).

GPC is a set of web technologies that can be used to inform websites that a user does not want their information sold or used by ad trackers. It’s intended to have legal force under privacy laws.

The research, led by Dr. Timothy Libert, a former lead of Google’s cookie policy, analyzed web traffic across thousands of popular websites in California.

The findings expose what researchers identify as industrial-scale non-compliance with the California Consumer Privacy Act, noting that 55% of audited sites set ad cookies despite user opt-outs.

It’s a legal minefield that puts users at risk, webXray, a privacy auditor, said.

As of now, GPC has legal authority in four states, and in California, GPC is a valid do-not-sell-my-personal-information signal as per the California Consumer Privacy Act, which stipulates that websites are legally required to respect a signal sent by users preferring to opt out of having their personal data sold.

In other words, when a user enables GPC, their browser sends a sec-gpc: 1 network request header, and under California law, businesses must honor this as a valid request to stop sharing personal data.

But they don’t, the audit has found. Google’s failure rate is a staggering 86%, for example.

The audit authors project a potential aggregate liability exposure of $5.8 billion across the industry.

When Google’s ad servers receive the sec-gpc: 1 signal, they routinely ignore it and respond with a command to create the two-year “IDE” advertising cookie.

Similar to Google, Microsoft’s tracking network also receives the GPC signal but – unconditionally – returns a one-year “MUID” tracking cookie to the consumer’s device.

Finally, Meta’s tracking pixel snippet contains no code whatsoever to check for the GPC signal: it works unconditionally, recording tracking events regardless of the user’s privacy settings.

“The CCPA gives every consumer the right to tell a business: stop selling or sharing my personal information. When a consumer sends a clear opt-out signal, cookies used for selling and sharing user data should not be set,” said webXray.

According to the auditor, the so-called “Cookie Banners” supposedly give users the option to exercise their legal rights. Google even certifies Consent Management Platforms (CMPs).

However, “no Google-certified CMP we evaluated works 100% of the time, and all of them are often found to fail to prevent Google from setting cookies despite globally standard opt-out signals being present,” webXray points out.

The Cybernews community is talking about this. Be a part of the conversation.

Are fines incoming? Well, ignoring the GPC is a punishable offense, and recent CCPA enforcement actions have indeed resulted in massive penalties for companies that fail to process opt-outs properly.

The audit authors project a potential aggregate liability exposure of $5.8 billion across the industry.

---

Unlock more exclusive Cybernews content on YouTube.