GBHackers

Google, Microsoft, Meta Accused of Tracking Users Even After Privacy Opt-Out


A recent independent audit conducted by privacy technology firm webXray has revealed that major technology companies, including Google, Microsoft, and Meta, are actively tracking users who have explicitly opted out of data sharing.

The findings suggest widespread, industrial-scale non-compliance with the California Consumer Privacy Act (CCPA), potentially exposing these corporations and website publishers to billions of dollars in legal liability.

The investigation found that 55% of the evaluated websites continued to set advertising cookies even after users activated privacy protections.

Furthermore, cookie choice banners that are certified by Google consistently failed to prevent the company from setting trackers following a user’s opt-out request.

According to the California Privacy Audit report, 194 online advertising services are currently ignoring globally standard opt-out signals endorsed by regulators.

The Technical Mechanics of Opt-Out Failures

The audit, led by former Google cookie policy lead Dr. Timothy Libert, highlights specific technical failures across the advertising networks of these tech giants.

| Technology Company | Opt-Out Failure Rate | Number of Ads Cookies Set Despite Opt-Out | Estimated Average Fine Per Violation | Total Potential Aggregate Liability | Past Privacy Fines Paid to Date |
|---|---|---|---|---|---|
| Google | 86% – 87% | 11,021 | $1,387,617 | $5.8 Billion (Total estimate across all 4,170 audited sites) | $2.318 Billion |
| Microsoft | 50% | 7,550 | $1,387,617 | $5.8 Billion (Total estimate across all 4,170 audited sites) | $390 Million |
| Meta | 69% | 1,293 | $1,387,617 | $5.8 Billion (Total estimate across all 4,170 audited sites) | $9.304 Billion |

Instead of honoring the Global Privacy Control (GPC) signal, these platforms continue to deploy long-term tracking cookies.

[Figure: Google’s Opt-Out Failure (Source: GPA)]

  • Google’s Tracking Mechanism: When a browser sends the “sec-gpc: 1” opt-out signal to Google’s servers, the company experiences an 87% failure rate in honoring the request. Rather than blocking trackers, Google’s network responds with a command to set the “IDE” advertising cookie, which follows users across Google’s ad network for two years.
  • Microsoft’s Ad Network: Microsoft demonstrates a 50% opt-out failure rate. Similar to Google, when Microsoft receives the GPC signal, its servers deploy the “MUID” (Microsoft User Identifier) cookie on the Bing domain, tracking users across the web for one year.
  • Meta’s Pixel Vulnerability: Meta’s tracking pixel experiences a 69% failure rate. Forensic analysis shows that the JavaScript code Meta instructs publishers to install lacks any mechanism to check for the “navigator.globalPrivacyControl” signal. Consequently, the pixel loads unconditionally, firing tracking events regardless of consumer preferences.

Proposed Technical Solutions and CMP Flaws

The webXray report emphasizes that remediation requires minimal technical effort. For Google and Microsoft, ad servers receiving the GPC signal could simply return a “451 Unavailable For Legal Reasons” status code, ensuring no cookies are set.

For Meta, adding just two lines of conditional code to check for the GPC signal would prevent the pixel from executing when users opt out.
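
The two remediations described above, sketched as an added example (not code from webXray, Google, Microsoft or Meta): a server-side gate that answers 451 with no cookies when the GPC header is present, a client-side guard on navigator.globalPrivacyControl, and a check that flags ad cookies in a response to an opted-out request. All function names and the sample endpoint are constructed for illustration.

```javascript
// Added example: names and sample data are constructed, not vendor code.
const AD_COOKIES = new Set(["IDE", "MUID"]); // cookie names cited in the article

// True when the request carries the GPC opt-out header (Sec-GPC: 1).
function hasGpcOptOut(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Server side: wrap an ad endpoint so opted-out requests get 451 and no cookies.
function gpcGate(handler) {
  return (req) =>
    hasGpcOptOut(req.headers)
      ? { status: 451, headers: {}, body: "Unavailable For Legal Reasons" }
      : handler(req);
}

// Client side: the conditional a tag loader needs before firing a pixel.
function shouldLoadPixel(nav) {
  return !(nav && nav.globalPrivacyControl === true);
}

// Audit side: ad cookies set in a response to an opted-out request.
function cookiesSetDespiteOptOut(reqHeaders, resHeaders) {
  if (!hasGpcOptOut(reqHeaders)) return [];
  const key = Object.keys(resHeaders).find((k) => k.toLowerCase() === "set-cookie");
  const values = key ? [].concat(resHeaders[key]) : [];
  return values.map((c) => c.split("=")[0].trim()).filter((n) => AD_COOKIES.has(n));
}

// Constructed ad endpoint that always sets a two-year advertising cookie.
const ungatedAdEndpoint = () => ({
  status: 200,
  headers: { "Set-Cookie": ["IDE=constructed-id; Max-Age=63072000; Secure; SameSite=None"] },
  body: "",
});

const optedOut = { headers: { "Sec-GPC": "1" } };
const before = ungatedAdEndpoint(optedOut);
const after = gpcGate(ungatedAdEndpoint)(optedOut);
console.log(cookiesSetDespiteOptOut(optedOut.headers, before.headers)); // [ 'IDE' ]
console.log(after.status, cookiesSetDespiteOptOut(optedOut.headers, after.headers)); // 451 []
console.log(shouldLoadPixel({ globalPrivacyControl: true })); // false
```

The audit function can be pointed at request/response header pairs from a proxy capture or HAR export to verify that a CMP or tag configuration actually suppresses ad cookies after opt-out.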

The audit also exposed critical flaws in Consent Management Platforms (CMPs). Across the 11 CMP vendors evaluated, researchers found a 100% failure rate in completely blocking ad cookies after an opt-out.

This highlights a concerning reality where privacy tools designed to protect consumers are effectively allowing third-party tracking to bypass user consent.

The failure to respect consumer privacy choices carries severe financial consequences under California law.

The California Attorney General has explicitly endorsed the GPC as a valid consumer request to stop the sharing of personal information. Previous enforcement actions demonstrate the state’s willingness to penalize non-compliance.

For instance, Sephora was fined $1.2 million in 2022 for ignoring GPC signals, while Disney paid a record $2.75 million settlement in 2025.

By analyzing public enforcement actions, webXray calculated an average fine of nearly $1.4 million per violation.

When multiplied by the thousands of California-popular websites identified in the audit that set advertising cookies despite opt-out signals, the potential aggregate liability exposure reaches a staggering $5.8 billion.

With statutory penalties ranging from $2,500 to $7,500 per violation under the CCPA, the financial risk for publishers and ad-tech vendors remains substantial if these compliance gaps are not addressed.
