In a significant challenge to consumer privacy, an in-depth audit reveals Google, Microsoft, and Meta are not fully respecting privacy opt-out requests. The investigation, detailed in the March 2026 California Privacy Audit by webXray, indicates that 194 advertising services are installing tracking cookies despite users activating the Global Privacy Control (GPC).
Audit Uncovers Widespread Non-Compliance
Dr. Timothy Libert, who formerly led Google’s cookie policy, spearheaded the research analyzing web traffic on numerous popular websites in California. The study uncovers extensive non-compliance with the California Consumer Privacy Act (CCPA), with 55% of evaluated sites setting ad cookies even after user opt-outs.
The audit reveals technical methods employed by these companies to circumvent privacy settings. When users enable GPC, their browsers send a sec-gpc: 1 network request header, which should signal businesses to halt personal data sharing. However, the audit highlights significant breaches.
How Major Companies Bypass Privacy Controls
Google’s ad servers, with an 86% failure rate, ignore the sec-gpc: 1 signal and proceed to create a two-year “IDE” advertising cookie. Researchers suggest that Google could address this issue by returning an HTTP 451 status code.
Microsoft, with a 50% failure rate, follows a similar pattern, returning a one-year “MUID” tracking cookie despite the GPC signal. Meanwhile, Meta’s tracking pixel, embedded in websites, fails to detect the GPC signal entirely, leading to a 69% failure rate.
Concerns Over Consent Management Platforms
The audit also raises alarms about Consent Management Platforms (CMPs), revealing that most cookie banners fail to protect users adequately. Even Google-certified Cookie Choice Banners frequently fail, with opt-out failure rates between 77% and 91% across major vendors.
California regulators have asserted that neglecting the GPC is punishable, with recent enforcement actions under the CCPA resulting in significant penalties. The audit estimates a potential $5.8 billion liability across the industry due to these violations.
Strategies for Mitigation and Compliance
To combat these privacy threats and avoid fines, companies are advised to adopt several strategies. Configuring ad servers to detect the sec-gpc: 1 header and block requests can prevent tracking payloads. Additionally, website administrators should load third-party scripts conditionally, checking the navigator.globalPrivacyControl property before execution. Finally, organizations should not rely solely on third-party consent banners but should actively monitor network requests for compliance.
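As an added illustration of the monitoring and conditional-loading steps above (not code from the webXray audit or from any vendor), the following JavaScript checks captured request/response pairs for ad cookies set despite sec-gpc: 1. The record shape, function names and hosts are assumptions; only the cookie names IDE and MUID come from the article.

```javascript
// Cookie names reported in the article; every other name here is hypothetical.
const AD_COOKIE_NAMES = new Set(['IDE', 'MUID']);

// HTTP header names are case-insensitive, so compare them in lower case.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

function gpcEnabled(requestHeaders) {
  const v = lowerKeys(requestHeaders)['sec-gpc'];
  return typeof v === 'string' && v.trim() === '1';
}

// Extract the cookie name and, if present, its Max-Age in whole days.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';');
  const eq = pair.indexOf('=');
  const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();
  const m = attrs.map(a => /^\s*max-age\s*=\s*(\d+)\s*$/i.exec(a)).find(Boolean);
  return { name, maxAgeDays: m ? Math.round(Number(m[1]) / 86400) : null };
}

// Flag responses that set a known ad cookie although the request carried sec-gpc: 1.
function auditExchanges(exchanges) {
  const findings = [];
  for (const ex of exchanges) {
    if (!gpcEnabled(ex.request.headers)) continue;
    const lines = [].concat(lowerKeys(ex.response.headers)['set-cookie'] || []);
    for (const c of lines.map(parseSetCookie)) {
      if (AD_COOKIE_NAMES.has(c.name)) findings.push({ url: ex.url, ...c });
    }
  }
  return findings;
}

// Page-side gate: load a third-party tag only when the browser does not assert GPC.
function mayLoadThirdParty(nav) {
  return !(nav && nav.globalPrivacyControl === true);
}

// Constructed capture (not real traffic); hosts are placeholders.
const SAMPLE = [
  { url: 'https://ads.example/pixel', request: { headers: { 'Sec-GPC': '1' } }, response: { status: 200, headers: { 'Set-Cookie': ['IDE=abc123; Max-Age=63072000; Secure'] } } },
  { url: 'https://ads.example/pixel', request: { headers: {} }, response: { status: 200, headers: { 'Set-Cookie': ['IDE=abc123; Max-Age=63072000'] } } },
  { url: 'https://track.example/c', request: { headers: { 'sec-gpc': '1' } }, response: { status: 451, headers: {} } },
  { url: 'https://sync.example/m', request: { headers: { 'sec-gpc': '1' } }, response: { status: 200, headers: { 'set-cookie': 'MUID=xyz789; Max-Age=31536000' } } },
];
console.log(auditExchanges(SAMPLE));
```

The second record is not flagged because its request carried no GPC signal, and the third shows the HTTP 451 response the researchers suggest.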
