Audit Claims Google, Microsoft and Meta Track Californians Even After Opt-Outs

April 14, 2026
aiprivacybusinesslaw
Bright and modern Google Store entrance with clear glass facade in Mountain View, California.
Photo by Abhishek Navlakha on Pexels

What webXray says

It has been reported that an independent audit by privacy search engine webXray examined web traffic on more than 7,000 popular California sites in March and found widespread failures to respect opt-out signals. Allegedly, 55% of the sites set advertising cookies even when a user signaled they didn’t want tracking. If true, those lapses could run afoul of California’s CCPA — and that, it has been reported, opens the door to billions in potential fines. Feels like a gut punch, doesn’t it? You click “opt out” and hope the internet keeps its side of the bargain.

The technical details

The audit focused on Global Privacy Control (GPC), the browser signal that tells sites a user wants to opt out. It has been reported that webXray found Google ignored the GPC signal 87% of the time — citing network traces where a browser sends “sec-gpc: 1” but Google’s response still sets an IDE advertising cookie. Microsoft’s failure rate was allegedly about 50%, and Meta’s was 69% — the audit claims Meta’s tracking code “loads unconditionally,” firing events and setting cookies without checking for GPC at all. The companies have disputed or criticized the research; Google told press the report is based on a “fundamental misunderstanding” of how its product works.

Who’s behind the report

webXray is run by Timothy Libert, a former Google lead on cookie policy and compliance who left the company in 2023. Libert told 404 Media that fines haven’t been an effective deterrent: “In many ways fines have come to replace taxes,” he said, arguing enforcement is failing and regulators lack a clear picture of what’s happening under the hood. His insider credentials add weight to the findings, but they also make this a high-stakes he-said, they-said in the privacy world.

Why it matters

The audit also flags a potential conflict of interest: Google runs a CMP (consent management platform) Partner Program that certifies the very banners users rely on to opt out. Do those CMPs actually work? The report raises that question loud and clear. Regulators, privacy lawyers and everyday users now face a choice — trust tech giants’ explanations, or push for deeper audits and stricter enforcement. Who watches the watchers? For many Californians, the answer feels increasingly urgent.

Sources: 404media.co, Hacker News