New audit says Google, Microsoft, and Meta still track users after privacy opt-outs

Home » News
Yash Shield
News
Reading time icon 4 min. read

Calendar icon Published on

Google

A new California privacy audit says many major ad-tech services still set tracking cookies even after users send a legally recognized opt-out signal. The research, published by webXray, found that 194 online advertising services ignored the Global Privacy Control, or GPC, during tests on popular California websites.

That matters because California treats GPC as a valid request to stop the sale or sharing of personal information. The California Attorney General’s office says businesses covered by the law must honor that signal.

BEST SPRING 2026 DEALS
Editor's Choice
Private Internet Access

Access content across the globe at the highest speed rate.

70% of our readers choose Private Internet Access

70% of our readers choose ExpressVPN

ExpressVPN

Browse the web from multiple devices with industry-standard security protocols.
Nord VPN

Faster dedicated servers for specific actions (currently at summer discounts)

In the audit, webXray said 55% of tested sites still set ad cookies after an opt-out request. It also said Google failed to honor the signal 86% of the time, Meta 69%, and Microsoft 50%.

What the research claims

webXray says it audited popular California websites in March 2026 and looked for whether ad-tech services responded to the sec-gpc: 1 browser signal by stopping ad-cookie behavior. The report argues that many companies did not.

The audit also says Google-certified cookie banners often failed to stop Google cookies after users opted out. According to webXray, tested failure rates across three major Google-certified consent vendors ranged from 77% to 91%.

The core claim is not that every cookie becomes illegal after GPC. The narrower issue is whether companies stop selling or sharing personal information for cross-context behavioral advertising after receiving that opt-out signal, which California says they must do.

How each company responded

Microsoft disputed the findings. In a statement to KQED, a Microsoft spokesperson said the company opts users out of sharing personal data with third parties for personalized advertising when it receives a GPC signal, while adding that some Microsoft cookies are necessary for operational purposes and may still be placed or read.

Google also rejected the report’s conclusion. A Google spokesperson told KQED that the audit was based on what the company called a misunderstanding of how Google’s products work, and said Google honors opt-outs provided by advertisers and publishers as required by law.

Meta pushed back as well. A Meta spokesperson told KQED that the audit misrepresented how GPC works, arguing that the setting restricts how data is shared, not collected, and pointing to Meta’s Limited Data Use feature for websites. webXray founder Timothy Libert rejected those arguments and said the non-compliance was visible in network traffic.

California’s privacy guidance says businesses cannot sell or share personal information after receiving a valid opt-out request unless the user later authorizes it again. The Attorney General’s office also says Californians can file complaints if a business’s opt-out method is not working.

The audit estimates potential aggregate liability at $5.8 billion across the industry, though that figure is webXray’s projection, not a regulator’s announced enforcement total. That distinction matters. The report highlights legal exposure, but regulators have not announced penalties tied to this audit.

California officials have not publicly endorsed the audit’s conclusions in detail. KQED reported that the California Department of Justice declined to comment on the specific issues raised, while the California Privacy Protection Agency also declined comment.

Key findings at a glance

ItemWhat the sources say
Audit publisherwebXray
Audit timingMarch 2026
Main claim194 ad services ignored legally recognized opt-out signals
Sites still setting ad cookies after opt-out55%
Reported failure ratesGoogle 86%, Meta 69%, Microsoft 50%
Legal basis citedCalifornia requires covered businesses to honor GPC as a valid opt-out request

What site owners and users should watch

  • Do not assume a cookie banner alone proves compliance.
  • Check whether your site actually suppresses ad-tech requests when GPC is enabled.
  • Audit network traffic, not just banner settings.
  • Review whether third-party tags still load after an opt-out signal.
  • Treat regulator-recognized opt-out signals as binding privacy controls in California.

FAQ

What is Global Privacy Control?

It is a browser-based opt-out signal that California recognizes as a valid request to stop the sale or sharing of personal information.

Did the audit say companies tracked users after opt-out?

Yes. webXray said many ad services still set tracking cookies even after users enabled GPC.

Did Google, Microsoft, and Meta agree with the audit?

No. All three pushed back in statements reported by KQED.

Does GPC ban every cookie?

No. The legal issue centers on stopping the sale or sharing of personal information, especially for cross-context behavioral advertising. Some operational cookies may still exist depending on the service and use case.

Yash

Yash Shield

I am a Business Analytics student with a strong interest in publishing well-researched and data-driven news articles. I focus on analyzing trends in business, finance, and technology to create clear, accurate, and engaging content for readers. I enjoy transforming complex data and information into simple, meaningful stories that help audiences understand current developments. With analytical thinking and attention to detail, I aim to deliver credible and insightful news that adds real value to readers.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages