Audit: Big Tech Often Ignores CA Privacy Law Opt-Out Requests

Google, Meta, and Microsoft fail at least half the time to honor requests to opt out of online tracking, despite a California law that mandates it, a privacy watchdog finds.


UPDATE

In what appears to be yet another failure of regulatory attempts to protect online users' privacy, three of the largest tech firms fail at least 50% of the time to honor user requests to opt out of online trackers in California, despite a state law that requires it, an independent audit of websites found.

Google, Meta, and Microsoft may be violating state privacy requirements by not, in practice, honoring user opt-out signals, according to the audit by privacy firm WebXray, which studied California Web traffic in March.

The California Consumer Privacy Act (CCPA), passed in 2018 and in force since 2020, gives consumers the right to opt out of the sale or sharing of their personal information, and businesses must honor that choice when it arrives as an opt-out preference signal sent by a browser or browser extension. California has endorsed the Global Privacy Control (GPC) browser setting or plug-in as the mechanism for consumers to exercise this right at scale, according to the audit.

The WebXray audit found that "194 online advertising services ignore legally defined, globally standard, opt-out signals endorsed by regulators," according to the report. "More concerning," in WebXray's words, the audit found that cookie choice banners certified by Google fail to prevent Google from setting cookies after users opt out with a GPC signal.

To gather its results, WebXray analyzed 7,634 popular websites scanned from a California residential IP address under two conditions: with GPC enabled and without. "Our findings reveal major technology companies simply ignore globally defined opt-out signals, raising the spectre of industrial-scale non-compliance with California requirements," according to the report.

Google did not immediately respond Wednesday to Dark Reading's requests for comment on the findings. In statements quoted in a public report, both Google and Meta argued that their privacy controls were misrepresented, while Microsoft said that consumer privacy is a top priority for the company.

In an emailed statement to Dark Reading, a Microsoft spokesperson said, "Consumer privacy is a top priority for us, and we remain committed to transparency and compliance with applicable privacy requirements. As outlined in our Privacy Statement, when we receive a GPC signal, we opt the user out of sharing personal data with third parties for personalized advertising, and our advertising systems are designed to reflect that choice. Certain Microsoft cookies are necessary for operational purposes, and may therefore be placed and read even when a GPC signal is detected."

Meta called the audit a "marketing ploy" via an email statement: "This is a blatant marketing ploy that misrepresents how the Global Privacy Control setting works and Meta's role. The control setting restricts how data is shared, not collected, and Meta already requires that when using the Meta pixel, advertisers only share with us information they have obtained the right to share. Meta further encourages websites to use our Limited Data Use feature so they can clearly indicate to us when they have permission to share certain information - and when we get information identified that way, we restrict its use."

Google Scores Highest Failure Rate

The audit is not the first to find the businesses that handle consumer data falling short of compliance with the CCPA. The WebXray findings follow a 2025 study by the University of California, Irvine, which found that half of online data brokers ignore requests to opt out of tracking.

The audit by WebXray shines a particular light on how three of the top tech companies — Google, Meta, and Microsoft — fare in terms of honoring opt-out requests across thousands of sites in California that use their technology.

Of the three, Google fares worst, with an opt-out "failure rate" of 86%, and has paid $2.32 billion in privacy fines to date for regulatory non-compliance, according to WebXray. The audit delved into the mechanics of the California failure in particular, which the researchers said "is easy to find in network traffic."

"When a browser using GPC connects to Google's servers it encodes the opt-out signal by sending the code 'sec-gpc: 1,'" according to the report. "This means Google should not return cookies."

However, Google's server answers that opt-out-bearing request with a 'set-cookie' response header that creates an advertising cookie named IDE, according to the findings. "This non-compliance is easy to spot, hiding in plain sight."

Meta, Microsoft Also Ignore Signals

Meta came in as a close second to Google with an opt-out failure rate of 69%, mainly due to tracking code it instructs its publishers to install that contains "no check for globally standard opt-out signals," according to the audit. So far the company, which owns Facebook and Instagram, has paid $9.3 billion in overall regulatory privacy fines, according to WebXray.

"Despite the fact that Meta publishes this code online, where it may be viewed by anybody, to date nobody has asked why it omits checks for the Global Privacy Control signal," according to WebXray.

Microsoft, meanwhile, honors opt-out signals about half the time and has paid $390 million in privacy fines to date, according to WebXray. The audit found that its advertising network fails to honor GPC opt-out signals in much the same way as Meta's: it sets the Microsoft User Identifier (MUID) cookie, an advertising tracker, on the bing.com domain even though Microsoft's tracking pixel itself is configured not to return a cookie, according to the report.

How Security Teams Can Enhance Privacy

WebXray's audit has no legal bearing on its own, and its findings should not be taken as established legal violations of the CCPA, the firm stressed in its report. There is, however, precedent for CCPA enforcement: the California Attorney General levied $1.2 million against Sephora in 2022, in a case that turned in part on the retailer's failure to process GPC signals, and $2.75 million against Disney in 2025.

To verify that their companies comply with the CCPA and similar privacy regulations when people visit their websites, security professionals should continuously test opt-out signal handling, including GPC and other consent frameworks; audit third-party data flows and ad-tech dependencies; align documented privacy controls with actual runtime behavior; and treat privacy telemetry like security telemetry, with the same logging, validation, and alerting, according to WebXray.
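The check the report describes in network traffic, and the continuous testing it recommends, can be automated. The Python script below is an added example written for this article, not WebXray's tooling or any of the named companies' code. It treats the opt-out as the HTTP request header Sec-GPC: 1 (the form of the Global Privacy Control signal browsers send; the same setting is exposed to page scripts as navigator.globalPrivacyControl) and flags any Set-Cookie response header that creates a known advertising identifier. The cookie names IDE and MUID come from the article; counting Meta's _fbp cookie as an advertising identifier, the essential allow-list for operational cookies, the fetch_headers helper, and all sample header values are this example's own assumptions, constructed so it runs offline.

```python
"""Audit whether a server honours the Global Privacy Control (GPC) opt-out.

Added example for this article; not WebXray's code. Cookie names IDE and MUID
come from the audit as reported; _fbp and the sample header values below are
this example's own assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Mapping, Sequence, Tuple
import urllib.request

Headers = Sequence[Tuple[str, str]]

# Advertising identifiers to flag. IDE (Google) and MUID (Microsoft) are named
# in the audit; _fbp (Meta pixel) is an assumption added here.
AD_COOKIE_NAMES = {"IDE", "MUID", "_fbp"}


@dataclass
class SetCookie:
    name: str
    value: str
    attributes: Dict[str, str]  # keys lower-cased, e.g. "domain", "samesite"


def parse_set_cookie(header_value: str) -> SetCookie:
    """Parse one Set-Cookie header value of the form 'NAME=VALUE; Attr=val; Flag'."""
    segments = [s.strip() for s in header_value.split(";")]
    name, _, value = segments[0].partition("=")
    attributes: Dict[str, str] = {}
    for segment in segments[1:]:
        if not segment:
            continue
        key, _, val = segment.partition("=")
        attributes[key.strip().lower()] = val.strip()  # bare flags such as Secure map to ""
    return SetCookie(name.strip(), value.strip(), attributes)


def gpc_asserted(request_headers: Mapping[str, str]) -> bool:
    """True if the request carried the GPC signal; the spec defines the value as exactly '1'."""
    return any(k.lower() == "sec-gpc" and v.strip() == "1" for k, v in request_headers.items())


def set_cookies(response_headers: Headers) -> List[SetCookie]:
    """All cookies the response tried to set (header names are case-insensitive)."""
    return [parse_set_cookie(v) for k, v in response_headers if k.lower() == "set-cookie"]


def audit_response(request_headers: Mapping[str, str], response_headers: Headers,
                   essential: Iterable[str] = ()) -> List[str]:
    """Advertising cookies set although the request asserted GPC.

    `essential` lets the auditor exclude cookies a site documents as strictly
    operational (the exemption Microsoft's statement invokes). An empty result
    with GPC asserted means the response is clean under this check.
    """
    if not gpc_asserted(request_headers):
        return []  # no opt-out was requested, so nothing can have been ignored
    excluded = {name.lower() for name in essential}
    return [c.name for c in set_cookies(response_headers)
            if c.name in AD_COOKIE_NAMES and c.name.lower() not in excluded]


def ignored_signal(with_gpc: Headers, without_gpc: Headers) -> List[str]:
    """Differential check in the audit's two-condition style.

    An advertising cookie set in both runs means the server's behaviour did not
    change when the signal was present, i.e. the signal was ignored.
    """
    both = {c.name for c in set_cookies(with_gpc)} & {c.name for c in set_cookies(without_gpc)}
    return sorted(both & AD_COOKIE_NAMES)


def fetch_headers(url: str, gpc: bool = True) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Fetch `url` once, optionally asserting GPC, and return (request, response) headers.

    urllib follows redirects and returns only the final hop's headers, so cookies
    set on intermediate redirects (common for ad endpoints) are not seen here.
    """
    headers = {"User-Agent": "gpc-audit-example/0.1"}
    if gpc:
        headers["Sec-GPC"] = "1"
    request = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(request, timeout=15) as response:
        return dict(request.header_items()), response.getheaders()


# Constructed sample traffic (not captured data) shaped like the exchange the
# audit describes: a GPC-bearing request answered with an IDE cookie.
SAMPLE_REQUEST = {"Host": "ads.example.test", "Sec-GPC": "1", "User-Agent": "gpc-audit-example/0.1"}
SAMPLE_RESPONSE_WITH_GPC: Headers = [
    ("content-type", "image/gif"),
    ("set-cookie", "IDE=EXAMPLE_NOT_REAL; Domain=.ads.example.test; Path=/; Secure; HttpOnly; SameSite=None"),
    ("set-cookie", "session=c0ffee; Path=/; HttpOnly"),
]
SAMPLE_RESPONSE_WITHOUT_GPC: Headers = SAMPLE_RESPONSE_WITH_GPC  # identical: the signal changed nothing

if __name__ == "__main__":
    print("flagged:", audit_response(SAMPLE_REQUEST, SAMPLE_RESPONSE_WITH_GPC))
    print("ignored:", ignored_signal(SAMPLE_RESPONSE_WITH_GPC, SAMPLE_RESPONSE_WITHOUT_GPC))
```

The differential check mirrors the audit's two-condition design: an advertising cookie that appears both with and without the signal is evidence the server ignored it, while one that appears only without the signal shows the opt-out being honored. To run the same checks against a live endpoint, pass the pair returned by fetch_headers(url) into audit_response, and fetch the URL once more with gpc=False for ignored_signal; a redirect-heavy ad endpoint needs a client that records every hop's headers, which urllib does not.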

This article was updated at 4pm ET on April 15 to reflect Microsoft's comments.
