Your Privacy Opt-Out Is Being Ignored by Google, Microsoft, and Meta
A bombshell independent audit has caught some of the world’s biggest technology companies red-handed — continuing to track users who have explicitly asked them to stop.
Conducted by privacy technology firm webXray, the investigation uncovered what researchers describe as widespread, industrial-scale disregard for the California Consumer Privacy Act (CCPA). The findings could expose these corporations — and the website publishers that work with them — to a combined legal liability of billions of dollars.
Among the most alarming statistics: 55% of the websites evaluated kept setting advertising cookies even after users switched on privacy protections. To make matters worse, cookie consent banners certified by Google itself consistently failed to stop the company from placing trackers after users opted out.
According to the California Privacy Audit report, a total of 194 online advertising services are currently ignoring opt-out signals that have been formally endorsed by regulators.
How Each Tech Giant Is Failing Users
The audit was led by Dr. Timothy Libert — a former Google cookie policy lead — and zeroes in on specific technical breakdowns within the ad networks of each company.
| Technology Company | Opt-Out Failure Rate | Ad Cookies Set Despite Opt-Out | Avg. Fine Per Violation | Total Potential Liability | Privacy Fines Paid to Date |
|---|---|---|---|---|---|
| 86% – 87% | 11,021 | $1,387,617 | $5.8 Billion (across all 4,170 audited sites) | $2.318 Billion | |
| Microsoft | 50% | 7,550 | $1,387,617 | $5.8 Billion (across all 4,170 audited sites) | $390 Million |
| Meta | 69% | 1,293 | $1,387,617 | $5.8 Billion (across all 4,170 audited sites) | $9.304 Billion |
Rather than honoring the Global Privacy Control (GPC) signal — a standardized browser-level opt-out mechanism — all three platforms continue deploying long-term tracking cookies. Here is exactly what the researchers found:
- Google: When a browser sends the “sec-gpc: 1” opt-out signal to Google’s servers, the company fails to honor it 87% of the time. Instead of blocking trackers, Google’s network responds by planting its “IDE” advertising cookie — one that silently follows users across Google’s ad network for two full years.
- Microsoft: Microsoft fares only slightly better, with a 50% opt-out failure rate. When its servers receive the GPC signal, they still deploy the “MUID” (Microsoft User Identifier) cookie via the Bing domain, tracking users across the web for up to one year.
- Meta: Meta’s tracking pixel fails to respect opt-outs 69% of the time. Forensic analysis revealed that the JavaScript code Meta tells publishers to install has no built-in mechanism to check for the “navigator.globalPrivacyControl” signal at all — meaning the pixel fires tracking events unconditionally, regardless of what a user has chosen.
Simple Fixes Exist — But Aren’t Being Used
One of the most troubling takeaways from the webXray report is just how straightforward the fixes would be. For Google and Microsoft, ad servers that receive a GPC opt-out signal could simply return a “451 Unavailable For Legal Reasons” status code, which would prevent any cookies from being set. For Meta, inserting just two lines of conditional code into its tracking pixel would stop it from loading when a user has opted out.
The audit also turned its lens on Consent Management Platforms (CMPs) — the third-party tools many websites use to manage cookie consent. Across all 11 CMP vendors examined, researchers found a 100% failure rate in fully blocking advertising cookies after a user opted out. These are tools specifically designed to protect consumer privacy, and none of them were doing the job.
The Legal and Financial Stakes Are Enormous
The consequences of ignoring user privacy choices are not just ethical — they carry severe financial risk under California law. The California Attorney General has formally recognized the GPC as a valid legal request to stop the sharing of personal information, and the state has already shown it will act on non-compliance.
Sephora was hit with a $1.2 million fine in 2022 for ignoring GPC signals. Disney paid a record $2.75 million settlement in 2025. Using these and other public enforcement actions as a baseline, webXray calculated an average penalty of nearly $1.4 million per violation.
Multiply that figure across the thousands of California-facing websites identified in the audit that are still setting advertising cookies despite user opt-outs, and the total potential liability climbs to a staggering $5.8 billion. Under the CCPA, individual violations can be penalized anywhere between $2,500 and $7,500 — meaning publishers and ad-tech vendors who fail to close these compliance gaps are sitting on a significant legal time bomb.