Audit: Big Tech Often Ignores CA Privacy Law Opt-Out Requests

The California Consumer Privacy Act, enacted in 2020, gave residents a legal right to block the sale or sharing of their personal data through a simple browser setting called Global Privacy Control (GPC). While the law applies to any entity that processes California users' information, enforcement has been uneven, leaving many online advertisers to rely on voluntary compliance. As privacy‑focused browsers and extensions gain market share, the GPC signal has become a de‑facto standard for expressing opt‑out preferences at scale, prompting regulators to scrutinize whether tech giants truly respect it.

WebXray’s recent audit, which scanned over 7,600 popular websites from a California residential IP, revealed stark gaps in adherence. Google ignored GPC signals on 86% of requests, even issuing the IDE advertising cookie despite the "sec‑gpc: 1" header that should suppress tracking. Meta followed with a 69% failure rate, largely due to publisher‑installed code that bypasses GPC checks. Microsoft performed marginally better, honoring opt‑outs roughly half the time but still setting its MUID cookie on bing.com. These practices expose the firms to further CCPA enforcement actions, adding to the $2.32 billion, $9.3 billion and $390 million in fines they have already paid for privacy violations.

For security and compliance teams, the audit underscores the need for continuous validation of privacy controls. Regular testing of GPC handling, third‑party ad‑tech audits, and treating privacy telemetry like security logs can surface hidden non‑compliance before regulators intervene. As state and federal privacy legislation converges, firms that proactively align runtime behavior with declared privacy policies will mitigate legal risk and preserve consumer confidence, turning compliance into a competitive advantage.