Audit Finds Google, Microsoft, and Meta Still Tracking Users After Opt-Out

California’s privacy regime, anchored by the California Consumer Privacy Act (CCPA), grants users the right to block the sale of their personal data through mechanisms like the Global Privacy Control (GPC). While the law is state‑level, its enforcement has national repercussions because many digital advertisers rely on California’s massive user base. The GPC signal, a simple HTTP header, tells compliant servers to refrain from dropping tracking cookies, a cornerstone of modern ad tech. Yet the audit shows that the signal is often ignored, highlighting a gap between regulatory intent and technical implementation.

The webXray audit, which monitored real‑world traffic across more than 7,000 high‑traffic sites, uncovered stark differences among the three tech giants. Google’s ad‑serving infrastructure set its IDE cookie in 87% of GPC‑enabled requests, effectively nullifying the user’s opt‑out. Microsoft’s failure rate sat at 50%, while Meta’s tracking scripts fired unconditionally in 69% of cases, bypassing any GPC check. These patterns suggest that existing privacy controls are either not integrated into core ad delivery pipelines or are deliberately overridden, exposing the firms to potential CCPA violations that could translate into billions of dollars in fines.

Beyond the immediate legal risk, the findings send a warning to the broader digital‑advertising ecosystem. Brands that rely on third‑party tags must audit their own implementations to ensure compliance, lest they inherit liability from upstream providers. Meanwhile, regulators are likely to scrutinize enforcement actions more closely, possibly expanding the scope of penalties for non‑compliance. Companies that proactively adopt privacy‑by‑design principles, incorporate GPC checks, and transparently report on compliance will not only mitigate risk but also strengthen consumer confidence in an increasingly privacy‑conscious market.