Google, Microsoft, Meta All Tracking You Even When You Opt Out, According to an Independent Audit

The California Consumer Privacy Act gives residents a legal right to block the sale of their personal data, and the Global Privacy Control (GPC) browser signal is the technical implementation of that right. webXray’s audit leveraged network‑level monitoring of over 7,000 high‑traffic sites in March, capturing the "sec‑gpc: 1" header that indicates a user’s opt‑out request. By inspecting the response headers, the researchers could directly see whether ad servers honored the signal, providing a clear, reproducible methodology that goes beyond surface‑level cookie banner analysis.

The audit’s headline numbers—Google’s 87% non‑compliance, Microsoft’s 50%, and Meta’s 69%—suggest systematic disregard for a legally binding opt‑out. Under the CCPA, each violation can trigger statutory damages of up to $7,500 per consumer, meaning the cumulative exposure could reach billions of dollars for the three firms. Moreover, the study exposed a conflict of interest: Google‑certified consent management platforms (CMPs) failed to block cookies in 77% to 91% of cases, undermining the very tools meant to enforce user preferences. This raises questions about the efficacy of self‑regulation and the need for stricter oversight by state attorneys general.

All three companies have pushed back, labeling the methodology a misunderstanding of their systems. Yet the audit also offered a simple technical remedy—returning a 451 "Unavailable For Legal Reasons" status when a GPC header is present, which would halt cookie issuance entirely. If regulators adopt such a standard, it could close the compliance gap and restore credibility to privacy‑by‑design promises. For advertisers and publishers, the findings signal a looming shift toward more transparent data practices, as the cost of ignoring opt‑out signals may soon outweigh the benefits of continued tracking.