Websites Break California Privacy Law at ‘Industrial Scale,’ Survey Finds

The Markup
Apr 21, 2026

Why It Matters

Non‑compliance threatens massive regulatory penalties and erodes consumer trust, highlighting enforcement gaps in the CCPA framework. The audit pressures tech giants to adjust tracking practices or face costly legal repercussions.

Key Takeaways

  • webXray audit covered 7,000+ sites and found widespread GPC violations.
  • Google ignored GPC signal in 86% of tested pages.
  • Microsoft failed to honor signal in half of cases.
  • Meta trackers bypassed GPC entirely, tracking 69% of visits.
  • Potential fines could reach billions if agency enforces penalties.

Pulse Analysis

California’s Consumer Privacy Act introduced the Global Privacy Control (GPC) as a universal opt‑out mechanism, requiring websites to cease selling or sharing personal data when the signal is present. The recent webXray audit, which accessed sites from a California IP address, provides the first large‑scale measurement of GPC compliance, revealing that many high‑traffic domains still set tracking cookies despite clear user preferences. By quantifying the gap between legal requirements and technical implementation, the study underscores a critical oversight in the industry’s privacy infrastructure.

The audit’s headline figures are stark: Google’s tracking scripts ignored the GPC signal on 86% of pages, Microsoft’s on 50%, and Meta’s on 69%. These numbers suggest that, rather than a handful of outliers, non‑compliance is embedded in the core advertising and analytics stacks of the biggest platforms. Both Google and Microsoft defended their practices, citing operational necessities and nuanced interpretations of the law, while Meta remained silent. If the California Privacy Protection Agency were to levy fines at the statutory maximum—up to $7,500 per violation—the cumulative penalty could climb into the billions, creating a financial incentive for rapid remediation.

For businesses that rely on third‑party ad tech, the findings serve as a warning signal. Companies must audit their own code and vendor integrations to ensure GPC detection is correctly implemented, or risk secondary liability. Regulators, meanwhile, may tighten enforcement and issue clearer guidance on what constitutes “necessary” cookies. As privacy legislation proliferates nationwide, the audit highlights a broader industry challenge: aligning sophisticated tracking ecosystems with evolving consumer‑centric privacy norms while avoiding costly legal exposure.
