An independent privacy audit published on April 14, 2026, has found that Google, Meta, and Microsoft continued to set advertising cookies on users' browsers even after those users explicitly opted out of tracking - potentially violating California's privacy law and exposing thousands of websites to aggregate liability estimated at $5.8 billion.
The audit, conducted in March 2026 by webXray, a privacy analysis company, reviewed web traffic across more than 7,000 popular websites accessed from a California residential IP address. It found that 55 percent of the sites checked set advertising cookies despite a user-initiated opt-out signal. The research was reported by 404 Media on April 14, 2026, and the full methodology and findings are detailed in the webXray California Privacy Audit report.
What the opt-out signal is - and why it matters
At the centre of the audit is a mechanism called Global Privacy Control (GPC). The California Attorney General has endorsed GPC as a valid opt-out mechanism under the California Consumer Privacy Act (CCPA), the state's stringent privacy law that grants consumers the right to stop the sale or sharing of their personal information. GPC is switched on through a browser extension or a browser-level setting. Once enabled, the browser adds the HTTP request header "Sec-GPC: 1" to every request it sends, first-party and third-party alike, so an ad server or pixel endpoint receives the signal directly, and it exposes the same preference to page scripts as navigator.globalPrivacyControl. When that signal is present, covered businesses are required by law to treat it as a formal opt-out request.
The California AG fined Sephora $1.2 million in 2022 for ignoring GPC signals. In February 2026, Walt Disney settled for $2.75 million, the largest CCPA settlement on record at that point, for opt-out failures across Disney+ and Hulu, and weeks later the California Privacy Protection Agency fined PlayOn Sports $1.1 million for similar violations. Against that backdrop, the webXray audit directly examines whether the three companies whose code appears on the largest share of the web are doing any better.
They are not, according to the audit.
Google: 86 percent opt-out failure rate
According to the webXray California Privacy Audit, Google failed to honour the GPC opt-out signal 86 percent of the time across the sites examined. The audit describes the mechanism of failure in precise technical terms.
"Google's failure to honor the GPC opt-out signal is easy to find in network traffic. When a browser using GPC connects to Google's servers it encodes the opt-out signal by sending the code 'sec-gpc: 1.' This means Google should not return cookies," the audit said. "However, when Google's server responds to the network request with the opt-out it explicitly responds with a command to create an advertising cookie named IDE using the 'set-cookie' command. This non-compliance is easy to spot, hiding in plain sight."
The audit also quantified the scale: 11,021 advertising cookies were set by Google despite opt-out signals being present. These cookies originate across multiple Google products. The audit lists cookies from Google's core advertising services - including __gads, __gpi, __gsas, _gcl_au, AID, FPAU, and FPGSID - as well as from Google Marketing Platform products (APC, DSID, FLC, and the IDE cookie specifically named in the network traffic evidence) and YouTube, where __Secure-YNID and VISITOR_INFO1_LIVE were observed despite opt-out.
The audit noted that Google's tracking code was present on 77 percent of the websites in the sample, by far the widest distribution of any vendor reviewed. According to the report, Google generated $307 billion in advertising revenue in 2024 and has paid $2.318 billion in privacy fines to date across regulators including the US Federal Trade Commission, the California Attorney General, France's CNIL, and others.
The proposed fix, according to webXray, requires no architectural change. When Google's ad server receives a request carrying the Sec-GPC: 1 header, it only needs to answer with an HTTP 451 status code ("Unavailable For Legal Reasons") and no Set-Cookie header. The browser stores nothing in that case. What satisfies the opt-out is the absence of Set-Cookie; the 451 status is webXray's choice of a response that makes the refusal explicit in the traffic.
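The request/response pattern the audit describes, and the server-side fix webXray proposes, as an added Node.js example. This is not code from the webXray report or from Google: the captured exchange, the ads.example-ads.test host and the cookie value are constructed placeholders, and the detector simply applies the audit's rule (opt-out header in, Set-Cookie out) to a recorded pair.

```javascript
// Added example (not from the webXray report or Google): spotting the
// failure the audit describes in a captured request/response pair, and the
// server-side fix webXray proposes. Runs under Node.js. The captured exchange
// below is constructed; the host and cookie value are placeholders.

function headerValue(headers, name) {
  // Header names are case-insensitive and captures record them either way.
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

function hasGpcOptOut(requestHeaders) {
  // GPC defines exactly one valid signal value: "Sec-GPC: 1".
  return String(headerValue(requestHeaders, 'sec-gpc') ?? '').trim() === '1';
}

function setCookieNames(responseHeaders) {
  // Set-Cookie may appear once (string) or several times (array). The cookie
  // name is the text before the first "=" of each value's first attribute.
  const raw = headerValue(responseHeaders, 'set-cookie');
  const values = raw === undefined ? [] : [].concat(raw);
  return values
    .map(v => v.split(';')[0].split('=')[0].trim())
    .filter(name => name.length > 0);
}

function findGpcViolation(exchange) {
  // In the audit's terms a violation is any cookie set in reply to a request
  // that carried the opt-out signal. Returns the offending cookie names.
  if (!hasGpcOptOut(exchange.request.headers)) return [];
  return setCookieNames(exchange.response.headers);
}

// The non-compliant behaviour the audit reports: Set-Cookie regardless of GPC.
function nonCompliantAdResponse() {
  return {
    status: 200,
    headers: {
      'Set-Cookie': ['IDE=placeholder-value; Domain=.example-ads.test; Path=/; Secure; HttpOnly; SameSite=None'],
    },
  };
}

// webXray's proposed fix: answer Sec-GPC: 1 with 451 and no Set-Cookie. What
// satisfies the opt-out is the missing Set-Cookie; 451 just makes it explicit.
function compliantAdResponse(requestHeaders) {
  if (hasGpcOptOut(requestHeaders)) {
    return { status: 451, headers: {} };
  }
  return nonCompliantAdResponse();
}

// Constructed capture of the pattern described in the report: the browser
// sends the opt-out, the server sets an advertising cookie anyway.
const capturedExchange = {
  request: {
    url: 'https://ads.example-ads.test/serve',
    headers: { 'Sec-GPC': '1', 'User-Agent': 'Mozilla/5.0 (constructed)' },
  },
  response: nonCompliantAdResponse(),
};

console.log('cookies set despite opt-out:', findGpcViolation(capturedExchange));
console.log('fixed response to the same request:', compliantAdResponse(capturedExchange.request.headers));
```

The detector is the check a compliance team can run over its own HAR captures: record the page with GPC enabled, then list every third-party response that carries Set-Cookie while the matching request carried Sec-GPC: 1. Note that a value other than exactly "1" is not an opt-out under the GPC specification, so the check deliberately ignores it.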
Microsoft: 50 percent failure rate, one-year tracker
Microsoft's failure rate sits at 50 percent, according to the audit. The mechanism is structurally identical to Google's. When a browser sends a request to Microsoft's bat.bing.com server with the Sec-GPC: 1 header, the server responds by setting the MUID cookie - a one-year advertising tracker on the .bing.com domain.
"Microsoft's advertising network fails to honor GPC opt-out signals in the same way," the audit said of the pattern. The audit documented 7,550 advertising cookies set by Microsoft despite opt-out, across 35 percent of the sites tracked. Microsoft's total privacy fines to date stand at $390 million, including a 2022 CNIL fine of €60 million for Bing advertising cookies and a 2024 Irish Data Protection Commission fine of €310 million for LinkedIn targeted advertising.
Microsoft's response, relayed to 404 Media, drew a distinction between advertising cookies and operational ones: "Certain Microsoft cookies are necessary for operational purposes, and may therefore be placed and read even when a GPC signal is detected." The audit's position is that operational necessity does not apply to the MUID advertising tracker.
Microsoft's advertising properties found setting cookies despite opt-out span Microsoft Advertising (including _uetmsclkid, _uetsid, _uetvid, MUID, and SRM_B), Microsoft Clarity (ANONCHK, MR, SM), and LinkedIn (li_fat_id, li_sugr, UserMatchHistory).
Meta: 69 percent failure rate, no opt-out check in the code
Meta's situation differs from Google's and Microsoft's in a technically important way. Google's and Microsoft's servers at least receive the GPC signal and then fail to act on it. Meta's tracking code, the Facebook Pixel, which the audit estimates is present on over 5.8 million websites, contains no check for the GPC signal at all: the snippet publishers install fires regardless of the browser's opt-out setting.
"Meta instructs publishers to install the following tracking code on their websites. The code contains no check for globally standard opt-out signals - it loads unconditionally, fires a tracking event, and sets a cookie regardless of the consumer's privacy preferences," the audit said.
The audit reproduced a copy of Meta's published pixel snippet, pointing out that there is no reference to navigator.globalPrivacyControl anywhere in the code. The pixel loads, fires a PageView event, and sets the _fbp cookie regardless of browser privacy settings. The audit documented 1,293 advertising cookies set by Meta despite opt-out, across 21 percent of the sites tracked. Meta's failure rate across those sites was 69 percent.
Meta has paid $9.304 billion in privacy fines since 2019, the largest total of the three companies reviewed. That figure includes a $5 billion FTC settlement in 2019 related to the Cambridge Analytica case, a €1.2 billion Irish Data Protection Commission fine in 2023 for EU-US data transfers, and a $1.4 billion Texas Attorney General settlement in 2024 for biometric data.
The fix webXray proposes for Meta requires two lines of code: wrapping the existing pixel initialisation function in a conditional check for navigator.globalPrivacyControl, so that the pixel does not load when a user has the flag set.
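The shape of that conditional, as an added example that runs under Node.js. It is not Meta's published snippet and not code from the audit: `navigator` is passed in as a parameter so the gate can be exercised outside a browser, and the loader is a constructed stand-in that records what the real pixel would have done instead of contacting Meta.

```javascript
// Added example (not Meta's published pixel snippet and not the audit's
// code): gating a third-party pixel on the browser-side GPC flag, which is the
// shape of the two-line change webXray proposes. `navigator` is passed in so
// the logic runs outside a browser; the loader is a constructed stand-in that
// records what the real snippet would have done.

function gpcOptOutActive(nav) {
  // Browsers and extensions that implement GPC set
  // navigator.globalPrivacyControl to boolean true. Browsers without support
  // leave it undefined, which means "no signal", not "opted out"; only an
  // explicit true blocks the load.
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

function loadPixelIfPermitted(nav, loader, pixelId) {
  // The only behavioural change from an unconditional snippet: when the flag
  // is set, neither init nor the PageView event runs, so the _fbp cookie the
  // snippet would write is never created.
  if (gpcOptOutActive(nav)) {
    return { loaded: false, reason: 'gpc-opt-out' };
  }
  loader.init(pixelId);
  loader.track('PageView');
  return { loaded: true, reason: 'no-opt-out-signal' };
}

function makeRecordingLoader() {
  // Stand-in for the pixel library: records calls and the cookie it would
  // set, instead of loading anything over the network.
  const calls = [];
  const cookies = {};
  return {
    calls,
    cookies,
    init(id) { calls.push(['init', id]); cookies._fbp = 'fb.1.placeholder'; },
    track(event) { calls.push(['track', event]); },
  };
}

function simulate(globalPrivacyControl) {
  // globalPrivacyControl: true (opted out), false (not opted out), or
  // undefined (browser without GPC support).
  const nav = globalPrivacyControl === undefined ? {} : { globalPrivacyControl };
  const loader = makeRecordingLoader();
  const outcome = loadPixelIfPermitted(nav, loader, 'PIXEL-ID-PLACEHOLDER');
  return { outcome, calls: loader.calls, cookieSet: '_fbp' in loader.cookies };
}

for (const flag of [true, false, undefined]) {
  console.log(`globalPrivacyControl=${String(flag)}:`, JSON.stringify(simulate(flag)));
}
```

Two caveats a practitioner would add. The gate runs in the publisher's page, so it only helps on sites that deploy the patched snippet; and because the browser also sends Sec-GPC: 1 on the pixel's own requests, the vendor could honour the signal server-side in the same way described for Google and Microsoft, independent of how any publisher installs the code.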
Meta's response to 404 Media characterised the audit as "a marketing ploy that mischaracterizes how GPC works and Meta's role," adding that "GPC only restricts certain uses of third-party data and allows website operators to override GPC signals."
The consent management platform problem
A second major finding in the audit involves consent management platforms (CMPs), the cookie banners that have become ubiquitous across websites. Google runs its own certification programme for CMPs, which the audit describes as a clear conflict of interest: the company that sets more advertising cookies than any other also certifies the tools that are supposed to stop it from doing so.
"This clear conflict of interest led us to ask: do these CMPs actually work?" the audit said. "By measuring what happens when an opt-out signal is sent to a website, we were able to find out, and the findings are clear: no Google-certified CMP we evaluated works 100% of the time, and all of them are often found to fail to prevent Google from setting cookies despite opt-out signals being present."
The audit tested three Google-certified CMP providers, anonymised in the report. Cookie Banner Provider A, described as managing 1,239 sites, had an opt-out failure rate of 77 percent and a publisher liability exposure of $1.3 billion. Provider B, managing 244 sites, failed 90 percent of the time, with a projected $305 million exposure. Provider C, managing 182 sites, had a 91 percent failure rate and $229 million in projected exposure.
Across all 11 CMP vendors evaluated in the audit, every single one failed to block advertising cookies after users opted out. The CMP vendor failure rate was 100 percent.
This finding is especially relevant for publishers and advertisers. Sites that have implemented a certified CMP and believe they are therefore compliant may still be generating liability, because the tools they rely on are not functioning as described. PPC Land has covered California's privacy enforcement actions in detail, including the Healthline case where a misconfigured opt-out mechanism was found to be transmitting data to dozens of advertising companies even after users had employed multiple opt-out methods simultaneously.
The financial exposure
The webXray report calculates potential aggregate liability by applying the average fine from six public CCPA opt-out enforcement actions to the 4,170 sites in the audit that set advertising cookies despite the opt-out signal. The six enforcement actions used as a baseline are: Sephora ($1.2 million, 2022), Healthline Media ($1.55 million, 2025), Tractor Supply Co. ($1.35 million, 2025), PlayOn Sports ($1.1 million, 2026), Ford Motor Co. ($375,703, 2026), and Walt Disney Co. ($2.75 million, 2026). The average across those cases is $1,387,617.
Multiplied across 4,170 non-compliant sites, the resulting estimate is $5.8 billion in potential aggregate liability. The audit cautions that actual liability per site will depend on the number of affected consumers, the duration of non-compliance, and whether conduct is deemed intentional - a distinction that matters because California Civil Code §1798.155 raises the statutory penalty from $2,500 to $7,500 per violation when intent is established.
Who conducted the audit and why
webXray was founded by Dr. Timothy Libert, described in the report as the former lead of cookie policy and compliance at Google. Libert left Google in 2023. According to his account, relayed in the 404 Media report, a manager told him directly before his departure that his job was to protect the company rather than its users.
"Shortly before I left my boss told me, direct quote, my job is to protect the company. There was another time I got into a very serious ontological discussion with a fairly senior engineer about what the difference was between taxes and fines and they didn't understand there was a difference," Libert said.
The company positions itself as a forensic privacy analysis platform. Its methodology has been peer-reviewed and cited in academic research over 1,000 times. The audit notes it has been used in federal and state litigation, including the pending case In re Meta Pixel Healthcare Litigation (3:22-cv-03580), where webXray was used to identify hundreds of HIPAA-covered entities allowing the Meta Pixel to be set.
The audit methodology is explicit: each of the 7,634 websites was scanned twice using an unmodified version of Google Chrome downloaded from Google's own servers - once with GPC enabled and once without - from a California residential IP address. Advertising cookies are counted as site-cookie pairs, and vendor failure rates represent the number of cookie instances set in the GPC-on condition divided by those set in the GPC-off condition.
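The counting rule in that paragraph, applied to two scan conditions, as an added example that is not webXray's code. Records are (site, vendor, cookie name) triples as a crawler would emit them; vendor names and sites in the sample data are constructed placeholders, and the example also computes the headline share of non-compliant sites, which the paragraph does not spell out.

```javascript
// Added example (not webXray's code): the counting rule the audit states.
// Each advertising cookie is a (site, vendor, cookie name) pair observed in
// one scan condition, and a vendor's failure rate is the pairs seen with GPC
// on divided by the pairs seen with GPC off. The scan records below are
// constructed; vendor names and sites are placeholders.

function dedupePairs(records) {
  // A cookie set twice on one site (two requests, a redirect chain) is one pair.
  const seen = new Map();
  for (const r of records) {
    const key = [r.site, r.vendor, r.cookie].join('\u0000');
    if (!seen.has(key)) seen.set(key, r);
  }
  return [...seen.values()];
}

function countByVendor(records) {
  const counts = new Map();
  for (const r of dedupePairs(records)) {
    counts.set(r.vendor, (counts.get(r.vendor) || 0) + 1);
  }
  return counts;
}

function vendorFailureRates(gpcOn, gpcOff) {
  // Rate = pairs with GPC on / pairs with GPC off, per vendor. A vendor that
  // set nothing in the baseline has no rate (null) rather than a divide by zero.
  const on = countByVendor(gpcOn);
  const off = countByVendor(gpcOff);
  const vendors = new Set([...on.keys(), ...off.keys()]);
  const rates = {};
  for (const vendor of vendors) {
    const baseline = off.get(vendor) || 0;
    const observed = on.get(vendor) || 0;
    rates[vendor] = {
      gpcOff: baseline,
      gpcOn: observed,
      failureRate: baseline === 0 ? null : observed / baseline,
    };
  }
  return rates;
}

function nonCompliantSites(gpcOn, totalSites) {
  // The headline figure: share of scanned sites on which at least one
  // advertising cookie was set while the opt-out signal was present.
  const sites = new Set(dedupePairs(gpcOn).map(r => r.site));
  return { count: sites.size, share: sites.size / totalSites };
}

// Constructed scan output for four sites and two placeholder vendors.
const scanGpcOff = [
  { site: 'site-a.test', vendor: 'vendor-x', cookie: 'IDE' },
  { site: 'site-a.test', vendor: 'vendor-x', cookie: '__gads' },
  { site: 'site-b.test', vendor: 'vendor-x', cookie: 'IDE' },
  { site: 'site-b.test', vendor: 'vendor-y', cookie: 'MUID' },
  { site: 'site-c.test', vendor: 'vendor-y', cookie: 'MUID' },
  { site: 'site-d.test', vendor: 'vendor-y', cookie: 'MUID' },
  { site: 'site-d.test', vendor: 'vendor-y', cookie: 'MUID' }, // second instance, same pair
];
const scanGpcOn = [
  { site: 'site-a.test', vendor: 'vendor-x', cookie: 'IDE' },
  { site: 'site-a.test', vendor: 'vendor-x', cookie: '__gads' },
  { site: 'site-b.test', vendor: 'vendor-x', cookie: 'IDE' },
  { site: 'site-b.test', vendor: 'vendor-y', cookie: 'MUID' },
  { site: 'site-c.test', vendor: 'vendor-y', cookie: 'MUID' },
];

console.log(vendorFailureRates(scanGpcOn, scanGpcOff));
console.log(nonCompliantSites(scanGpcOn, 4));
```

Because the denominator is the vendor's own GPC-off count, a vendor that sets few cookies overall can still score a 100 percent failure rate, and a vendor that only appears with GPC on has no baseline and is reported without a rate; both are worth checking before quoting a per-vendor figure from a crawl of your own.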
Context for the marketing community
For advertisers, publishers, and compliance teams, the findings arrive at a moment of heightened regulatory focus. California's updated CCPA requirements took effect on January 1, 2026, expanding contractual obligations for data transfers and adding new categories of sensitive information. PPC Land has tracked a series of enforcement actions that together suggest California regulators are coordinating pressure across business sectors simultaneously.
Google has made a number of moves in its consent and measurement infrastructure in recent months. In April 2026, Google published changes consolidating consent authority under its Ads Consent Mode settings, effective June 15, 2026. That change removes Google Signals from co-controlling advertising data collection and routes authority exclusively through Ads-side Consent Mode - a structural shift that may affect how the company's GPC compliance is ultimately assessed.
Meanwhile, European courts have delivered a string of rulings on Meta's tracking infrastructure that parallel the webXray findings. A German court in February 2026 found Meta's Business Tools violated GDPR and awarded €1,500 per affected user, specifically noting that the current tracking implementation violates data protection by design requirements. Earlier, researchers disclosed in June 2025 that Meta Pixel had been tracking Android users via localhost port connections, bypassing cookie-clearing, incognito mode, and standard Android permission controls.
Libert frames the core problem as one of regulatory enforcement architecture rather than technical difficulty. The fixes, he argues, are trivial to implement. The barrier is not complexity but accountability.
"In my view this stuff isn't complicated. You say, 'don't set the cookie.' They set the cookie," Libert told 404 Media. "The regulators see a fox going into the henhouse and the fox says, 'I'm just here to count the eggs, not to eat any chickens.' And they take them at their word. They don't make them produce any public record."
On the structural incentive that sustains non-compliance, he was equally direct: "They can just pay fines forever," he said. And on what he believes a real solution would require: "This is the Strait of Hormuz in the data economy. If you want to make a change, this is where you cut it off. Anything short of that is theatrical political posture."
All three companies disputed the findings. Google said the report was based on "a fundamental misunderstanding of how our products work" and that it honours opt-outs "as required by law." Microsoft said it had systems designed to reflect GPC choices for personalized advertising, noting that certain cookies remain necessary for operational purposes. Meta called the audit "a marketing ploy."
The webXray California Privacy Audit is publicly available. The full dataset - covering 242 ad tech vendors evaluated, of which 194 were found setting advertising cookies despite opt-out, for an 80 percent ad tech vendor failure rate - is available to webXray Search subscribers.
Timeline
- 2022 - California Attorney General fines Sephora $1.2 million for ignoring GPC signals, the first major CCPA enforcement action on opt-out compliance
- June 3, 2025 - Researchers disclose Meta Pixel's covert Android tracking via localhost connections, prompting Meta to remove the tracking code within hours
- July 1, 2025 - California Attorney General settles with Healthline Media for $1.55 million - then the largest CCPA penalty - for continuing to share user data with advertisers after opt-out
- January 1, 2026 - Updated CCPA requirements take effect, expanding contractual obligations for businesses that sell or share personal data
- February 3, 2026 - Dresden Higher Regional Court rules Meta's Business Tools violate GDPR, awarding €1,500 per affected user in legally binding judgments
- February 12, 2026 - California Attorney General announces $2.75 million settlement with Walt Disney for CCPA opt-out failures across Disney+ and Hulu, the largest CCPA settlement at the time
- February 27, 2026 - California Privacy Protection Agency fines PlayOn Sports $1.1 million for failing to honour opt-out preference signals, the first student-specific CCPA enforcement action
- March 2026 - webXray conducts the California Privacy Audit, scanning 7,634 popular websites from a California residential IP under two conditions: GPC enabled and GPC disabled
- April 14, 2026 - webXray California Privacy Audit published; 404 Media reports findings showing Google at 86% opt-out failure rate, Meta at 69%, and Microsoft at 50%, across 7,000+ California websites
Summary
Who: webXray, a privacy analysis company founded by Dr. Timothy Libert, former lead of cookie policy and compliance at Google, conducted the audit. Google, Meta, and Microsoft are the primary subjects. The California Attorney General's office and the California Privacy Protection Agency are the relevant enforcement authorities.
What: An independent forensic audit found that 55 percent of over 7,000 popular California websites set advertising cookies despite users having activated the Global Privacy Control opt-out signal. Google failed to honour the signal 86 percent of the time (11,021 cookies set despite opt-out), Microsoft 50 percent of the time (7,550 cookies), and Meta 69 percent of the time (1,293 cookies). All 11 Google-certified consent management platforms evaluated also failed to block Google cookies after opt-out. Total potential aggregate liability is estimated at $5.8 billion.
When: The audit data was collected in March 2026. The findings were published on April 14, 2026. The California enforcement context stretches from Sephora's 2022 fine through the Disney and PlayOn settlements in early 2026.
Where: The audit focused exclusively on websites popular with California residents, scanned from a California residential IP address. The legal framework is California's CCPA and implementing regulations, including 11 CCR §7025, which requires businesses to honour GPC signals directly.
Why: The audit was produced as a public service by webXray to provide regulators, legal teams, and compliance professionals with forensic-grade evidence of opt-out non-compliance at scale. Libert argues that existing fines have not changed company behaviour because companies treat penalties as a cost of doing business. The audit aims to put factual technical evidence into the hands of those who could structure enforcement differently.