Have you activated the opt-out? Google, Meta, and Microsoft still track you: the data from the California Privacy Audit 2026
Google, Microsoft, and Meta continue to set advertising cookies even when users activate the Global Privacy Control (GPC), ignoring the opt-out signal that California law requires to be respected. This is the main conclusion from the California Privacy Audit by webXray, published in April 2026, which analyzed 7,634 popular websites in California during March, simulating browsing sessions both with GPC enabled and without.
What the law says, what companies do
The California Consumer Privacy Act (CCPA) grants consumers the right to prohibit companies from selling and sharing their personal data. The technical reference mechanism, the Global Privacy Control, has been explicitly recognized by the California Attorney General as a binding signal that companies are legally required to respect. In 2022, Sephora was fined $1.2 million for ignoring it; in 2026, Disney signed the largest CCPA settlement ever, paying $2.75 million. In the first months of 2026 alone, California authorities have already issued three significant enforcement actions with total penalties exceeding $4.2 million.
Despite this context, the audit certifies that 55% of the analyzed sites set advertising cookies after the browser sent the GPC signal. A total of 125,106 advertising cookies were counted as being set in violation of the opt-out by 194 advertising services out of 242 evaluated, resulting in an overall failure rate of 80%.
Google: clear non-compliance in network traffic
The section on Google is the most detailed and technically direct. When a browser with GPC enabled connects to Google's advertising servers, the HTTP request includes the header sec-gpc: 1, which signals the rejection of tracking. Google’s server response ignores this header and returns a set-cookie command that sets the IDE cookie, an advertising tracker valid for two years on the domain doubleclick.net. The observed failure rate for Google is 77% out of the total instances of advertising cookies: GPC has virtually no effect on the majority of cookies that Google sets. In absolute numbers, the audit revealed 11,021 Google advertising cookies set despite the opt-out signal.
The technical solution proposed by webXray is straightforward: return an HTTP code 451 Unavailable For Legal Reasons when the server receives a request with sec-gpc: 1, without setting any cookies. An option that Google could implement today without overhauling its infrastructure. The company has taken a stance stating that the audit's conclusions are based on a “fundamental misunderstanding” of how its products operate, without providing technical details to support this position. Google has accumulated $2.318 billion in privacy penalties overall, among FTC, CNIL, Texas AG, and California AG.
Microsoft: same problem, same ignored solution
The failure mechanism for Microsoft is identical. The tracking pixel sent to bat.bing.com, even in the presence of sec-gpc: 1, responds by setting the MUID (Microsoft User Identifier) cookie on the domain .bing.com with a duration of one year. The failure rate for Microsoft is 35%, with 7,550 cookies set despite the opt-out. Here too, the technical fix would simply require responding with code 451 instead of the set-cookie command. Microsoft has totaled $390 million in privacy penalties, among CNIL, FTC, and Irish DPC (the latter for the LinkedIn advertising issue).
Meta: the Pixel doesn't even include the control
The situation for Meta is, if possible, even more critical from a legal standpoint. The code of the Meta Pixel, which Meta distributes and instructs publishers to install on their sites, does not contain any control for the GPC signal. There is no reference to navigator.globalPrivacyControl, no conditional loading: the pixel loads unconditionally, tracks the PageView, and sets a cookie regardless of user preferences. webXray shows that only two additional lines of code would be needed to make the pixel compliant: a simple if (!navigator.globalPrivacyControl) that incorporates the entire script initialization. The failure rate for Meta is 21%, with 1,293 cookies set despite the opt-out. Meta has accumulated a total of $9.304 billion in global privacy penalties.
The CMPs certified by Google: none work
The audit dedicates a specific section to the Consent Management Platforms (CMPs) certified by Google, the cookie banners that dominate every website. The result is clear: none of the 11 CMPs evaluated effectively block Google’s advertising cookies after the GPC signal is sent, leading to an overall failure rate of 100%. The largest CMP in the sample manages 1,239 sites and has contributed to 23,503 advertising cookies being set despite the opt-out, with an estimated legal exposure of $1.3 billion for publishers using it. webXray identifies this as a conflict of interest: Google is simultaneously the main advertising operator that ignores the opt-out and the entity that certifies the compliance tools that publishers adopt for protection.
The aggregate exposure: $5.8 billion
To calculate the potential overall exposure, webXray took the six CCPA enforcement actions where non-compliance with the opt-out was explicitly cited as the reason: Sephora ($1.2M, 2022), Healthline Media ($1.55M, 2025), Tractor Supply ($1.35M, 2025), PlayOn Sports ($1.1M, 2026), Ford ($375,703, 2026) and Disney ($2.75M, 2026). The resulting average fine is $1,387,617. Multiplying this figure by the 4,170 sites that set advertising cookies despite the opt-out yields an estimated aggregate exposure of $5.8 billion. CCPA penalties for intentional violations can reach $7,500, making the estimate conservative should regulators decide to qualify the conduct of the three companies as deliberate.
Since January 1, 2026, new CCPA rules have gone into effect, requiring companies to conduct mandatory cybersecurity audits, privacy risk assessments, and specific rules for automated decision-making systems. A regulatory context that has already produced concrete effects: in the first months of the year alone, CalPrivacy has initiated three major sanction proceedings. webXray finally specifies that the Californian audit is the first in a series of global audits: the next will target jurisdictions with even stricter privacy laws than the CCPA.