New Research: Google, Microsoft, Meta Still Track You Post

A new forensic audit has delivered a significant blow to consumer privacy, revealing that tech giants Google, Microsoft, and Meta are systematically ignoring legally defined privacy opt-out signals.

According to the March 2026 California Privacy Audit conducted by webXray, 194 online advertising services are setting tracking cookies even after users explicitly invoke the Global Privacy Control (GPC).

Led by Dr. Timothy Libert, a former lead of Google’s cookie policy, the webXray research analyzed web traffic across thousands of popular websites in California.

The findings expose what researchers identify as industrial-scale non-compliance with the California Consumer Privacy Act (CCPA), noting that 55% of audited sites set ad cookies despite user opt-outs.

How Tracking Bypasses Opt-Outs

The audit highlights the specific technical mechanisms these companies use to bypass privacy preferences. When a user enables GPC, their browser sends a sec-gpc: 1 network request header.

Under California law, businesses must honor this as a valid request to stop sharing personal data, but the audit found glaring failures:

• Google (86% Failure Rate): When Google’s ad servers receive the sec-gpc: 1 signal, they routinely ignore it and respond with a command to create the two-year “IDE” advertising cookie. Researchers note Google could easily fix this by returning an HTTP 451 “Unavailable For Legal Reasons” status code instead.
• Microsoft (50% Failure Rate): Similar to Google, Microsoft’s tracking network receives the GPC signal but unconditionally returns a one-year “MUID” tracking cookie to the consumer’s device.
• Meta (69% Failure Rate): Meta’s tracking pixel snippet, which publishers embed on their websites, contains no code to check for the GPC signal. It fires unconditionally, recording tracking events regardless of the user’s privacy settings.

Perhaps the most concerning discovery is the failure of Consent Management Platforms (CMPs). The audit found that the vast majority of cookie banners actually fail to protect users.

Even worse, Cookie Choice Banners that are officially certified by Google frequently fail to prevent Google from setting cookies after a user opts out. Across three major Google-certified CMP vendors tested by webXray, opt-out failure rates ranged from 77% to 91%.

Regulatory Fallout and Mitigation

California regulators have made it clear that ignoring the GPC is a punishable offense, and recent CCPA enforcement actions have resulted in massive penalties for companies that fail to process opt-outs properly.

The California Privacy Audit projects a potential aggregate liability exposure of $5.8 billion across the industry due to these ongoing violations.

To mitigate these privacy threats and avoid regulatory fines, organizations should implement the following strategies:

• Server-Side Rejection: Ad servers must be configured to detect the sec-gpc: 1 header and immediately drop the request, ensuring no tracking payloads are delivered.
• Conditional Script Loading: Website administrators should wrap third-party tracking scripts in conditional statements that check for navigator.globalPrivacyControl before execution.
• Independent Traffic Auditing: Organizations cannot blindly trust third-party consent banners; compliance teams must actively monitor live network requests to verify that cookies are actually blocked.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.