When California users ask websites to stop tracking them, Google ignores that request 86% of the time. This is the main finding from a forensic audit conducted by WebXray, a non-profit privacy monitoring organization, in March 2026.
The group analyzed web traffic on many of the most popular sites online and found that 194 ad services were deploying tracking cookies even after users had exercised their right to opt out.
Global Privacy Control (GPC) is a signal sent by the browser that tells websites the user does not want their personal data sold or used for advertising purposes. It is legally binding in California.
Under the California Consumer Privacy Act (CCPA), when a user’s browser sends the sec-gpc:1 header, businesses are required by law to honor it as a legitimate do-not-sell request.
There are currently four US states where GPC has statutory authority. In California, failure to comply is not just a policy mistake; it is now a punishable offense under CCPA rules. The latest CCPA violations have resulted in harsh penalties for companies.
The audit, conducted by Dr. Timothy Libert, who once headed Google’s cookie policy, identified three distinct patterns of GPC non-compliance.
When Google’s ad servers receive a GPC signal, they routinely ignore it and respond by placing a two-year IDE advertising cookie on the user’s device. Microsoft’s tracking network receives similar signals and returns a one-year MUID cookie regardless.
There is no code for GPC checking in Meta’s tracking pixel. It activates unconditionally, recording tracking events regardless of any privacy settings enabled by the user.
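The first two patterns can be checked mechanically in captured traffic. The following is an added example, not WebXray's tooling or code from the audit: it flags responses that set the IDE or MUID cookies named above in reply to a request carrying `Sec-GPC: 1`. The exchange format, hosts and cookie values are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

AD_COOKIES = {"IDE", "MUID"}  # cookie names the article reports; extend as needed

def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, attrs) with lower-cased attribute keys."""
    first, *rest = [p.strip() for p in value.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.split("=", 1)[0].strip(), attrs

def lifetime_days(attrs, now):
    """Lifetime in days from Max-Age (takes precedence) or Expires; None = session cookie."""
    try:
        if "max-age" in attrs:
            return int(attrs["max-age"]) / 86400
        if "expires" in attrs:
            return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    except (TypeError, ValueError):
        pass  # unparseable attribute: treat as a session cookie
    return None

def gpc_violations(exchanges, now=None):
    """Return (url, cookie, days) for ad cookies set in reply to a Sec-GPC: 1 request."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for ex in exchanges:
        req = {k.lower(): v.strip() for k, v in ex["request"]}
        if req.get("sec-gpc") != "1":
            continue  # no opt-out signal was sent on this request
        for value in (v for k, v in ex["response"] if k.lower() == "set-cookie"):
            name, attrs = parse_set_cookie(value)
            days = lifetime_days(attrs, now)
            if name in AD_COOKIES and (days is None or days > 0):  # days <= 0 deletes
                findings.append((ex["url"], name, None if days is None else round(days)))
    return findings

# Constructed sample exchanges (hypothetical hosts and values, not audit data).
SAMPLE = [
    {"url": "https://ads.example/collect", "request": [("Sec-GPC", "1")],
     "response": [("Set-Cookie", "IDE=abc; Max-Age=63072000; Secure; SameSite=None")]},
    {"url": "https://sync.example/id", "request": [("sec-gpc", "1")],
     "response": [("Set-Cookie", "MUID=xyz; Max-Age=31536000"), ("Set-Cookie", "IDE=; Max-Age=0")]},
    {"url": "https://ads.example/noopt", "request": [],
     "response": [("Set-Cookie", "IDE=abc; Max-Age=63072000")]},
]
```

A cookie cleared with `Max-Age=0` and a cookie set on a request without the header are both left out of the findings, so only persistent ad cookies issued after an opt-out are reported.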
WebXray also found that none of the Google-certified consent management platforms it evaluated work correctly 100% of the time, meaning the industry’s own compliance infrastructure is also failing in its stated purpose.
The authors of the audit calculated a potential aggregate liability exposure of $5.8 billion across the 194 non-compliant advertising services identified.
This figure is based on existing CCPA penalty structures applied at the scale of documented violations, and represents a significant legal risk for companies that have until now considered GPC compliance optional.
55% of all audited websites in California were found to be setting advertising cookies despite active user opt-outs.
