A recent privacy audit conducted in California has raised serious concerns about global data protection practices in the tech industry. According to the report, major companies such as Google, Microsoft, and Meta are allegedly ignoring explicit user “opt-out” signals and continuing to enable tracking cookies despite users withdrawing consent.
The March 2026 California Privacy Audit conducted by webXray found that more than 194 online advertising services were still setting cookies even after users had enabled Global Privacy Control (GPC), a legally recognized mechanism under the California Consumer Privacy Act (CCPA) to signal opt-out from data sharing.
The report further revealed that nearly 55% of websites included in the study continued to activate advertising cookies even after receiving opt-out signals. This raises serious questions about transparency and accountability in the digital advertising ecosystem.
FCRF Returns With CDPO, Its Premier Data Protection Certification for Privacy Professionals
Tech Giants Show Highest GPC Signal Failure Rates
The audit’s most striking finding was that Google, Microsoft, and Meta technically receive GPC signals but fail to act on them effectively.
Google reportedly showed up to an 86% failure rate, where its ad servers still activated “IDE” advertising cookies despite receiving the “sec-gpc: 1” signal. The report also noted that Google could technically block such tracking using mechanisms like HTTP 451 responses but does not consistently implement them.
Microsoft’s advertising network was found to activate “MUID” tracking cookies in approximately 50% of cases without user consent being properly honored. Meanwhile, Meta’s tracking pixel system reportedly does not even recognize GPC signals, resulting in automatic data collection as soon as a user visits a webpage.
Expert Analysis Reveals Design-Level Compliance Issues
A researcher commenting on the findings stated, “This is not just a technical flaw, but a design-level compliance failure where user consent is not being prioritized.”
In its preliminary cyber privacy analysis, the Future Crime Research Foundation (FCRF) also expressed concern over the findings. According to researchers associated with the foundation, consent in modern digital advertising systems is often implemented only at the interface level, while backend tracking continues regardless of user preferences. FCRF warns that this structural gap could significantly increase risks of data misuse, unauthorized profiling, and broader cyber privacy threats in the future.
Renowned cyber crime expert and former IPS officer Prof. Triveni Singh stated that such developments weaken the foundation of trust in the digital ecosystem. He noted that when legally recognized opt-out signals are ignored at a technical level, it reflects not just a compliance gap but a deeper governance crisis in data management. He emphasized that stronger technical and legal oversight will be essential going forward.
CMP Systems and Regulatory Implications
The report also highlighted that several Consent Management Platforms (CMPs), widely used for cookie consent control on websites, are themselves ineffective. Even Google-certified CMP systems showed failure rates ranging between 77% and 91% after users opted out.
Experts believe the issue is not purely technical but also regulatory in nature. California regulators have indicated that ignoring GPC signals may be treated as a legal violation, with significant penalties. The estimated total industry liability exposure could reach up to $5.8 billion.
Security specialists suggest that solutions such as server-side tracking controls, conditional script loading, and independent network auditing are necessary to ensure that privacy settings are properly enforced.
The revelations come at a time when global regulations around data privacy and user consent are becoming increasingly strict. However, the report indicates that the current digital advertising ecosystem still prioritizes data-driven advertising economics over user control.
The findings once again raise a critical question: in the modern digital world, is “opt-out” truly effective, or has it become merely a formal option without real enforcement?
About the author – Ayesha Aayat is a law student and contributor covering cybercrime, online frauds, and digital safety concerns. Her writing aims to raise awareness about evolving cyber threats and legal responses.
