Google, Meta Fail to Honor California Privacy Opt-Outs, New Audit Reveals
An independent audit released in mid-April found that major technology companies, including Google, Meta, and Microsoft, are systematically failing to honor legally mandated user requests to opt out of data tracking, placing them and the thousands of businesses using their services at risk of violating California’s landmark privacy laws.
The investigation, conducted in March 2026 by the privacy research firm webXray, revealed stark levels of non-compliance with the Global Privacy Control (GPC) signal, a browser-based tool that allows users to automatically communicate their desire to opt out of the sale or sharing of their personal information. According to the report, Google had the highest failure rate, ignoring the GPC signal in 87% of cases. Meta followed with a 69% failure rate, and Microsoft failed to honor the signal 50% of the time.
The audit scanned 7,634 popular websites from a residential California IP address to measure the real-world behavior of online advertising technology. Researchers loaded each website twice: once without the GPC signal enabled (the control) and once with it enabled (the treatment), counting the number of advertising cookies set in each instance. The findings, webXray stated, “reveal major technology companies simply ignore globally defined opt-out signals, raising the spectre of industrial-scale non-compliance with California requirements.”
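The control/treatment comparison described above can be reproduced against a site operator's own cookie captures; the following is an added example, not webXray's code or methodology. The vendor names, domains, observations, and the failure definition (a vendor fails on a site if it sets any ad cookie on the load sent with `Sec-GPC: 1`) are constructed assumptions.

```python
from collections import defaultdict

# Hypothetical ad-cookie domains mapped to vendor labels (assumption, not from the report).
AD_DOMAINS = {"adtech-a.test": "VendorA", "track-b.test": "VendorB"}

# Constructed observations: (site, run, cookie_domain). "control" is the load
# without GPC; "treatment" is the load sent with the `Sec-GPC: 1` request header.
OBSERVATIONS = [
    ("shop.test", "control", ".adtech-a.test"),
    ("shop.test", "control", "sync.track-b.test"),
    ("shop.test", "treatment", ".adtech-a.test"),        # still set after opt-out
    ("news.test", "control", "px.adtech-a.test"),
    ("news.test", "control", "track-b.test"),
    ("news.test", "treatment", "cdn.notadtech-a.test"),  # look-alike, not VendorA
    ("blog.test", "control", "track-b.test"),
    ("blog.test", "treatment", "track-b.test"),          # still set after opt-out
]

def vendor_for(cookie_domain, ad_domains=AD_DOMAINS):
    """Map a cookie domain to a vendor, matching only on DNS label boundaries."""
    host = cookie_domain.lstrip(".").lower()
    for domain, vendor in ad_domains.items():
        if host == domain or host.endswith("." + domain):
            return vendor
    return None

def gpc_failure_rates(observations, ad_domains=AD_DOMAINS):
    """Return {vendor: (failed_sites, observed_sites, failure_rate)}."""
    counts = defaultdict(lambda: {"control": 0, "treatment": 0})
    for site, run, cookie_domain in observations:
        vendor = vendor_for(cookie_domain, ad_domains)
        if vendor is not None:
            counts[(site, vendor)][run] += 1
    failed, seen = defaultdict(int), defaultdict(int)
    for (site, vendor), c in counts.items():
        seen[vendor] += 1            # vendor set an ad cookie in at least one load
        if c["treatment"] > 0:       # ad cookie still set despite the opt-out signal
            failed[vendor] += 1
    return {v: (failed[v], seen[v], failed[v] / seen[v]) for v in seen}

if __name__ == "__main__":
    for vendor, (bad, total, rate) in sorted(gpc_failure_rates(OBSERVATIONS).items()):
        print(f"{vendor}: {bad}/{total} sites still set ad cookies under GPC ({rate:.0%})")
```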
Beyond the tech giants, the audit identified 194 online advertising services that ignored the legally defined opt-out signals. The report also noted that more than half of the thousands of websites scanned failed to prevent tracking cookies despite receiving a GPC request from the user’s browser.
Under the California Consumer Privacy Act (CCPA) and the superseding California Privacy Rights Act (CPRA), businesses that collect data from California residents are legally required to honor GPC signals as a valid consumer request to opt out. Enforcement is handled by the California Attorney General’s office and the California Privacy Protection Agency (CPPA).
While the webXray audit itself carries no legal weight, it exposes a significant potential liability for companies operating in the state. Regulators have already established a precedent for penalizing this specific type of non-compliance. In 2022, cosmetics retailer Sephora paid a $1.2 million settlement for, among other violations, failing to process GPC opt-out requests. More recently, in 2025, Disney faced a $2.75 million penalty for similar CCPA violations.
Particularly concerning, according to the report, was the finding that even websites using Google’s own certified “Cookie Choice Banners” still allowed Google to set advertising cookies after a user had opted out via the GPC signal. This suggests a potential disconnect between the compliance tools offered to website operators and the actual data processing behavior of the underlying advertising platforms.
The audit was led by webXray founder Timothy Libert, a privacy expert who previously led cookie policy and compliance at Google from 2021 to 2023. His background also includes 15 years in academia studying digital tracking and consulting for state and national regulators, lending significant weight to the report’s findings. His firm, webXray, now advises companies on legal compliance and assists law firms in identifying privacy violations.
For the thousands of small and mid-sized businesses that rely on advertising platforms from Google, Meta, and others to reach customers, this audit presents a hidden but substantial risk. Liability under the CCPA and CPRA does not stop with the ad-tech provider; it extends to the website operator that deploys the tracking technology. If a third-party script on a company’s website fails to honor an opt-out signal, the company itself can be held responsible for the non-compliant data sharing.
This audit serves as a stark reminder that regulatory compliance is not merely a matter of policy documents and privacy banners. In our experience, many businesses believe they are compliant because they use well-known, mainstream tools, but this report shows that the technical reality can be very different. This gap between perceived and actual compliance creates a silent liability on the balance sheet. Fines and legal fees are the obvious consequences, but the erosion of customer trust from a public compliance failure can inflict even greater long-term financial damage. We view this as a critical issue of financial risk management. Proactively auditing third-party data flows and validating that opt-out mechanisms function as intended is no longer optional. C&S Finance Group LLC helps clients navigate these complex regulatory environments to protect their financial health, and you can learn more at csfinancegroup.com.
Following the publication of webXray's findings, all eyes will be on California's regulators. The report provides a potential roadmap for enforcement actions by the Attorney General or the CPPA. It may also fuel class-action lawsuits against non-compliant companies and prompt businesses to conduct more rigorous technical audits of their own websites and the vendors they rely upon.