Major Platforms Accused of Ignoring Privacy Opt-Out Signals
New research from privacy organization webXray is raising serious questions about whether some of the world's largest technology companies are honoring consumers' requests not to be tracked online. The audit, which examined California web traffic during March, found that 194 online advertising services are ignoring legally defined, globally standard opt-out signals that have been endorsed by regulators.
The findings put these companies at potential odds with the California Consumer Privacy Act (CCPA), which grants consumers the explicit right to decline the sale of their personal data. The mechanism at the center of this dispute is known as Global Privacy Control (GPC) — a browser-based signal, often activated through a browser extension, that communicates a user's preference not to be tracked to the websites and services they visit.
How the GPC Mechanism Is Supposed to Work
When a user enables GPC, websites and their affiliated advertising networks are expected to detect that signal and refrain from placing tracking or advertising cookies in the user's browser. California regulators have taken this requirement seriously, having already penalized companies for ignoring GPC in the past. Sephora was hit with a $1.2 million fine in 2022, and Disney received a $2.75 million fine in February for similar violations. The webXray findings were first reported by 404 Media.
Google's Alleged Non-Compliance
According to the webXray report, Google allegedly ignored consumers' opt-out requests 86% of the time. The report states that Google's failure to honor GPC signals is straightforward to identify by examining network traffic.
"Google's failure to honor the GPC opt-out signal is easy to find in network traffic. This non-compliance is easy to spot, hiding in plain sight."
The report includes images purportedly showing how Google's servers respond to opt-out signals with a command to create an advertising cookie. Specifically, webXray alleges that "when Google's server responds to the network request with the opt-out it explicitly responds with a command to create an advertising cookie named IDE using the 'set-cookie' command."
It is worth noting that Timothy Libert, the CEO of webXray, previously oversaw cookie privacy policy at Google until 2023. A Google spokesperson responded to the findings, calling the report the result of a "fundamental misunderstanding of how our products work," and adding that the company honors opt-outs as required by law.
Microsoft's 50% Failure Rate
The report also flags Microsoft as failing to honor opt-out requests 50% of the time. WebXray alleges that Microsoft's method for responding to GPC signals with improper commands mirrors the approach used by Google.
A Microsoft spokesperson pushed back on the characterization, stating that consumer privacy is a top priority: "When we receive a GPC signal, we opt the user out of sharing personal data with third parties for personalized advertising, and our advertising systems are designed to reflect that choice." The spokesperson did acknowledge that some cookies may still be placed, noting that "certain Microsoft cookies are necessary for operational purposes, and may therefore be placed and read even when a GPC signal is detected."
Meta's 69% Non-Compliance Rate
Meta faces the sharpest language in the webXray report, which claims the company's code "contains no check for globally standard opt-out signals — it loads unconditionally, fires a tracking event, and sets a cookie regardless of the consumer's privacy preferences." WebXray alleges a 69% opt-out failure rate for Meta.
A Meta spokesperson dismissed the research as a "blatant marketing ploy that misrepresents how the Global Privacy Control setting works and Meta's role," arguing that GPC restricts how data is shared, not collected. The spokesperson added that Meta already requires advertisers using the Meta pixel to only share information they have the right to share.
Competing Interpretations of the Law
The dispute between the tech companies and webXray ultimately hinges on competing interpretations of what GPC compliance actually requires. The companies contend that their practices are legally sound, while webXray argues that placing advertising cookies after receiving an opt-out signal is a clear violation of CCPA requirements — regardless of how the data is subsequently used or shared.
- Google: 86% alleged opt-out failure rate; disputes the findings entirely
- Meta: 69% alleged opt-out failure rate; says the research misrepresents GPC's scope
- Microsoft: 50% alleged opt-out failure rate; acknowledges operational cookies may still be set
With California regulators having already demonstrated a willingness to impose substantial fines for GPC non-compliance, these findings could attract renewed regulatory scrutiny toward all three companies. Whether the webXray report leads to formal enforcement action remains to be seen, but the audit adds to a growing body of evidence suggesting that privacy opt-out mechanisms are not functioning as lawmakers intended.
Source: The Record