Overview
- The webXray audit, published Tuesday, examined traffic on more than 7,000 popular California sites and found 55% set ad cookies after users sent a Global Privacy Control opt-out signal, which California treats as a legal request.
- Google showed an opt-out failure rate of about 86 to 87 percent, Meta 69 percent, and Microsoft 50 percent, with examples that include Google setting an IDE ad cookie after receiving the Sec-GPC: 1 header and Meta’s pixel code loading without a GPC check.
- Google, Meta and Microsoft disputed the findings and said they honor required opt-outs, with Microsoft adding that some cookies are needed for operations even when a GPC signal is present.
- Cookie banners also failed often, as three Google-certified consent platforms that manage users’ choices let Google set cookies in 77 to 91 percent of tests despite an opt-out.
- California’s privacy law requires businesses to honor GPC and allows fines per violation, regulators declined comment on this report, and state senator Josh Becker called for real consequences as broader measures like the Delete Act come online in August 2026.