Major technology firms are routinely placing advertising cookies on user browsers even after those users have formally requested not to be tracked, according to a new report from the privacy organization webXray.
The audit, which examined California web traffic in March, determined that 194 online advertising services are ignoring Global Privacy Control (GPC) signals. These signals are designed to act as a standardized, legally recognized indicator of a consumer’s desire to opt out of data sharing under the California Consumer Privacy Act.
Researchers found that Google failed to honor opt-out requests 86% of the time. The report claims this non-compliance is easily observable in network traffic.
“When Google’s server responds to the network request with the opt-out it explicitly responds with a command to create an advertising cookie named IDE using the ‘set-cookie’ command,” the report stated. The document includes images that allegedly capture these servers issuing commands to create tracking cookies immediately after receiving an opt-out signal.
Industry responses to audit findings
Google denied the findings, with a spokesperson stating the report relies on a "fundamental misunderstanding of how our products work." The company maintained that it honors opt-outs provided by publishers and advertisers as required by law.
Meta’s performance in the audit was similarly scrutinized, with researchers reporting a 69% failure rate. The study alleged that Meta’s code "contains no check for globally standard opt-out signals" and instead loads trackers unconditionally. A Meta spokesperson dismissed the report as a "blatant marketing ploy" that misrepresents the company's data collection practices, arguing that their tools restrict how data is shared rather than how it is collected.
Microsoft, which the report found failed to honor opt-outs 50% of the time, cited operational requirements for its cookie usage. A spokesperson for the company stated, "Certain Microsoft cookies are necessary for operational purposes, and may therefore be placed and read even when a GPC signal is detected."
The findings are particularly relevant given California's history of enforcement. The state has previously issued significant fines for ignoring GPC signals, including a $1.2 million settlement with Sephora in 2022 and a $2.75 million penalty against Disney earlier this year.
The research, which was first reported by 404 Media, was overseen by Timothy Libert, the CEO of webXray and a former Google employee who previously managed cookie privacy policy at the tech giant.
