Audit: Big Tech Often Ignores CA Privacy Law Opt-Out Requests
Dark Reading
Google, Meta, and Microsoft about half the time don't comply with requests to opt out of online tracking per a California law mandate, privacy watchdog finds.
Elizabeth Montalbano, Contributing Writer
April 15, 2026
In what appears to be yet another failure of regulatory attempts to honor online users' privacy, three of the top tech firms at least 50% of the time don't honor user requests to opt out of online trackers in California, despite a state law that requires it, an independent audit of websites found.
Google, Meta, and Microsoft may be violating state privacy requirements by not, in practice, honoring user opt-out signals, according to the audit by privacy firm WebXray, which studied California Web traffic in March.
In 2020, California enacted the California Consumer Privacy Act (CCPA), which requires that Internet browsers and mobile operating systems let users opt out of the sale or sharing of their personal information. As part of the law, California endorsed the use of the Global Privacy Control (GPC) browser setting or plug-in as the mechanism for consumers to exercise this right at scale, which businesses must honor, according to the audit.
The WebXray audit found that "194 online advertising services ignore legally defined, globally standard, opt-out signals endorsed by regulators," according to the report. Moreover, and "more concerning," according to WebXray, the audit found that Cookie Choice Banners certified by Google fail to prevent Google from setting cookies after users opt out with a GPC signal.
To gather its results, WebXray analyzed 7,634 popular websites scanned from a California residential IP address under two conditions: with GPC enabled and without. "Our findings reveal major technology companies simply ignore globally defined opt-out signals, raising the spectre of industrial-scale non-compliance with California requirements," according to the report.
Google and Microsoft did not immediately respond Wednesday to separate requests by Dark Reading for comment on the findings. However, in comments made in a public report, both Google and Meta argued that their privacy controls were misrepresented, while Microsoft said that consumer privacy is a top priority for the company.
In an emailed statement to Dark Reading, a Meta spokesperson said, "This is a blatant marketing ploy that misrepresents how the Global Privacy Control setting works and Meta's role. The control setting restricts how data is shared, not collected, and Meta already requires that when using the Meta pixel, advertisers only share with us information they have obtained the right to share. Meta further encourages websites to use our Limited Data Use feature so they can clearly indicate to us when they have permission to share certain information - and when we get information identified that way, we restrict its use."
Google Scores Highest Failure Rate
The audit is not the first time that researchers found those in the business of overseeing user privacy falling short of compliance with the CCPA. The findings of the WebXray audit follow the results of a 2025 study by the University of California, Irvine, that found half of data brokers online ignore requests to opt out of tracking.
The audit by WebXray shines a particular light on how three of the top tech companies — Google, Meta, and Microsoft — fare in terms of honoring opt-out requests across thousands of sites in California that use their technology.
Of the three, Google is the worst offender, with an opt-out "failure rate" of 86%, according to the findings, and has paid $2.32 billion so far in privacy fines due to a lack of overall regulatory compliance. The audit delved into the mechanics of the California failure in particular, which the researchers said "is easy to find in network traffic."
"When a browser using GPC connects to Google's servers it encodes the opt-out signal by sending the code 'sec-gpc: 1,'" according to the report. "This means Google should not return cookies."
However, when Google's server responds to the network request with the opt-out, it explicitly responds with a command to create an advertising cookie named IDE using the 'set-cookie' command, according to the findings. "This non-compliance is easy to spot, hiding in plain sight."
Meta, Microsoft Also Ignore Signals
Meta came in as a close second to Google with an opt-out failure rate of 69%, mainly due to tracking code it instructs its publishers to install that contains "no check for globally standard opt-out signals," according to the audit. So far the company, which owns Facebook and Instagram, has paid $9.3 billion in overall regulatory privacy fines, according to WebXray.
"Despite the fact that Meta publishes this code online, where it may be viewed by anybody, to date nobody has asked why it omits checks for the Global Privacy Control signal," according to WebXray.
Microsoft, meanwhile, honors opt-out signals about half the time and has paid $390 million so far in privacy fines overall. The audit found that its advertising network fails to honor GPC opt-out signals in a similar way to Meta. It sets the Microsoft User Identifier (MUID) cookie, an advertising tracker, on the bing.com domain when Microsoft's tracking pixel actually is set not to return a cookie, according to the report.
How Security Teams Can Enhance Privacy
WebXray's audit has no legal bearing on its own, and thus its findings should not be taken as legal violations of the CCPA, the firm stressed in its report. However, there is precedent for companies already paying fines for CCPA violations, notably $1.2 million in 2022 and $2.75 million in 2025 by the California Attorney General levied against Sephora and Disney, respectively.
To help ensure that companies are complying with the CCPA and other privacy regulations when people visit their websites, security professionals should continuously test opt-out signal handling, including GPC and other consent frameworks for websites. They also should audit third-party data flows and ad-tech dependencies; align privacy controls with actual runtime behavior; and treat privacy telemetry like security telemetry in terms of logs, validation, and alerting, according to WebXray.
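As an added example (not code from WebXray's report or from Dark Reading), here is a check of the kind the audit describes: given recorded request and response headers, it reports every response that sets a watched advertising cookie after the request carried sec-gpc: 1. The exchange format, the .example hosts and the sample traffic are constructed for illustration, and a cookie sent with Max-Age=0 is treated as a deletion rather than a violation.

```python
# Added example: flag ad cookies set in reply to a request carrying Sec-GPC: 1.
# Exchange shape and sample traffic are constructed; *.example hosts are placeholders.
WATCHED_COOKIES = {"IDE", "MUID"}  # advertising cookie names cited in the article

def header_values(headers, name):
    """All values of a header; HTTP header names are case-insensitive."""
    return [v.strip() for n, v in headers if n.lower() == name.lower()]

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, lowercased attribute dict)."""
    first, *rest = value.split(";")
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def is_deletion(attrs):
    """Max-Age <= 0 tells the browser to delete the cookie rather than store it."""
    try:
        return int(attrs.get("max-age", "1")) <= 0
    except ValueError:
        return False

def gpc_violations(exchanges, watched=WATCHED_COOKIES):
    """Return (url, cookie name) for each watched cookie set despite the opt-out."""
    findings = []
    for ex in exchanges:
        if "1" not in header_values(ex["request_headers"], "sec-gpc"):
            continue  # no opt-out signal on this request, out of scope
        for raw in header_values(ex["response_headers"], "set-cookie"):
            name, attrs = parse_set_cookie(raw)
            if name in watched and not is_deletion(attrs):
                findings.append((ex["url"], name))
    return findings

SAMPLE = [  # constructed exchanges, not captured traffic
    {"url": "https://adserver.example/pixel", "request_headers": [("sec-gpc", "1")],
     "response_headers": [("set-cookie", "IDE=abc123; Path=/; Secure; SameSite=None")]},
    {"url": "https://pixel.example/t", "request_headers": [("Sec-GPC", "1")],
     "response_headers": [("Set-Cookie", "MUID=0; Max-Age=0; Path=/")]},
    {"url": "https://adserver.example/pixel", "request_headers": [],
     "response_headers": [("Set-Cookie", "IDE=def456; Path=/")]},
]

if __name__ == "__main__":
    for url, cookie in gpc_violations(SAMPLE):
        print(f"GPC opt-out sent, but {cookie} was set by {url}")
```

Run against headers exported from a scheduled browser crawl with GPC enabled, the returned list can feed the same alerting pipeline used for security telemetry.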