Privacy Audit Finds Google, Meta, and Microsoft Ignore Opt-Out Signals Across Thousands of Sites
A webXray audit of 7,587 California websites found that Google fails to honor Global Privacy Control opt-out signals 87% of the time, Meta 69%, and Microsoft 50%. The findings expose a systemic gap between consent infrastructure and actual tracking behavior — with direct consequences for cookie-based ad measurement.
A sweeping privacy audit published on April 14 by webXray, the privacy research firm led by former Google cookie compliance lead Dr. Timothy Libert, found that the advertising industry's three largest data collectors — Google, Meta, and Microsoft — routinely ignore legally mandated opt-out signals from California consumers. The audit scanned 7,587 of the most popular websites in California and found that 55% of them set advertising cookies in users' browsers even after those users sent a Global Privacy Control signal requesting not to be tracked.
The implications for ad measurement are immediate. If the platforms that power most digital attribution, conversion tracking, and audience measurement are collecting data from users who have explicitly opted out, then the measurement infrastructure built on that data is operating on a foundation that regulators are actively fining companies for using.
The Audit: What webXray Found
As 404 Media reported, the webXray audit tested each of the 7,587 websites twice — once with Global Privacy Control enabled and once without — to measure whether advertising cookies were blocked when a user signaled an opt-out preference. The Global Privacy Control is a browser-level signal, endorsed by the California Attorney General and required to be honored under the California Consumer Privacy Act and the California Privacy Rights Act.
The failure rates were stark. Google failed to honor opt-out signals 87% of the time, meaning its tracking infrastructure continued setting cookies on nearly 9 out of 10 websites even when users explicitly requested not to be tracked. Meta's failure rate was 69%, and Microsoft's was 50%. Across all services audited, 194 online advertising services were found to ignore the legally defined opt-out signal.
Consent Management Platforms Are Failing Too
The audit also examined consent management platforms — the tools websites deploy to give users cookie choice banners. webXray tested three CMP providers certified by Google and found opt-out failure rates of 77%, 90%, and 91%. No Google-certified CMP evaluated worked 100% of the time, and all were found to regularly fail to prevent Google from setting cookies despite the presence of a standard opt-out signal.
This finding is particularly damaging because CMPs are the mechanism through which most publishers claim CCPA and CPRA compliance. If the consent tools themselves cannot reliably enforce opt-out preferences, then the entire consent-based data collection framework that underpins digital advertising measurement is compromised — not in theory, but in practice, at scale.
Enforcement Is Accelerating
The audit arrives as California regulators are ramping up enforcement against companies that fail to honor privacy opt-outs. Six public enforcement actions have explicitly cited opt-out non-compliance, with fines ranging from $375,700 to $2.75 million.
The most significant is the record $2.75 million settlement with Disney announced in early 2026. Investigators found that Disney's opt-out toggles only applied to the specific streaming service and device a consumer was using, that webform opt-outs were limited to Disney's own advertising platforms while third-party tracking pixels continued sharing data, and that GPC signals were honored only on the device used to make the request rather than across all user devices.
In March 2026, the California Privacy Protection Agency announced enforcement actions against Ford and PlayOn Sports totaling nearly $1.5 million. Ford's violation stemmed from requiring email verification before processing opt-out requests, resulting in valid requests going unprocessed. PlayOn Sports was fined $1.1 million for using third-party cookies, persistent trackers, and metapixels to target behavioral advertising to ticketholders — including students at California schools.
Why This Matters for Measurement
The webXray audit is not merely a privacy story. It is a measurement integrity story. Consider the chain of dependencies: advertisers run campaigns that are measured by platforms like Google Ads, Meta Ads Manager, and Microsoft Advertising. Those platforms use cookies and tracking pixels to attribute conversions, build audience segments, and optimize delivery. If those cookies are being set on users who opted out of tracking, the resulting measurement data includes signals that should not exist under California law.
This creates several concrete problems for measurement teams. First, attribution models trained on data that includes non-consented tracking will overstate reach and potentially misattribute conversions. When regulators force compliance — and the trajectory of enforcement suggests they will — the sudden removal of non-consented data will create a measurement discontinuity that looks like a performance decline but is actually a correction.
Second, any incrementality test, media mix model, or lift study that uses platform-reported conversions as a dependent variable is indirectly affected. If the platform's conversion data is inflated by non-consented tracking, the incremental lift calculations are built on a biased baseline.
Third, the CMP failure rates raise questions about first-party data strategies. Many publishers have invested heavily in consent-based data collection as an alternative to third-party cookies. If the consent infrastructure itself is unreliable, first-party data quality is compromised at the point of collection.
What Measurement Teams Should Do Now
Audit your consent infrastructure. Do not assume your CMP is working correctly. The webXray audit found failure rates above 75% for Google-certified CMPs. Test your own implementation by sending a GPC signal and verifying that advertising cookies are actually blocked — not just that a consent banner is displayed.
Quantify your exposure to non-consented data. Pull reports segmenting campaign performance by California versus non-California audiences. If California performance metrics shift significantly after consent enforcement tightens, you have a data quality problem that needs to be addressed before it becomes an audit liability.
Stress-test your models against data removal. If 10-15% of your tracked conversions in California were removed overnight due to consent enforcement, how would your attribution models, MMMs, and incrementality baselines change? Running that scenario now is better than discovering it during a regulatory action.
Accelerate privacy-safe measurement adoption. Aggregated measurement APIs, modeled conversions, and privacy-enhancing technologies like clean rooms exist specifically for this scenario. The webXray audit is a concrete reminder that cookie-based measurement in privacy-regulated markets is not just strategically risky — it is legally precarious.
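An added example for the first recommendation above (auditing your consent infrastructure), not part of the original article and not webXray's tooling: it compares two HAR captures of the same page, one baseline and one taken with GPC enabled, and reports which advertising cookies response headers still set. The watch list of ad hosts, the function names and the sample captures are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Assumption: auditor-supplied watch list of advertising hosts (illustrative only).
AD_SUFFIXES = {"doubleclick.net": "Google", "facebook.com": "Meta", "bing.com": "Microsoft"}

def _header(headers, name):
    """All values of a header (case-insensitive name) from a HAR header list."""
    return [h["value"] for h in headers if h["name"].lower() == name]

def vendor_for(host):
    for suffix, vendor in AD_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return vendor
    return None

def ad_cookies(har, require_gpc=False):
    """Return {(vendor, host, cookie_name)} set via Set-Cookie by watched hosts."""
    found = set()
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname or ""
        vendor = vendor_for(host)
        if vendor is None:
            continue
        # A run that never sent the opt-out header does not test opt-out handling.
        if require_gpc and _header(entry["request"]["headers"], "sec-gpc") != ["1"]:
            raise ValueError(f"request to {host} lacks Sec-GPC: 1; capture is invalid")
        for value in _header(entry["response"]["headers"], "set-cookie"):
            found.add((vendor, host, value.split("=", 1)[0].strip()))
    return found

def compare(baseline_har, gpc_har):
    base, gpc = ad_cookies(baseline_har), ad_cookies(gpc_har, require_gpc=True)
    return {"still_set": sorted(gpc), "blocked": sorted(base - gpc)}

def _entry(url, set_cookies=(), gpc=False):  # builds one constructed HAR entry
    req = [{"name": "Sec-GPC", "value": "1"}] if gpc else []
    resp = [{"name": "Set-Cookie", "value": c} for c in set_cookies]
    return {"request": {"url": url, "headers": req}, "response": {"headers": resp}}

# Constructed sample captures (not real traffic).
BASELINE = {"log": {"entries": [
    _entry("https://shop.example/", ["session=abc; Path=/"]),
    _entry("https://ad.doubleclick.net/p", ["IDE=constructed1; Domain=.doubleclick.net"]),
    _entry("https://www.facebook.com/p", ["fr=constructed2; Domain=.facebook.com"]),
    _entry("https://bat.bing.com/p", ["MUID=constructed3; Domain=.bing.com"])]}}
GPC_ON = {"log": {"entries": [
    _entry("https://shop.example/", ["session=abc; Path=/"], gpc=True),
    _entry("https://ad.doubleclick.net/p", ["IDE=constructed1; Domain=.doubleclick.net"], gpc=True),
    _entry("https://bat.bing.com/p", [], gpc=True)]}}

if __name__ == "__main__":
    print(json.dumps(compare(BASELINE, GPC_ON), indent=2))
```

Set-Cookie headers in a HAR do not show cookies that scripts write through document.cookie, so compare the browser's cookie jar between the two runs as well.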
Dr. Libert, who resigned from Google after leading its internal cookie policy and compliance team, designed webXray's audit methodology specifically to test whether the ad tech industry's consent infrastructure works as advertised. The answer, based on 7,587 websites and 194 advertising services, is that it does not — and the measurement systems built on top of it are exposed.