- webXray audit finds Google, Microsoft and Meta ignoring global privacy governance signals
- Despite legal requirements in California and other states, 55% of sites still set advertising cookies after opt-out.
- The report highlights Google’s 86% failure rate, Microsoft’s one-year tracking cookie, and Meta’s ongoing event logging; A potential liability of $5.8 billion is projected.
Big tech companies like Google, Microsoft, and Meta are completely ignoring people’s explicit requests not to be tracked or to sell their browsing data to third parties. This is what emerges from a new forensic audit recently carried out by webXray, a search engine for analyzing Internet tracking, traffic and content.
Earlier this year, webXray published the March 2026 California Privacy Audit, which said that even when users explicitly invoke the Global Privacy Control (GPC), 194 online advertising services were still setting tracking cookies.
GPC is a browser signal that tells website users that they do not want their data to be sold or shared. While this is a technical standard, there are certain US laws that require companies to follow it. For example, laws like the California Consumer Privacy Act or the California Privacy Rights Act have made GPC legally binding, and regulators in the country say that a valid GPC signal should be treated as an opt-out request.
Article continues below.
Important Disclaimer
According to Cybernews, GPC has legal authority in four US states today, and even in those territories; some companies ignore it completely.
While working on the California Privacy Audit, webXray analyzed “thousands” of popular websites in California and found that more than half (55%) were setting advertising cookies despite users opting out. Among them is Google, with a failure rate of 86%.
When a user invokes GPC, the company supposedly creates a two-year-old “IDE” advertising cookie. Microsoft, on the other hand, returns a one-year “MUID” tracking cookie, while Meta records tracking events regardless of the user’s privacy settings.
So far, none of the companies mentioned in the report have commented on the findings.
However, they could soon do so, as the report’s authors believe there are grounds for a class-action lawsuit in this case. In fact, they project a potential total liability exposure of $5.8 billion industry-wide.
Through cyber news
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.
