A Legal Minefield that Puts Users at Risk
In March of 2026, webXray audited the most popular websites from California and found that 194 online advertising services ignore legally defined, globally standard opt-out signals endorsed by regulators.
More concerning, cookie choice banners certified by Google fail to prevent Google itself from setting cookies after users opt out with a globally standard signal.
Our findings reveal major technology companies simply ignore globally defined opt-out signals, raising the spectre of industrial-scale non-compliance with California requirements.
This audit is provided as a public service by webXray. webXray’s technology is peer-reviewed and trusted by courts, academic researchers, and the press. webXray is led by Dr. Timothy Libert, former lead of cookie policy and compliance at Google.
The CCPA gives every consumer the right to tell a business: stop selling or sharing my personal information. When a consumer sends a clear opt-out signal, cookies used for selling and sharing user data should not be set.
"A consumer shall have the right, at any time, to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer's personal information."
The California AG has endorsed Global Privacy Control (GPC) as the mechanism for consumers to exercise this right at scale. Under regulation, businesses must honor it. In 2022, the AG fined Sephora $1.2M for ignoring GPC. In 2025, Disney paid $2.75M — the largest CCPA settlement ever.
"Under law, [the Global Privacy Control opt-out signal] must be honored by covered businesses as a valid consumer request to stop the sale or sharing of personal information."
At webXray we are experts in tracking technologies, and we work closely with in-house counsel, defense, plaintiff firms, and regulators. However, we are not lawyers ourselves, thus nothing in this report represents a legal conclusion.
"webXray was not founded to supplant the role of lawyers, courts, or judges. We were founded to provide clear, accurate, forensic data, without fear or favor. We believe that by filling this gap we can enhance outcomes for all consumers, businesses, and regulators."
— Dr. Timothy Libert, Founder and CEO, webXray
Many major technology companies have been fined repeatedly for failing to respect consumers’ privacy choices, yet their code is found on thousands of websites popular in California. Unsurprisingly, these companies do not honor globally standard opt-out signals from Californians.
Google’s failure to honor the GPC opt-out signal is easy to find in network traffic. When a browser with GPC enabled connects to Google’s servers, it encodes the opt-out signal in the HTTP request header “Sec-GPC: 1”. This means Google should not return cookies.
However, Google’s server answers that request with a “Set-Cookie” response header instructing the browser to create an advertising cookie named IDE. This non-compliance is easy to spot, hiding in plain sight.
When Google’s ad server receives a request carrying Sec-GPC: 1, all it has to do is return a 451 Unavailable For Legal Reasons status code, indicating that the content cannot be served because of the consumer’s legally defined opt-out, and omit the Set-Cookie header entirely. What matters for compliance is the absence of Set-Cookie in the response; no cookie is set in this condition.
Google has been subject to repeated privacy enforcement actions by the U.S. Federal Trade Commission, the California Attorney General, and France’s CNIL. Several of these were specifically related to cookies:
“Google placed advertising tracking cookies on consumers’ computers…by circumventing the Safari browser’s default cookie-blocking setting”
Google runs a vast array of services touching all corners of the web. The following Google services were found setting cookies despite consumer opt-out.
See methodology section for note on test_cookie.
Microsoft’s advertising network fails to honor GPC opt-out signals in the same way. When a browser with GPC enabled visits a website running Microsoft’s tracking pixel, the request to Microsoft’s server carries the “Sec-GPC: 1” header. This means Microsoft should not return cookies.
However, Microsoft’s server responds with a Set-Cookie header creating the Microsoft User Identifier (MUID) cookie, a one-year advertising tracker on the .bing.com domain. This non-compliance is easy to spot, hiding in plain sight.
When Microsoft’s ad server receives a request carrying Sec-GPC: 1, all it has to do is return a 451 Unavailable For Legal Reasons status code, indicating that the content cannot be served because of the consumer’s legally defined opt-out, and omit the Set-Cookie header entirely. No cookie is set in this condition.
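The same check applies to the Google and Microsoft exchanges described above: an auditor only needs the request headers and the response headers of one pixel request. The following is an added example, not webXray’s tooling and not any vendor’s server code. It normalizes header names, treats only `Sec-GPC: 1` as an opt-out, parses every `Set-Cookie` value the response carries, and reports the cookies set in violation of the signal. A hypothetical `handleAdRequest` shows the compliant server behaviour: a 451 response with no `Set-Cookie` header when the opt-out is present. The sample exchange, cookie name, value and domain are constructed placeholders, not a capture from a real server.

```javascript
// Added example (not webXray's tooling or any vendor's code): flag responses
// that set cookies on requests carrying the Global Privacy Control header,
// and show the compliant alternative for an ad server.

// HTTP header names are case-insensitive; fold them to lower case and keep
// every Set-Cookie value, since a response may carry several.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    const key = name.toLowerCase();
    if (key === 'set-cookie') {
      out[key] = (out[key] || []).concat(Array.isArray(value) ? value : [value]);
    } else {
      out[key] = String(value);
    }
  }
  return out;
}

// The GPC specification defines "1" as the only meaningful value of Sec-GPC.
function hasGpcOptOut(requestHeaders) {
  const h = normalizeHeaders(requestHeaders);
  return h['sec-gpc'] !== undefined && h['sec-gpc'].trim() === '1';
}

// Parse one Set-Cookie value into the fields an auditor cares about.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), domain: null, maxAge: null, expires: null };
  for (const attr of attrs) {
    const [key, ...rest] = attr.split('=');
    const v = rest.join('=');
    switch (key.toLowerCase()) {
      case 'domain': cookie.domain = v.toLowerCase(); break;
      case 'max-age': cookie.maxAge = Number(v); break;
      case 'expires': cookie.expires = v; break;
      default: break;
    }
  }
  return cookie;
}

// Cookies set in violation of the opt-out: empty when no Sec-GPC: 1 was
// sent, or when the response carries no Set-Cookie header.
function findGpcViolations(exchange) {
  if (!hasGpcOptOut(exchange.request.headers)) return [];
  const resp = normalizeHeaders(exchange.response.headers);
  return (resp['set-cookie'] || []).map(parseSetCookie);
}

// Hypothetical compliant handler: on Sec-GPC: 1, answer 451 and emit no
// Set-Cookie at all; otherwise serve the ad payload and set the ID cookie.
function handleAdRequest(requestHeaders) {
  if (hasGpcOptOut(requestHeaders)) {
    return { status: 451, headers: { 'content-type': 'text/plain' }, body: 'Unavailable For Legal Reasons' };
  }
  return {
    status: 200,
    headers: {
      'content-type': 'text/javascript',
      'set-cookie': ['id=abc123; Domain=.ads.example; Max-Age=31536000; SameSite=None; Secure'],
    },
    body: '/* ad payload */',
  };
}

// Constructed exchange modelled on the pattern in the text; the cookie name,
// value and domain are placeholders, not a capture from any real server.
const sampleExchange = {
  request: { url: 'https://ads.example/pixel', headers: { 'Sec-GPC': '1', 'User-Agent': 'Mozilla/5.0' } },
  response: {
    status: 200,
    headers: { 'Set-Cookie': ['id=abc123; Domain=.ads.example; Max-Age=31536000; SameSite=None; Secure'] },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const c of findGpcViolations(sampleExchange)) {
    console.log(`VIOLATION: cookie ${c.name} on ${c.domain} (max-age ${c.maxAge}s) set despite Sec-GPC: 1`);
  }
  console.log('compliant status:', handleAdRequest(sampleExchange.request.headers).status);
}
```

Run with `node` to print the violating cookie from the constructed exchange and the 451 status the compliant handler returns. Feeding real captures into `findGpcViolations` requires recording both request and response headers for each third-party request, which is exactly what a proxy or browser DevTools HAR export provides.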
Microsoft has been subject to repeated privacy enforcement actions by the U.S. Federal Trade Commission, Ireland’s Data Protection Commission, and France’s CNIL. In fact, Microsoft was specifically sanctioned for failing to obtain parental consent for processing of children’s data:
“Microsoft knew that certain users were children but nonetheless continued to collect personal information, such as telephone numbers, before notifying parents of Microsoft’s information collection practices and before obtaining parental consent.”
Microsoft operates multiple advertising platforms across the web. The following Microsoft services were found setting cookies despite consumer opt-out.
Meta instructs publishers to install the following tracking code on their websites. The code contains no check for globally standard opt-out signals — it loads unconditionally, fires a tracking event, and sets a cookie regardless of the consumer’s privacy preferences.
Despite the fact that Meta publishes this code online, where it may be viewed by anybody, to date nobody has asked why it omits checks for the Global Privacy Control signal.
There is no reference to navigator.globalPrivacyControl, no conditional loading, and no mechanism for the script to respect a consumer’s opt-out preference.
It is easy for Meta and websites to ensure the code doesn’t get executed when users opt out. Below we show this can be done with only two additional lines of code.
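The gating the text describes is a client-side check on `navigator.globalPrivacyControl` before the tracking script is injected. The block below is an added example and is not Meta’s pixel code; the script URL is a placeholder and the `fakeDocument` helper exists only so the logic can be exercised outside a browser, where `document` and `navigator` would be passed instead. It shows the unconditional loader beside the gated one; the only difference is the guard in `loadTrackerIfPermitted`.

```javascript
// Added example, not Meta's pixel code: load a third-party tracking script
// only when the browser does not signal a Global Privacy Control opt-out.
// The script URL is a placeholder.

// Unconditional loader, the pattern the text describes: the script is
// injected no matter what the user has chosen.
function loadTrackerUnconditionally(doc, src) {
  const s = doc.createElement('script');
  s.async = true;
  s.src = src;
  doc.head.appendChild(s);
  return s;
}

// navigator.globalPrivacyControl is true when the user has enabled GPC and
// undefined in browsers that do not implement it (treated as no opt-out).
function userOptedOut(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Gated loader: the guard is the only difference. Returns the created
// element, or null when the load was skipped because of the opt-out.
function loadTrackerIfPermitted(doc, nav, src) {
  if (userOptedOut(nav)) return null; // honour the opt-out: inject nothing
  return loadTrackerUnconditionally(doc, src);
}

// Minimal DOM stand-in so the gating logic runs under Node; in a page you
// would pass the real `document` and `navigator` objects instead.
function fakeDocument() {
  const head = { children: [], appendChild(el) { this.children.push(el); return el; } };
  return { head, createElement(tag) { return { tagName: tag.toUpperCase(), async: false, src: '' }; } };
}

if (typeof require !== 'undefined' && require.main === module) {
  const optedOut = fakeDocument();
  loadTrackerIfPermitted(optedOut, { globalPrivacyControl: true }, 'https://tracker.example/pixel.js');
  console.log('scripts injected with GPC on :', optedOut.head.children.length);
  const noSignal = fakeDocument();
  loadTrackerIfPermitted(noSignal, {}, 'https://tracker.example/pixel.js');
  console.log('scripts injected with GPC off:', noSignal.head.children.length);
}
```

Client-side gating prevents the pixel from ever firing, but it is not a substitute for the server check: any other path to the tracking endpoint (a cached copy of the script, a direct image request, a different publisher integration) still carries the `Sec-GPC: 1` request header, and the server must honor it there as well.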
Meta has been subject to repeated privacy enforcement actions by the U.S. Federal Trade Commission, the Texas Attorney General, Ireland’s Data Protection Commission, and France’s CNIL. One of these was specifically related to cookies:
“Facebook’s Desktop Privacy Settings Failed to Disclose That Users’ Privacy Choices Would Be Undermined by Default Settings That Allowed Facebook to Share Users’ Data with Third-Party Developers.”
Meta operates tracking technologies across its family of products. The following services were found setting cookies despite consumer opt-out:
The companies above represent only a fraction of what webXray observed. Across the full audit:
The full dataset is available to webXray Search subscribers.
Much to the annoyance of consumers, so-called "Cookie Banners" have taken over the web. Such banners supposedly give users the option to exercise their legal rights. Google, the biggest company setting cookies despite globally standard opt-out signals, even "certifies" Consent Management Platforms (CMPs). This clear conflict of interest led us to ask: do these CMPs actually work?
By measuring what happens when an opt-out signal is sent to a website, we were able to find out, and the findings are clear: no Google-certified CMP we evaluated works 100% of the time, and every one of them was frequently observed failing to prevent Google from setting cookies while a globally standard opt-out signal was present.
In the interest of responsible disclosure, we have anonymized the CMP vendor identities.
“One of the most trusted names in privacy tooling, this market leader protects more sites than any other CMP in our sample.”
“One of the oldest and most trusted names in privacy compliance, this company has a long arc of evolution in the consent management space.”
“This vendor claims to offer high cookie opt-in rates on their banners. Our research shows users are definitely getting advertising cookies on this CMP’s sites, not because they opted in but because the CMP is failing.”
The CMPs above represent only a fraction of what webXray observed. Across the full audit:
The full dataset is available to webXray Search subscribers.
What does opt-out non-compliance cost? We calculated the potential aggregate liability exposure by examining every public enforcement action where failure to honor globally standard opt-out signals was explicitly cited.
Sources: Sephora, Healthline, Tractor Supply, PlayOn, Ford, Disney
We multiplied the average fine from six public opt-out enforcement actions by the 4,170 sites in this audit that set advertising cookies despite the opt-out signal.
Actual liability per site depends on the number of affected consumers, the duration of non-compliance, and whether the conduct is deemed intentional (raising the statutory penalty from $2,500 to $7,500 under Cal. Civ. Code §1798.155).
Why does webXray catch cookie compliance gaps the CMPs don’t? The answer is simple: we are the only tool trusted by scientists and the courts.
Unlike most CMPs, we aren’t new to this game. We published the first audit of one million websites in 2015, which we followed up with the first audit of HIPAA compliance gaps in the United States. All of this work was peer-reviewed by the world’s best scientists, leading to over 1,000 academic citations.
Our research lineage is why we’ve been cited in Supreme Court filings, worked on some of the world’s biggest cookie consent and liability cases, and been used to audit all of Google’s cookies worldwide. The audits webXray produces are timely, accurate, and legally defensible.
When major litigation reaches the courtroom, only webXray can provide the volume and quality of evidence needed to advance a case. In the pending case, In re Meta Pixel Healthcare Litigation (3:22-cv-03580), webXray was used to identify hundreds of HIPAA-covered entities allowing the Meta Pixel to be set.
Leading privacy litigation firms use webXray Search to find forensic-grade evidence of every cookie, vendor, and data flow on over one million sites, driving litigation outcomes today.
When it is time to provide evidence of due diligence, compliance, and push back on bogus filings, webXray Audit has your back. We provide litigation-grade audits for both proactive monitoring and incident response.
All CMPs we have evaluated are failing. webXray Audit can help you find and remediate root causes.
Adtech vendors that don’t comply with privacy regulation risk extinction. webXray Audit can ensure your disclosures are accurate and help you identify sites where CMP integrations fail.
We’ve been working at the intersection of law and technology for over a decade, and we’re not stopping here. California is only the first chapter in a new series of audits webXray will be conducting across the globe.
Our future audits will focus on sectors and regions with much stricter data protection laws than the CCPA.
Subscribe to our newsletter to be updated when the next audit drops.
This audit was conducted using webXray, a forensic privacy analysis platform used in federal and state litigation, academic research, and regulatory investigations.
Sec-GPC: 1 header sent) and without.
consent_management classification appears in its network traffic.
child_ids field in our data recipient database. For example, “Google” includes AdSense, Google Marketing Platform, YouTube, and all other Google subsidiaries.
test_cookie as a Functionality cookie. However, this cookie is used by Google Marketing Platform to facilitate advertising functions, thus webXray classifies the cookie under advertising and marketing.
The companies featured in this audit have a documented history of privacy enforcement actions. All fines listed below are from official regulatory and court records. European fines are sourced from the GDPR Enforcement Tracker.
Because these figures are estimates and the USD/EUR exchange rate has fluctuated over time, we assume a 1:1 exchange rate when calculating totals.
Google / Alphabet (Total: $2.318B)
| Year | Authority | Action | Amount |
|---|---|---|---|
| 2012 | FTC (US) | Safari cookie tracking | $22.5M |
| 2013 | 37 US States + DC | Safari cookie tracking settlement | $17M |
| 2019 | CNIL (France) | Ad personalization consent | €50M |
| 2019 | FTC (US) | YouTube COPPA violation | $170M |
| 2020 | CNIL (France) | Advertising cookies without consent | €100M |
| 2020 | DPA (Sweden) | Right to erasure | €5M |
| 2020 | DPA (Belgium) | Data subject rights | €0.6M |
| 2021 | CNIL (France) | Cookies without consent | €150M |
| 2022 | AEPD (Spain) | Data transfers, right to erasure | €10M |
| 2022 | Texas AG (US) | Data privacy rights | $1.375B |
| 2023 | California AG (US) | Location tracking | $93M |
| 2025 | CNIL (France) | Gmail ads and cookie violations | €325M |
| Total | | | $2.318B |
Meta / Facebook (Total: $9.304B)
| Year | Authority | Action | Amount |
|---|---|---|---|
| 2019 | FTC (US) | Cambridge Analytica | $5B |
| 2021 | Irish DPC | WhatsApp transparency | €225M |
| 2022 | Irish DPC | Security measures | €17M |
| 2022 | CNIL (France) | Facebook cookie consent | €60M |
| 2022 | Irish DPC | Instagram children’s data | €405M |
| 2022 | Irish DPC | Facebook data scraping | €265M |
| 2023 | Irish DPC | Behavioral advertising | €390M |
| 2023 | Irish DPC | EU-US data transfers | €1.2B |
| 2024 | Irish DPC | Passwords in plaintext | €91M |
| 2024 | Irish DPC | Data security | €251M |
| 2024 | Texas AG (US) | Biometric data | $1.4B |
| Total | | | $9.304B |
Microsoft (Total: $390M)
| Year | Authority | Action | Amount |
|---|---|---|---|
| 2022 | CNIL (France) | Bing advertising cookies | €60M |
| 2023 | FTC | Xbox COPPA violation | $20M |
| 2024 | Irish DPC | LinkedIn targeted advertising | €310M |
| Total | | | $390M |