• webXray audit finds Google, Microsoft, and Meta ignoring Global Privacy Control signals
• Despite legal requirements in California and other states, 55% of sites still set ad cookies after opt‑outs
• Report highlights Google’s 86% failure rate, Microsoft’s one‑year tracking cookie, and Meta’s continued event logging; potential $5.8B liability projected

Big tech companies such as Google, Microsoft, and Meta, are completely ignoring people’s explicit requests not to be tracked, or to have their browsing data sold to third parties. This is according to a new forensic audit recently conducted by webXray, a search engine for analyzing internet tracking, traffic, and content.

Earlier this year, webXray published the March 2026 California Privacy Audit, in which it said that even when users explicitly invoke the Global Privacy Control (GPC), 194 online advertising services were still setting tracking cookies.

GPC is a browser signal that tells websites users don’t want their data sold or shared. While this is a technical standard, there are certain US laws requiring companies to honor it. For example, laws like the California Consumer Privacy Act, or the California Privacy Rights Act, have made GPC legally binding, with regulators in the country saying a valid GPC signal must be treated as an opt-out request.

Article continues below

Major liability exposure

According to Cybernews, GPC has legal authority in four US states as of today, and even in those territories – some companies are ignoring it entirely.

While working on the California Privacy Audit, webXray analyzed “thousands” of popular websites in California and found that more than half (55%) set ad cookies despite user opt-outs. Among them is Google, with a failure rate of 86%.

When a user invokes GPC, the company allegedly creates a two-year “IDE” advertising cookie. Microsoft, on the other hand, returns a one-year “MUID” tracking cookie, while Meta records tracking events regardless of the user’s privacy settings.

So far, none of the companies called out in the report have commented on the findings.

They soon might, however, since the report’s authors believe there is grounds for a class-action lawsuit here. In fact, they project a potential aggregate liability exposure of $5.8 billion across the industry.

Via Cybernews

The best antivirus for all budgets

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.