California privacy audit finds failures

- A CalMatters‑backed audit found many websites may be violating California privacy law at “industrial scale.”
- The audit specifically found sites ignoring a requirement not to track visitors who enable privacy controls.
- The finding increases enforcement risk for consumer‑facing apps, especially around analytics and consent flows in California (paloaltoonline.com).

A California-backed audit found that many popular websites still track people after they turn on a browser privacy signal that state law says businesses must honor. (themarkup.org)

The audit came from webXray, led by former Google privacy engineer Timothy Libert, after researchers tested more than 7,000 popular websites from a California internet address in March 2026. webXray said the results point to “industrial-scale” noncompliance. (globalprivacyaudit.org) (themarkup.org)

The signal at issue is Global Privacy Control, a browser setting or extension that works like a universal “do not sell or share my data” switch. California’s attorney general says covered businesses must treat it as a valid opt-out request. (oag.ca.gov) (law.cornell.edu)

webXray said Google tracking still appeared in 86% of tested cases after the signal was sent, Microsoft in 50%, and Meta tracking in 69% because its code often did not check for the signal at all. The audit also said 55% of sites set advertising cookies despite the opt-out and counted 125,106 ad cookies set after users opted out. (themarkup.org) (globalprivacyaudit.org)

The findings land after California regulators and the attorney general have already made Global Privacy Control an enforcement priority. Attorney General Rob Bonta’s office fined Sephora $1.2 million in August 2022 for failing to process opt-out requests sent through the signal. (oag.ca.gov)

On February 11, 2026, Bonta announced a $2.75 million settlement with Disney, which his office called the largest California Consumer Privacy Act settlement to date. The state said Disney had to change its opt-out systems so requests fully stopped the sale or sharing of personal information. (oag.ca.gov)

Tom Kemp, executive director of the California Privacy Protection Agency, did not endorse the audit’s legal conclusions, but said the report “brings visibility to the importance of opt out rights.” The Markup reported that webXray estimated potential penalties could reach billions of dollars if every failing site were fined. (themarkup.org)

For websites and apps, the weak point is often not the privacy policy but the code that runs analytics, ad tech, and consent banners. webXray said 78% of cookie banners it examined failed to protect users after opt-out, including some Google-certified banner setups. (globalprivacyaudit.org)

California’s rule is narrower than a blanket ban on all data collection: the regulation says businesses that receive the signal must treat it as a request to stop the sale or sharing of personal information for that browser, device, and linked profile. That puts pressure on companies to make sure third-party trackers actually listen when a user says no. (law.cornell.edu)
