California opt‑out ignored

An independent audit found that California web users were still being tracked after sending a legally recognized opt-out signal on more than half of tested sites. (globalprivacyaudit.org) The audit, published April 14, tested more than 7,000 popular websites from a California internet address in March 2026. WebXray said 55% of sites still set advertising cookies after the browser sent the Global Privacy Control signal. (themarkup.org) Global Privacy Control is a browser setting or extension that tells a site not to sell or share a person’s data. California regulators have said businesses covered by the California Consumer Privacy Act must treat that signal as a valid opt-out request. (cppa.ca.gov) WebXray said 194 advertising services ignored the signal, and it logged 125,106 advertising cookies set anyway. The report said Google tracking persisted in 86% of cases, Meta in 69%, and Microsoft in 50%. (globalprivacyaudit.org) The findings land after California regulators already made Global Privacy Control an enforcement target. In September 2025, the California Privacy Protection Agency joined California, Colorado, and Connecticut attorneys general in a multistate sweep focused on businesses that failed to honor the signal. (cppa.ca.gov) California has already extracted settlements over similar conduct. The state fined Sephora $1.2 million in 2022 for failing to process Global Privacy Control signals, and webXray noted Disney paid $2.75 million in 2025 in the largest California Consumer Privacy Act settlement to date. (globalprivacyaudit.org) The audit also pointed at a second pressure point: cookie consent banners. WebXray said 78% of cookie banners it tested failed to stop tracking after an opt-out, including banners certified under Google’s consent program. (globalprivacyaudit.org) That leaves liability spread across both publishers and the ad-tech code running on their pages. WebXray estimated aggregate exposure at $5.8 billion if the California Privacy Protection Agency fined every site it found out of compliance. (themarkup.org) The companies named in the audit pushed back on the conclusions. Reporting cited by other outlets said Google, Microsoft, and Meta disputed or took issue with the findings, with Google saying the researchers misunderstood how its products and cookies work. (404media.co) For California users, the dispute is now moving from browser settings to enforcement files. The state privacy agency said this week that the report adds visibility to the importance of opt-out rights, while the audit gives regulators and plaintiffs a fresh map of where those signals appear to fail. (themarkup.org)