Ad privacy rules getting murky
Journalists and analysts say Google’s new AdID approach and Chrome’s ‘Ad Privacy’ setting are changing how tracking works rather than eliminating it, creating confusion for advertisers ( ). A recent independent California audit also flagged traffic patterns suggesting Microsoft, Meta and Google may be running afoul of state privacy rules, which raises enforcement questions (kqed.org).
Chrome now includes an “Ad privacy” menu that can share browsing-based topics, site-suggested interests, and ad measurement data, even as Google says users can turn those features off in settings. (support.google.com) Google’s help page says Chrome can share up to three topics at a time with sites, deletes topics older than four weeks, and separately stores site-suggested ad data for up to 30 days. Google also says those controls sit alongside cookie settings and a site’s own ad systems, not in place of them. (support.google.com; support.google.com) On Android, Google still provides a user-resettable Advertising ID for apps, and its developer guide says apps can retrieve that identifier whenever they need it and that users can reset it or opt out of ad personalization. The identifier is device-user specific, which means ad targeting in apps still has a standard ID to work with even as browser rules change. (developer.android.com; support.google.com) California’s privacy rules take a different approach: if a resident sends a Global Privacy Control signal, businesses that sell or share personal information are supposed to treat it as a valid opt-out request. The California Attorney General endorsed that signal, and webXray’s audit says cookies used for selling and sharing data should not be set after it appears. (globalprivacyaudit.org; kqed.org) In a March 2026 scan of nearly 7,000 popular California websites, webXray said 55 percent still set ad cookies after users opted out, 78 percent of cookie banners failed to protect users, and 194 advertising services ignored the standard opt-out signal. The audit estimated 125,106 advertising cookies were set despite opt-out requests. (globalprivacyaudit.org) KQED reported on April 14, 2026 that webXray found Google failed to honor opt-outs 86 percent of the time, Meta 69 percent, and Microsoft 50 percent. The same report said California’s privacy law is enforced by both the state attorney general and the California Privacy Protection Agency. (kqed.org; cppa.ca.gov) Google disputed the audit’s conclusions. 404 Media reported Google said the research reflected a “fundamental misunderstanding” of how its product works, while the audit argued Google’s ad cookie behavior was visible in network traffic when browsers sent the Global Privacy Control header. (404media.co; globalprivacyaudit.org) The enforcement backdrop is not theoretical. webXray notes Sephora paid a $1.2 million California settlement in 2022 for ignoring Global Privacy Control, and Disney paid $2.75 million in 2025, which webXray describes as the largest California Consumer Privacy Act settlement to date. (globalprivacyaudit.org) The result is a market where “privacy” often means changing the plumbing of tracking rather than ending it. Browsers, apps, consent banners, and state opt-out signals now overlap, and whether a user is actually tracked can depend on which system is talking to which one. (support.google.com; developer.android.com; kqed.org)
