California sites, 133M healthcare records exposed

- A new webXray audit says popular websites used in California kept tracking users after opt-out requests, with Google, Meta and Microsoft code repeatedly involved.
- The audit examined 7,634 sites, found 55% still set ad cookies after opt-out, and counted 125,106 advertising cookies despite privacy signals.
- California is tightening enforcement after Sephora and Disney settlements over ignored opt-outs and confusing consent flows. (oag.ca.gov)

A new California privacy audit says more than half of popular websites still set advertising cookies after users told them not to track. (globalprivacyaudit.org) (calmatters.org) The audit was published by webXray, led by former Google cookie-policy lead Timothy Libert, after scanning 7,634 sites from a California internet address in March 2026. (globalprivacyaudit.org)

California’s law lets residents opt out of the sale or sharing of personal information, and the state recognizes Global Privacy Control, or GPC, as a browser signal that businesses must honor. (cppa.ca.gov) (usenix.org) webXray said 55% of the audited sites still set ad cookies despite that opt-out signal, and 194 advertising services ignored the signal altogether. (globalprivacyaudit.org)

The report said Google’s advertising systems ignored the opt-out in 86% of tested cases, Meta in 69%, and Microsoft in 50%. It counted 125,106 advertising cookies set after users had opted out. (globalprivacyaudit.org) The audit also said 78% of cookie banners failed to protect users, including some banners certified by Google that still allowed Google cookies to be set after opt-out. (globalprivacyaudit.org) Google disputed the findings and told 404 Media the audit reflected a “fundamental misunderstanding” of how its product works. (404media.co)

The backdrop is a healthcare system that has already shown how expensive and widespread data misuse can become once information escapes. The Department of Health and Human Services’ breach portal data, compiled by HIPAA Journal, showed 725 large healthcare breaches in 2023 exposing 133,068,542 records. (hipaajournal.com) HIPAA Journal’s 2026 update says healthcare breaches peaked in 2023 at 746 incidents affecting 500 or more people, before reported totals started easing in 2024 and 2025. (hipaajournal.com)

California regulators have already fined companies for ignoring opt-out signals. Attorney General Rob Bonta announced a $1.2 million Sephora settlement in August 2022 over failures tied to Global Privacy Control. (oag.ca.gov) On February 11, 2026, Bonta announced a $2.75 million Disney settlement, the state’s largest under the California Consumer Privacy Act, over opt-out methods that did not fully stop data sharing. (oag.ca.gov)

The thread running through both stories is simple: privacy controls now exist in law, browsers, and settlement terms, but the audits and breach counts show how often the systems behind them still fail. (cppa.ca.gov) (globalprivacyaudit.org) (hipaajournal.com)
