In March 2026, privacy researcher Timothy Libert ran WebXray across more than 7,000 popular California websites and measured whether Google, Meta, and Microsoft honored opt-out signals sent through Global Privacy Control. GPC is a browser-level standard that lets users tell websites not to track or sell their data. California's Consumer Privacy Act made honoring it a legal requirement. The audit found Google failed to honor it 87% of the time. Meta failed 69% of the time. Microsoft failed 50% of the time.
The worst finding was not the failure rate. It was the mechanism. Google did not simply ignore opt-out signals. In documented cases, Google received the GPC signal and responded using the set-cookie command to place advertising cookies. The opt-out request became a trigger for more tracking. Meta's code contained no check for GPC signals at all. The consent management platforms supposed to translate user preferences into compliance failed at rates of 77%, 91%, and 90% across the platforms tested.
Libert is not an outside critic. He was Google's lead of cookie policy and compliance until 2023. He built the systems that were supposed to enforce this. When asked where enforcement could actually matter, he described GPC as the Strait of Hormuz of the data economy. Anything short of cutting it off there is, in his words, theatrical political posture.
California's CCPA gives regulators the power to fine companies billions for exactly this. The audit documents clear, systematic, technically verifiable breaches across the largest advertising platforms on the internet. Libert's own assessment of what those fines will achieve: companies treat them as a replaceable operating cost. The penalty structure does not create compliance. It prices non-compliance.
The opt-out architecture was designed by the companies that profit from ignoring it. GPC was adopted under regulatory pressure, implemented by the platforms themselves, and enforced slowly enough that non-compliance has been the rational strategy for years. Google's response to an explicit opt-out signal was to set more cookies. That is not an accident of implementation. It is the system performing as intended.
You cannot opt out of a system that treats your opt-out as input. The only real exit is not generating the data in the first place. Every page that loads Google, Meta, or Microsoft trackers is collecting regardless of your browser settings. Consent toggles exist to make that collection feel voluntary. The audit confirms they do not even do that convincingly.
Blackout VPN exists because privacy is a right. Your first name is too much information for us.
Keep learning
FAQ
What is Global Privacy Control?
Global Privacy Control is a browser-level standard that signals to websites that the user does not want their data sold or shared. California's CCPA requires companies to honor it. The audit found Google, Meta, and Microsoft systematically ignored it.
Is ignoring GPC signals illegal?
Under California's CCPA, failing to honor GPC signals is a legal violation. The companies audited could face billions in fines. The researcher who ran the audit describes those penalties as a line item companies have already calculated rather than a deterrent.
What did Google actually do when it received an opt-out signal?
In documented cases, Google used the set-cookie command in direct response to receiving a GPC opt-out signal. The opt-out request triggered additional advertising cookies rather than stopping them.
Does a VPN stop this kind of tracking?
A VPN hides your IP address and encrypts traffic in transit. It does not stop tracking that happens through cookies and JavaScript running on the pages you visit. Blocking that layer requires a browser-level script blocker or avoiding the sites entirely.
Who conducted the audit?
Timothy Libert, founder of WebXray and former lead of cookie policy and compliance at Google until 2023. He tested more than 7,000 popular California websites in March 2026.