Background
When Californians Opt Out of Data Sharing, Businesses Must Comply
The Law
The CCPA gives every consumer the right to tell a business: stop selling or sharing my personal information. When a consumer sends a clear opt-out signal, cookies used for selling and sharing user data should not be set.
"A consumer shall have the right, at any time, to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer's personal information."
The Opt-Out Signal
The California AG has endorsed Global Privacy Control (GPC) as the mechanism for consumers to exercise this right at scale. Under regulation, businesses must honor it. In 2022, the AG fined Sephora $1.2M for ignoring GPC. In 2025, Disney paid $2.75M — the largest CCPA settlement ever.
"Under law, [the Global Privacy Control opt-out signal] must be honored by covered businesses as a valid consumer request to stop the sale or sharing of personal information."
The Role We Play
At webXray we are experts in tracking technologies, and we work closely with in-house counsel, defense, plaintiff firms, and regulators. However, we are not lawyers ourselves, thus nothing in this report represents a legal conclusion.
"webXray was not founded to supplant the role of lawyers, courts, or judges. We were founded to provide clear, accurate, forensic data, without fear or favor. We believe that by filling this gap we can enhance outcomes for all consumers, businesses, and regulators."
— Dr. Timothy Libert, Founder and CEO, webXray
Part I
Big Tech Companies Are Openly Ignoring Globally Standard Opt-Out Signals
Many major technology companies have been fined repeatedly for failing to respect consumers' privacy choices, yet their code is found on thousands of websites popular in California. Unsurprisingly, these companies do not honor globally standard opt-out signals from Californians.
- 11,021 ads cookies set despite opt-out
- $2.318B privacy fines paid to date
Forensic Evidence
Anatomy of Google’s Opt-Out Failure
Google’s failure to honor the GPC opt-out signal is easy to find in network traffic. When a browser using GPC connects to Google’s servers, it encodes the opt-out signal by sending the request header “sec-gpc: 1”. This means Google should not return cookies.
However, when Google’s server responds to a request carrying the opt-out, it explicitly instructs the browser to create an advertising cookie named IDE via the “set-cookie” response header. This non-compliance is easy to spot, hiding in plain sight.
Consumer: visits a news website using a browser with GPC opt-out enabled.
Browser sends request to Google:
    :authority: securepubads.g.doubleclick.net
    :path: /gampad/ads?...(ad payload)
    sec-gpc: 1                          ← opt-out signal
Google responds without honoring the opt-out:
    set-cookie: IDE=AHWqTUlVGuLvQqNO9RgCcKcP59WJs-qPBwSIqW-fCnU1yL0fyS9W3-oWAlfH86XJegQ; expires=Thu, 30-Mar-2028; domain=.doubleclick.net
Two-year tracking cookie stored on consumer’s device.
Consumer, now tracked: opt-out not honored; the IDE cookie will follow this user across Google’s ad network for two years.
The Fix Google Can Make Today
When Google’s ad server receives traffic with Sec-GPC: 1, all it has to do is return a 451 Unavailable For Legal Reasons status code to indicate the content cannot be served due to the consumer’s legally defined opt-out. No cookie is set in this condition.
    :status: 451 Unavailable For Legal Reasons
    content-length: 0
Record of Sanction
Google has been subject to repeated privacy enforcement actions by the U.S. Federal Trade Commission, the California Attorney General, and France’s CNIL. Several of these were specifically related to cookies:
“Google placed advertising tracking cookies on consumers’ computers…by circumventing the Safari browser’s default cookie-blocking setting”
Advertising Cookies by Product
Google runs a vast array of services touching all corners of the web. The following services were found setting cookies despite consumer opt-out.
See methodology section for note on test_cookie.
Google Marketing Platform
- 7,550 ads cookies set despite opt-out
- $390M privacy fines paid to date
Forensic Evidence
Anatomy of Microsoft’s Opt-Out Failure
Microsoft’s advertising network fails to honor GPC opt-out signals in the same way. When a browser with GPC enabled visits a website running Microsoft’s tracking pixel, the request to Microsoft’s server includes “sec-gpc: 1”. This means Microsoft should not return cookies.
However, Microsoft’s server responds by setting the Microsoft User Identifier (MUID) cookie — a one-year advertising tracker on the .bing.com domain. This non-compliance is easy to spot, hiding in plain sight.
Consumer: visits a major retailer using a browser with GPC opt-out enabled.
Browser sends request to Microsoft:
    :authority: bat.bing.com
    :path: /action/0?ti=5117526&Ver=2&mid=...(tracking payload)
    sec-gpc: 1                          ← opt-out signal
Microsoft responds without honoring the opt-out:
    set-cookie: MUID=194CD3AE77B4663C17EFC48076376712; expires=Mon, 26-Apr-2027; domain=.bing.com
One-year tracking cookie stored on consumer’s device.
Consumer, now tracked: opt-out not honored; the MUID cookie will follow this user across Microsoft’s ad network for one year.
The Fix Microsoft Can Make Today
When Microsoft’s ad server receives traffic with Sec-GPC: 1, all it has to do is return a 451 Unavailable For Legal Reasons status code to indicate the content cannot be served due to the consumer’s legally defined opt-out. No cookie is set in this condition.
    :status: 451 Unavailable For Legal Reasons
    content-length: 0
Record of Sanction
Microsoft has been subject to repeated privacy enforcement actions by the U.S. Federal Trade Commission, Ireland’s Data Protection Commission, and France’s CNIL. In fact, Microsoft was specifically sanctioned for failing to obtain parental consent for processing of children’s data:
“Microsoft knew that certain users were children but nonetheless continued to collect personal information, such as telephone numbers, before notifying parents of Microsoft’s information collection practices and before obtaining parental consent.”
Advertising Cookies by Product
Microsoft operates multiple advertising platforms across the web. The following services were found setting cookies despite consumer opt-out.
- 1,293 ads cookies set despite opt-out
- $9.304B privacy fines paid to date
Forensic Evidence
Meta’s Pixel Contains No Opt-Out Check
Meta instructs publishers to install the following tracking code on their websites. The code contains no check for globally standard opt-out signals — it loads unconditionally, fires a tracking event, and sets a cookie regardless of the consumer’s privacy preferences.
Despite the fact that Meta publishes this code online, where it may be viewed by anybody, to date nobody has asked why it omits checks for the Global Privacy Control signal.
No GPC check exists in the code Meta ships:

```html
<!-- Facebook Pixel Code -->
<script>
!function(f,b,e,v,n,t,s)
{if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};
if(!f._fbq)f._fbq=n;n.push=n;n.loaded=!0;n.version='2.0';
n.queue=[];t=b.createElement(e);t.async=!0;
t.src=v;s=b.getElementsByTagName(e)[0];
s.parentNode.insertBefore(t,s)}(window, document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '2588018847923151');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=2588018847923151&ev=PageView&noscript=1"
/></noscript>
<!-- End Facebook Pixel Code -->
```

Pixel loads unconditionally and fires a PageView event:
    _fbp=fb.1.1775003631827.93807039293183847; domain=.healthcare-provider.com
First-party tracking cookie stored, tied to consumer’s Meta identity.
Consumer, now tracked: opt-out never consulted; the pixel reports every PageView back to Meta for ad targeting and audience-building.
There is no reference to navigator.globalPrivacyControl, no conditional loading, and no mechanism for the script to respect a consumer’s opt-out preference.
The Fix Meta Can Make Today
It is easy for Meta and for websites to ensure the code is not executed when users opt out. Below we show that this can be done with only two additional lines of code.
```diff
 <script>
+if (!navigator.globalPrivacyControl) {
 !function(f,b,e,v,n,t,s)
 {if(f.fbq)return;n=f.fbq=function(){n.callMethod?
 n.callMethod.apply(n,arguments):n.queue.push(arguments)};
 if(!f._fbq)f._fbq=n;n.push=n;n.loaded=!0;n.version='2.0';
 n.queue=[];t=b.createElement(e);t.async=!0;
 t.src=v;s=b.getElementsByTagName(e)[0];
 s.parentNode.insertBefore(t,s)}(window, document,'script',
 'https://connect.facebook.net/en_US/fbevents.js');
 fbq('init', '2588018847923151');
 fbq('track', 'PageView');
+}
 </script>
```
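As an added example (not Meta's pixel code and not from this report), the same gate written as a small loader whose decision can be unit-tested against a fake window and document, so a publisher can verify that nothing is inserted, queued or requested when the consumer has GPC enabled. The tracker URL, the pixel id, the trackerQueue name and the fake DOM are all constructed for illustration and are not part of any vendor's API.

```javascript
// Added example; not Meta's snippet. Names below are illustrative only.

// navigator.globalPrivacyControl is true when the consumer has enabled GPC
// and undefined in browsers that do not implement it. Treating undefined as
// "no opt-out expressed" mirrors the two-line fix above.
function trackingPermitted(nav) {
  return nav.globalPrivacyControl !== true;
}

// Install the tracker only when permitted. Returns true when the script tag
// was inserted and false when the opt-out suppressed it entirely.
function installTrackerIfPermitted(win, doc, trackerUrl, pixelId) {
  if (!trackingPermitted(win.navigator)) {
    return false; // opt-out honoured: nothing loaded, nothing queued, no cookie
  }
  const script = doc.createElement('script');
  script.async = true;
  script.src = trackerUrl;
  doc.head.appendChild(script);
  // The calls a vendor snippet would queue for its script to drain on load.
  // "trackerQueue" is an assumed name, not a real vendor global.
  win.trackerQueue = [['init', pixelId], ['track', 'PageView']];
  return true;
}

// Constructed stand-in for window/document so this runs without a browser;
// it implements only the members the loader touches.
function fakeBrowser(gpcEnabled) {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  const doc = { head, createElement: (tag) => ({ tagName: tag }) };
  const win = { navigator: gpcEnabled ? { globalPrivacyControl: true } : {} };
  return { win, doc };
}

// Demonstration: the same snippet under an opted-out and a non-opted-out consumer.
const TRACKER_URL = 'https://example.invalid/fbevents.js'; // placeholder host
const PIXEL_ID = 'PIXEL_ID_PLACEHOLDER';
const optedOut = fakeBrowser(true);
const notOptedOut = fakeBrowser(false);
console.log(installTrackerIfPermitted(optedOut.win, optedOut.doc, TRACKER_URL, PIXEL_ID));       // false
console.log(installTrackerIfPermitted(notOptedOut.win, notOptedOut.doc, TRACKER_URL, PIXEL_ID)); // true
```

One limit of any client-side gate, including the two-line fix above: the noscript image fallback in the vendor snippet fires without JavaScript and is never reached by this check. That request still carries the Sec-GPC header, so it can only be honoured on the server, in the way the 451 response for Google and Microsoft does.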
Record of Sanction
Meta has been subject to repeated privacy enforcement actions by the U.S. Federal Trade Commission, the Texas Attorney General, Ireland’s Data Protection Commission, and France’s CNIL. One of these was specifically related to cookies:
“Facebook’s Desktop Privacy Settings Failed to Disclose That Users’ Privacy Choices Would Be Undermined by Default Settings That Allowed Facebook to Share Users’ Data with Third-Party Developers.”
Advertising Cookies by Product
Meta operates tracking technologies across its family of products. The following services were found setting cookies despite consumer opt-out:
Full Dataset
The companies above represent only a fraction of what webXray observed. Across the full audit:
- 242 ad tech vendors evaluated
- 194 ad tech vendors setting ads cookies despite opt-out
- 80% ad tech vendor failure rate
- 100% data coverage in webXray Search

The full dataset is available to webXray Search subscribers.
Part II
Google “Certified” Cookie Banners Allow Google Cookies to be Set After Global Standard Opt-Out
Much to the annoyance of consumers, so-called "Cookie Banners" have taken over the web. Such banners supposedly give users the option to exercise their legal rights. Google, the biggest company setting cookies despite globally standard opt-out signals, even "certifies" Consent Management Platforms (CMPs). This clear conflict of interest led us to ask: do these CMPs actually work?
By measuring what happens when an opt-out signal is sent to a website, we were able to find out, and the findings are clear: no Google-certified CMP we evaluated works 100% of the time, and all of them are often found to fail to prevent Google from setting cookies despite globally standard opt-out signals being present.
In the interest of responsible disclosure, we have anonymized the CMP vendor identities.
“One of the most trusted names in privacy tooling, this market leader protects more sites than any other CMP in our sample.”
- 23,503 ads cookies set despite opt-out
- $1.3B publisher liability exposure
- Google ads cookies not blocked: Google Marketing Platform
“One of the oldest and most trusted names in privacy compliance, this company has a long arc of evolution in the consent management space.”
- 13,570 ads cookies set despite opt-out
- $305M publisher liability exposure
- Google ads cookies not blocked: Google Marketing Platform
“This vendor claims to offer high cookie opt-in rates on their banners. Our research shows users are definitely getting advertising cookies on the sites of this CMP: but not because they opted in, because the CMP is failing.”
- 11,249 ads cookies set despite opt-out
- $229M publisher liability exposure
- Google ads cookies not blocked: Google Marketing Platform
Full Dataset
The CMPs above represent only a fraction of what webXray observed. Across the full audit:
- 11 CMP vendors failing to block ads cookies after opt-out
- 100% CMP vendor failure rate
- 100% data coverage in webXray Search

The full dataset is available to webXray Search subscribers.
Part III
The Cost of Failure: Billions in Outstanding Liabilities
What does opt-out non-compliance cost? We calculated the potential aggregate liability exposure by examining every public enforcement action where failure to honor globally standard opt-out signals was explicitly cited.
Opt-Out Enforcement Actions to Date
| Company | Fine | Year |
|---|---|---|
| Sephora | $1,200,000 | 2022 |
| Healthline Media | $1,550,000 | 2025 |
| Tractor Supply Co. | $1,350,000 | 2025 |
| PlayOn Sports | $1,100,000 | 2026 |
| Ford Motor Co. | $375,703 | 2026 |
| Walt Disney Co. | $2,750,000 | 2026 |
| Average Fine | $1,387,617 | |
Sources: Sephora, Healthline, Tractor Supply, PlayOn, Ford, Disney
Projected Aggregate Exposure
We multiplied the average fine from six public opt-out enforcement actions by the 4,170 sites in this audit that set advertising cookies despite the opt-out signal.
Actual liability per site depends on the number of affected consumers, the duration of non-compliance, and whether the conduct is deemed intentional (raising the statutory penalty from $2,500 to $7,500 under Cal. Civ. Code §1798.155).
$1,387,617 avg fine × 4,170 sites = $5.8B potential aggregate liability
webXray: The Only Courtroom-Validated Auditor
Why does webXray catch cookie compliance gaps the CMPs don’t? The answer is simple: we are the only tool trusted by scientists and the courts.
Unlike most CMPs we aren’t new to this game. We published the first audit of one million websites in 2015, which we followed up with the first audit of HIPAA compliance gaps in the United States. All of this work was peer-reviewed by the world’s best scientists, leading to over 1,000 academic citations.
Our research lineage is why we’ve been cited in Supreme Court filings, worked on some of the world’s biggest cookie consent and liability cases, and been used to audit all of Google’s cookies worldwide. The audits webXray produces are timely, accurate, and legally defensible.
When major litigation reaches the courtroom, only webXray can provide the volume and quality of evidence needed to advance a case. In the pending case, In re Meta Pixel Healthcare Litigation (3:22-cv-03580), webXray was used to identify hundreds of HIPAA-covered entities allowing the Meta Pixel to be set.
For Litigation
Leading privacy litigation firms use webXray Search to find forensic-grade evidence of every cookie, vendor, and data flow on over one million sites, driving litigation outcomes today.
For Enterprise and Defense
When it is time to provide evidence of due diligence, compliance, and push back on bogus filings, webXray Audit has your back. We provide litigation-grade audits for both proactive monitoring and incident response.
The Global Audit Continues
We’ve been working at the intersection of law and technology for over a decade, and we’re not stopping here. California is only the first chapter in a new series of audits webXray will be conducting across the globe.
Our future audits intend to focus on sectors and regions with much stricter data protection laws than the CCPA.
Subscribe to our newsletter to be updated when the next audit drops.
Methodology
This audit was conducted using webXray, a forensic privacy analysis platform used in federal and state litigation, academic research, and regulatory investigations.
Data Collection
- Sample: 7,634 popular websites scanned from a California residential IP address under two conditions: with GPC enabled (Sec-GPC: 1 header sent) and without.
- Browser: Unmodified version of Google Chrome, downloaded directly from https://www.google.com/chrome/, used in conjunction with proprietary patent-pending auditing and automation technology.
- Attribution: All observed cookies and network requests were matched against webXray’s proprietary database of 2,000+ data recipients and thousands of known storage items, each classified by purpose (advertising, analytics, consent management, etc.).
- CMP detection: A site is classified as “CMP-equipped” when at least one data recipient with a consent_management classification appears in its network traffic.
How Opt-Out Processing Rates Are Calculated
- Control vs. treatment: Each website is scanned twice — once without GPC (control) and once with GPC enabled (treatment). Advertising cookies are counted as site–cookie pairs (i.e., each distinct cookie observed on each distinct site).
- Sites tracked: A site is counted as “tracked” by a vendor when any network request or cookie is observed going to that vendor, meaning the user’s IP address and other data is sent to the company regardless of whether a cookie is set.
- Vendor families: Ad-tech vendors are grouped by corporate parent using the child_ids field in our data recipient database. For example, “Google” includes AdSense, Google Marketing Platform, YouTube, and all other Google subsidiaries.
- Vendor failure rates (scorecards): For each vendor (Google, Microsoft, Meta), the failure rate is the number of advertising cookie instances set in the treatment (GPC on) divided by the number set in the control (GPC off). A failure rate of 100% means GPC had no effect; 0% would mean all advertising cookies were removed.
- Ad Tech Vendors Evaluated vs. Setting Cookies: “Evaluated” counts every distinct ad tech vendor in webXray’s reference database whose cookies are classified for advertising and marketing use — the full pool of vendors we can detect. “Setting Ads Cookies Despite Opt-Out” counts how many of those vendors were actually observed setting at least one such cookie on at least one site in the treatment condition. The Ad Tech Vendor Failure Rate is the ratio of the two.
- CMP failure rates: For each CMP, the failure rate shown on the card is the share of sites managed by that CMP where at least one advertising cookie was observed despite GPC being sent. The Full Dataset CMP Vendor Failure Rate is the share of evaluated CMP vendors where at least one such site was observed.
- Proprietary opt-outs are not a substitute: Under 11 CCR §7025, a business must honor the GPC signal directly. In-product privacy controls offered by individual vendors do not satisfy that requirement.
- Cookie classification: Google classifies test_cookie as a Functionality cookie. However, this cookie is used by Google Marketing Platform to facilitate advertising functions, thus webXray classifies the cookie under advertising and marketing.
How Liability Exposure Is Calculated
- Enforcement baseline: Six public enforcement actions where opt-out non-compliance was explicitly cited: Sephora ($1.2M, 2022), Healthline ($1.55M, 2025), Tractor Supply ($1.35M, 2025), PlayOn Sports ($1.1M, 2026), Ford ($375.7K, 2026), and Disney ($2.75M, 2026).
- Average fine: $1,387,617.
- Aggregate projection: Average fine × sites with advertising cookies despite opt-out signal. Statutory penalties under Cal. Civ. Code §1798.155 are $2,500-$7,500 per violation.
Privacy Fine History
The companies featured in this audit have a documented history of privacy enforcement actions. All fines listed below are from official regulatory and court records. European fines sourced from the GDPR Enforcement Tracker.
Because these totals are estimates and the USD/EUR exchange rate has fluctuated over time, we assume a 1:1 exchange rate and compute totals on that basis.
Google / Alphabet (Total: $2.318B)
| Year | Authority | Action | Amount |
|---|---|---|---|
| 2012 | FTC (US) | Safari cookie tracking | $22.5M |
| 2013 | 37 US States + DC | Safari cookie tracking settlement | $17M |
| 2019 | CNIL (France) | Ad personalization consent | €50M |
| 2019 | FTC (US) | YouTube COPPA violation | $170M |
| 2020 | CNIL (France) | Advertising cookies without consent | €100M |
| 2020 | DPA (Sweden) | Right to erasure | €5M |
| 2020 | DPA (Belgium) | Data subject rights | €0.6M |
| 2021 | CNIL (France) | Cookies without consent | €150M |
| 2022 | AEPD (Spain) | Data transfers, right to erasure | €10M |
| 2022 | Texas AG (US) | Data privacy rights | $1.375B |
| 2023 | California AG (US) | Location tracking | $93M |
| 2025 | CNIL (France) | Gmail ads and cookie violations | €325M |
| Total | | | $2.318B |
Meta / Facebook (Total: $9.304B)
| Year | Authority | Action | Amount |
|---|---|---|---|
| 2019 | FTC (US) | Cambridge Analytica | $5B |
| 2021 | Irish DPC | WhatsApp transparency | €225M |
| 2022 | Irish DPC | Security measures | €17M |
| 2022 | CNIL (France) | Facebook cookie consent | €60M |
| 2022 | Irish DPC | Instagram children’s data | €405M |
| 2022 | Irish DPC | Facebook data scraping | €265M |
| 2023 | Irish DPC | Behavioral advertising | €390M |
| 2023 | Irish DPC | EU-US data transfers | €1.2B |
| 2024 | Irish DPC | Passwords in plaintext | €91M |
| 2024 | Irish DPC | Data security | €251M |
| 2024 | Texas AG (US) | Biometric data | $1.4B |
| Total | | | $9.304B |
Microsoft (Total: $390M)
| Year | Authority | Action | Amount |
|---|---|---|---|
| 2022 | CNIL (France) | Bing advertising cookies | €60M |
| 2023 | FTC (US) | Xbox COPPA violation | $20M |
| 2024 | Irish DPC | LinkedIn targeted advertising | €310M |
| Total | | | $390M |