By rssfeeds-admin 
The California Privacy Audit examined over 4,000 popular U.S. websites and discovered that 55% still set advertising cookies despite visitors activating privacy protections.
Even certified cookie choice banners failed to block tracking. Out of 194 advertising services reviewed, most ignored the Global Privacy Control (GPC) signal, a standard endorsed by regulators to enforce user opt-out rights.
Technical Failures Behind Opt-Out
Led by Dr. Timothy Libert, former head of Google’s cookie policy team, the audit revealed structural compliance failures across multiple ad networks:
- Google: With an 87% failure rate, Google servers routinely ignore the “sec-gpc: 1” signal and instead deploy the persistent “IDE” cookie, tracking users for up to two years across its vast ad network.
- Microsoft: The Bing ads ecosystem showed a 50% failure rate, setting the “MUID” identifier cookie that follows users for one year even after opt-out requests.
- Meta: The Meta Pixel performed worst in terms of design, with a 69% failure rate. Auditors found no check for “navigator.globalPrivacyControl” within its JavaScript code, meaning the pixel triggers tracking regardless of user preferences.
Each violation could cost companies up to $1.4 million in fines based on historical enforcement averages, placing potential total liability at a staggering $5.8 billion.
For context, previous privacy settlements include Sephora’s $1.2 million fine in 2022 and Disney’s $2.75 million in 2025, signaling regulators’ growing intolerance of non-compliant tracking.
The investigation also exposed serious flaws in popular Consent Management Platforms (CMPs).
All 11 evaluated vendors failed to completely prevent cookie placement after users opted out, allowing advertisers to bypass restrictions.
However, WebXray suggests these compliance gaps are easily fixable. Google and Microsoft’s ad servers could respond to GPC requests with a simple “451 Unavailable For Legal Reasons” HTTP status, instantly blocking cookie deployment.
For Meta, a short conditional check within the Pixel script could halt event firing whenever a GPC signal is detected.
These findings highlight systemic weaknesses in online privacy enforcement. Despite advancements in privacy legislation, technical loopholes allow data collection to continue on an industrial scale.
Unless ad-tech giants prioritize transparent consent handling and verifiable GPC compliance, both publishers and advertisers may face mounting legal and reputational risks under California’s stringent privacy regulations.
Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google
The post New Research Claims Google, Microsoft, and Meta Track Users Even After Opt-Out appeared first on Cyber Security News.
Discover more from RSS Feeds Cloud
Subscribe to get the latest posts sent to your email.