Google, Microsoft, Meta All Tracking You Even When You Opt Out

Original link: https://www.404media.co/google-microsoft-meta-all-tracking-you-even-when-you-opt-out-according-to-an-independent-audit/

A recent independent audit by webXray examined the web traffic of more than 7,000 California websites and found that Microsoft, Meta, and Google may be committing privacy violations that could lead to billions of dollars in fines under the California Consumer Privacy Act (CCPA). The audit showed that 55% of the sites continued to set advertising cookies even after users had opted out of tracking through tools such as Global Privacy Control (GPC). Specifically, Google failed to honor opt-out requests 87% of the time, Meta 69%, and Microsoft 50%. The audit points to flaws in how these companies handle the GPC signal and to problems with Google-certified consent management platforms (CMPs), which frequently fail to prevent cookies from being set even when the user has opted out. webXray, founded by Google's former lead of cookie policy and compliance, argues that these companies put profit ahead of compliance and treat fines as a cost of doing business. It proposes a simple code fix: refuse to serve the content when a GPC signal is detected. All three companies dispute the findings and say they comply with privacy law, but webXray's report aims to give regulators concrete evidence of continued non-compliance.

## Big Tech Keeps Tracking You Even After You Opt Out

A recent webXray audit shows that Google, Microsoft, and Meta still track users even after opt-out mechanisms such as Global Privacy Control (GPC) are used. The report found that 55% of the sites examined continued to set advertising cookies after users had opted out.

The discussion highlighted a core problem: the lack of enforcement and of real penalties for these companies. Users can try to protect their own privacy, but the economic incentive to track remains strong. Many argued that fines are not enough of a deterrent and called for stricter measures, including the possibility of prison time for executives.

Dr. Timothy Libert, a former Google employee who led the audit, stressed that the problem is not a misunderstanding of the law but deliberate disregard for user preferences. He pointed out that internal Google documents confirm the company was aware of the compliance problems.

Many commenters expressed frustration with pervasive tracking, noting that even basic actions such as creating an account or shopping result in data sharing. The discussion reflects a growing recognition that opting out is often futile and that major systemic change is needed to protect user privacy.

## Original article

An independent privacy audit of Microsoft, Meta, and Google web traffic in California found that the companies may be violating state regulations and racking up billions in fines. According to the audit from privacy search engine webXray, 55 percent of the sites it checked set ad cookies in a user’s browser even if they opted out of tracking. Each company disputed or took issue with the research, with Google saying it was based on a “fundamental misunderstanding” of how its product works.

The webXray California Privacy Audit viewed web traffic on more than 7,000 popular websites in California in the month of March and found that most tech companies ignore a user's request to opt out of cookie tracking. California has stringent and well-defined privacy legislation thanks to its California Consumer Privacy Act (CCPA), which allows users to, among other things, opt out of the sale of their personal information. There is a system called Global Privacy Control (GPC), a signal that a browser setting or extension sends to a website to indicate that the user wants to opt out of tracking.

According to the webXray audit, Google failed to let users opt out 87 percent of the time. “Google’s failure to honor the GPC opt-out signal is easy to find in network traffic. When a browser using GPC connects to Google’s servers it encodes the opt-out signal by sending the code ‘sec-gpc: 1.’ This means Google should not return cookies,” the audit said. “However, when Google’s server responds to the network request with the opt-out it explicitly responds with a command to create an advertising cookie named IDE using the ‘set-cookie’ command. This non-compliance is easy to spot, hiding in plain sight.”
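The check the audit describes is a straightforward correlation of request and response headers, which makes it easy to automate. The following is an added example, not webXray's tooling and not code from the article: it scans captured HTTP exchanges and flags any in which the request carried `Sec-GPC: 1` but the response still carried `Set-Cookie`. The captures in `SAMPLE_EXCHANGES` are constructed for the example; the hostname is a placeholder and the cookie value is made up, while the cookie name `IDE` is the one the audit reports.

```javascript
// Added example (not from the webXray audit or 404 Media): flag HTTP exchanges
// where the browser sent the GPC opt-out signal but the server still set a
// cookie. This mirrors the audit's observation: request carries "Sec-GPC: 1",
// response carries "Set-Cookie".

// Lower-case header names so lookups are case-insensitive, as HTTP requires.
// Values become arrays because Set-Cookie may legitimately appear many times.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (out[key] === undefined) out[key] = [];
    out[key].push(...(Array.isArray(value) ? value : [value]));
  }
  return out;
}

// A browser signals opt-out with exactly "Sec-GPC: 1" (GPC specification).
function requestHasGpcOptOut(requestHeaders) {
  const h = normalizeHeaders(requestHeaders);
  return (h['sec-gpc'] || []).some((v) => String(v).trim() === '1');
}

// Cookie names from every Set-Cookie header: the text before the first "=".
function cookieNamesSet(responseHeaders) {
  const h = normalizeHeaders(responseHeaders);
  return (h['set-cookie'] || [])
    .map((line) => line.split(';')[0].split('=')[0].trim())
    .filter((name) => name.length > 0);
}

// Returns the non-compliant exchanges: opt-out present, yet Set-Cookie returned.
function findGpcViolations(exchanges) {
  const findings = [];
  for (const ex of exchanges) {
    if (!requestHasGpcOptOut(ex.request.headers)) continue;
    const names = cookieNamesSet(ex.response.headers);
    if (names.length > 0) {
      findings.push({ url: ex.request.url, status: ex.response.status, cookies: names });
    }
  }
  return findings;
}

// Constructed captures (placeholder hostname, made-up cookie value).
const SAMPLE_EXCHANGES = [
  { // opt-out sent, ad cookie set anyway: the pattern the audit reports
    request: { url: 'https://ads.example.invalid/pagead', headers: { 'Sec-GPC': '1', 'User-Agent': 'audit-bot' } },
    response: { status: 200, headers: { 'Set-Cookie': ['IDE=placeholder-value; Domain=.example.invalid; Secure; SameSite=None'] } },
  },
  { // opt-out sent, server refused with 451 and set nothing: compliant
    request: { url: 'https://ads.example.invalid/pagead', headers: { 'Sec-GPC': '1' } },
    response: { status: 451, headers: { 'Content-Type': 'text/plain' } },
  },
  { // no opt-out signal: cookie is outside the scope of this check
    request: { url: 'https://ads.example.invalid/pagead', headers: {} },
    response: { status: 200, headers: { 'set-cookie': 'IDE=placeholder-value' } },
  },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(findGpcViolations(SAMPLE_EXCHANGES), null, 2));
}
```

Run against real captures, the same function works over any request/response pairs exported from a proxy or a browser's network log; the only assumption is that each record exposes the request URL plus request and response header maps.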

The audit said that Microsoft fails to opt out users in the same way and has a failure rate of 50 percent in the web traffic webXray viewed. Meta’s failure rate was 69 percent, and its failure was more comprehensive. “Meta instructs publishers to install the following tracking code on their websites. The code contains no check for globally standard opt-out signals—it loads unconditionally, fires a tracking event, and sets a cookie regardless of the consumer’s privacy preferences,” the audit said. It showed a copy of Meta’s tracking code, which contains no GPC check at all.
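A publisher does not have to wait for the vendor to add that check. Browsers that support GPC expose the signal to page scripts as `navigator.globalPrivacyControl`, so a loader wrapper can refuse to run the snippet at all for an opted-out visitor. The following is an added example, not Meta's snippet and not from the audit: `unconditionalPixel` stands in for a vendor snippet that loads, fires an event, and sets a cookie with no check, and `gatedPixel` is the wrapper. The script URL and the cookie name `trk_id` are hypothetical, and `makeDoc` is a minimal stand-in for `document` so the example runs outside a browser.

```javascript
// Added example (not Meta's pixel code and not from the webXray audit): gate a
// third-party tracking snippet on the browser-side GPC signal so that it is
// never executed for a visitor who has opted out.

// navigator.globalPrivacyControl is true when the user opted out. Absent,
// undefined or false means no opt-out signal; only a strict true counts.
function gpcOptOutSignalled(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Simulated vendor snippet, unconditional like the one the audit quotes:
// it loads its script, fires an event and writes a cookie with no check.
function unconditionalPixel(doc) {
  doc.scriptsLoaded.push('https://tracker.example.invalid/pixel.js'); // hypothetical URL
  doc.events.push('PageView');
  doc.cookie = 'trk_id=placeholder; Path=/'; // hypothetical cookie name and value
  return { loaded: true, eventFired: true, cookieSet: true };
}

// Gated wrapper: run the snippet only when no opt-out is signalled. On opt-out
// nothing is loaded, fired or set, and the reason is reported for logging.
function gatedPixel(nav, doc, snippet = unconditionalPixel) {
  if (gpcOptOutSignalled(nav)) {
    return { loaded: false, eventFired: false, cookieSet: false, reason: 'GPC opt-out' };
  }
  return { ...snippet(doc), reason: 'no opt-out signal' };
}

// Minimal document stand-in so the example runs in Node as well as a browser.
function makeDoc() {
  return { cookie: '', scriptsLoaded: [], events: [] };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(gatedPixel({ globalPrivacyControl: true }, makeDoc()));
  console.log(gatedPixel({ globalPrivacyControl: false }, makeDoc()));
}
```

In a page, the call would be `gatedPixel(window.navigator, document, realSnippet)`. The check belongs in front of the snippet rather than inside it, because, as the audit notes, the vendor's own code performs no check; a wrapper the publisher controls is the only place the decision is guaranteed to run first.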

webXray is an independent technology company that runs a search engine that lets people look for privacy violations on the internet. Its founder Timothy Libert is the former lead of cookie policy and compliance at Google. Libert told 404 Media he felt his job at Google was to protect its users but that his bosses didn’t agree. He left the company in 2023 and started webXray. 

“Shortly before I left my boss told me, direct quote, my job is to protect the company. There was another time I got into a very serious ontological discussion with a fairly senior engineer about what the difference was between taxes and fines and they didn’t understand there was a difference,” he said.

Microsoft, Meta, and Google have collectively paid billions in fines for previous privacy violations similar to the ones Libert and webXray found during the audit. According to Libert, the big tech companies don’t fear these fines. “In many ways fines have come to replace taxes,” he said. “What I’m trying to show here is, ‘How is enforcement failing?’ What we’re trying to do here is put people in the regulatory and legal community who work on these issues to have an understanding of what’s actually going on under the hood.”

One of the things going on under the hood revealed in the audit is how cookie banners work. Anyone who uses the internet has seen these annoying pop-ups that ask users how they want to handle the cookies set by the site. The software behind them is called a consent management platform (CMP). Google, one of the premier purveyors of cookies, runs a service called the CMP Partner Program that certifies CMPs.

“This clear conflict of interest led us to ask: do these CMPs actually work?” the audit said. “By measuring what happens when an opt-out signal is sent to a website, we were able to find out, and the findings are clear: no Google-certified CMP we evaluated works 100% of the time, and all of them are often found to fail to prevent Google from setting cookies despite opt-out signals being present.”

webXray said it tested three CMP companies and found opt-out failure rates of 77 percent, 91 percent, and 90 percent. “It does not work. It fails. It lets Google, specifically the party who said that this will work, it lets them set cookies,” Libert said.

Google, Meta, and Microsoft all disputed the audit. “This report is based on a fundamental misunderstanding of how our products work. We honor opt-out provided by advertisers and publishers as required by law,” a Google spokesperson told 404 Media.

“This is a marketing ploy that mischaracterizes how GPC works and Meta’s role,” Meta told 404 Media. “GPC only restricts certain uses of third-party data and allows website operators to override GPC signals, and we offer the Limited Data Use feature to help websites indicate what permissions they have. When data is transmitted to us with the LDU flag, we restrict the use of that data, as specified in our State-Specific Terms.”

“Consumer privacy is a top priority for us, and we remain committed to transparency and compliance with applicable privacy requirements. As outlined in our Privacy Statement, when we receive a GPC signal, we opt the user out of sharing personal data with third parties for personalized advertising, and our advertising systems are designed to reflect that choice,” a Microsoft spokesperson said. “Certain Microsoft cookies are necessary for operational purposes, and may therefore be placed and read even when a GPC signal is detected.”

“In my view this stuff isn’t complicated. You say, ‘don’t set the cookie.’ They set the cookie,” Libert said. “The regulators see a fox going into the henhouse and the fox says, ‘I’m just here to count the eggs, not to eat any chickens.’ And they take them at their word. They don’t make them produce any public record.”

When caught, governments levy fines against companies and the companies pay. Libert said that isn’t enough. “They can just pay fines forever,” he said.

Key to the audit is that Libert and his team provided a simple solution to the violations. According to webXray, it’s as easy as adding one line of code. “When Microsoft’s ad server receives traffic with Sec-GPC: 1, all it has to do is return a 451 Unavailable For Legal Reasons status code to indicate the content cannot be served due to the consumer’s legally defined opt-out. No cookie is set in this condition,” the audit said.
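What that fix looks like on the server side, as an added example rather than any company's code: `legacyAdHandler` reproduces the behaviour the audit observed (the opt-out header is ignored and an advertising cookie is set regardless), and `gpcAwareAdHandler` is the proposed change, answering 451 with no `Set-Cookie` whenever `Sec-GPC: 1` is present. The handlers are pure functions over a request-like object so they can be exercised without opening a socket; the Node wiring is shown in a trailing comment. The cookie name `IDE` is the one the audit reports; its value, the body text and the `Vary: Sec-GPC` header are this example's choices, the last one added so that a shared cache never serves the cookie-setting response to an opted-out client.

```javascript
// Added example (not Microsoft's or Google's ad-server code): the cookie-setting
// behaviour the audit observed next to the 451-based fix it proposes.

const ADVERTISING_COOKIE = 'IDE'; // cookie name reported in the audit; value below is a placeholder

// Case-insensitive single-header lookup over a plain header object.
function headerValue(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : String(headers[key]).trim();
}

// GPC opt-out is signalled by exactly "Sec-GPC: 1".
function gpcOptOut(headers) {
  return headerValue(headers, 'sec-gpc') === '1';
}

// Observed behaviour: the opt-out is never consulted; every response sets the ad cookie.
function legacyAdHandler(req) {
  return {
    status: 200,
    headers: {
      'Content-Type': 'text/plain',
      'Vary': 'Sec-GPC',
      'Set-Cookie': `${ADVERTISING_COOKIE}=placeholder-value; Secure; HttpOnly; SameSite=None`,
    },
    body: 'ad payload',
  };
}

// Proposed fix: with Sec-GPC: 1 present, refuse with 451 Unavailable For Legal
// Reasons and emit no Set-Cookie at all; otherwise fall through to the old path.
function gpcAwareAdHandler(req) {
  if (gpcOptOut(req.headers)) {
    return {
      status: 451,
      headers: { 'Content-Type': 'text/plain', 'Vary': 'Sec-GPC' },
      body: 'not served: consumer opt-out (GPC)',
    };
  }
  return legacyAdHandler(req);
}

// Compliance check usable in a unit test or a canary: a handler respects the
// opt-out if it never returns Set-Cookie for a request that carried Sec-GPC: 1.
function respectsOptOut(handler, req) {
  const res = handler(req);
  const setsCookie = headerValue(res.headers, 'set-cookie') !== undefined;
  return !(gpcOptOut(req.headers) && setsCookie);
}

// Node wiring, not started here:
//   require('http').createServer((req, res) => {
//     const out = gpcAwareAdHandler({ headers: req.headers });
//     res.writeHead(out.status, out.headers);
//     res.end(out.body);
//   }).listen(8080);

if (typeof require !== 'undefined' && require.main === module) {
  const optOut = { headers: { 'Sec-GPC': '1' } };
  console.log('legacy respects opt-out:', respectsOptOut(legacyAdHandler, optOut));
  console.log('fixed respects opt-out:', respectsOptOut(gpcAwareAdHandler, optOut));
}
```

`respectsOptOut` is the property the audit measured from the outside; keeping it as a function next to the handler lets the same check run in CI against every code path that can emit a cookie, rather than relying on a single branch at the top of the request.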

“This is the Strait of Hormuz in the data economy. If you want to make a change, this is where you cut it off. Anything short of that is theatrical political posture,” Libert said.
