Privacy: Google, Meta, and Microsoft allegedly ignore user opt-out signals
![Image [Roads of surveillance]. 6– Policies, Laws and Responses: Who Regulates Surveillance?](https://incyber.org//wp-content/uploads/2026/02/media-episode-5-885x690.png)
An audit conducted by webXray found that hundreds of online advertising actors continue to deploy tracking cookies even when users enable the Global Privacy Control (GPC), a signal intended to refuse data sharing. Based on the analysis of thousands of websites accessible from California, the study highlights a structural issue: more than half of the sites reviewed fail to respect this explicit user choice.
GPC is legally recognized in several US states, including California through the California Consumer Privacy Act. In principle, this signal requires companies to stop selling or sharing personal data. In practice, the audit shows that some of the largest players in the digital advertising ecosystem do not comply.
The observed practices differ across platforms. Google reportedly shows a particularly high rate of non-compliance, continuing to set advertising cookies despite the signal. Microsoft appears to follow a similar approach with its own tracking identifiers, while Meta does not appear to check for the signal at all in some of its tracking tools.
Beyond the technical dimension, the legal implications are significant. Failure to respect user preferences could expose the industry to billions of dollars in potential penalties. More broadly, the findings further undermine the credibility of online consent mechanisms, already criticized for their opacity and limited effectiveness.