groundy
culture & society

Google Ignores California's Global Privacy Control 86% of the Time: webXray's 7,000-Site Audit

webXray's March 2026 audit found Google ignored California's GPC opt-out in 86% of cases, with Meta at 69% and Microsoft at 50%, exposing systemic CCPA noncompliance.

10 min···8 sources ↓

The Global Privacy Control is a single HTTP header. Honoring it requires roughly two lines of server-side code. webXray’s March 2026 audit of 7,634 popular California-facing websites1 found that 194 of 242 evaluated ad tech vendors ignored it anyway, setting advertising cookies despite the opt-out signal in 80% of cases:1 125,106 cookie instances across 4,170 sites.1 Google failed 86% of the time.1 Meta failed 69%.1 Microsoft failed 50%.1

The Audit in Numbers: Methodology and Scale

webXray founder Tim Libert designed the test to minimize methodological objections. Each of the 7,634 sites1 was scanned twice from a California residential IP using unmodified Google Chrome: once without GPC enabled, once with Sec-GPC: 1 active. The paired control-and-treatment design isolates the GPC signal as the single variable; any cookie present in the treatment scan but absent in the control is attributable to the opt-out being ignored, not to browser or network differences.

According to CalMatters,2 Libert described the pattern as “industrial-scale non-compliance with California requirements.” He is positioned to make that assessment: before founding webXray, he was a Google privacy engineer who led cookie policy and compliance at the company.

Under California law (Cal. Civ. Code §1798.120(a) and 11 CCR §7025),3 GPC “must be honored by covered businesses as a valid consumer request to stop the sale or sharing of personal information.” The audit is measuring compliance with an existing legal obligation, not a voluntary standard.

How Google, Meta, and Microsoft Failed

Google’s failure is the most technically specific. Its ad server at securepubads.g.doubleclick.net continued setting the two-year IDE cookie when Sec-GPC: 1 was present, according to the audit.1 Additional cookies observed in GPC-enabled scans include __gads, __gpi, _gcl_au, AID, and NID. The IDE cookie is Google’s primary cross-site tracking identifier for Display & Video 360.1 Two years is a long time to be opted out and still tracked.

Meta’s situation is structurally different. The audit found that Meta Pixel code “contains no reference to navigator.globalPrivacyControl, no conditional loading, and no mechanism for the script to respect a consumer’s opt-out preference.” Google at least has compliance infrastructure that is misconfigured; Meta appears not to have implemented the GPC check at all.

Microsoft’s bat.bing.com set the one-year MUID cookie despite GPC, along with _uetsid, _uetvid, and XANDR_PANID. The 50% failure rate1 puts Microsoft between Google and Meta by volume. The presence of XANDR_PANID suggests the failures propagate through Microsoft’s broader ad-tech stack, not just Bing’s own infrastructure.

If you assumed a consent-management platform would catch what the GPC header missed, the audit is instructive:1 all 11 evaluated CMPs failed. Three Google-certified banner providers had failure rates of 77%, 90%, and 91% respectively.1

The CMP failures matter specifically for site operators. Deploying a Google-certified consent banner and treating GPC as covered is a liability assumption, not a compliance posture.

Liability Projection and Class-Action Arithmetic

The $5.8 billion aggregate CCPA liability figure in the webXray report1 is a statistical projection, not an assessed penalty. Libert derived it by averaging fines from six public opt-out enforcement actions, yielding $1,387,617 per case, then multiplying by the 4,170 noncompliant sites observed.1

The arithmetic holds if the CPPA files 4,170 separate enforcement actions, which it will not.1

The CPPA’s largest fine on record is $1,350,000 against Tractor Supply Company,4 announced September 30, 2025, for failing to implement an effective opt-out mechanism including preference signals. [Updated June 2026] That is no longer the only marquee action, and it is no longer the largest. In February 2026 the California Attorney General, who shares CCPA enforcement authority with the CPPA, settled with The Walt Disney Company for $2.75 million, the largest CCPA penalty to date, over GPC signals that Disney honored only on the originating device and never propagated to the logged-in account. Even with that escalation, the math gap stands: a handful of negotiated settlements per year against a population of 4,170 noncompliant sites is not a throughput that closes the audit’s exposure.

The enforcement mechanism that actually threatens Google-scale defendants is plaintiff class-action litigation, not CPPA caseload. The webXray methodology (paired scans, residential IP, unmodified browser, named cookies with specific domains) is designed to be reproducible and admissible. Plaintiff attorneys working privacy class actions can use failure-rate audits as aggregate evidence without reconstructing the methodology from scratch.

What Changed Between the Audit and Now [Updated June 2026]

The audit landed in March 2026 into an enforcement environment that had already started moving, which sharpens its findings rather than softening them.

In September 2025 the CPPA, the California Attorney General, and the Attorneys General of Colorado and Connecticut announced a coordinated multistate compliance sweep aimed specifically at businesses that fail to honor GPC. The regulators’ framing maps onto the audit’s CMP results almost line for line: a cookie banner and a consent mechanism are not enough, and a covered business must automatically capture and respect the signal without requiring any further action from the consumer. The audit measured, at network-request granularity, exactly the failure mode the sweep was built to find. It is rare for a forensic study and a regulatory action to be this well aligned by accident; the audit reads less like a warning shot than like discovery already filed.

The enforcement record behind the sweep is now concrete rather than hypothetical. Beyond Tractor Supply, the CPPA fined youth-sports media company PlayOn Sports $1.1 million on March 3, 2026 for forcing users to accept tracking before they could buy tickets or use the site, with no usable opt-out. Ford settled with the CPPA for $375,703 in March 2026, with the order requiring an audit of every tracking technology on Ford’s properties for GPC handling. Clothing retailer Todd Snyder paid $345,178 for taking 40 days to act on opt-out requests and demanding identity verification before honoring them. None of these defendants are Google-scale, and that is the signal the figures send: the agency is willing to act, but it acts one mid-market company at a time, on negotiated terms, against a population the audit puts at 4,170 noncompliant sites.

The sweep is also not a California-only problem for the vendors named in the audit. Colorado and Connecticut joined the September action, and by 2026 roughly twenty states have comprehensive privacy laws, a growing subset of which require a covered business to honor a universal opt-out signal. webXray tested only from a California residential IP, so its named failure rates are California-specific, but the same vendor code paths serve traffic nationally. A securepubads.g.doubleclick.net request that sets IDE under Sec-GPC: 1 in Los Angeles is running the same logic when the request originates in Denver or Hartford.

Layered on top is a regulatory change that the audit makes newly load-bearing. The revised CCPA regulations that took effect January 1, 2026 require a covered business to provide visible confirmation that an opt-out request, GPC included, was actually processed. That converts what the audit treats as a measurable gap into a documented one: a site that tells a user “your request was honored” while its network traffic still sets IDE or MUID is no longer merely noncompliant, it is contradicting its own interface, in writing, on every page load.

The one development that cuts against this article’s original class-action thesis arrived in June. On June 16, 2026 the U.S. District Court for the Northern District of California denied class certification in Ingraham v. Capital One, a website-tracking suit, on the ground that individualized questions predominated: different tracking technologies collected different data, users encountered different disclosures, and proving injury would require examining each plaintiff’s session. The ruling says nothing about the audit’s accuracy. It complicates the assumption that a reproducible failure-rate audit converts cleanly into a certifiable class. Aggregate evidence that every visitor was tracked is not the same as common proof that every visitor was harmed the same way, and Ingraham is the most recent California decision to draw that line.

The net effect for a site operator is that the regulatory side of the threat is more active than the original framing implied, and the litigation side is more contested. Neither shift makes the underlying behavior compliant.

Vendor Responses vs. the Network Evidence

Google spokesperson Jackie Berté told CalMatters2 the audit is “based on a fundamental misunderstanding of how our products work.” That does not explain why IDE, a cross-site advertising identifier with a two-year lifetime, appears in treatment scans where the only variable is the presence of Sec-GPC: 1.

Microsoft spokesperson Courtney Ramirez characterized certain cookies as “necessary for operational purposes.” Operational necessity is a recognized exemption in some privacy frameworks, but it is not an automatic defense under CCPA’s GPC requirements. Whether XANDR_PANID qualifies as operationally necessary is a legal determination, not a technical one, and one that has not been made.

Meta did not respond to CalMatters.2

Libert’s prior Google employment will predictably be raised as a conflict of interest. The methodology addresses this more effectively than any disclosure: unmodified Chrome, California residential IP, paired scans, named cookies with specific domains. The results are replicable by anyone with a laptop and a VPN exit node in California.

What Compliance and Engineering Teams Should Do Now

GPC compliance cannot be delegated to a CMP and assumed complete. A site that serves Google, Meta, or Microsoft ad tags is, according to this audit, almost certainly out of compliance with California’s GPC requirement regardless of what the consent banner says.

Honoring GPC requires checking navigator.globalPrivacyControl before firing ad scripts and suppressing third-party ad tags when the signal is present. For sites using Google Ad Manager, publisher-side GPC settings need to be verified against actual network traffic, not against documentation. The audit suggests documentation and network behavior are not aligned.

The same structural preference runs across the industry. Atlassian’s decision to enable AI training data collection by default is a recent instance: collect by default, require explicit opt-out, design the opt-out path to be slow or buried. GPC automated the opt-out at browser scale. The ad-tech stack’s response was to not implement the check. California is pushing the signal harder from the other end: AB 566 forces Chrome and Safari to ship opt-out signals by 2027, which means the population sending Sec-GPC: 1 is about to grow by default rather than by extension install, and the failure rates this audit measured will apply to far more traffic.

For compliance teams: the webXray methodology is now public, reproducible, and likely to appear in litigation. Treating GPC as a hard signal is a liability management question, not a best-practice recommendation.

Frequently Asked Questions

How is GPC different from the earlier Do Not Track standard?

Do Not Track (DNT), introduced in 2009, was technically similar, a browser header signaling a privacy preference, but carried no statutory force, and advertisers simply ignored it. GPC has explicit legal backing under CCPA regulation 11 CCR §7025, which treats the signal as a binding consumer opt-out request, and California regulators have already imposed real fines for noncompliance. [Updated June 2026] The record now runs from the $1.35M Tractor Supply settlement through PlayOn Sports ($1.1M), Ford ($375,703), Todd Snyder ($345,178), and the $2.75M Disney settlement, plus a multistate GPC enforcement sweep with Colorado and Connecticut. The technical mechanism is nearly identical to DNT; the enforcement teeth are not.

Does this GPC compliance gap extend beyond California?

The audit tested exclusively from a California residential IP, so its named failure rates are California-specific. However, Colorado and Connecticut have both enacted regulations requiring businesses to honor GPC as a valid opt-out mechanism, meaning the same 4,170 noncompliant sites are likely in violation of multiple state privacy regimes simultaneously. A repeat scan from Denver or Hartford IP addresses would probably yield comparable results.

How reliable is the $5.8B liability figure as a financial estimate?

The projection averages penalties from only six public enforcement actions, a sample too small to account for variance in company size, cooperation level, or violation severity. Applying a single mean uniformly to every site, from a personal blog to a Fortune 500 ad network, obscures more than it reveals. The number is best read as a ceiling benchmark signaling the scale of statutory exposure, not as a prediction of actual fines or settlements.

Will vendors try to claim their tracking cookies are ‘operationally necessary’?

Microsoft has already telegraphed this defense. The CCPA’s service-provider exemption provides a potential legal basis, but only if the data processing is strictly necessary and non-promotional. Advertising identifiers like XANDR_PANID were architected for cross-site ad targeting, a purpose that does not easily fit the exemption’s criteria. Expect the ‘operational necessity’ framing to be the central contested issue in the first wave of GPC class-action filings.

sources · 8 cited

  1. webXray March 2026 California Auditglobalprivacyaudit.orgprimaryaccessed 2026-04-29
  2. CalMatters: Data privacy opt-outscalmatters.orgprimaryaccessed 2026-04-29
  3. California OAG CCPA Regulationsoag.ca.govvendoraccessed 2026-04-29
  4. CPPA Tractor Supply Enforcement Actioncppa.ca.govprimaryaccessed 2026-04-29
  5. CPPA and AGs Announce Multistate GPC Compliance Sweeppaulhastings.comanalysisaccessed 2026-06-26
  6. Escalated CCPA Enforcement: Record $2.75M Disney Settlementnatlawreview.comanalysisaccessed 2026-06-26