
The Global Privacy Control is a single HTTP header. Honoring it requires roughly two lines of server-side code. webXray’s March 2026 audit of 7,634 popular California-facing websites[1] found that 194 of 242 evaluated ad tech vendors ignored it anyway, setting advertising cookies despite the opt-out signal in 80% of cases: 125,106 cookie instances across 4,170 sites.[1] Google failed 86% of the time, Meta failed 69%, and Microsoft failed 50%.[1]

The Audit in Numbers: Methodology and Scale

webXray founder Tim Libert designed the test to minimize methodological objections. Each of the 7,634 sites[1] was scanned twice from a California residential IP using unmodified Google Chrome: once without GPC enabled, once with Sec-GPC: 1 active. The paired control-and-treatment design isolates the GPC signal as the single variable; any cookie present in the treatment scan but absent in the control is attributable to the opt-out being ignored, not to browser or network differences.

According to CalMatters,[2] Libert described the pattern as “industrial-scale non-compliance with California requirements.” He is positioned to make that assessment: before founding webXray, he was a Google privacy engineer who led cookie policy and compliance at the company.

Under California law (Cal. Civ. Code §1798.120(a) and 11 CCR §7025),[3] GPC “must be honored by covered businesses as a valid consumer request to stop the sale or sharing of personal information.” The audit is measuring compliance with an existing legal obligation, not a voluntary standard.

How Google, Meta, and Microsoft Failed

Google’s failure is the most technically specific. Its ad server at securepubads.g.doubleclick.net continued setting the two-year IDE cookie when Sec-GPC: 1 was present, according to the audit.[1] Additional cookies observed in GPC-enabled scans include __gads, __gpi, _gcl_au, AID, and NID. The IDE cookie is Google’s primary cross-site tracking identifier for Display & Video 360.[1] Two years is a long time to be opted out and still tracked.

Meta’s situation is structurally different. The audit found that Meta Pixel code “contains no reference to navigator.globalPrivacyControl, no conditional loading, and no mechanism for the script to respect a consumer’s opt-out preference.” Google at least has compliance infrastructure that is misconfigured; Meta appears not to have implemented the GPC check at all.

Microsoft’s bat.bing.com set the one-year MUID cookie despite GPC, along with _uetsid, _uetvid, and XANDR_PANID. The 50% failure rate[1] puts Microsoft between Google and Meta by volume. The presence of XANDR_PANID suggests the failures propagate through Microsoft’s broader ad-tech stack, not just Bing’s own infrastructure.

If you assumed a consent-management platform would catch what the GPC header missed, the audit is instructive:[1] all 11 evaluated CMPs failed. Three Google-certified banner providers had failure rates of 77%, 90%, and 91% respectively.[1]

The CMP failures matter specifically for site operators. Deploying a Google-certified consent banner and treating GPC as covered is a liability assumption, not a compliance posture.
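The paired-scan check described in the methodology section, applied to the cookies named above, as an added example that is not webXray's own code. Each scan is a constructed cookie jar captured after one page load, as an array of { name, domain, expiresDays }; the "treatment" load is the one made with Sec-GPC: 1.

```javascript
// Added example, not webXray's own code: a comparator in the style of the audit's
// paired scans. Each scan is the cookie jar captured after one page load, as an array
// of { name, domain, expiresDays }; the "treatment" load was made with Sec-GPC: 1.

// Advertising cookies the audit names, mapped to the vendor that sets them.
const AD_COOKIES = {
  IDE: "Google", __gads: "Google", __gpi: "Google", _gcl_au: "Google",
  AID: "Google", NID: "Google",
  MUID: "Microsoft", _uetsid: "Microsoft", _uetvid: "Microsoft", XANDR_PANID: "Microsoft",
};
const vendorOf = (c) =>
  Object.prototype.hasOwnProperty.call(AD_COOKIES, c.name) ? AD_COOKIES[c.name] : null;

// Advertising cookies still present after the GPC-enabled load are the failures.
// alsoInControl records whether the same cookie was also set without GPC.
function gpcFailures(controlScan, treatmentScan) {
  const inControl = new Set(controlScan.map((c) => `${c.domain}|${c.name}`));
  return treatmentScan
    .filter((c) => vendorOf(c) !== null)
    .map((c) => ({
      vendor: vendorOf(c), name: c.name, domain: c.domain, expiresDays: c.expiresDays,
      alsoInControl: inControl.has(`${c.domain}|${c.name}`),
    }));
}

// Per-vendor failure rate over many scan pairs: a vendor fails on a site when at
// least one of its advertising cookies survives that site's GPC-enabled load.
function failureRateByVendor(scanPairs) {
  const tally = {};
  for (const { control, treatment } of scanPairs) {
    const present = new Set([...control, ...treatment].map(vendorOf).filter(Boolean));
    const failing = new Set(gpcFailures(control, treatment).map((f) => f.vendor));
    for (const v of present) {
      tally[v] = tally[v] || { sites: 0, failing: 0, rate: 0 };
      tally[v].sites += 1;
      if (failing.has(v)) tally[v].failing += 1;
      tally[v].rate = tally[v].failing / tally[v].sites;
    }
  }
  return tally;
}

// Constructed sample: site A keeps setting IDE and MUID under GPC; on site B the
// Google tag honours the signal (IDE only in the control load), Microsoft's does not.
const IDE = { name: "IDE", domain: "securepubads.g.doubleclick.net", expiresDays: 730 };
const MUID = { name: "MUID", domain: "bat.bing.com", expiresDays: 365 };
const SESSION = { name: "sessionid", domain: "example.com", expiresDays: 0 };
const SAMPLE_PAIRS = [
  { control: [IDE, MUID, SESSION], treatment: [IDE, MUID, SESSION] },
  { control: [IDE, MUID, SESSION], treatment: [MUID, SESSION] },
];
```

Feeding real cookie jars from a headless-browser run (one load per mode) into failureRateByVendor gives the same per-vendor rate the audit reports, restricted to the sites you operate.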

Liability Projection and Class-Action Arithmetic

The $5.8 billion aggregate CCPA liability figure in the webXray report[1] is a statistical projection, not an assessed penalty. Libert derived it by averaging fines from six public opt-out enforcement actions, yielding $1,387,617 per case, then multiplying by the 4,170 noncompliant sites observed.[1]

The arithmetic holds if the CPPA files 4,170 separate enforcement actions, which it will not.[1]

The CPPA’s largest GPC-adjacent fine on record is $1,350,000 against Tractor Supply Company,[4] announced September 30, 2025, for failing to implement an effective opt-out mechanism including preference signals. One enforcement action, one mid-market retailer. The CPPA has finite staff and a case queue that cannot match ad-tech scale.

The enforcement mechanism that actually threatens Google-scale defendants is plaintiff class-action litigation, not CPPA caseload. The webXray methodology (paired scans, residential IP, unmodified browser, named cookies with specific domains) is designed to be reproducible and admissible. Plaintiff attorneys working privacy class actions can use failure-rate audits as aggregate evidence without reconstructing the methodology from scratch.

Vendor Responses vs. the Network Evidence

Google spokesperson Jackie Berté told CalMatters[2] the audit is “based on a fundamental misunderstanding of how our products work.” That does not explain why IDE, a cross-site advertising identifier with a two-year lifetime, appears in treatment scans where the only variable is the presence of Sec-GPC: 1.

Microsoft spokesperson Courtney Ramirez characterized certain cookies as “necessary for operational purposes.” Operational necessity is a recognized exemption in some privacy frameworks, but it is not an automatic defense under CCPA’s GPC requirements. Whether XANDR_PANID qualifies as operationally necessary is a legal determination, not a technical one, and one that has not been made.

Meta did not respond to CalMatters.[2]

Libert’s prior Google employment will predictably be raised as a conflict of interest. The methodology addresses this more effectively than any disclosure: unmodified Chrome, California residential IP, paired scans, named cookies with specific domains. The results are replicable by anyone with a laptop and a VPN exit node in California.

What Compliance and Engineering Teams Should Do Now

GPC compliance cannot be delegated to a CMP and assumed complete. A site that serves Google, Meta, or Microsoft ad tags is, according to this audit, almost certainly out of compliance with California’s GPC requirement regardless of what the consent banner says.

Honoring GPC requires checking navigator.globalPrivacyControl before firing ad scripts and suppressing third-party ad tags when the signal is present. For sites using Google Ad Manager, publisher-side GPC settings need to be verified against actual network traffic, not against documentation. The audit suggests documentation and network behavior are not aligned.
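One way to implement the check just described, on both the server and the client, as an added example that is not code from the audit or from any of the vendors named. The script URLs are assumptions standing in for whatever tags a site actually loads.

```javascript
// Added example (not Google's, Meta's or Microsoft's code): honour GPC on both sides.
// The browser sends "Sec-GPC: 1" as a request header and exposes the same preference
// to page script as navigator.globalPrivacyControl === true. Tag URLs are assumptions.

const AD_TAGS = [
  { vendor: "Google", src: "https://securepubads.g.doubleclick.net/tag/js/gpt.js" },
  { vendor: "Meta", src: "https://connect.facebook.net/en_US/fbevents.js" },
  { vendor: "Microsoft", src: "https://bat.bing.com/bat.js" },
];

// The server-side check: header names are case-insensitive and the only value the
// GPC spec defines is "1", so anything else counts as no signal.
function gpcFromHeaders(headers) {
  const key = Object.keys(headers || {}).find((k) => k.toLowerCase() === "sec-gpc");
  return key !== undefined && String(headers[key]).trim() === "1";
}

// The client-side check, for tags injected by page script rather than by the server.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// With the signal present no advertising tag is emitted at all, so there is
// nothing left for a consent banner to catch afterwards.
function selectTags(optedOut) {
  return optedOut ? [] : AD_TAGS;
}

// Handler for a Node http server: render with or without the tags, and tell
// shared caches that the response varies on the signal.
function handleRequest(req, res) {
  const scripts = selectTags(gpcFromHeaders(req.headers))
    .map((t) => `<script async src="${t.src}"></script>`).join("");
  res.setHeader("Vary", "Sec-GPC");
  res.setHeader("Content-Type", "text/html; charset=utf-8");
  res.end(`<!doctype html><html><head>${scripts}</head><body></body></html>`);
}

// Browser-side gate; returns how many tags were injected.
function loadAdTags(doc, nav) {
  const tags = selectTags(gpcFromNavigator(nav));
  for (const t of tags) {
    const s = doc.createElement("script");
    s.async = true;
    s.src = t.src;
    doc.head.appendChild(s);
  }
  return tags.length;
}
```

Verifying the result means capturing the requests the page actually makes with Sec-GPC: 1 set, not reading the tag vendor's settings page.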

The same structural preference runs across the industry. Atlassian’s decision to enable AI training data collection by default is a recent instance: collect by default, require explicit opt-out, design the opt-out path to be slow or buried. GPC automated the opt-out at browser scale. The ad-tech stack’s response was to not implement the check.

For compliance teams: the webXray methodology is now public, reproducible, and likely to appear in litigation. Treating GPC as a hard signal is a liability management question, not a best-practice recommendation.

Frequently Asked Questions

How is GPC different from the earlier Do Not Track standard?

Do Not Track (DNT), introduced in 2009, was technically similar—a browser header signaling a privacy preference—but carried no statutory force, and advertisers simply ignored it. GPC has explicit legal backing under CCPA regulation 11 CCR §7025, which treats the signal as a binding consumer opt-out request, and the CPPA has already imposed real fines for noncompliance, beginning with the $1.35M Tractor Supply settlement. The technical mechanism is nearly identical; the enforcement teeth are not.

Does this GPC compliance gap extend beyond California?

The audit tested exclusively from a California residential IP, so its named failure rates are California-specific. However, Colorado and Connecticut have both enacted regulations requiring businesses to honor GPC as a valid opt-out mechanism, meaning the same 4,170 noncompliant sites are likely in violation of multiple state privacy regimes simultaneously. A repeat scan from Denver or Hartford IP addresses would probably yield comparable results.

How reliable is the $5.8B liability figure as a financial estimate?

The projection averages penalties from only six public enforcement actions—a sample too small to account for variance in company size, cooperation level, or violation severity. Applying a single mean uniformly to every site, from a personal blog to a Fortune 500 ad network, obscures more than it reveals. The number is best read as a ceiling benchmark signaling the scale of statutory exposure, not as a prediction of actual fines or settlements.

Will vendors try to claim their tracking cookies are ‘operationally necessary’?

Microsoft has already telegraphed this defense. The CCPA’s service-provider exemption provides a potential legal basis, but only if the data processing is strictly necessary and non-promotional. Advertising identifiers like XANDR_PANID were architected for cross-site ad targeting, a purpose that does not easily fit the exemption’s criteria. Expect the ‘operational necessity’ framing to be the central contested issue in the first wave of GPC class-action filings.

Sources

  1. webXray March 2026 California Audit (primary; accessed 2026-04-29)
  2. CalMatters: Data privacy opt-outs (primary; accessed 2026-04-29)
  3. California OAG CCPA Regulations (vendor; accessed 2026-04-29)
  4. CPPA Tractor Supply Enforcement Action (primary; accessed 2026-04-29)
