Apr 15, 2026 · 5 min read
Google Ignores Your Privacy Opt-Out 86% of the Time—and It Is Not Alone
A new audit of California web traffic found that 194 advertising services routinely ignore the Global Privacy Control signal your browser sends on every page load. Google, Meta, and Microsoft are the worst offenders.
What the Audit Found
Research published on April 16, 2026, by privacy organization webXray reveals that the biggest names in online advertising are systematically ignoring legally mandated opt-out signals. The audit, which analyzed California web traffic in March 2026, tested how 194 online advertising services respond to the Global Privacy Control (GPC) signal.
The results are stark:
- Google ignored opt-out requests 86% of the time
- Meta ignored opt-out requests 69% of the time
- Microsoft ignored opt-out requests 50% of the time
The full report is available at globalprivacyaudit.org. It was originally reported by 404 Media and subsequently covered by The Record.
What Is Global Privacy Control
Global Privacy Control is a browser setting that sends a machine readable signal to every website you visit, telling it you do not want your personal data sold or shared. It is built into Firefox, Brave, and DuckDuckGo by default, and available as an extension for Chrome. Under the California Consumer Privacy Act (CCPA), businesses are legally required to treat a GPC signal as a valid opt-out request.
The idea is straightforward: instead of clicking through cookie banners and opt-out forms on every website, your browser tells the site once and the site complies. Eight US states now require businesses to honor GPC signals. The problem, as this audit makes clear, is that most advertising services simply do not.
Why Companies Get Away With It
Enforcement has been slow and penalties have been low relative to the revenue at stake. The most notable CCPA enforcement action for ignoring GPC signals was against Sephora, which paid a $1.2 million fine in 2022. Disney paid $2.75 million in February 2026. For companies generating billions in advertising revenue, these fines amount to rounding errors.
Timothy Libert, the CEO of webXray who led the audit, previously oversaw cookie privacy policy at Google until 2023. His insider perspective lends credibility to the findings: the companies are not unaware of GPC signals. They have the technical infrastructure to detect and honor them. They are choosing not to.
The recent CCPA fine against Ford for ignoring opt-out requests shows that enforcement is expanding beyond the web, but the pace remains far slower than the scale of noncompliance.
The Regulatory Gap
California has raised CPRA fines to $7,988 per intentional violation and eliminated the automatic 30 day cure period that previously gave companies a free pass to fix violations before facing penalties. In theory, this should create meaningful deterrence. In practice, the California Privacy Protection Agency has limited resources compared to the number of companies operating in violation.
The audit identified 194 advertising services ignoring GPC signals. At $7,988 per violation, and with millions of California users sending GPC signals daily, the theoretical liability is enormous. But converting that theoretical liability into actual enforcement requires investigations, proceedings, and political will that have not yet materialized at scale.
Meanwhile, the CCPA's expansion into automated decision making adds new compliance requirements, but the fundamental enforcement gap on opt-out signals remains unresolved. And the recently introduced SECURE Data Act could preempt all 20 state privacy laws with a weaker federal standard that has no private right of action.
Montana is about to test whether that gap closes. As of April 1, 2026, the state's 60-day cure period expired, which means the AG can sue companies that ignore Global Privacy Control signals without giving them a warning first. The same 194-service list that webXray documented in California is now directly actionable in Montana.
What This Means for Your Privacy
If you have enabled GPC in your browser, you are doing the right thing. But this audit confirms what privacy researchers have long suspected: the signal alone is not enough. Advertising companies are receiving your opt-out request and ignoring it on the majority of page loads.
This does not mean GPC is useless. It creates a legal record of your opt-out preference, which matters if and when enforcement actions reach your data. And it does work with some companies, particularly smaller publishers who have less incentive to ignore the law. But for the biggest advertising networks, which handle the vast majority of online tracking, your GPC signal is being treated as a suggestion rather than a legal requirement.
What You Can Do
Given that opt-out signals are being widely ignored, a layered approach to privacy is essential:
- Enable GPC in your browser settings. It is on by default in Firefox, Brave, and DuckDuckGo. For Chrome, install the GPC extension
- Use a tracker blocker. Since companies ignore your opt-out, block their tracking scripts entirely. Extensions like uBlock Origin prevent trackers from loading in the first place
- Block tracking pixels in email. The same advertising companies that ignore GPC on the web also track you through email. Email tracking pixels report your opens, location, and device back to senders
- File complaints. The California Privacy Protection Agency accepts complaints at cppa.ca.gov. Individual complaints may seem small, but they create the record that regulators need to justify enforcement actions
The audit makes one thing clear: trusting companies to respect your privacy preferences voluntarily is not a viable strategy. Until enforcement catches up to noncompliance, the most effective privacy tools are the ones that do not ask for permission.