Sites Still Tracking You After You Opt Out: What the webXray Audit Means for Privacy Compliance

If you think clicking “opt out” on a Google, Meta, or Microsoft service actually stops them from tracking you, a new independent audit suggests you may want to think again.

A privacy audit conducted by webXray — a privacy-focused research tool — analyzed web traffic in California and found that all three tech giants may be routinely failing to honor user opt-out requests. The findings point to potential violations of California’s privacy regulations, including the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), which give consumers the explicit right to opt out of the sale or sharing of their personal data.

The scale of the alleged non-compliance is significant: according to the audit, Google failed to honor opt-out requests 87% of the time, Meta failed 69% of the time, and Microsoft had a failure rate of 50%. In each case, the companies were still setting advertising cookies in users’ browsers despite those users having opted out of tracking.

Each of the three companies disputed the findings. Google called the research a “fundamental misunderstanding” of how its product works. However, the data raises serious questions for any business relying on these platforms’ consent mechanisms to satisfy their own compliance obligations.

What the Audit Means for California Businesses

Under the CCPA and CPRA, businesses operating in California — or serving California residents — are required to respect consumer opt-out signals, including Global Privacy Control (GPC). If a third-party vendor like Google, Meta, or Microsoft fails to honor those opt-outs after a consumer exercises their right, businesses that embed these tools on their websites could find themselves exposed to regulatory scrutiny as well.

The California Privacy Protection Agency (CPPA) has the authority to fine companies up to $7,500 per intentional violation. As webXray founder Tim Libert noted, “In many ways fines have come to replace taxes” — a pointed observation about how regulators are beginning to treat chronic non-compliance as a revenue stream rather than an anomaly.

A Whistleblower’s Perspective

Tim Libert brings an unusual perspective to this research. Before founding webXray, he was the lead of cookie policy and compliance at Google, a position he left in 2023. He told 404 Media that he believed his job was to protect users, but that his bosses held a different view. Shortly before his departure, his manager told him directly: “My job is to protect the company.”

That tension — between user privacy and corporate interest — lies at the heart of many compliance failures we see across the industry. It’s also a reminder that having a compliance function on paper is not the same as having a compliance culture in practice.

Why This Matters for Your Privacy Program

This audit is a wake-up call for any organization that relies on consent management tools or third-party pixels without regularly auditing their behavior. Here’s what compliance professionals and business owners should take away:

Consent is not a one-time checkbox. Deploying a consent banner does not mean your obligations are fulfilled. You need to verify that your third-party vendors are actually honoring the consent signals you pass to them.

Vendor accountability matters. Under privacy regulations like CCPA, you are responsible for ensuring that your service providers and contractors handle data in accordance with the law. If Google or Meta isn’t honoring opt-outs, and those tools are on your site, you could share in the liability.

Regular audits are essential. The webXray findings were only possible because someone actively monitored the data flowing from these platforms. Businesses should conduct periodic technical audits of their own web properties to confirm that data flows align with stated consent preferences.

Document everything. If you do conduct audits, keep records. Demonstrating that you took reasonable steps to verify compliance can be a critical defense in the event of a regulatory investigation.
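
One way to run the kind of technical audit described under "Regular audits are essential", as an added example that is not from webXray or the original article: it reads a browser HAR capture recorded with Global Privacy Control enabled and lists the ad-host cookies that were set anyway. The host list, the function names and the sample capture are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: illustrative ad-tech host suffixes, not webXray's own list.
AD_HOST_SUFFIXES = ("doubleclick.net", "facebook.com", "bing.com")

def _values(headers, name):
    # HAR stores headers as a list of {"name": ..., "value": ...} objects.
    return [h["value"] for h in headers if h["name"].lower() == name.lower()]

def _under(host, domain):
    return host == domain or host.endswith("." + domain)

def audit_har(har, first_party):
    """Return sorted (host, cookie) pairs set by ad hosts despite Sec-GPC: 1."""
    findings = set()
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        host = urlsplit(req["url"]).hostname or ""
        if _under(host, first_party):
            continue  # first-party cookies are out of scope
        if not any(_under(host, s) for s in AD_HOST_SUFFIXES):
            continue  # third party, but not on the ad-host list
        if "1" not in [v.strip() for v in _values(req["headers"], "Sec-GPC")]:
            continue  # no opt-out signal was sent with this request
        for value in _values(resp["headers"], "Set-Cookie"):
            # Split on newlines in case the exporter merged several headers.
            for raw in value.split("\n"):
                pair, *attrs = raw.split(";")
                if any(a.strip().lower() == "max-age=0" for a in attrs):
                    continue  # deletion, not a new identifier
                findings.add((host, pair.partition("=")[0].strip()))
    return sorted(findings)

def _entry(url, gpc, set_cookie):
    req = [{"name": "Sec-GPC", "value": "1"}] if gpc else []
    resp = [{"name": "Set-Cookie", "value": c} for c in set_cookie]
    return {"request": {"url": url, "headers": req}, "response": {"headers": resp}}

# Constructed sample capture (not real traffic).
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://www.shop.example/", True, ["sid=1; Path=/"]),
    _entry("https://ad.doubleclick.net/pixel", True, ["IDE=x1; Max-Age=3600"]),
    _entry("https://www.facebook.com/tr", True, ["fr=; Max-Age=0"]),
    _entry("https://bat.bing.com/action", False, ["MUID=x2; Path=/"]),
    _entry("https://cdn.thirdparty.example/lib.js", True, ["c=1"]),
]}}

if __name__ == "__main__":
    print(audit_har(SAMPLE_HAR, "shop.example"))
```

A request with no `Sec-GPC` header is skipped rather than flagged, so an empty result on a capture taken without the opt-out signal enabled says nothing about vendor behavior.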

webXray Audits Shining a Light on Privacy Gaps

The webXray audit is part of a growing trend of independent researchers and regulators shining a light on the gap between what Big Tech says about privacy and what actually happens under the hood. For businesses, this is both a warning and an opportunity.

The warning: passive compliance — relying on platform promises and default settings — is not enough. The opportunity: organizations that invest in robust, auditable consent management and vendor oversight will be better positioned as enforcement ramps up.

At Captain Compliance, we help businesses protect themselves from the privacy lawsuits they face when they are not compliant, using our suite of data privacy software tools, which are used by millions a month. Businesses love us, and we offer tools ranging from consent management and cookie scanning to ongoing compliance monitoring. Our tools are designed to give you, and your users, real confidence that privacy promises are being kept.
