Google Ignores Your Privacy Opt-Out 86% of the Time, Audit Reveals
Your browser has a setting that tells websites: "Do not track me. Do not sell my data." It sends a single HTTP header, Sec-GPC: 1, with every request. Under California law, businesses are legally required to honor it. It is not a suggestion. It is a legally binding opt-out.
A new audit by webXray reveals what happens in practice. After scanning over 7,000 popular California websites, the researchers found that Google ignores the opt-out signal 86% of the time. Microsoft ignores it 50% of the time. Meta ignores it 69% of the time. These companies place tracking cookies on your browser even after you explicitly told them not to.
The fix is trivially simple. The technology exists. The law is clear. They just choose not to comply.
What Is Global Privacy Control?
Global Privacy Control (GPC) is a browser signal that automatically tells every website you visit that you do not want your personal data sold or shared. When you enable GPC, your browser includes the HTTP header Sec-GPC: 1 in every request.
Think of it as an automatic "Do Not Sell My Data" button that fires on every website, without you having to click anything.
GPC vs Do Not Track: What Changed
You might remember Do Not Track (DNT), the browser signal introduced in 2009. It was a polite request to websites: "Please don't track me." The industry responded with a collective shrug. DNT was never legally binding, and virtually every website ignored it. By 2019, most browsers had abandoned it.
GPC is different in one crucial way: it has legal teeth.
| Feature | Do Not Track (DNT) | Global Privacy Control (GPC) |
|---|---|---|
| Launched | 2009 | 2020 |
| HTTP header | DNT: 1 | Sec-GPC: 1 |
| Legally binding | No | Yes (CA, CO, CT) |
| Enforcement | None | $8.5M+ in fines since 2022 |
| Industry compliance | Near zero | Low, but improving under pressure |
| Standard | W3C (abandoned) | W3C (active) |
In January 2021, the California Attorney General issued guidance that GPC is a legally valid consumer opt-out under the CCPA. The California Privacy Rights Act (CPRA) reinforced this. As of January 2026, updated regulations from the California Privacy Protection Agency (CPPA) further confirm: businesses must honor GPC signals.
The Audit: 7,000 Websites, Massive Non-Compliance
In March 2026, webXray audited the most popular websites visited by Californians. They sent requests with the Sec-GPC: 1 header enabled and tracked which advertising services respected the signal and which ones ignored it.
The results are damning:
| Company | GPC Ignored | What They Did |
|---|---|---|
| Google | 86% | Set tracking cookies despite opt-out signal |
| Meta | 69% | Continued tracking via Meta Pixel |
| Microsoft | 50% | Placed advertising cookies after opt-out |
Overall, 194 advertising services were found to ignore legally defined opt-out signals. And 55% of the websites audited set advertising cookies in users' browsers even when the GPC signal was active.
Perhaps most embarrassing for Google: the audit found that cookie consent banners certified by Google fail to prevent Google itself from setting cookies after users opt out.
What this means: If you are browsing from California with GPC enabled, Google is still tracking you on 86 out of every 100 websites you visit. Your legally binding opt-out signal is being ignored by the largest advertising company in the world. And their own certified consent tools don't stop it.
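The audit methodology described above (send requests with Sec-GPC: 1, then record which third-party services still set cookies) can be reproduced in miniature. The following is an added example, not webXray's tooling or code from the article: an offline checker that takes request/response pairs captured from one page load and reports which third-party hosts still placed cookies, plus a per-host "ignored the signal" rate of the kind the audit reports per company. Every hostname, cookie name and exchange below is constructed, and the example assumes every third-party host in the capture is an advertising host; a real audit must separate advertising cookies from genuinely functional ones.

```python
"""
Added example, not the webXray tooling or the article's own code: an offline
checker in the spirit of the audit. It takes request/response pairs captured
from a page load made with Sec-GPC: 1 and reports which third-party hosts
still set cookies. Every hostname, cookie and exchange below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Exchange:
    """One captured request/response pair from a page load."""
    host: str                                 # host the request went to
    request_headers: Dict[str, str]           # e.g. {"Sec-GPC": "1"}
    status: int                               # response status code
    response_headers: List[Tuple[str, str]]   # (name, value); Set-Cookie may repeat


def gpc_sent(request_headers: Dict[str, str]) -> bool:
    """True when the request carried the Sec-GPC: 1 opt-out signal."""
    return any(k.lower() == "sec-gpc" and v.strip() == "1"
               for k, v in request_headers.items())


def cookies_set(response_headers: List[Tuple[str, str]]) -> List[str]:
    """Names of cookies the response tries to place (one per Set-Cookie line)."""
    names = []
    for name, value in response_headers:
        if name.lower() == "set-cookie":
            # "ad_id=abc; Domain=...; Max-Age=..." -> "ad_id"
            names.append(value.split(";", 1)[0].split("=", 1)[0].strip())
    return names


def is_third_party(host: str, first_party: str) -> bool:
    """Treat the page's own domain and its subdomains as first party."""
    return host != first_party and not host.endswith("." + first_party)


def find_violations(exchanges: List[Exchange], first_party: str) -> List[Tuple[str, List[str]]]:
    """Third-party responses that set cookies although Sec-GPC: 1 was sent.

    Assumption: every third-party host in the capture is an advertising host,
    so any cookie it sets counts. A real audit must separate advertising
    cookies from genuinely functional ones.
    """
    found = []
    for ex in exchanges:
        if not is_third_party(ex.host, first_party) or not gpc_sent(ex.request_headers):
            continue
        names = cookies_set(ex.response_headers)
        if names:
            found.append((ex.host, names))
    return found


def ignore_rate_by_host(exchanges: List[Exchange], first_party: str) -> Dict[str, float]:
    """Per third-party host: fraction of GPC-signalled requests answered with
    a cookie, the same kind of figure the audit reports per company."""
    signalled = defaultdict(int)
    ignored = defaultdict(int)
    for ex in exchanges:
        if not is_third_party(ex.host, first_party) or not gpc_sent(ex.request_headers):
            continue
        signalled[ex.host] += 1
        if cookies_set(ex.response_headers):
            ignored[ex.host] += 1
    return {h: ignored[h] / signalled[h] for h in signalled}


GPC = {"Sec-GPC": "1"}
# Constructed capture of one page load on news.example.test with GPC enabled.
SAMPLE_CAPTURE = [
    Exchange("news.example.test", GPC, 200,
             [("Content-Type", "text/html"), ("Set-Cookie", "session=1; HttpOnly")]),
    Exchange("ads.adnet.example.test", GPC, 200,
             [("Content-Type", "image/gif"),
              ("Set-Cookie", "ad_id=c0ffee; Domain=adnet.example.test; Max-Age=31536000")]),
    Exchange("ads.adnet.example.test", GPC, 451, [("Content-Length", "0")]),
    Exchange("px.social.example.test", GPC, 200,
             [("Set-Cookie", "px_uid=1234; Secure"), ("Set-Cookie", "px_seen=1")]),
    Exchange("stats.compliant.example.test", GPC, 451, [("Content-Length", "0")]),
    # Control request without the signal: a cookie here is not a GPC violation.
    Exchange("ads.adnet.example.test", {}, 200, [("Set-Cookie", "ad_id=f00d")]),
]

if __name__ == "__main__":
    for host, names in find_violations(SAMPLE_CAPTURE, "news.example.test"):
        print(f"VIOLATION {host}: set {names} despite Sec-GPC: 1")
    for host, rate in ignore_rate_by_host(SAMPLE_CAPTURE, "news.example.test").items():
        print(f"{host}: ignored GPC on {rate:.0%} of signalled requests")
```

On the constructed capture, the ad network answers one signalled request with a cookie and one with 451 (a 50% ignore rate), the pixel host sets two cookies on its only signalled request (100%), and the compliant host never does (0%). The first-party session cookie and the control request without the header are correctly left out of the violation list.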
The Technical Fix Is Embarrassingly Simple
The webXray researchers point out that honoring GPC requires almost no engineering effort. When an advertising server receives a request with the Sec-GPC: 1 header, it simply needs to:
- Check for the Sec-GPC: 1 header in the incoming request
- Return HTTP status 451 Unavailable For Legal Reasons instead of the tracking pixel or cookie
- Do not set any cookies
That's it. A few lines of code at the edge of the ad server. No architectural changes. No complex logic. Just: if the user says no, respect the no.
What is HTTP 451? Status code 451 (Unavailable For Legal Reasons) was approved by the IETF in 2015. Its name references Ray Bradbury's novel Fahrenheit 451. It indicates that a resource cannot be served due to legal restrictions. In this context, it would signal that the ad content cannot be delivered because the user has legally opted out of tracking.
Here is what a compliant response would look like:
// Incoming request from user's browser:
GET /ads/tracker.js HTTP/1.1
Host: ads.example.com
Sec-GPC: 1
// Compliant response:
HTTP/1.1 451 Unavailable For Legal Reasons
Content-Length: 0
// No cookie set. No tracking. Done.
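The three steps above, and the request/response exchange just shown, as an added example that is not code from the article or from any ad network: a minimal ad-server edge handler that performs the Sec-GPC check and answers opted-out requests with 451 and no Set-Cookie, placed beside the non-compliant behaviour the audit observed. The path, the hostname ads.example.com, the cookie name ad_id and the TRACKER_JS placeholder are invented for illustration.

```python
"""
Added example, not the article's own code or any ad network's: a minimal
ad-server edge handler implementing the three steps above, beside the
non-compliant behaviour the audit observed. Paths, hostnames and the cookie
name are invented; TRACKER_JS stands in for a real tracking script.
"""
from http import HTTPStatus
from typing import Dict, Tuple

# (status, response headers, body)
Response = Tuple[HTTPStatus, Dict[str, str], bytes]

TRACKER_JS = b"/* constructed placeholder for tracker.js */"


def gpc_opted_out(headers: Dict[str, str]) -> bool:
    """True when the request carries Sec-GPC: 1.

    Header names are case-insensitive, so normalize before the lookup.
    The GPC spec defines only the value "1"; any other value is not an opt-out.
    """
    normalized = {k.lower(): v.strip() for k, v in headers.items()}
    return normalized.get("sec-gpc") == "1"


def serve_tracker_noncompliant(headers: Dict[str, str]) -> Response:
    """What the audit found: the signal is never checked, and an advertising
    cookie is placed on every request."""
    return (
        HTTPStatus.OK,
        {
            "Content-Type": "application/javascript",
            "Set-Cookie": "ad_id=c0ffee; Domain=ads.example.com; Max-Age=31536000",
        },
        TRACKER_JS,
    )


def serve_tracker_compliant(headers: Dict[str, str]) -> Response:
    """The fix: one check at the edge. Opted-out requests get 451 with no
    Set-Cookie and no body; everything else takes the normal path."""
    if gpc_opted_out(headers):
        return (HTTPStatus.UNAVAILABLE_FOR_LEGAL_REASONS, {"Content-Length": "0"}, b"")
    return serve_tracker_noncompliant(headers)


def sets_cookie(response: Response) -> bool:
    """Does the response try to place a cookie?"""
    return any(k.lower() == "set-cookie" for k in response[1])


def wsgi_app(environ, start_response):
    """WSGI adapter so the handler runs under any WSGI server: the server
    exposes the Sec-GPC request header as environ["HTTP_SEC_GPC"]."""
    headers = {}
    if "HTTP_SEC_GPC" in environ:
        headers["Sec-GPC"] = environ["HTTP_SEC_GPC"]
    status, resp_headers, body = serve_tracker_compliant(headers)
    start_response(f"{status.value} {status.phrase}", list(resp_headers.items()))
    return [body]


if __name__ == "__main__":
    opted_out = {"Host": "ads.example.com", "Sec-GPC": "1"}
    plain = {"Host": "ads.example.com"}
    for label, handler in (("non-compliant", serve_tracker_noncompliant),
                           ("compliant", serve_tracker_compliant)):
        for req_label, req in (("with Sec-GPC: 1", opted_out), ("without", plain)):
            resp = handler(req)
            print(f"{label:13} {req_label:16} -> {resp[0].value}, cookie set: {sets_cookie(resp)}")
```

To try it against a real client, serve wsgi_app with the standard library (`wsgiref.simple_server.make_server("", 8080, wsgi_app).serve_forever()`) and request it with `curl -i -H 'Sec-GPC: 1' http://localhost:8080/ads/tracker.js`: the compliant handler returns the 451 response shown above with no Set-Cookie line, while the same request without the header receives the script and the cookie. The whole difference between the two handlers is the single branch in serve_tracker_compliant, which is the point the researchers make.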
Google, Microsoft, and Meta have some of the best engineering teams on the planet. They build self-driving cars, train large language models, and operate infrastructure at a scale most companies cannot comprehend. Implementing a GPC check on their ad servers is not a technical challenge. It is a business decision to not comply.
How Big Tech Responds
All three companies deny the findings. Their responses follow a familiar pattern: deflect, redefine, and minimize.
Google
"This report is based on a fundamental misunderstanding of how our products work. We respect opt-outs offered by advertisers and publishers, as the law requires."
Note the wording: Google says it respects opt-outs "offered by advertisers and publishers", not opt-outs signaled by users. The GPC signal comes from the user's browser. Google is reframing the responsibility: it is not Google's job to honor the user's signal, it is the advertiser's job. The law disagrees.
Microsoft
"User privacy is a top priority. We disable sharing personal data with third parties for personalized advertising when users signal their preference via GPC. However, some Microsoft cookies are necessary for operational purposes and may be placed and read even when a GPC signal is detected."
Microsoft's defense is the "operational cookies" exception. Some cookies are genuinely needed for a website to function (session cookies, authentication tokens). But the audit specifically measured advertising cookies, not functional ones. When 50% of advertising cookies are still placed after a GPC opt-out, the "operational" excuse doesn't hold.
Meta
"This is a blatant marketing stunt that misrepresents how GPC works and Meta's role. GPC limits how data is shared, not collected. Advertisers are responsible for only sharing information they have the right to share when using the Meta Pixel."
Meta makes a distinction between collection and sharing. The Meta Pixel collects data on every website that embeds it. Meta argues GPC only restricts sharing that data with third parties, not collecting it in the first place. This is a creative legal interpretation. The CCPA defines "sale" broadly to include making personal information available for monetary or other valuable consideration.
The Law Is Clear (and the Fines Are Real)
Enforcement against GPC non-compliance has been escalating steadily:
| Company | Fine | Year | Violation |
|---|---|---|---|
| Sephora | $1.2M | 2022 | Failed to honor GPC opt-out, sold data without disclosure |
| Healthline | $1.55M | 2025 | GPC non-compliance |
| Tractor Supply | $1.35M | 2025 | Largest CPPA fine, GPC and opt-out violations |
| Honda | $632K | 2025 | Opt-out non-compliance |
| PlayOn Sports | $1.1M | 2026 | GPC non-compliance |
| Ford | $376K | 2026 | Opt-out non-compliance |
| Disney | $2.75M | 2026 | GPC non-compliance |
In September 2025, California, Colorado, and Connecticut launched a joint investigative sweep specifically targeting GPC compliance. Three states, coordinating enforcement, focused on whether businesses actually honor opt-out signals. The message is clear: regulators are paying attention.
But the fines are pocket change for Big Tech. The webXray researchers calculated that Google, Microsoft, and Meta have paid a combined $12.1 billion in privacy-related fines over the years. That sounds like a lot until you realize it is a rounding error on their annual revenue. Google alone made $307 billion in 2023. A few million in CCPA fines is simply the cost of doing business.
How to Enable GPC in Your Browser
Firefox (built-in)
Go to Settings > Privacy & Security and enable "Tell websites not to sell or share my data." Alternatively, navigate to about:config and set privacy.globalprivacycontrol.enabled to true.
Brave (enabled by default)
Brave sends the GPC signal automatically. No configuration needed. You can verify it under Settings > Shields.
DuckDuckGo Browser (enabled by default)
The DuckDuckGo browser and extension send GPC by default on all platforms.
Chrome (via extension)
Chrome does not support GPC natively. Install the DuckDuckGo Privacy Essentials or Privacy Badger extension to add GPC support.
Safari (via extension)
Safari does not support GPC natively. Install a GPC-compatible privacy extension from the App Store.
Verify it works: Visit globalprivacycontrol.org and look for a green indicator that says "GPC signal detected." If you see it, your browser is sending the opt-out signal. Then visit myip.foo to check what else your browser reveals about you, like your DNS queries and WebRTC leaks.
GPC Alone Is Not Enough
Even with GPC enabled, your browser still reveals a lot about you. GPC tells websites not to sell your data, but it does not prevent them from seeing your data in the first place.
What GPC Does Not Protect
- Your IP address. Every website sees your public IP, which reveals your approximate location and ISP. Check yours at myip.foo
- Browser fingerprinting. Your screen resolution, installed fonts, timezone, language, and hardware profile create a unique fingerprint that can track you without cookies
- DNS queries. Your ISP can see every domain you visit unless you use encrypted DNS. Test for DNS leaks
- WebRTC leaks. Your browser's WebRTC functionality can expose your real IP address even when using a VPN. Test for WebRTC leaks
For real privacy, you need to combine GPC with additional layers:
- Enable GPC in your browser (opt-out signal)
- Use a VPN to mask your IP address and encrypt your traffic. A VPN like NordVPN hides your real IP from every website you visit
- Use encrypted DNS (DNS-over-HTTPS or DNS-over-TLS) to prevent your ISP from logging your browsing
- Block WebRTC leaks with a browser extension or the myip.foo WebRTC blocker
- Use a privacy-focused browser like Firefox or Brave that offers built-in tracking protection beyond just GPC
Privacy tip: Check what your connection reveals right now at myip.foo. Your IP address, ISP, and approximate location are visible to every website, even with GPC enabled. A VPN like NordVPN combined with GPC gives you both legal protection (opt-out signal) and technical protection (encrypted tunnel).
The European Perspective
GPC is primarily a US mechanism (California, Colorado, Connecticut), but the concept matters globally. In the EU, the GDPR and ePrivacy Directive already require explicit consent before placing tracking cookies. European users should not see tracking cookies unless they actively click "Accept" on a consent banner.
In practice, the situation is similar. Big Tech routinely pushes the boundaries of European privacy law. Dark patterns in consent banners, pre-checked boxes, and "legitimate interest" claims are the European equivalent of ignoring GPC in the US.
The core problem is the same on both sides of the Atlantic: the advertising business model is fundamentally incompatible with user privacy. Tracking is not a bug. It is the product.
Common Questions
What is Global Privacy Control (GPC)?
GPC is a browser signal (Sec-GPC: 1 HTTP header) that tells websites you do not want your data sold or shared. It is built into Firefox, Brave, and DuckDuckGo, and available via extensions for Chrome and Safari. Under California law (CCPA/CPRA), businesses must honor this signal.
Is GPC legally binding?
Yes, in California, Colorado, and Connecticut. The California AG endorsed GPC in 2021. Updated CPPA regulations (January 2026) confirm businesses must honor it. Companies that ignore GPC face fines: Sephora paid $1.2M, Tractor Supply $1.35M, Disney $2.75M.
How do I enable GPC?
Firefox: Settings > Privacy & Security > "Tell websites not to sell or share my data." Brave and DuckDuckGo: enabled by default. Chrome and Safari: install the DuckDuckGo Privacy Essentials or Privacy Badger extension. Verify at globalprivacycontrol.org.
Why do Google, Microsoft, and Meta ignore GPC?
According to the webXray audit (March 2026), Google ignores GPC 86% of the time, Meta 69%, Microsoft 50%. All three deny the findings. Google says it "respects opt-outs offered by advertisers." Meta calls the audit a "marketing stunt." Microsoft says some cookies are "necessary for operations." The fines for non-compliance are currently too small to change behavior.
What is the difference between GPC and Do Not Track?
Do Not Track (DNT) was a voluntary, non-binding browser signal from 2009 that the industry ignored. GPC is its successor, launched in 2020, with legal backing in California, Colorado, and Connecticut. Companies that ignore GPC face real enforcement actions and fines.
Conclusion
The webXray audit confirms what privacy advocates have long suspected: Big Tech treats privacy laws as a suggestion, not a requirement. Google ignores your legally binding opt-out signal 86% of the time. Meta, 69%. Microsoft, 50%. The technical fix is trivial. The law is clear. They simply choose not to comply because the fines are insignificant compared to the advertising revenue they would lose.
Key takeaways:
- Global Privacy Control (GPC) sends a Sec-GPC: 1 header telling websites not to sell your data
- GPC is legally binding in California, Colorado, and Connecticut
- Google ignores GPC 86% of the time, Meta 69%, Microsoft 50% (webXray audit, March 2026)
- Google's own certified cookie consent banners fail to prevent Google from placing tracking cookies
- The technical fix is simple: return HTTP 451 instead of a tracking cookie when GPC is detected
- Enforcement is escalating: $8.5M+ in GPC-related fines, a three-state joint investigation sweep
- But current fines are pocket change for Big Tech ($12.1B in total privacy fines vs $307B annual revenue for Google alone)
- GPC alone is not enough: your IP address, browser fingerprint, DNS queries, and WebRTC leaks still expose you
- Combine GPC with a VPN, encrypted DNS, and a privacy-focused browser for real protection
Privacy should not require you to outsmart billion-dollar companies. A signal that says "don't track me" should mean "don't track me." Until that is reality, assume you are being tracked, and protect yourself accordingly.
Protect your privacy beyond GPC:
- Enable GPC in your browser (Firefox, Brave, or via extension)
- Check what your IP reveals at myip.foo
- Test for DNS leaks exposing your browsing
- Test for WebRTC leaks bypassing your VPN
- Block WebRTC with the myip.foo extension
- Encrypt your traffic with a VPN like NordVPN
Related Articles
- EU Chat Control Expires, But Big Tech Keeps Scanning Your Messages Anyway
- How Police Used Google Cookies to Unmask an Anonymous Gmail User
- How Your ISP Tracks Everything You Do Online
- Third-Party Tracking: The Invisible Privacy Breach on Every Website
- Privacy Checklist 2026: Protect Your Digital Life