Big tech fails to opt-out users requesting not to be tracked much of the time, new research says

Several large tech firms are putting ad cookies in user browsers even if they have declined to be tracked, putting them at odds with California law, according to new research.

The audit from privacy organization webXray studied California web traffic in March and found that 194 online advertising services “ignore legally defined, globally standard, opt-out signals endorsed by regulators,” according to the report.

The California Consumer Privacy Act gives consumers the right to decline to have their personal data sold. A mechanism known as Global Privacy Control (GPC) is supposed to trigger the opt-outs for consumers who request them by using a browser extension as an indicator of their preferences. 

California has penalized companies for ignoring GPC in the past, hitting Sephora with a $1.2 million fine In 2022 and Disney with a $2.75 million fine in February.

News of the webXray research was first reported by 404 Media.

Google allegedly ignored consumers' requests to opt-out 86% of the time, the research report says. 

“Google’s failure to honor the GPC opt-out signal is easy to find in network traffic,” the webXray report said. “This non-compliance is easy to spot, hiding in plain sight.” Timothy Libert, who oversaw cookie privacy policy at Google until 2023, is the CEO of webXray.

Images allegedly revealing how Google’s servers respond to opt-out signals with a command to create an advertising cookie are included in the report.

“When Google’s server responds to the network request with the opt-out it explicitly responds with a command to create an advertising cookie named IDE using the ‘set-cookie’ command,” the report said.

A Google spokesperson said in a statement that the report is based on a “fundamental misunderstanding of how our products work. We honor opt-outs provided by advertisers and publishers as required by law.” 

Microsoft failed to honor opt-out requests 50% of the time, the report said. Its method for responding to opt-out signals with improper commands mirrors Google’s system, according to webXray.

A Microsoft spokesperson said in a statement that consumer privacy is a top priority for the company.

“When we receive a GPC signal, we opt the user out of sharing personal data with third parties for personalized advertising, and our advertising systems are designed to reflect that choice,” the statement said. “Certain Microsoft cookies are necessary for operational purposes, and may therefore be placed and read even when a GPC signal is detected.” 

Meta’s opt-out failure rate was 69%, the report said. 

The company’s code “contains no check for globally standard opt-out signals — it loads unconditionally, fires a tracking event, and sets a cookie regardless of the consumer’s privacy preferences,” the report said.

A spokesperson for Meta said in a statement that the research is a “blatant marketing ploy that misrepresents how the Global Privacy Control setting works and Meta's role.” 

“The control setting restricts how data is shared, not collected, and Meta already requires that when using the Meta pixel, advertisers only share with us information they have obtained the right to share,” the statement said.