Audit Finds Google, Microsoft, and Meta Still Tracking Users After Opt-Out

Source: Slashdot

Overview

An independent privacy audit of Microsoft, Meta, and Google web traffic in California found that the companies may be violating state regulations and could face billions in fines. The audit, conducted by privacy‑search engine webXray, reported that 55 % of the sites it checked set advertising cookies in a user’s browser even when the user had opted out of tracking. Each company disputed the research, with Google stating that the findings were based on a “fundamental misunderstanding” of how its product works.

Methodology

The webXray California Privacy Audit examined web traffic on more than 7,000 popular California websites during March. The audit focused on compliance with the California Consumer Privacy Act (CCPA), which allows users to opt out of the sale of their personal information. A key mechanism for opting out is the Global Privacy Control (GPC), a browser extension that signals a user’s desire to be excluded from tracking.

Findings

Google

• Google failed to honor the GPC opt‑out signal 87 % of the time.
• When a browser sends the header sec-gpc: 1 (indicating an opt‑out), Google’s servers still responded with a Set‑Cookie command that created the advertising cookie IDE.
• The audit described this behavior as “non‑compliance… hiding in plain sight.”

Microsoft

• Microsoft’s failure rate for honoring GPC opt‑out signals was 50 % in the traffic examined by webXray.

Meta

• Meta’s failure rate was 69 %.
• The audit noted that Meta instructs publishers to install tracking code that does not check for globally standard opt‑out signals. The code loads unconditionally, fires a tracking event, and sets a cookie regardless of the consumer’s privacy preferences.
• A copy of Meta’s tracking data shown in the audit contained no GPC check at all.