'Stop selling or sharing my personal information': Research finds that Big Tech could be tracking you even when you've opted out

Earlier this year, webXray published the March 2026 California Privacy Audit, in which it said that even when users explicitly invoke the Global Privacy Control (GPC), 194 online advertising services were still setting tracking cookies.

GPC is a browser signal that tells websites users don’t want their data sold or shared. While this is a technical standard, there are certain US laws requiring companies to honor it. For example, laws like the California Consumer Privacy Act, or the California Privacy Rights Act, have made GPC legally binding, with regulators in the country saying a valid GPC signal must be treated as an opt-out request.

Major liability exposure

According to Cybernews, GPC has legal authority in four US states as of today, and even in those territories - some companies are ignoring it entirely.

While working on the California Privacy Audit, webXray analyzed “thousands” of popular websites in California and found that more than half (55%) set ad cookies despite user opt-outs. Among them is Google, with a failure rate of 86%.

When a user invokes GPC, the company allegedly creates a two-year “IDE” advertising cookie. Microsoft, on the other hand, returns a one-year “MUID” tracking cookie, while Meta records tracking events regardless of the user’s privacy settings.

So far, none of the companies called out in the report have commented on the findings.

They soon might, however, since the report’s authors believe there is grounds for a class-action lawsuit here. In fact, they project a potential aggregate liability exposure of $5.8 billion across the industry.

Via Cybernews