'Stop selling or sharing my personal information': Research finds that Big Tech could be tracking you even when you've opted out

News
By published

Explicit requests not to be tracked are being ignored

Hands on a laptop with overlaid logos representing network security
(Image credit: Thapana Onphalai via Getty Images)
  • webXray audit finds Google, Microsoft, and Meta ignoring Global Privacy Control signals
  • Despite legal requirements in California and other states, 55% of sites still set ad cookies after opt‑outs
  • Report highlights Google’s 86% failure rate, Microsoft’s one‑year tracking cookie, and Meta’s continued event logging; potential $5.8B liability projected

Big tech companies such as Google, Microsoft, and Meta, are completely ignoring people’s explicit requests not to be tracked, or to have their browsing data sold to third parties. This is according to a new forensic audit recently conducted by webXray, a search engine for analyzing internet tracking, traffic, and content.

Earlier this year, webXray published the March 2026 California Privacy Audit, in which it said that even when users explicitly invoke the Global Privacy Control (GPC), 194 online advertising services were still setting tracking cookies.

GPC is a browser signal that tells websites users don’t want their data sold or shared. While this is a technical standard, there are certain US laws requiring companies to honor it. For example, laws like the California Consumer Privacy Act, or the California Privacy Rights Act, have made GPC legally binding, with regulators in the country saying a valid GPC signal must be treated as an opt-out request.

Article continues below

Major liability exposure

According to Cybernews, GPC has legal authority in four US states as of today, and even in those territories - some companies are ignoring it entirely.

While working on the California Privacy Audit, webXray analyzed “thousands” of popular websites in California and found that more than half (55%) set ad cookies despite user opt-outs. Among them is Google, with a failure rate of 86%.

When a user invokes GPC, the company allegedly creates a two-year “IDE” advertising cookie. Microsoft, on the other hand, returns a one-year “MUID” tracking cookie, while Meta records tracking events regardless of the user’s privacy settings.

So far, none of the companies called out in the report have commented on the findings.

They soon might, however, since the report’s authors believe there is grounds for a class-action lawsuit here. In fact, they project a potential aggregate liability exposure of $5.8 billion across the industry.

Via Cybernews

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.