A new independent privacy audit claims that opting out of tracking still does not reliably stop ad tech from doing its thing. That is the headline, and it is a rough one.
According to reporting from 404 Media, the audit examined web traffic across more than 7,000 popular websites in California and found that 55% of the sites tested still set advertising cookies even when users had opted out through a recognized privacy signal. The companies named most directly were Google, Microsoft, and Meta, all of which disputed the findings. For site owners, this is not just another privacy story. It is another reminder that the tracking stack sitting on your pages may be doing things you did not intend, did not verify, and may not be able to explain to users with a straight face.
What the audit says
The report, cited by 404 Media, came from webXray and focused on how websites and ad systems respond to the Global Privacy Control, or GPC, signal. GPC is meant to tell websites and vendors that a user wants to opt out of the sale or sharing of personal data.
The findings were blunt:
- 55% of tested sites still set ad cookies after opt-out
- Google allegedly failed to honor the opt-out signal 87% of the time
- Meta’s reported failure rate was 69%
- Microsoft’s reported failure rate was 50%
The audit also argued that some consent systems certified to help users manage cookie choices did not fully stop cookies from being set. That matters because many publishers assume their consent banner is handling the compliance side of things. The audit suggests that assumption deserves a second look.
Why this matters to site owners
Most site owners are not wiring ad cookies by hand. They are adding a tag manager, a conversion pixel, an analytics package, a consent platform, maybe a remarketing script or three, and trusting that the stack behaves the way the dashboard says it behaves.
That trust has always been a little fragile. Stories like this make it weaker.
If the audit is right, then the risk is not limited to the platforms. Publishers, ecommerce stores, lead-gen sites, media brands, and local businesses may all be sending data or allowing cookies to be set after a user has tried to opt out. The legal exposure is one part of the problem. The reputational piece is just as bad. Users are tired of being told they are in control when the machinery keeps rolling behind the curtain.
The platform response
None of the three companies accepted the audit’s framing.
Google told 404 Media the report was based on what it called a “fundamental misunderstanding” of how its products work, and said it honors opt-out signals as required by law. Meta said the audit mischaracterized how GPC works and argued that website operators can override the signal in some cases. Microsoft said privacy remains a priority and stated that certain cookies are operationally necessary even when a GPC signal is present.
That is the familiar privacy script. The audit says cookies were set. The companies say the situation is more nuanced. Regulators get handed a thicket of definitions, edge cases, and implementation details, while normal users get a cookie banner and a shrug.
Where this gets uncomfortable for publishers
Publishers have spent years being told to add more code for more insight, more attribution, more personalization, more revenue, more audience data. The result is that many sites now resemble patch panels held together by marketing promises and third-party scripts.
That creates a real problem. If your privacy controls depend on vendors behaving perfectly, then your compliance posture is only as strong as the weakest script on the page.
That is not a technical footnote. It is the whole problem.
What you should do right now
If you run a website, this story is a good reason to audit your stack.
- Review every analytics, advertising, and remarketing tag on your site
- Check what fires before and after consent choices are made
- Verify how your consent platform handles GPC signals
- Test key templates, not just your home page
- Remove scripts you no longer need
- Stop assuming a vendor badge or certification means the implementation is clean
Site owners do not need to wait for a courtroom to tell them the obvious. If users opt out, they expect tracking to stop. Not mostly stop, not stop after a redirect, not stop unless a vendor has a different interpretation. Stop.
The larger point
The web has spent years building privacy interfaces that feel precise and behave like fog. This audit, if it holds up under scrutiny, cuts straight through that performance.
For marketers, publishers, and SEO professionals, the lesson is simple. You cannot treat privacy controls as decorative front-end furniture. They are part of the product. If the promise on the banner does not match what the network traffic shows, that gap will not stay hidden forever.
Users already distrust the modern web. Stories like this are how that distrust gets earned.
Sources:
As the CEO and founder of Pubcon and WebmasterWorld., Brett Tabke has been instrumental in shaping the landscape of online marketing and search engine optimization. His journey in the computer industry has spanned over three decades and has made him a pioneering force behind digital evolution. Full Bio
Visit Pubcon.com