Audit Finds Google, Microsoft, and Meta Still Tracking Users After Opt-Out - Slashdot
alternative_right shares a report from 404 Media:
An independent privacy audit of Microsoft, Meta, and Google web traffic in California found that the companies may be violating state regulations and racking up billions in fines. According to the audit from privacy search engine webXray, 55 percent of the sites it checked set ad cookies in a user's browser even if they opted out of tracking. Each company disputed or took issue with the research, with Google saying it was based on a "fundamental misunderstanding" of how its product works.
The webXray California Privacy Audit viewed web traffic on more than 7,000 popular websites in California in the month of March and found that most tech companies ignore when a user asks to opt-out of cookie tracking. California has stringent and well defined privacy legislation thanks to its California Consumer Privacy Act (CCPA) which allows users to, among other things, opt out of the sale of their personal information. There's a system called Global Privacy Control (GPC), which includes a browser extension that indicates to a website when a user wants to opt out of tracking.
According to the webXray audit, Google failed to let users opt out 87 percent of the time. "Google's failure to honor the GPC opt-out signal is easy to find in network traffic. When a browser using GPC connects to Google's servers it encodes the opt-out signal by sending the code 'sec-gpc: 1.' This means Google should not return cookies," the audit said. "However, when Google's server responds to the network request with the opt-out it explicitly responds with a command to create an advertising cookie named IDE using the 'set-cookie' command. This non-compliance is easy to spot, hiding in plain sight."
The audit said that Microsoft fails to opt out users in the same way and has a failure rate of 50 percent in the web traffic webXray viewed. Meta's failure rate was 69 percent and a bit more comprehensive. "Meta instructs publishers to install the following tracking code on their websites. The code contains no check for globally standard opt-out signals -- it loads unconditionally, fires a tracking event, and sets a cookie regardless of the consumer's privacy preferences," the audit said. It showed a copy of Meta's tracking data which contains no GPC check at all.
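The check the audit describes (a request carrying 'sec-gpc: 1' answered with a 'set-cookie' for an advertising cookie) can be reproduced over a browser HAR export. The Python below is an added example, not webXray's code; the HAR-style entry layout, the example domains and the 'sid' cookie are assumptions, and it counts ad cookies and any cookies separately because which of the two is being measured is the point in dispute.

```python
AD_COOKIES = {"IDE"}  # "IDE" is the cookie named in the audit; extend from your own classification

def header_values(headers, name):
    """Values of one header in a HAR-style header list (header names are case-insensitive)."""
    out = []
    for h in headers:
        if h["name"].lower() == name:
            out.extend(v for v in h["value"].split("\n") if v.strip())  # some exporters join repeats
    return out

def parse_set_cookie(raw):
    """Return (cookie name, attributes keyed by lower-case attribute name)."""
    first, *rest = [p.strip() for p in raw.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0].strip(), attrs

def is_persistent(attrs):
    """True if the cookie outlives the session. Max-Age <= 0 is a deletion; Expires is not date-checked."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            return False
    return "expires" in attrs

def audit(entries, ad_cookies=AD_COOKIES):
    """Count opted-out requests and how many were answered with an ad cookie or with any cookie."""
    counts, findings = {"opted_out": 0, "ad_cookie": 0, "any_cookie": 0}, []
    for e in entries:
        gpc = [v.strip() for v in header_values(e["request"]["headers"], "sec-gpc")]
        if "1" not in gpc:
            continue  # no opt-out signal was sent, so there is nothing to honour
        counts["opted_out"] += 1
        cookies = [parse_set_cookie(r) for r in header_values(e["response"]["headers"], "set-cookie")]
        counts["any_cookie"] += bool(cookies)
        counts["ad_cookie"] += any(name in ad_cookies for name, _ in cookies)
        for name, attrs in cookies:
            findings.append((e["request"]["url"], name, name in ad_cookies, is_persistent(attrs)))
    return counts, findings

def entry(url, request_headers, set_cookies):
    """Build a minimal HAR-style entry for the constructed sample."""
    return {"request": {"url": url, "headers": [{"name": k, "value": v} for k, v in request_headers]},
            "response": {"headers": [{"name": "Set-Cookie", "value": c} for c in set_cookies]}}

SAMPLE = [  # constructed traffic, not taken from the audit
    entry("https://ads.example/pixel", [("Sec-GPC", "1")], ["IDE=abc; Expires=Wed, 14 Apr 2027 00:00:00 GMT"]),
    entry("https://shop.example/cart", [("sec-gpc", "1")], ["sid=xyz; HttpOnly"]),
    entry("https://ads.example/pixel", [], ["IDE=def; Max-Age=31536000"]),  # no opt-out sent
    entry("https://news.example/", [("Sec-GPC", "1")], []),
]
```

On the sample, three requests carry the opt-out; one is answered with an ad cookie and two with some cookie, which is the gap between a name-based count and an any-cookie count.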
New Samsung cell phones have Google connections. (Insightful) by Futurepower(R) (558542) writes on Tuesday April 14, 2026 @05:24PM (#66093882):
New Samsung cell phones have many connections to Google.
There need to be laws limiting Google's invasions to user devices.
Fewer than 1 of a hundred ads are interesting to me. Maybe 1 in a thousand.
Re: by whitroth (9367) writes:
There are zero ads that I will buy from. I will NEVER buy from geckos or llamas, for example.
Re: by sziring (2245650) writes:
The issue is you need to add a cookie stating you opted out, otherwise it has no idea if you actually did. Now if there was a blanked browse option like robots.txt to state you opt-out of x,y,z or all cookies that would be smarter but less money for them.
Well Duh! (Insightful) by oldgraybeard (2939809) writes on Tuesday April 14, 2026 @04:13PM (#66093768):
"Still Tracking Users After Opt-Out" The only deluded individuals here are the ones thinking they were not ignoring this? But never mind, it is just monopolies being monopolies!
Re:Well Duh! (Informative) by gweihir (88907) writes on Tuesday April 14, 2026 @08:43PM (#66094166):
I have verified this a few times when doing IT security audits. Turns out when Google detects Chrome being used, they do all kinds of illegal (in the EU) stuff. Not so much with other browsers, not even chromium ones.
Re: by AmiMoJo (196126) writes:
Have you documented it? I'd like to submit a legal complaint.
Re: by gweihir (88907) writes:
Sorry, the reports are all confidential. But try, for example, playing an embedded YouTube video without being logged in on Chrome, on a Chromium browser and on Firefox and then check what persistent cookies were set. (Permitted under the GDPR: Only ones that do not allow tracking.) This was a few years back though. Since I do not use Chrome, I have not re-tested it.
Re: by AmiMoJo (196126) writes:
I will do some tests. Thanks for the pointer.
Re: by gweihir (88907) writes:
You are welcome. I found the problems to be pretty obvious when I last tried.
Re: by Vlad_the_Inhaler (32958) writes:
What about the Evil Bit? How do they handle that? (nowadays usage of a Google domain should act as a substitute).
Re: by GoJays (1793832) writes:
Don't worry, I'm sure the courts will hand Google the equivalent of a $20 fine and say "Play nice okay? Or next time it will be $25." with no other legal recourse.
Guessing the explanation (Funny) by fahrbot-bot (874524) writes on Tuesday April 14, 2026 @04:17PM (#66093774):
> ... 55 percent of the sites it checked set ad cookies in a user's browser even if they opted out of tracking.
> Each company disputed or took issue with the research, with Google saying it was based on a "fundamental misunderstanding" of how its product works.
There are a few, simple reasons for this. We have to track you (a) so we know if we're not supposed to track you, (b) so we know if our not tracking is working and track how well it's working and (c) in case you change your mind we want all your data retroactively. All the tracking data from when we're not tracking you is stored in a separate database that no one has access to, except when we track statistics on how well the non-tracking is working -- pinky swear.
Re: by im_thatoneguy (819432) writes:
Don't even have to go very far. The company responses say exactly what's going on. (d) the law doesn't say we can't create cookies unrelated to ad tracking.
"Global Privacy Controls only restricts certain uses of third-party data and allows website operators to override GPC signals, and we offer the Limited Data Use feature to help websites indicate what permissions they have. When data is transmitted to us with the LDU flag, we restrict the use of that data"
we opt the user out of sharing personal data with third parties for personalized advertising" a Microsoft spokesperson said. "Certain Microsoft cookies are necessary for operational purposes, and may therefore be placed and read even when a GPC signal is detected."
This could go either way... (Interesting) by swillden (191260) <shawn-ds@willden.org> writes on Tuesday April 14, 2026 @04:39PM (#66093802):
It's possible the companies are flagrantly ignoring the opt out indication.
It's also possible that webXray is confusing ad/tracking cookies with cookies required for normal site operation, viewing any set-cookie command as a violation.
Based on my experience working at Google, I'm betting on the second possibility. But, we'll see. Either we'll hear some stories about the companies being fined, or sued, or prosecuted (depending how the law works), or this will just quietly disappear when someone educates webXray.
Re: by ozzymodus12 (8111534) writes:
If only we had some sort of legal penalty for this.
Re: (Informative) by drinkypoo (153816) writes:
> It's also possible that webXray is confusing ad/tracking cookies with cookies required for normal site operation
There is no such thing. Everything done with cookies can be done some other way EXCEPT for tracking, e.g. with hidden form variables or additional arguments in a request.
Re: by swillden (191260) writes:
> It's also possible that webXray is confusing ad/tracking cookies with cookies required for normal site operation
> There is no such thing. Everything done with cookies can be done some other way EXCEPT for tracking, e.g. with hidden form variables or additional arguments in a request.
It can be, sure, but it's less reliable and more painful to work with.
Re: This could go either way... by drinkypoo (153816) writes:
That's ok. I'm sure Google has some competent programmers who could do it.
aww by drinkypoo (153816) writes:
did I hurt someone's feefees? someone with sockpuppets?
Re: by swillden (191260) writes:
> That's ok. I'm sure Google has some competent programmers who could do it.
No one can make session tracking with form variables or URL arguments as reliable as it is with cookies.
Re: by drinkypoo (153816) writes:
> No one can make session tracking with form variables or URL arguments as reliable as it is with cookies.
That's OK, a user might have to occasionally log in a little more. It's a small price to pay to prevent ubiquitous tracking.
Re: by Talchas (954795) writes:
You can't do login in any remotely realistic way with that. For starters, you couldn't have bookmarks or type in the url and be logged in consistently (whenever your login cookie would change at all, all of your old links would break, and you probably want it to change for security reasons). On top of that, now any referrer leak is a security issue where you give away your account, instead of just a privacy leak.
And no, "replace every single link with a POST form request" is not reasonable, starting with
Re: by drinkypoo (153816) writes:
> And no, "replace every single link with a POST form request" is not reasonable, starting with the issue that now you can't hit back.
Yes, you can. I regularly use a webapp where most links are driven with javascript, and the back button works fine both on links where they are and those where they aren't. This is kind of amazing given the general incompetence of the web app in question, like how actually doing that will at times lead to the creation of duplicate data because they apparently don't track whether forms have been used already. But that's not because they don't use cookies, because they do. It's just made by Accenture and they
Re: by Pinky's Brain (1158667) writes:
Presumably they silo all the data from "sec-gpc: 1" responses for internal use, because the lawyers said that was okay and the mere presence of the tracker on the third party site did not constitute share or sale of their personal information by that third party (with contributory infringement on their part).
As the law says, "cookies concern the collection of personal information and not the sale or sharing of personal information".
Re: by swillden (191260) writes:
If the law is about sale or sharing, not collection, then Google doesn't have to change anything, because Google doesn't sell or share data. That would be wasteful; Google's ad business is all about monetizing the data at Google, not giving someone else a chance to monetize it.
How to check your browser's GPC by Anonymous Coward writes:
You can check if your browser is sending GPC in the top banner here [globalprivacycontrol.org] or seeing GPC header and JavaScript settings here [vercel.app].
The Privacy Badger extension by the EFF [privacybadger.org] adds GPC to your browser if it's missing native support [globalprivacycontrol.org], like Chrome or Edge.
Re: by Bu11etmagnet (1071376) writes:
> this will just quietly disappear when someone educates webXray
"Nice business you have here. It would be a shame if something happened to it." [youtube.com]
Re: by swillden (191260) writes:
> this will just quietly disappear when someone educates webXray
> "Nice business you have here. It would be a shame if something happened to it." [youtube.com]
Incredibly unlikely. If the claimed violations are legitimate, and webXray reported them to the state plus the attempt to lean on them, Google would get slammed, hard, both legally and in the press. No way in hell Google would risk that.
Re: by sabbede (2678435) writes:
Somehow, I suspect the second. If for no other reason than 404 seems not to know about due diligence.
"spectre of ... non-compliance" by Pinky's Brain (1158667) writes:
Before you get outraged, do take care about what you rage.
The moment you read something like "spectre of ... non-compliance", you have to know you're reading rage bait trying to be careful not to get into libel territory.
Re:"spectre of ... non-compliance" (Funny) by fahrbot-bot (874524) writes on Tuesday April 14, 2026 @05:35PM (#66093918):
> The moment you read something like "spectre of ... non-compliance", ...
Really hoping that's not the screenplay for next James Bond film.
How about a fine per cookie? (Insightful) by Required Snark (1702878) writes on Tuesday April 14, 2026 @04:42PM (#66093808):
It only has to be one cent. They would notice real quickly.
Re: by stabiesoft (733417) writes:
Or maybe the 250 grand(per infringement) that the MPAA wants to fine you for violating copyright, splashed right up with an FBI warning on every video disc I've ever watched.
Re: by rsilvergun (571051) writes:
You would have to get voters to put politicians in office that agree to those fines and that don't just allow the courts to quietly renegotiate them down to zero.
About 40% of voters are currently super super concerned about trans girls in sports having suddenly become big fans of women's sports in the last couple of years after spending their whole lives ignoring them.
Eventually they'll forget about that and move on to some other pointless moral panic and continue to ignore their ever worsening econ
Obligatory.. (Funny) by sit1963nz (934837) writes on Tuesday April 14, 2026 @04:54PM (#66093832):
I am shocked...shocked I tell you.
Re: Obligatory.. by LindleyF (9395567) writes:
Your cookies, sir.
Thinly Veiled Advertisement by emmjayell (780191) writes:
Hi,
This research ties back to a product page, which provides no information aside from an option to talk to someone about a demo.
If they give me a free eval copy, I'll take this comment down.
Auto opt out? by Shakes Fist (10502847) writes:
[mozilla.org] seems legit
Self-regulation must be binding by NotEmmanuelGoldstein (6423622) writes:
First, does the cookie actually record what one does, or is it a "config" file?
Second, "too big to care" corporations failed to regulate their "do not track" self-regulation. It's why, promises like this need to be legally binding: Not something corporations secretly cancel their compliance to, then shrug-off when caught.
EFF Privacy Badger adds GPC to your browser (Informative) by Anonymous Coward writes on Tuesday April 14, 2026 @06:25PM (#66093992):
The Privacy Badger extension by the EFF [privacybadger.org] adds GPC to your browser if you're not using one that supports it natively [globalprivacycontrol.org]. Chrome and Edge need the extension.
You can see whether the signal is disabled by checking the banner here [globalprivacycontrol.org] or, for more details, here [vercel.app].
Caught red-handed by gweihir (88907) writes:
Now skewer them. They really deserve it.
google should have never bought doubleclick by FudRucker (866063) writes on Tuesday April 14, 2026 @07:54PM (#66094120):
When google got into the advertising business they became insanely corrupt and considering all the other stuff they do it is a conflict of interest, android phones, search engine & chrome browser all that stuff is tempting for an advertising business to build in spyware to datamine users, fuck Google they need to be split up three ways or more