Major technology companies, including Google, Meta, and Microsoft, continued tracking users even after receiving legally recognised opt-out signals, according to a recent forensic audit.
The research focused on Global Privacy Control, a browser-based signal designed to communicate a user’s request not to have their data collected or shared. Under privacy laws such as the California Consumer Privacy Act, companies are required to respect such signals. The audit found that these requests were frequently ignored.
According to the findings, Google failed to honour opt-out requests in approximately 86% of tested cases. The report states that the company’s systems still issued commands to set advertising cookies even when an opt-out signal was present.
Meta and Microsoft were also identified in the analysis. The audit reported that Microsoft failed to respect opt-out signals in about 50% of cases, while Meta’s failure rate was higher, with tracking code executing regardless of user preferences in many instances.
The study examined how websites and embedded tracking systems respond to user instructions. Researchers observed that tracking technologies continued to operate after opt-out signals were sent, including the placement of cookies and the transmission of user data to advertising systems.
Google stated that the report reflects a misunderstanding of how its products function and said it complies with legal requirements. Microsoft and Meta issued similar responses, stating that their systems are designed to respect user privacy choices while maintaining necessary operational functions.
The findings are based on network-level analysis, which allows researchers to observe how systems behave in real time when handling privacy signals. This method identified discrepancies between stated policies and actual technical behaviour.
The report adds to existing scrutiny of tracking practices. Previous regulatory actions have penalised companies for failing to provide clear or effective opt-out mechanisms, including fines issued by European data protection authorities over cookie consent practices.
The audit did not specify the total number of users affected, but analysed hundreds of advertising and tracking services embedded across websites. Researchers indicated that the issue involves how third-party tracking infrastructure is integrated into digital platforms, rather than isolated incidents.
The study concludes that opt-out mechanisms, including Global Privacy Control, may not function as intended across the current online advertising ecosystem, based on the observed behaviour of tracking systems during testing.