A PYMNTS Company

Study Finds Widespread Non-Compliance With California Privacy Law by Websites

April 21, 2026

A new audit of website behavior conducted by privacy research firm webXray is raising fresh questions about the effectiveness of California’s landmark data privacy regime, suggesting that noncompliance with key consumer protections may be widespread across the internet.

According to the study, summarized in a recent CalMatters report, thousands of websites — including those relying on infrastructure from major technology companies — are failing to honor the Global Privacy Control (GPC), a legally recognized signal that allows users to opt out of the sale or sharing of their personal data under the California Consumer Privacy Act (CCPA).

The findings point to what webXray characterizes as “industrial-scale noncompliance,” with potentially significant regulatory and financial implications. If enforced at scale, penalties for violations could reach into the billions of dollars, according to the firm’s estimates.

To conduct the audit, researchers analyzed more than 7,000 popular websites accessed from a California-based IP address, testing whether those sites respected the GPC signal. The results were stark: tracking technologies associated with major platforms continued to operate in a majority of cases, even when users had explicitly opted out.

Google-linked trackers were found to continue collecting data in 86% of tested instances despite receiving the GPC signal. Microsoft-associated trackers failed to comply roughly half the time, while tools tied to Meta tracked users in 69% of cases, in part because, according to the report, they “fail to check for it at all.”

“They don’t make any substantive effort to comply,” said Tim Libert, founder and CEO of webXray, in comments cited by CalMatters. Libert, a former Google privacy engineer, argued that the technical fixes required to respect the signal are relatively minor, implying that the failures reflect prioritization decisions rather than engineering constraints.

The report also highlights shortcomings among third-party compliance tools marketed to businesses as privacy-friendly advertising solutions. In one instance, a product failed to honor GPC requests more than 90% of the time, raising concerns about whether companies relying on such vendors may face liability despite outsourcing compliance functions.

The companies named in the report dispute its conclusions, pointing to what they describe as misunderstandings of their systems and legal obligations.

A Microsoft spokesperson stated that the company does respond to GPC signals by opting users out of third-party data sharing for targeted advertising, but emphasized that “certain Microsoft cookies are necessary for operational purposes” and may still be deployed. Google similarly rejected the findings, with spokesperson Jackie Berté asserting that the audit was “based on a fundamental misunderstanding of how our products work.” Meta did not provide comment for the report.

Libert pushed back forcefully on those claims, telling CalMatters, “The idea that I misunderstand anything is a demonstrable falsehood,” adding that his prior work at Google gave him deep expertise in cookie policy implementation.

The California Privacy Protection Agency (CPPA), which is responsible for enforcing the state’s privacy law, declined to comment directly on the report’s findings but acknowledged its broader significance. “We do appreciate that the report brings visibility to the importance of opt out rights,” executive director Tom Kemp said in a statement.

The study underscores a central tension in privacy regulation. While statutory frameworks like the CCPA establish clear user rights, enforcement at scale remains challenging in a digital ecosystem dominated by third-party tracking technologies and opaque adtech supply chains.

For regulators, the findings may intensify pressure to pursue more aggressive enforcement strategies or to clarify compliance expectations, particularly around technical standards like GPC. For businesses, the report serves as a warning that reliance on industry norms or vendor assurances may not be sufficient to meet legal obligations.