Websites break California privacy law at ‘industrial scale,’ survey finds

Tech companies like Google, Facebook and Microsoft are ignoring data controls mandated under California law, researchers say.

The Markup, now a part of CalMatters, uses investigative reporting, data analysis, and software engineering to challenge technology to serve the public good.

A new audit has found that websites across the internet may be failing to abide by California privacy law, ignoring a requirement to not track visitors who set a privacy control. 

The report, from researchers at webXray, a firm headed by a former Google privacy engineer, said the findings suggest major companies may be simply ignoring the law, and could point to “industrial-scale noncompliance with California requirements.”

The stakes are potentially high. WebXray estimates that if the California Privacy Protection Agency fined all of the websites it found failing to comply with the law, it could result in billions of dollars in penalties. 

“While we don’t have comment on the finding of this specific report,” Tom Kemp, executive director of the privacy protection agency, said in a statement, “we do appreciate that the report brings visibility to the importance of opt out rights.” 

Under California law, businesses are required to respect a signal called the Global Privacy Control. If users navigate the web with the control turned on — either through a setting in the browser or a third-party tool — it tells websites not to sell or share their personal information.

The California Consumer Privacy Act requires businesses to acknowledge the control and to not track people who use it. The state privacy agency has fined companies millions for failing to honor the control, among other violations. 

To understand whether the law is truly being respected, the researchers visited more than 7,000 popular websites from a California internet address. According to the report, major tech companies continued to track users, even with the signal turned on.

Google continued to track users in 86% of cases despite receiving the signal, according to the report. When visitors traveled to the websites while using the signal, the sites still frequently set a cookie from Google to follow those visitors.

Similarly, according to the report, Microsoft failed to honor the signal in 50% of instances. 

The report found that trackers from Facebook parent company Meta don’t just ignore the signal — they fail to check for it at all, leading to tracking 69% of the time despite the signal. 

All of those failures could be remedied with slight changes to the tracking code to respect the signal, the engineers said in the report. 

“They don’t make any substantive effort to comply,” said Tim Libert, founder and chief executive of webXray. 

The report also found that third-party tools that purport to help businesses place advertisements that comply with the law still frequently failed to honor the anti-tracking signal. In one case, a product did not honor those requests more than 90% of the time, the report found. 

The tech companies dispute the idea that they are failing to abide by the law. 

“As outlined in our Privacy Statement, when we receive a GPC signal, we opt the user out of sharing personal data with third parties for personalized advertising, and our advertising systems are designed to reflect that choice,” Courtney Ramirez, a Microsoft spokesperson, said in a statement. “Certain Microsoft cookies are necessary for operational purposes, and may therefore be placed and read even when a GPC signal is detected.” 

Jackie Berté, a spokesperson for Google, said the company complies with the law and that the audit was “based on a fundamental misunderstanding of how our products work.”

A spokesperson for Meta didn’t immediately respond to a request for comment. 

“The idea that I misunderstand anything is a demonstrable falsehood,” Libert said, pointing out his work on cookie policy at Google. 

“I would assert that, when I was there, I knew more about it than anybody else,” he added. 
