Google Fails Your “Don’t Track Me” Button 87% of the Time — And an X-Ray Tool Just Proved It
OKAY SO you know that little “opt out of tracking” thing you click and then feel safe? Yeah. Turns out it’s mostly decoration.
A free website-scanner called webXray checked 7,000+ California sites. 55% still dropped ad-tracking cookies AFTER people opted out. Google’s failure rate: 87%. Meta: 69%. Microsoft: 50%. Estimated legal exposure if this holds up in court: $5.8 BILLION.
This one’s wild because it’s not a leak or a hack — it’s the companies quietly ignoring the “leave me alone” flag your own browser is waving at them. An independent audit caught it red-handed and published the receipts. Full write-up is on 404 Media, with more detail over at Cybernews. (I went down a rabbit hole on this for two hours and honestly I’m still a little heated.)

🧩 Dumb Mode Dictionary (read this first, takes 20 seconds)
| Scary Word | What It Actually Means |
|---|---|
| Cookie | A tiny tracking file a website sticks on your device so it remembers (and follows) you |
| Opt out | You clicking “no thanks, don’t track me” |
| GPC (Global Privacy Control) | An automatic “leave me alone” flag your browser waves at every site — it’s a real thing, legally binding in California |
| webXray | A free tool that “x-rays” any website and shows you every tracker hiding in it |
| CCPA | California’s privacy law — the one with actual fines attached |
📖 So what actually happened here?
A privacy researcher ran the free scanner webXray across more than 7,000 popular websites in California — the one state where ignoring your opt-out is straight-up illegal.
The result? On 55% of sites, the ad cookies got set anyway. Even when the browser politely sent the legal “don’t sell my data” signal.
The sneakiest part: when Google’s server “responds” to your opt-out, it literally sends back a command to create a tracking cookie called IDE in the same breath. Like saying “sure, I’ll stop” while pickpocketing you. (I’m not even mad, that’s kinda impressive.)
📊 The receipts (per-company failure rates)
| Company | How often it ignored your opt-out |
|---|---|
| 87% of the time | |
| 69% | |
| 50% | |
| ~$5.8 billion in potential fines |
Source breakdown covered by SearchEngineWorld. Half. HALF of the internet ignored a legal signal. Let that sit.
🗣️ What the companies are saying (spoiler: 'nuh uh')
- Google: says the whole thing is a “fundamental misunderstanding” of how their product works. (Classic.)
- Meta & Microsoft: also disputed it, took issue with the method.
- The auditor’s mic-drop line: “This is the Strait of Hormuz in the data economy. If you want to make a change, this is where you cut it off. Anything short of that is theatrical political posture.”
Translation: the opt-out button is the choke point. And right now it’s leaking like a screen door on a submarine.
🧠 Why this is bigger than 'ads are annoying'
Here’s the thing nobody’s saying out loud: the opt-out button being broken is a business opportunity, not just a scandal.
Every small business running a website in California (and soon other states) is now technically sitting on the same liability. Most of them have NO idea their site is leaking. They just pasted some ad code years ago and forgot about it.
The tool that caught Google — webXray — is free. Anyone can run it. Which means anyone can walk up to a business, x-ray their site, and go “uh, you’ve got a problem… want me to fix it?” (You see where I’m going with this.)
Cool. So Big Tech’s “Stop Tracking Me” Button Is Basically A Prop… Now What The Hell Do We Do? ಠ_ಠ

🍪 The Cookie Snitch
Run the free webXray scan on a local business’s website. It spits out every tracker leaking after opt-out. You turn that into a one-page “you’re exposed to fines” report and offer to clean it up. You’re not selling fear — you’re selling a fix nobody knew they needed.
Example: A 24-year-old marketing freelancer in Lagos, Nigeria cold-emails small Shopify boutiques, attaches a screenshot of their leaking cookies from a free webXray scan, charges $150 per audit + $300 to fix. Landed 6 clients in a month.
Timeline: First paid audit in ~10 days. Works great for 4-6 months until the tool gets popular in your area and everyone’s site is already clean.
🪟 The Patch Window Sprint
Right now there’s a gap. Regulators are circling, lawyers are sharpening, but most website owners haven’t fixed anything yet. Be the person who installs a properly-behaving opt-out setup (that actually honors GPC) before the enforcement wave hits. Early = premium pricing.
Example: A 27-year-old web dev in Manila, Philippines offers agencies a “GPC compliance retrofit” — sets up cookie handling that genuinely respects the signal, hands over a proof report. Charges $500 per site, did 10 in eight weeks.
Timeline: Cash in the first 2 weeks. The window closes once compliance plugins go mainstream (6-9 months), so sprint now.
📡 The Leak Leaderboard
Public webXray scans reveal WHICH industries leak the most — dating apps, health sites, whatever. Turn that into a weekly “who’s secretly tracking you” ranking. Pick one juicy niche. Privacy tools (VPNs, blockers) will pay to sponsor an audience that literally cares about tracking.
Example: A 22-year-old in Berlin, Germany runs a niche newsletter scanning mental-health websites weekly, ranking the worst offenders. Privacy Badger and VPN brands slid into the sponsor slots. Small list, but every subscriber is a buyer.
Timeline: First sponsor around 500 subscribers (~2 months of weekly posts). Plateaus if you don’t rotate niches.
📖 The GPC Cheat-Sheet Anchor
When news creates a new confusing term, the FIRST person to write the plain-English guide owns the Google result forever. Write “The Complete GPC Guide for Shopify Owners” (or WordPress, or whatever). It ranks, it never stops sending you leads, and every reader is a potential audit customer.
Example: A 25-year-old in Pune, India published a dead-simple GPC-for-WordPress walkthrough as a blog post + a GitHub gist of the config. Ranked page-one in six weeks, now funnels free traffic straight into a $99 setup service.
Timeline: SEO is slow — 6-10 weeks to rank, but then it’s a lead faucet for a year+. Most durable play on this list.
🕳️ The Signal Flipper
Wild fact: most normal people don’t even have this “leave me alone” flag turned ON in their browser. Sell a done-for-you privacy starter pack — a simple walkthrough + the right browser and extensions set up so tracking actually gets blocked. Non-techy folks will happily pay to not think about it.
Example: A 23-year-old in São Paulo, Brazil sells a $9 “Privacy Starter Pack” on Gumroad — a 10-minute video showing exactly which toggles to flip and which free tools to install. Sells 40-60 copies a week off TikTok clips.
Timeline: First sales within days if you post clips. Needs constant content to keep selling — it’s a volume game, not a set-and-forget.
🛠️ Follow-Up Actions
| Want to… | Do this |
|---|---|
| See what’s tracking YOU right now | Run webXray on your favorite sites |
| Turn on the “leave me alone” flag | Enable Global Privacy Control in your browser |
| Auto-block trackers free | Install Privacy Badger from the EFF |
| Understand the law you can charge to fix | Read the CCPA basics |
| Read the full audit story | 404 Media’s report |
Quick Hits
| You Want | Do This |
|---|---|
| Run a free webXray scan | |
| Turn on GPC + Privacy Badger | |
| Audit local sites, sell the fix | |
| Write the plain-English GPC guide first | |
| “The opt-out button is theater, fam” |
The button was never broken. It was working exactly how they wanted it to.
!