A privacy search engine called webXray ran this audit. The founder, Dr. Timothy Libert, literally used to be the lead on cookie compliance at Google. He left, built his own auditing tool, and then turned it on his old employer.

He scanned 7,634 popular websites from a regular California residential internet connection in March 2026. Each site got hit twice — once normally, once with the “don’t track me” signal turned on. Then he compared what cookies got dropped.

The findings were published by 404 Media and went viral. All three companies said the audit was wrong. Google called it a “fundamental misunderstanding.” Classic.

Total ad cookies planted across all sites despite opt-out: 125,106

And those “Accept Cookies” popups? The audit tested the top Google-certified banner providers. All of them — 100% — failed to block tracking cookies even when you declined. One had a 91% failure rate.

Here’s how Google specifically ignores you:

1. Your browser sends a request with sec-gpc: 1 (this is the standard “don’t track me” signal)
2. Google’s server receives it, reads it, acknowledges it…
3. …and responds with a command to create an advertising cookie called IDE with a 2-year expiration

That’s not a bug. That’s code that was written on purpose.

Meta’s play is even lazier. Their tracking pixel — the code they make websites install — has literally zero lines of code checking for the opt-out signal. It just loads, fires a tracking event, and sets a cookie. Every time. No matter what. The audit says the fix would take exactly two lines of code. They just… didn’t write them.

Microsoft does the same thing with a cookie called MUID — a one-year tracker that gets planted regardless of your preferences.

Here’s where it gets real. California has been fining companies for this already:

• Sephora: $1.2M (2022)
• Walt Disney: $2.75M (2026)
• Ford Motor: $375K (2026)
• Healthline Media: $1.55M (2025)

Average fine per site: roughly $1.4 million. Multiply that by the 4,170 sites caught planting ad cookies despite opt-out → $5.8 billion in potential total liability.

Nobody’s collected that yet. But the legal groundwork is there, and California’s AG has explicitly endorsed GPC as the official opt-out mechanism. Ignoring it isn’t just rude — it’s potentially illegal.

The auditor himself:

“This is the Strait of Hormuz in the data economy. If you want to make a change, this is where you cut it off. Anything short of that is theatrical political posture.”

Google’s response: Called it a “fundamental misunderstanding” of how their products work. (The classic “you just don’t get it” defense.)

Privacy advocates: Pointed out that Google was fined $22.5M back in 2012 for the exact same thing — circumventing browser privacy settings in Safari. Fourteen years later, same play, different browser.

The audit tested 11 “Consent Management Platforms” — those are the companies that build the “Accept Cookies” popups you see everywhere. The ones that are supposed to protect you.

100% of them failed. Not some. All of them.

Three were specifically Google-certified:

• Provider A: 77% failure rate, exposed publishers to $1.3B in liability
• Provider B: 90% failure rate
• Provider C: 91% failure rate

So the company making the tracking cookies is also certifying the tools that are supposed to block the tracking cookies. And those tools don’t work. You can’t make this up.

Here’s what you do: That $1.4M average fine per site isn’t just hitting Google. Every small e-commerce store, blog, and SaaS app running Google Ads or Meta Pixel is technically liable too. And they have no idea. Set up a simple service: scan their site with webXray’s open-source tools or similar, generate a report showing what cookies they’re dropping despite opt-out, and charge $200-500 to fix it. Most fixes are literally a few lines of code.

Example: A freelance dev in Portugal started offering “GDPR cookie audits” on Fiverr after the EU started fining sites. He charges €300 per audit, does 3-4 a week using automated scanning tools, and pulls €4,200/month. CCPA is the same play but for California-based sites — and the fines are bigger.

Timeline: 1-2 weeks to set up scanning workflow → first clients within a month via cold email to Shopify store owners

The data from this audit is public. The cookie names are public. The failure rates are public. Build a browser extension that, when you visit any site, checks if it’s honoring your GPC signal or planting ad cookies anyway. Give each site a letter grade (A through F). Think of it like a Glassdoor but for website privacy. Monetize with a freemium model — free grades, paid detailed reports.

Example: A two-person team in Berlin built a Chrome extension called “Cookie Score” after the EU privacy crackdown. Got featured on Product Hunt, hit 40K installs in 3 months, and now sells a B2B version to compliance teams at $99/month per seat.

Timeline: MVP in a weekend using Chrome Extensions API → Product Hunt launch week 3 → iterate based on feedback

California lets individual consumers file complaints when companies violate their opt-out rights. The tools to prove it are free — install Global Privacy Control in your browser, visit a major website, use browser developer tools to check if tracking cookies were set anyway. Screenshot it. File with the California AG. Some privacy lawyers are now running class actions based on exactly this kind of evidence and paying referral fees for documented violations.

Example: A law student in San Diego started systematically documenting CCPA violations using browser dev tools after class. She partnered with a privacy law firm that pays $50-150 per documented, actionable violation report. She submits 20-30 per week working evenings.

Timeline: Same day — install GPC, visit 10 sites, document violations → reach out to privacy attorneys within a week

Marketing agencies run Google Ads and Meta Pixel for hundreds of clients. Every single one of those clients is now potentially liable. Most agencies don’t even know their clients’ sites are dropping illegal cookies. Position yourself as the person who audits their entire client portfolio, fixes the tracking code, and provides ongoing monitoring. Charge monthly retainers. Agencies will pay because a single $1.4M fine from one client would destroy them.

Example: A former digital marketer in Toronto pivoted to “ad compliance consulting” after Canada’s PIPEDA rules tightened. He charges agencies CAD $1,500/month per portfolio (up to 50 client sites), automated most of the scanning, and manages 8 agency accounts pulling CAD $12K/month with about 15 hours of actual work per week.

Timeline: 2 weeks to build your pitch deck + automated scanning pipeline → cold email 50 agencies → close first 2-3 within a month

People go absolutely feral when you show them exactly how they’re being tracked. Screen record yourself: install GPC, visit Amazon or Facebook, open browser dev tools, show the tracking cookie being planted DESPITE your opt-out. Narrate it like you’re catching someone in a lie. This format gets 500K-2M views consistently on TikTok and YouTube Shorts. Monetize with affiliate links to privacy tools like Brave Browser, VPN services, or DuckDuckGo.

Example: A cybersecurity student in Manila started making 60-second “they’re watching you” TikToks showing tracking in real-time. Hit 200K followers in 4 months. Now makes $2,800/month from Brave Browser referrals and NordVPN affiliate links alone — not counting TikTok creator fund payouts.

Timeline: First video tonight → post daily for 2 weeks → affiliate links live by week 3