Google Ignores Your 'Do Not Track' 87% of the Time — Here's the Proof

:magnifying_glass_tilted_left: Google Ignores Your ‘Do Not Track’ 87% of the Time — Here’s the Proof

You clicked “opt out.” They clicked “lol no.” An ex-Google privacy engineer just proved it with receipts.

An independent audit of 7,000+ California websites found that Google, Meta, and Microsoft are still tracking you after you explicitly asked them to stop. Google’s failure rate? 87%. And they have the nerve to call it a “misunderstanding.”

The audit was run by webXray, founded by a guy who literally led cookie compliance at Google’s Sunnyvale office for two years. He knows exactly what he’s looking at. And what he found is ugly.

Surveillance Camera


🧩 Dumb Mode Dictionary
Term What It Actually Means
GPC (Global Privacy Control) A browser signal that says “don’t track me.” Big Tech says “cute.”
CCPA California’s privacy law. Has teeth. Mostly unused teeth.
sec-gpc: 1 The actual code your browser sends. Google sees it, then drops a cookie anyway.
IDE cookie Google’s advertising tracking cookie. The one they set AFTER you opt out.
CMP (Consent Management Platform) Those annoying “Accept Cookies” banners. They also don’t work.
webXray The privacy audit tool built by an ex-Google engineer who got tired of the BS.
📖 The Backstory — Who Ran This Audit

A guy named Timothy Libert spent 15 years in academia studying web privacy. Then he worked as a consultant for national and state regulators. Then Google hired him to lead cookie policy at their Sunnyvale office from 2021 to 2023.

He left. Built webXray. And turned the same tools he used for Google… against Google.

Between you and me, this is the most dangerous type of whistleblower — the one who knows where all the bodies are buried because he helped dig the holes.

📊 The Numbers — How Bad Is It
Company Opt-Out Failure Rate What They Do
Google 87% Receives your opt-out signal, then explicitly sets an ad cookie named IDE anyway
Meta 69% Their tracking code has zero GPC checks. It loads unconditionally. Period.
Microsoft 50% Claims some cookies are “necessary for operations” despite your opt-out
Cookie Consent Banners 77-91% Google-certified banners that fail to block Google’s own cookies

55% of ALL sites checked were setting ad cookies after users opted out. That’s not a bug. That’s a business model.

⚙️ How Google Does It — The Technical Play

Here’s what happens when you browse with GPC enabled:

  1. Your browser sends sec-gpc: 1 → “I do not consent to tracking”
  2. Google receives this signal → acknowledges it
  3. Google responds with set-cookie: IDE=... → drops an ad tracking cookie anyway

That’s it. It’s not hidden. It’s not encrypted. It’s right there in the network traffic. Libert calls it “hiding in plain sight.”

And those cookie consent banners that Google certifies? Three CMP companies tested. Failure rates: 77%, 91%, and 90%. The banners are theater.

🗣️ What Each Company Said
  • Google: “This report is based on a fundamental misunderstanding of how our products work.”
  • Meta: “This is a marketing ploy that mischaracterizes how GPC works.”
  • Microsoft: Claims they honor GPC but some cookies are “necessary for operational purposes.”

Translation → “We don’t think the law applies to us.”

Meanwhile, 194 online ad services were caught ignoring opt-out signals across the audit. Google, Meta, and Microsoft are just the biggest fish.

💰 The Fines — Already Stacking Up
Company Fine Year
Sephora $1.2M 2022
Healthline $1.55M 2025
Tractor Supply $1.35M 2025
PlayOn Sports $1.1M 2026
Ford $375.7K 2026
Disney $2.75M 2026

Six enforcement actions so far. All small fry. Libert’s take: “In many ways fines have come to replace taxes.” The big guys pay, shrug, and keep tracking.

But here’s the angle → at $2,500-$7,500 per violation under CCPA, and millions of California users, Google alone could theoretically owe billions. Nobody’s pulled that trigger yet.


Cool. So Your Privacy Settings Are Decorative. Now What the Hell Do We Do? ( ͡ಠ ʖ̯ ͡ಠ)

VPN Privacy

🔧 Hustle 1: Build a Privacy Audit Dashboard for Small Businesses

Most small business owners in the EU, Brazil, and California have no idea their sites are dropping illegal cookies. Here’s what you do: take the webXray methodology, wrap it in a simple SaaS dashboard, and charge $49/month for continuous monitoring. Show them exactly which trackers are violating GDPR/CCPA on their site → they’ll pay to avoid fines.

:brain: Example: A freelance dev in Lisbon built a GDPR cookie scanner for Portuguese e-commerce shops using Puppeteer + a Headless Chrome crawler. He charges €39/month per domain. 47 clients in 8 months → roughly €1,800/month. His pitch? “The regulator fined a bakery chain €50K last year. My tool costs less than your electricity bill.”

:chart_increasing: Timeline: 2-3 weeks to build MVP with Puppeteer. Start selling in week 4. Break even by month 2.

💼 Hustle 2: Become a GPC Compliance Consultant

Between you and me, there are maybe 200 people on earth who actually understand how GPC signals work at the network level. Most law firms doing CCPA work have zero technical staff. Here’s what you do: learn to read browser network traffic (it’s not hard — DevTools → Network tab), document GPC failures on a client’s site, and sell compliance reports to privacy attorneys at $500-$1,500 per audit.

:brain: Example: A cybersecurity student in Toronto started offering “CCPA readiness audits” to California-facing startups via Upwork. She uses browser DevTools and a proxy to capture cookie behavior. Charges $750 per report. Did 6 in her first month while still in school. The law firms she works with now refer clients directly.

:chart_increasing: Timeline: 1 week to learn the methodology. First client in week 2 via cold outreach to privacy law firms.

📱 Hustle 3: Launch a 'Privacy Score' Browser Extension

People want to know which sites respect their opt-out and which don’t. Here’s what you do: build a lightweight browser extension that checks whether a site honored GPC in real-time. Show a red/green score. Monetize with a freemium model — free for basic scores, $3.99/month for detailed reports and alerts. The webXray audit just gave you all the proof you need for marketing.

:brain: Example: A pair of developers in Warsaw built a Chrome extension that grades websites on GDPR compliance. They launched on Product Hunt, got 4,000 installs in the first week, and converted 8% to their paid tier within 60 days → ~$1,280/month recurring. They’re now expanding to Firefox and adding a B2B API.

:chart_increasing: Timeline: 3-4 weeks for a Chrome extension MVP. Launch on Product Hunt month 2. Revenue by month 3.

🎓 Hustle 4: Create a 'Privacy Engineering' Course for Devs

Developers are the ones implementing these tracking scripts. Most have no idea they’re making their employer liable for millions. Here’s what you do: build a course on Udemy or Gumroad that teaches web devs how to implement CCPA/GDPR-compliant tracking. Use the webXray findings as case studies. Price it at $29-$49. Target dev communities in India, Southeast Asia, and Eastern Europe where compliance freelancing is booming.

:brain: Example: A privacy engineer in Bangalore created a 6-hour Udemy course called “Web Privacy Compliance for Developers” after the GDPR wave. He uses real network traffic examples. 2,300 students at $19.99 average → ~$46K total revenue over 18 months. His secret? He posts free 10-minute breakdowns on YouTube that funnel to the paid course.

:chart_increasing: Timeline: 2-3 weeks to record. Upload month 1. First sales within days if you nail the YouTube funnel.

💰 Hustle 5: Sell 'Opt-Out Verification' to Class Action Lawyers

CCPA lawsuits are coming. Lawyers need technical evidence that companies ignored opt-out requests. Here’s what you do: set up a documented, reproducible testing environment that captures network traffic showing GPC violations. Package this as expert witness testimony or technical exhibits. Lawyers pay $2,000-$10,000 per case for this kind of documentation.

:brain: Example: A forensic analyst in São Paulo pivoted from cybercrime investigations to privacy litigation support after Brazil’s LGPD kicked in. He provides technical reports showing tracking violations for consumer rights organizations. Three cases in six months at R$15,000 each (~$3,000 USD). One of his reports was cited in a landmark ruling against a telecom.

:chart_increasing: Timeline: Immediate if you already have networking/forensics skills. First engagement within 2-4 weeks of outreach to privacy-focused law firms.

🛠️ Follow-Up Actions
Want To… Do This
Test your own browser Install Global Privacy Control extension, open DevTools → Network, look for set-cookie responses after GPC
Read the full audit Visit globalprivacyaudit.org/2026/california
Check if YOUR site is compliant Run your domain through webXray’s free scanner
Find privacy law firms hiring Search “CCPA litigation” on LinkedIn → filter by “Posted this week”
Learn GPC implementation Read the GPC spec at globalprivacycontrol.org — it’s short and readable

:high_voltage: Quick Hits

Want… Do…
:magnifying_glass_tilted_left: See who’s tracking you right now Open DevTools → Network → filter by set-cookie → count the trackers
:shield: Actually block tracking Use Firefox + uBlock Origin + GPC extension. Chrome is the fox guarding the henhouse
:briefcase: Sell compliance audits Learn to read HTTP headers. That’s literally the whole skill
:mobile_phone: Build a privacy product The browser extension market is wide open — 4 billion Chrome users, barely any privacy scoring tools
:money_bag: Make money from this mess Privacy litigation is a $4B industry. Technical experts are the bottleneck

Google saw your opt-out signal 87 times out of 100 and dropped a cookie anyway. That’s not a bug — that’s an ad budget.

5 Likes