Google Ignores Your "Do Not Track" Click 87% of the Time — An Audit Just Proved It

:shield: Google Ignores Your “Do Not Track” Click 87% of the Time — An Audit Just Proved It

You clicked “opt out.” Google said “lol noted” and kept watching anyway. An independent privacy audit just caught them red-handed — along with Meta and Microsoft.

An independent audit of 7,000+ websites found that 55% still plant ad-tracking cookies on your browser even AFTER you tell them to stop. Google’s failure rate? 87%. Meta’s? 69%. Microsoft? 50%.

The audit was run by webXray, a privacy research tool, and the results are published at globalprivacyaudit.org. The test was simple: send the standard “please don’t track me” signal that California law requires companies to respect. Then watch what actually happens. Spoiler: they don’t respect it.

Surveillance Camera


🧩 Dumb Mode Dictionary
Term What It Actually Means
GPC (Global Privacy Control) A tiny signal your browser sends that says “don’t sell my data.” It’s the digital version of a “Do Not Disturb” sign — except hotels actually respect those.
Ad cookie A little tracker file websites drop on your browser so advertisers can follow you around the internet like a creepy ex.
Opt-out signal When you click a button or toggle a setting that says “stop tracking me.” Legally binding in California. Apparently optional everywhere else.
IDE cookie Google’s specific advertising tracker. Named like a boring developer tool so nobody asks questions about it.
webXray A privacy research tool that scans websites and catches them lying about privacy. Think of it as a lie detector for websites.
sec-gpc: 1 The actual technical header (a tiny instruction) your browser sends to say “I opted out.” Companies are supposed to read it and obey. They don’t.
🔍 Right, Here's What's Actually Happening

Right, so here’s what’s actually happening under the hood.

When you enable privacy settings in your browser — or use a browser that supports Global Privacy Control — your browser sends a header with every request: sec-gpc: 1. Under California’s privacy laws (CCPA/CPRA), websites are legally required to honor that signal and stop selling your data.

The audit tested what happens when that signal hits Google, Meta, and Microsoft’s tracking code on real websites:

  • Google: Received the “don’t track me” signal, then explicitly sent back commands to create an advertising cookie called “IDE” anyway. 87% of the time.
  • Meta: Their tracking pixel (the Facebook code on millions of websites) doesn’t even CHECK for the opt-out signal. It loads, fires, and drops a cookie no matter what. Every single time. 69% failure rate across tested sites.
  • Microsoft: At 50%, they’re the “best” of the three — which is like being the tallest kid in kindergarten.

As one researcher put it: “This is the Strait of Hormuz in the data economy. If you want to make a change, this is where you cut it off. Anything short of that is theatrical political posture.”

📊 The Receipts
Company Failure Rate What They Did
Google 87% Explicitly created ad cookie “IDE” after receiving opt-out
Meta 69% Tracking code has zero opt-out check — loads unconditionally
Microsoft 50% Inconsistent — sometimes honors, sometimes doesn’t
  • 7,000+ websites audited in California
  • 55% of ALL tested sites set ad cookies despite opt-out
  • Potential fines: Billions under California privacy law (CCPA/CPRA allows $2,500–$7,500 per violation)
  • Google’s response: Claimed the findings are based on a “fundamental misunderstanding” of how their product works

Translation of Google’s response: “We’re not ignoring your privacy. You just don’t understand privacy the way we do.” Cool, thanks Google.

🗣️ What the Timeline's Saying

The reaction has been… predictable.

  • Privacy advocates: “We’ve been saying this for years. Now there’s an audit with receipts.”
  • Google: Disputes the methodology. Says the cookie isn’t doing what the researchers think it’s doing. (It absolutely is.)
  • California AG’s office: Hasn’t commented yet, but enforcement actions under CPRA have been ramping up since 2025.
  • Regular users: “Wait, that button actually doesn’t do anything?”

The uncomfortable truth is that “opt out” buttons have been decorative for years. This audit just proved it with data instead of vibes.

⚖️ Why This Matters More Than You Think

This isn’t just about ads following you around. Here’s the chain:

  1. Tracking cookies build profiles — your health searches, your location, your interests, your habits
  2. Those profiles get sold — to data brokers, advertisers, and anyone with a checkbook
  3. Data brokers sell to anyone — including stalkers, scammers, and governments
  4. Your “opt-out” was supposed to break that chain — and it doesn’t

California’s CPRA law specifically says companies MUST honor GPC signals. Ignoring them isn’t just sketchy — it’s potentially illegal with fines up to $7,500 per intentional violation. Multiply that by millions of users and you’re looking at extinction-level fines.

But here’s the thing that should keep you up at 3 AM: if these three companies — the biggest names in tech — are ignoring the signal, what do you think smaller companies are doing?

🛡️ How to Actually Block Tracking (Since Asking Nicely Doesn't Work)

Since the polite “please don’t track me” approach is clearly decorative, here’s what actually works:

  • uBlock Origin — blocks tracking scripts before they even load. Not the same as an ad blocker. This kills the tracking code at the source.
  • Firefox with Enhanced Tracking Protection set to Strict — blocks third-party cookies by default
  • Brave Browser — aggressive tracker blocking out of the box
  • DNS-level blocking with NextDNS or Pi-hole — blocks tracking domains before your browser even sees them
  • Container tabs (Firefox) — isolate Facebook/Google into their own sandbox so they can’t follow you across sites

The GPC signal is still worth enabling (it creates legal liability for companies that ignore it), but don’t rely on it as your only defense. That’s like locking your front door in a neighborhood where everyone climbs through windows.


Cool. Every button you clicked was a lie. Now What the Hell Do We Do? ( ͡ಠ ʖ̯ ͡ಠ)

Spy Watching

🕳️ The Compliance Snitch

Most small and mid-size businesses running websites have NO IDEA their Google/Meta tracking code is violating California law on their behalf. They installed the pixel years ago and forgot about it. They’re the ones who’ll get fined — not Google.

Scan websites using webXray or browser dev tools, find the violations, then contact the business owner with a report and an offer to fix it. Charge $200–$500 per site for a “privacy compliance audit and remediation.” You’re not selling fear — you’re selling lawsuit insurance.

:brain: Example: 24-year-old web developer in Portugal scans 500 local e-commerce sites with webXray, finds 340 have non-compliant Google/Meta pixels. Sends cold emails with a free 1-page report. Converts 40 clients at €300 each = €12,000 in the first month.

:chart_increasing: Timeline: First client in 3-5 days (business owners panic fast when you mention fines). Market saturates in your city within 8-10 weeks as others copy the play.

📡 The Tracking Canary Service

Companies need proof they’re compliant — not just a one-time fix, but ongoing monitoring. Build a dead-simple service that visits a client’s website once a day, checks if tracking cookies are being set despite GPC, and sends an alert if something breaks.

The tool already exists — you just need to wrap webXray’s open-source code in a cron job (automatic repeating task) and a simple email alert. Charge $29/month per domain. Tiny for a business, passive income for you.

:brain: Example: 20-year-old in the Philippines sets up a VPS (cheap online server) running automated scans for 15 California-based Shopify stores. Takes 2 hours to set up, runs itself. $435/month recurring, growing by 5-10 clients per month through referrals.

:chart_increasing: Timeline: First paying client in 1 week. Builds to $2K/month within 6 weeks. Gets commoditized (copied by bigger players) in 6 months — but by then you’ve locked in annual contracts.

🪟 The Patch Window Bounty Hunter

California’s CPRA allows private citizens to report violations through the AG’s office, and whistleblower-style reports can lead to enforcement actions. There’s a window right now where this audit just dropped, AG enforcement is ramping up, and most websites haven’t fixed anything yet.

Document violations systematically. Use browser extensions like Privacy Badger alongside network traffic analysis to build evidence packages. Submit reports to the California AG’s privacy complaint portal. Some privacy law firms offer bounties for well-documented violation reports that lead to class actions.

:brain: Example: 28-year-old paralegal in Mexico documents 200 US-facing e-commerce sites violating GPC signals, packages evidence with screenshots and HAR files (browser network logs), submits to 3 privacy law firms running class actions. Gets $50 per documented site used in a lawsuit filing = $10,000 payout.

:chart_increasing: Timeline: First evidence package done in 2 weeks. Payout in 30-60 days after law firm uses it. Window closes in ~4 months as companies start patching.

🎰 The Anti-Tracking Extension Hustle

Here’s the weird gap: uBlock Origin is amazing but intimidating for normal people. Privacy Badger is simpler but misses things. There’s room for a browser extension that does ONE thing: shows a giant red/green badge telling you whether the current site is actually honoring your opt-out or lying to your face.

No settings. No configuration. Just a traffic light icon. Green = they’re respecting your privacy. Red = they’re ignoring it. Build it with the WebExtensions API — you literally just need to check for known tracking cookies after GPC is sent. Monetize through a “report this site” premium feature or a compliance dashboard for businesses.

:brain: Example: 19-year-old CS student in Brazil builds the extension in a weekend using the tracking cookie database from webXray’s research. Posts to Reddit r/privacy, gets 15,000 installs in the first week. Adds a $3/month pro tier for detailed reports. 200 pro users = $600/month from a weekend project.

:chart_increasing: Timeline: MVP (basic working version) in 2-3 days. First 1,000 users in 1 week if you hit the right subreddits and HN. Revenue starts week 3. Google might remove it from Chrome Web Store within 3 months (conflict of interest much?) — so ship on Firefox first.

🎣 The Corporate Shame List

Public pressure works when fines don’t. Create a public, searchable database of the worst privacy offenders — ranked by how aggressively they track you after you opt out. Think “haveibeenpwned but for tracking.”

Scrape the audit data from globalprivacyaudit.org, expand it with your own scans, and build a simple searchable site. Users type in a URL and see exactly which trackers are ignoring their opt-out. Media LOVES these shame lists — one viral tweet and you’re getting backlinks from every tech outlet. Monetize through sponsored “privacy-friendly alternatives” listings.

:brain: Example: 22-year-old in Nigeria builds the site using free Cloudflare hosting, populates it with 5,000 scanned sites. Posts the link in a Twitter thread about the audit. Thread gets 2M views. Within a week, three privacy-focused VPN companies want to sponsor the “recommended alternatives” section at $500/month each.

:chart_increasing: Timeline: Site live in 3 days. First viral moment within 1 week if you time it with the news cycle. Sponsorship revenue in 2-3 weeks. Sustains as long as you keep scanning — but the SEO value alone is worth it long-term.

🛠️ Follow-Up Actions
Step Action Tool/Link
1 Enable GPC in your browser right now Global Privacy Control
2 Install uBlock Origin uBlock Origin
3 Check if your favorite sites are lying globalprivacyaudit.org
4 Switch to Firefox or Brave Firefox / Brave
5 Set up DNS-level blocking NextDNS or Pi-hole
6 File a complaint if you’re in California CA AG Complaint Portal

:high_voltage: Quick Hits

Want to… Do this
:shield: Stop Google tracking you Install uBlock Origin + enable GPC in browser settings
:magnifying_glass_tilted_left: Check if a site is lying about privacy Run it through webXray or check the audit results
:money_bag: Make money from this mess Scan local business sites for violations, sell compliance fixes
:mobile_phone: Protect your phone too Use Firefox Focus or Brave on mobile with tracking protection on max
:balance_scale: Hit them where it hurts File complaints with the California AG — each violation = up to $7,500 in fines

Your “opt out” button is a placebo. The only real opt-out is making their code never load in the first place.

[Source: 404 Media | Audit data: Global Privacy Audit]

2 Likes