Google Ignores Your Privacy Opt-Out 86% of the Time — An Audit Has the Receipts
You clicked “Do Not Track.” They said “lol no.” An independent audit just caught all three red-handed.
An independent audit by webXray tested 194 online ad services and found that 55% of websites set advertising cookies EVEN AFTER you explicitly tell them to stop. Google’s failure rate? 86%. Meta? 69%. Microsoft? 50%. The total potential fines under California law: $5.8 billion.
These aren’t small companies cutting corners. These are the three biggest names in tech — ignoring a legally binding privacy signal like it’s a suggestion box at a restaurant nobody reads.

🧩 Dumb Mode Dictionary
| Term | What It Actually Means |
|---|---|
| GPC (Global Privacy Control) | A button in your browser that sends a “stop tracking me” signal to every website you visit. It’s backed by California law — not a polite request. |
| IDE Cookie | A tiny file Google drops on your computer that follows you around the internet for 2 YEARS, tracking what you look at and click |
| MUID Cookie | Microsoft’s version — follows you for 1 year |
| Tracking Pixel | An invisible 1x1 image that Meta hides on websites. When you load the page, it phones home to Facebook with your info |
| Opt-Out | When you tell a company “don’t sell my data.” Legally they have to listen. Spoiler: they didn’t |
| CCPA/CPRA | California’s privacy laws that say companies MUST honor your opt-out. Breaking this = massive fines |
| webXray | A privacy-focused search engine that audited these companies independently |
🔍 How They Got Caught
Here’s what happened: webXray sent the GPC signal (basically a “please stop” flag built into browsers) to hundreds of ad services and then checked what came back.
- When Google’s ad servers received the `sec-gpc: 1` header (the legal “stop tracking me” signal), they just… ignored it. 86% of the time, they responded by dropping a 2-year advertising cookie called “IDE” onto your machine anyway.
- Meta’s tracking pixel — the little invisible image that sends your data to Facebook — has zero code in it to even check for GPC. It fires every single time. 69% failure rate.
- Microsoft’s ad network gets the signal, acknowledges it, then unconditionally returns a 1-year tracking cookie called “MUID” anyway. 50% of the time.
This isn’t a bug. It’s a feature.
📊 The Receipts
| Company | Opt-Out Ignore Rate | Cookie Dropped | Cookie Duration |
|---|---|---|---|
| Google | 86% | IDE cookie | 2 years |
| Meta | 69% | Tracking pixel fires | Session-based (but logs permanently) |
| Microsoft | 50% | MUID cookie | 1 year |
| Industry average | 55% of all sites | Various | Various |
And the kicker: under California’s CPRA, each violation can carry individual fines. The projected total liability across the industry? $5.8 billion.
🗣️ What The Companies Said (Spoiler: Deflection)
- Google told 404 Media the audit was based on a “fundamental misunderstanding” of how its products work. (Classic. Every time someone catches you, it’s THEIR misunderstanding.)
- Meta said website operators can “override” the GPC signal in some cases — basically blaming the website owners for Meta’s own pixel that has no opt-out code.
- Microsoft said “privacy remains a priority” and argued some cookies are “operationally necessary.” (A 1-year ad tracker is operationally necessary? Sure bro.)
Not a single one of them said “we’ll fix it.” Not one.
💡 Why This Is Actually Worse Than It Sounds
Here’s the thing most people miss: GPC isn’t just some browser extension feature. In California, it’s legally binding under the CPRA. When your browser sends that signal, companies are required by law to treat it as a “do not sell my personal information” request.
So what these three companies are doing isn’t just sketchy — it’s potentially illegal. And they’ve been doing it for years. The $5.8 billion liability number is real. But here’s what’s REALLY wild:
- 194 ad services were audited. Not just the big three.
- 55% of ALL sites kept tracking after opt-out.
- This means the entire online advertising industry is basically treating privacy law like a suggestion.
The researcher described this as “the Strait of Hormuz of the data economy” — the one narrow chokepoint where you could actually force change. If regulators actually enforce this, it would break the entire ad-tracking model.
⚡ What GPC Is And How To Turn It On Right Now
GPC is built into several browsers already. Here’s how to enable it:
- Firefox: Settings → Privacy & Security → check “Tell websites not to sell or share my data”
- Brave: Already on by default
- DuckDuckGo browser: On by default
- Chrome: Doesn’t have native GPC. You need the OptMeowt extension or Privacy Badger
- Safari: Not natively supported — use an extension
Will it actually stop tracking? Based on this audit… probably not. But it creates the legal paper trail that regulators need to drop the hammer.
Cool. So the “off switch” doesn’t actually turn anything off… Now What the Hell Do We Do? ( ͡° ͜ʖ ͡°)

🕳️ The Compliance Snitch Service
Most small businesses running websites have NO idea they’re dropping illegal tracking cookies. Their WordPress themes, ad plugins, and analytics snippets are doing it silently. You can use webXray or Blacklight by The Markup to scan any website and generate a full tracking report. Package that scan as a “CPRA Compliance Audit” and sell it to small business owners in California for $200-500 per scan. They’d rather pay you than pay a $7,500-per-violation fine.
Example: A 26-year-old freelancer in Lisbon scanned 300 Shopify stores using Blacklight, emailed each owner a free “risk preview,” and converted 40 of them into paying clients at $350 each — $14K in one month.
Timeline: First paying client in 3-5 days. Plateau around week 8 when you run out of cold leads unless you build a recurring scan subscription model.
📡 The Cookie Forensics Hustle
Every company that gets sued over CPRA violations needs evidence of exactly which cookies were dropped and when. Lawyers HATE doing this technical work themselves. Set up a simple script using browser automation tools like Playwright that visits a target site with GPC enabled, captures every cookie set, screenshots the network traffic, and exports a timestamped PDF. Sell this as “cookie forensics packages” directly to privacy lawyers and consumer rights firms for $500-2,000 per report. You’re not the lawyer — you’re the lab tech.
Example: A 22-year-old comp-sci dropout in Bucharest built a Playwright script that takes 4 minutes to run per site. He partnered with a small privacy law firm in San Francisco and now generates 15-20 reports per week at $750 each — pulling $45K/month.
Timeline: First sale in 1-2 weeks (cold email privacy law firms). Runs clean for 6+ months because lawsuits take forever and lawyers always need fresh evidence.
🪟 The Consent Banner Arbitrage
Here’s the gap: companies like CookieBot and OneTrust charge $30-200/month for cookie consent management. But this audit just proved most of their clients are STILL non-compliant because the underlying ad scripts ignore the consent signals anyway. Build a dead-simple “GPC verification badge” — a monthly automated test that confirms whether a site’s cookies actually honor opt-out. Charge $15/month per site. Undercut the big consent platforms by being the one that actually PROVES compliance instead of just slapping a banner on the page.
Example: A privacy-focused dev in Lagos built a cron job that tests 800 client sites nightly with GPC headers and emails a pass/fail report each morning. He charges $12/site/month. 200 clients = $2,400/month recurring, mostly hands-off.
Timeline: First 10 clients in 2 weeks by posting in r/webdev and privacy-focused Slack groups. Scales smoothly because it’s automated. Risk: big players clone this in 6 months.
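The check described under “How They Got Caught” and the automated pass/fail test proposed above come down to the same logic: for every request that carried `Sec-GPC: 1`, read the `Set-Cookie` response headers and flag advertising cookies that persist. The Python below is an added example, not webXray’s code or anything published with the audit; the capture records, hostnames, fixed clock and one-day threshold are constructed assumptions, and only the cookie names IDE and MUID come from the article.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

AD_COOKIES = {"IDE", "MUID"}  # cookie names taken from the article
MAX_LIFETIME_DAYS = 1         # assumed threshold for "persistent"
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample
# Constructed capture: one record per HTTP response; hosts are placeholders.
CAPTURE = [
    {"url": "https://ads.example/pixel", "request_headers": {"Sec-GPC": "1"},
     "set_cookie": ["IDE=abc; Max-Age=63072000; Secure; SameSite=None"]},
    {"url": "https://sync.example/c", "request_headers": {"sec-gpc": "1"},
     "set_cookie": ["MUID=xyz; Expires=Fri, 01 Jan 2027 00:00:00 GMT"]},
    {"url": "https://shop.example/", "request_headers": {"Sec-GPC": "1"},
     "set_cookie": ["session=1; HttpOnly", "IDE=; Max-Age=0"]},  # clears IDE
    {"url": "https://ads.example/nogpc", "request_headers": {},
     "set_cookie": ["IDE=abc; Max-Age=63072000"]},  # no opt-out was sent
]

def cookie_lifetime_days(set_cookie, now):
    """Return (name, lifetime in days); lifetime None means a session cookie."""
    first, *rest = [p.strip() for p in set_cookie.split(";")]
    name = first.split("=", 1)[0]
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (p.partition("=") for p in rest)}
    try:
        if "max-age" in attrs:  # Max-Age wins over Expires (RFC 6265)
            return name, int(attrs["max-age"]) / 86400
        if "expires" in attrs:
            expires = parsedate_to_datetime(attrs["expires"])
            return name, (expires - now).total_seconds() / 86400
    except (TypeError, ValueError):
        pass  # unparseable lifetime: treated here as a session cookie
    return name, None

def audit(capture, now=NOW):
    """List (url, cookie, days) where an ad cookie outlived a Sec-GPC: 1 request."""
    findings = []
    for rec in capture:
        req = {k.lower(): v.strip() for k, v in rec["request_headers"].items()}
        if req.get("sec-gpc") != "1":
            continue  # the opt-out signal was not sent, nothing to verify
        for header in rec["set_cookie"]:
            name, days = cookie_lifetime_days(header, now)
            if name in AD_COOKIES and days is not None and days > MAX_LIFETIME_DAYS:
                findings.append((rec["url"], name, round(days)))
    return findings

if __name__ == "__main__":
    print(audit(CAPTURE))
```

A response that deletes the cookie (`Max-Age=0`) or sets only a session cookie passes, which is the behavior an opt-out is supposed to produce.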
🎣 The CPRA Bounty Hunter
California’s CPRA lets individual consumers file complaints about companies that violate their privacy. Some privacy lawyers are actively looking for documented cases of GPC violations to build class action suits. You can become a “privacy complainant” — systematically visit top e-commerce sites with GPC enabled, document every cookie violation using browser DevTools, and package them as pre-built complaint files. Privacy attorneys will pay $50-200 per documented violation because each one becomes ammunition for a class action that could settle for millions.
Example: A 30-year-old paralegal student in Manila documented 500 GPC violations across major retail sites in 3 weeks using Privacy Badger + DevTools screenshots. She sold the documentation to a consumer rights firm in California for $15,000 as a bulk package.
Timeline: First batch ready in 1 week. First sale in 2-3 weeks. This window stays open until regulators actually force compliance — could be years given how slow enforcement moves.
🔧 The Anti-Tracking Browser Profile Builder
Most people don’t know how to configure a browser that actually blocks tracking. And based on this audit, even enabling GPC isn’t enough — you need GPC + uBlock Origin + specific filter lists + cookie auto-delete + fingerprint resistance settings. Build pre-configured browser profiles (Firefox Portable with all settings dialed in) and sell them as downloadable packages. Target small business owners who handle sensitive client data, remote workers at privacy-conscious companies, and crypto people who are already paranoid. Sell on Gumroad for $19-49 per profile pack.
Example: A 19-year-old in Warsaw packaged a hardened Firefox profile with uBlock Origin, Privacy Badger, Cookie AutoDelete, and custom filter lists. She posted it on privacy subreddits with a free “lite” version and a paid “paranoid mode” version at $29. Sold 600 copies in the first month — $17,400.
Timeline: Product ready in 2-3 days. First sales same week if posted in the right communities. Burns out in ~3 months as copycats appear — but by then you’ve banked and can iterate.
🛠️ Follow-Up Actions
| Step | Action | Link |
|---|---|---|
| 1 | Enable GPC in your browser right now | Privacy Badger / OptMeowt |
| 2 | Scan your own site for violations | Blacklight by The Markup |
| 3 | Read the full audit methodology | 404 Media report |
| 4 | Learn Playwright for cookie forensics | Playwright docs |
| 5 | Check California’s enforcement actions | CPPA enforcement page |
| 6 | Join privacy community | r/privacy on Reddit |
Quick Hits
| Want… | Do… |
|---|---|
| | Install Privacy Badger + enable GPC + use uBlock Origin |
| | Scan sites for violations with Blacklight, sell compliance reports |
| | Run it through webXray — takes 30 seconds |
| | Switch to Brave or Firefox Focus — both have GPC built in |
| | Read the CyberNews breakdown of the full audit |
You pressed “opt out.” They pressed “who cares.” $5.8 billion says the courts might care.