What Is the Point of California’s Privacy Laws if Big Tech Ignores Them?

An independent review of Microsoft, Meta and Google web traffic in California in March found the tech companies may have violated state regulations around internet privacy.

The audit, by webXray, also said that nearly 200 online advertising services ignored “legally defined, globally standard, opt-out signals” around data sharing, along with more than half of nearly 7,000 websites in California, despite user requests to opt-out of cookie tracking, the most visible opt-out mechanism the laws require.

This is despite the California Consumer Privacy Act, as expanded by the California Privacy Rights Act and other state privacy legislation, enforced by both the state attorney general’s office and the California Privacy Protection Agency.

“Our findings reveal major technology companies simply ignore globally defined opt-out signals, raising the spectre of industrial-scale non-compliance with California requirements,” the report’s website states.

Businesses that sell or share your personal information are legally required to honor the Global Privacy Control, a “stop selling or sharing my data” switch available on web browsers, or as a browser extension.

The company that conducted the audit, webXray, was founded by Timothy Libert, a privacy expert who led cookie policy and compliance at Google offices in Sunnyvale from 2021 to 2023. Libert spent 15 years in academia studying the topic and worked as a consultant for national and state regulators before his time at Google.

webXray, his current venture, functions as a white-hat hacker outfit for hire, advising Silicon Valley companies on legal compliance and scouring the internet for privacy violations for law firms pursuing class action suits.

“Ask the average Californian if they feel they have more privacy now than before the CCPA was passed. I think the answer’s going to be no. And as somebody who has the ability, knowledge and background to measure it, I’m going to say scientifically, the answer is also no,” Libert told KQED.

According to the webXray audit, Google failed to let users opt out 86% of the time, Meta 69% and Microsoft 50%.

“Google’s failure to honor the [Global Privacy Control] opt-out signal is easy to find in network traffic,” the report noted, concluding, “This non-compliance is easy to spot, hiding in plain sight.”

“Consumer privacy is a top priority for us, and we remain committed to transparency and compliance with applicable privacy requirements,” a Microsoft spokesperson said by email. “As outlined in our Privacy Statement, when we receive a GPC signal, we opt the user out of sharing personal data with third parties for personalized advertising, and our advertising systems are designed to reflect that choice.

Certain Microsoft cookies are necessary for operational purposes, and may therefore be placed and read even when a GPC signal is detected.”

“This report is based on a fundamental misunderstanding of how our products work. We honor opt-outs provided by advertisers and publishers as required by law,” a Google spokesperson wrote KQED.

“This is a blatant marketing ploy that misrepresents how the Global Privacy Control setting works and Meta’s role,” a spokesperson for the company said in an emailed statement. “The control setting restricts how data is shared, not collected, and Meta already requires that when using the Meta pixel, advertisers only share with us information they have obtained the right to share. Meta further encourages websites to use our Limited Data Use feature so they can clearly indicate to us when they have permission to share certain information – and when we get information identified that way, we restrict its use.”

Libert disagreed, arguing as he did in his audit that “just adding a couple lines of code” would bring the companies into compliance with California law. “Their claims that I ‘misunderstood’ anything are farcical. I wrote the cookie policy,” he said.

Under the CCPA, each violation carries a $2,500 fine, or $7,500 if intentional. The companies, he said, are wealthy enough to pay fines and shrug them off without changing how they do business. “If you make them change the code, the whole system falls apart, and that’s what they’re terrified of,” he said.

A spokesperson for the California Department of Justice declined to comment on the specific issues raised by the report, but wrote in an email, “We always welcome reporting about potential CCPA violations — anyone interested in reporting a potential violation to our office can go to oag.ca.gov/report.”

The California Privacy Protection Agency declined to comment.

The state attorney general’s office has settled with a wide variety of companies in gaming, health and automotive industries; conducted sweeps of location data, streaming apps and devices and surveillance pricing; and formed information-sharing partnerships with other state regulators.

The largest privacy settlement specifically under the CCPA reached by Attorney General Rob Bonta’s office was a $2.75 million settlement with the Walt Disney Company, announced Feb.11, 2026.

According to 404 Media, Microsoft, Meta, and Google have collectively paid billions in fees for previous privacy violations similar to the ones found during the audit.

“I don’t really see that shifting the needle,” Libert said, adding the agencies’ actions provide only a “veneer of enforcement.”

State legislators, meanwhile, said they are working to address the apparent lack of accountability by big tech companies.

“Companies that refuse to comply with the law should face real consequences,” state Sen. Josh Becker, D-Menlo Park, said.

Becker is the author of multiple bills giving Californians more power over their data, including the still-pending Expanding Privacy Rights Act, SB 923.

One of those laws, the Delete Act, allowed residents to request that all registered companies that buy and sell your data delete your personal information. Data brokers must begin honoring these requests by Aug. 1, 2026.

“I don’t think we’re nibbling around the edges” of the ad-surveillance economy Becker told KQED. “The Delete Act fundamentally gets to the heart of it.”

However, he added, he acknowledged the challenges of fighting for this cause at the state level, versus the federal or even international.

“Ultimately, all this is about reclaiming control over our data. When someone searches for medical care, manages their finances, looks for a job — that information is deeply personal, it should not be tracked, sold or weaponized without their consent,” Becker said.