Seems like opting out of website cookies doesn't actually guarantee you are opted out of website cookies
If you click on almost any major website, you'll surely have notice that you get asked about cookies. These files store your preferences and help companies track your data. However, it turns out that even if you decline to use them, there's a good chance you're still being tracked.
A recent audit from webXray has found that "major technology companies simply ignore globally defined opt-out signals" (via TechSpot). The report states that it observed 194 online advertising services ignore standard opt-out services, plus cookie banners certified by Google that reportedly "fail to prevent Google from setting cookies after users opt out with a globally standard signal."
webXray studied 242 ad tech vendors in total, which means an 80% failure rate to adequately opt-out users, according to the report.
The analysis shows that 55% of sites set ad cookies despite users opting out, and 78% of cookie banners failed to protect their users. It argues that companies' liability exposure racks up to a whopping $5.8 Billion.
webXray has examined Google's own cookie system and reckons that when it sends an encoded cookie, it then reportedly responds by creating a new advertising cookie named IDE. The report says, "This non-compliance is easy to spot, hiding in plain sight," and makes the case that Google should instead respond to encrypted cookies with a 451 code, stating "unavailable for legal reasons." webXray states that Google failed to adequately opt-out users in 86% of cookies, with over 11,000 cookies set, despite user preferences.
Today we release our California Privacy Audit. Top: Google, Meta, and Microsoft set cookies despite presence of Global Privacy Control opt-outs, 100% of Google-Certified Cookie Banners failed to provide full protection, with major vendors failing:https://t.co/zJKHaQ42vgApril 14, 2026
Microsoft and Meta are also highlighted in the report. It's claimed that both companies fail to adequately respect cookie opt-out requests. It states Microsoft creates a new MUID cookie, even when sent an encoded one, and reports it failing to opt-out users in 50% of attempts. This means that over 7,500 cookies were sent, despite opting out.
The report argues Meta's Pixel tracking code fails to check for opt-out signals, with it getting a 59% opt-out failure rate in testing. That works out to over 1,200 cookies set despite opting out.
webXray concludes that cookies are now a "legal minefield that puts users at risk", and one can hope the worry of legal fees and other penalties will eventually correct the problem.