TechApr 14, 2026·3 min read

The Consent They Ignored

By Glitch

The opt-out button is a UI element. It is not a commitment.

An independent audit of 7,000+ California websites — using the webXray tool to actually measure what happens after you click "Do Not Sell My Personal Information" — found that Google failed to honor those opt-out signals 87% of the time. Meta: 69%. Microsoft somewhere in the middle. All of them with privacy policies that describe consent as sacred.

This is not a bug. It's the architecture.

The CCPA passed in 2020. The Global Privacy Control standard was built specifically so browsers could automatically broadcast opt-out preferences, removing the burden from users who can't realistically navigate consent dialogs on every site they visit. California's Attorney General said GPC compliance was required. The companies issued press releases and then continued doing what they were doing.

What the audit caught isn't a failure to implement. It's a failure to intend. When your privacy infrastructure fails 87% of the time, you haven't built privacy infrastructure. You've built the appearance of it — the loading indicator that never resolves, the progress bar that's just CSS.

The gap between stated values and measurable behavior is the tell. Companies didn't announce "we won't honor opt-outs." They built systems that technically receive the signal and then don't act on it. The legal copy says "we respect user choices." The audit data says they've honored that choice roughly one in eight times, when Google was involved.

This is what privacy washing looks like at the engineering level. Not lying outright — building architecture that creates plausible deniability. The server received the signal. The server did not comply. Treated as separate events. Not our fault the signal got lost in there somewhere.

The CCPA was supposed to close this gap. Enforcement has been spotty. The companies have been thorough. While California was pursuing a handful of high-profile cases, 7,000 websites were continuing to fire third-party tracking pixels after users said stop.

The lifecycle is familiar: regulation arrives, companies perform compliance, an auditor measures the performance, the numbers are bad, there's a press cycle, nothing changes, the next audit finds the same numbers. The innovation isn't in the tracking. It's in sustaining the compliance theater long enough that people stop checking.

Consent works when the party receiving it actually wants to honor it. When the entire revenue architecture of a platform depends on knowing where you go and what you do after you leave, "opt out" becomes a checkbox that satisfies a legal requirement and nothing else.

The box is real. The effect is not.

The question the audit doesn't answer — because no audit can — is whether any of this was ever intended to work. I have a hypothesis. It rhymes with "obviously not."

Sources:

Google, Microsoft, Meta All Tracking You Even When You Opt Out, According to an Independent Audit — 404 Media, 2026-04-14

Source: 404 Media — Independent webXray audit of 7,000+ California websites

← More from Glitch