Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124

By Colin Letcher, CalMatters
This story was originally published by CalMatters. Sign up for their newsletters.
A new audit found that websites on the Internet may not be complying with California privacy law by ignoring the requirement not to track visitors who set privacy controls.
The report by researchers from webXray, a firm led by a former Google privacy engineer, said the findings suggest large companies may simply be ignoring the law and may point to “industrial-scale noncompliance with California requirements.”
The stakes are potentially high. WebXray estimates that if the California Privacy Protection Agency fined all the websites it found not complying with the law, it could result in billions of dollars in penalties.
“While we have no comment on the finding of this particular report,” Tom Kemp, the agency’s executive director for privacy protection, said in a statement, “we appreciate that the report gives visibility to the importance of opt-out rights.”
Under California law, businesses are required to comply with a signal called the Global Privacy Control. If users browse the web with the control turned on—either through a browser setting or a third-party tool—it tells websites not to sell or share their personal information.
California’s consumer privacy law requires businesses to acknowledge the control and not track the people who use it. The State Privacy Agency fines companies millions for not complying with controls, among other violations.
To find out if the law was actually being followed, the researchers visited more than 7,000 popular websites from an Internet address in California. According to the report, major tech companies continue to track users even with the signal turned on.
Google continued to track users 86 percent of the time despite receiving the signal, according to the report. When visitors go to the websites while using the signal, the sites still often set a cookie from Google to track those visitors.
Similarly, according to the report, Microsoft failed to honor the signal 50% of the time.
The report found that trackers from Facebook’s parent company Meta didn’t just ignore the signal — they failed to check for it at all, resulting in tracking 69 percent of the time despite the signal.
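An added example, not code from the webXray report or from CalMatters: a check of the kind the audit describes, run over captured HTTP exchanges to find requests that carried the opt-out and still received cookies. It assumes the signal arrives as the `Sec-GPC: 1` request header defined by the Global Privacy Control specification; the domain list and the captured exchanges are constructed, and a flagged cookie is a candidate for review rather than proof of tracking, since some cookies may be operational.

```javascript
// Hypothetical advertising domains to audit; supply your own list.
const AD_DOMAINS = ["ads.example", "tracker.example"];

// Constructed sample capture: request headers sent and Set-Cookie lines received.
const SAMPLE_EXCHANGES = [
  { url: "https://ads.example/pixel", requestHeaders: { "Sec-GPC": "1" },
    setCookie: ["uid=abc123; Max-Age=31536000; SameSite=None; Secure"] },
  { url: "https://cdn.tracker.example/t.js", requestHeaders: { "sec-gpc": "1" }, setCookie: [] },
  { url: "https://ads.example/pixel", requestHeaders: {}, setCookie: ["uid=zzz"] },
  { url: "https://shop.example/", requestHeaders: { "Sec-GPC": "1" },
    setCookie: ["session=s1; HttpOnly"] },
  { url: "https://notads.example/x", requestHeaders: { "Sec-GPC": "1" }, setCookie: ["id=1"] },
];

// True only when the request carried Sec-GPC with the exact value "1".
// Header names are case-insensitive, so compare them lowercased.
function hasGpc(headers) {
  return Object.entries(headers || {}).some(
    ([name, value]) => name.toLowerCase() === "sec-gpc" && String(value).trim() === "1");
}

// Match the host itself or a subdomain, never a mere string suffix.
function inDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Counts opted-out requests to listed domains and records those that set cookies anyway.
function auditExchanges(exchanges, adDomains) {
  let gpcAdRequests = 0;
  const findings = [];
  for (const ex of exchanges) {
    if (!hasGpc(ex.requestHeaders)) continue; // no opt-out expressed
    const host = new URL(ex.url).hostname;
    if (!adDomains.some((d) => inDomain(host, d))) continue; // not on the audit list
    gpcAdRequests += 1;
    const cookies = (ex.setCookie || [])
      .map((line) => line.split("=")[0].trim())
      .filter((name) => name.length > 0);
    if (cookies.length > 0) findings.push({ host, cookies });
  }
  return { gpcAdRequests, findings };
}

const report = auditExchanges(SAMPLE_EXCHANGES, AD_DOMAINS);
console.log(`${report.findings.length} of ${report.gpcAdRequests} opted-out requests set cookies`);
console.log(JSON.stringify(report.findings));
```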
All of these failures can be fixed with slight changes to the tracking code to accommodate the signal, the engineers said in the report.
“They’re not making any significant effort to comply,” said Tim Liebert, founder and CEO of webXray.
The report also found that third-party tools that claim to help businesses place ads that comply with the law still often fail to comply with the anti-tracking signal. In one case, a product failed to honor those requests more than 90 percent of the time, the report found.
Tech companies dispute the idea that they are not following the law.
“As stated in our Privacy Policy, when we receive a GPC signal, we refuse to share user personal data with third parties for personalized advertising, and our advertising systems are designed to reflect that choice,” Microsoft spokesperson Courtney Ramirez said in a statement. “Some Microsoft cookies are necessary for operational purposes and therefore may be set and read even when a GPC signal is detected.”
Jackie Berte, a Google spokeswoman, said the company complied with the law and that the audit was “based on a fundamental misunderstanding of how our products work.”
A spokesperson for Meta did not immediately respond to a request for comment.
“The idea that I don’t get something wrong is a blatant lie,” Liebert said, pointing to his work on Google’s cookie policy.
“I would say that when I was there, I knew more about it than anybody else,” he added.
This article was originally published on CalMatters and is republished under a Creative Commons Attribution-NonCommercial-NoDerivatives license.