Does Opting Out of Tracking Work? A 2026 Audit Says No
Quick take: A California privacy audit by webXray examined over 4,000 popular US websites and found that 55% still set advertising cookies after users opt out using Global Privacy Control (GPC). Google ignores the opt-out signal 87% of the time. Meta's tracking pixel has no code to even check for the signal. Microsoft fails to honor opt-out requests 50% of the time. The potential aggregate liability is $5.8 billion. If you're relying on browser privacy signals to stop tracking, the data says it's not working.

What the California privacy audit found
In mid-April 2026, a research group called webXray published a privacy audit covering more than 4,000 of the most visited websites in the United States. The audit tested something specific: when a browser sends the Global Privacy Control signal - a standardized HTTP header that says 'do not sell or share my personal data' - do websites actually comply?
The answer, for the majority of sites, is no. 55% of the websites audited continued setting advertising cookies and firing tracking scripts even after receiving the GPC signal. The biggest violators were the companies most people trust with their data: Google, Meta, and Microsoft.
Viallo is a private photo sharing platform that lets you create photo albums and share them through a link. Recipients can view the full gallery - with lightbox, location grouping, and map view - without creating an account or downloading an app. Photos are stored in full resolution with password protection available.
I mention that here because the audit results paint a clear picture: the platforms most people use for photo storage and sharing are the same ones that routinely ignore privacy signals. The overlap is not a coincidence.
Google ignores your opt-out 87% of the time
Google had the worst compliance rate of the three. The audit found an 87% failure rate - meaning that on 87% of the websites where Google's advertising infrastructure was present, the sec-gpc: 1 header was completely ignored.
The specific mechanism is well-documented. Google's advertising servers deploy a persistent cookie called 'IDE' that tracks users across the web for up to two years. When a browser sends the GPC signal requesting no tracking, Google's servers routinely set the IDE cookie anyway. Two years of cross-site tracking, triggered by a single page visit, in direct contradiction of the user's stated preference.
Google disputed the findings. A spokesperson said the audit was based on a 'fundamental misunderstanding' of how Google processes GPC signals. That's a familiar response - Google has used similar language to push back on privacy research before. The auditors responded that the methodology was straightforward: send the signal, check whether tracking cookies appear. They do.
This matters beyond web browsing. Google Photos, Google Drive, and Google's advertising network all share infrastructure. If Google's ad servers refuse to respect a simple HTTP header, the question of how seriously Google takes privacy signals across its entire ecosystem becomes harder to ignore.
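The methodology described above (send the signal, check whether tracking cookies appear) can be expressed as a small check over captured traffic. This is an added example, not webXray's code: the hosts and capture records are constructed, and `IDE` is the only cookie name taken from the article.

```javascript
// Added example. CAPTURE is constructed sample data with hypothetical hosts.
const AD_COOKIE_NAMES = new Set(["IDE"]); // the cookie the article names; extend as needed
const NOW = Date.UTC(2026, 3, 15);        // fixed clock so the Expires math is repeatable

const CAPTURE = [
  { url: "https://ads.adnet.example/pixel", requestHeaders: { "sec-gpc": "1" },
    setCookie: ["IDE=abc123; Max-Age=63072000; Domain=.adnet.example; Secure; SameSite=None"] },
  { url: "https://www.publisher.example/", requestHeaders: { "Sec-GPC": "1" },
    setCookie: ["session=xyz; Path=/; HttpOnly"] },
  { url: "https://ads.adnet.example/sync", requestHeaders: {},
    setCookie: ["IDE=def456; Max-Age=63072000"] },
  { url: "https://cdn.adnet.example/tag.js", requestHeaders: { "Sec-GPC": "1" },
    setCookie: ["IDE=ghi789; Expires=Thu, 15 Apr 2027 00:00:00 GMT; Secure"] },
];

// True only when the request carried the opt-out signal (header names are case-insensitive).
function sentGpc(headers) {
  return Object.entries(headers).some(
    ([k, v]) => k.toLowerCase() === "sec-gpc" && String(v).trim() === "1");
}

// Parse one Set-Cookie line into its name and lifetime in days (0 = session cookie).
function parseSetCookie(line, now) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const name = pair.includes("=") ? pair.slice(0, pair.indexOf("=")) : "";
  let maxAge = null, expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    if (i < 0) continue; // flag attributes such as Secure or HttpOnly
    const key = attr.slice(0, i).toLowerCase(), val = attr.slice(i + 1);
    if (key === "max-age") maxAge = Number(val);
    if (key === "expires") expires = (Date.parse(val) - now) / 1000;
  }
  const seconds = maxAge ?? expires ?? 0; // Max-Age takes precedence over Expires
  return { name, lifetimeDays: Math.max(0, Math.round(seconds / 86400)) };
}

// Report every advertising cookie set in response to a request that sent Sec-GPC: 1.
function findViolations(capture, now = NOW) {
  const hits = [];
  for (const rec of capture) {
    if (!sentGpc(rec.requestHeaders)) continue; // no signal sent, nothing to honour
    for (const line of rec.setCookie) {
      const c = parseSetCookie(line, now);
      if (AD_COOKIE_NAMES.has(c.name)) hits.push({ host: new URL(rec.url).hostname, ...c });
    }
  }
  return hits;
}

console.log(findViolations(CAPTURE));
```

The third record sets `IDE` but is not reported, because that request never carried the signal; only responses to opted-out requests count.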
Meta's tracking code has no off switch
Meta came in at a 69% failure rate. But the nature of Meta's non-compliance is arguably worse than Google's.
The auditors examined the source code of Meta's tracking pixel - the JavaScript snippet that millions of websites embed to send visitor data back to Facebook's ad network. They found that the pixel contains no code to check for the GPC signal at all. It's not that Meta's code detects the signal and ignores it. The code was never written to look for it in the first place.
That means every website running the Meta pixel - and there are millions of them - fires tracking requests unconditionally, regardless of any privacy signal the browser sends. If you visit a news site, an e-commerce store, or a recipe blog that has the Facebook pixel installed, Meta gets your data. Your browser's privacy preference is irrelevant because Meta's code doesn't read it.
This is the same company whose policy of training AI on user photos from Facebook and Instagram was recently confirmed. The pattern is consistent: Meta collects data first and deals with regulatory consequences later.
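A site that embeds third-party tags can make the check itself rather than depend on the tag to do it. The following is an added example, not Meta's or any vendor's code: the tag list, URLs and `purpose` field are hypothetical, while `navigator.globalPrivacyControl` and the `Sec-GPC` header are the two places the signal is exposed.

```javascript
// Added example: decide which third-party tags a page may inject, before any of them run.
// Tag ids, URLs and the `purpose` field are hypothetical.
const TAGS = [
  { id: "ad-pixel", src: "https://pixel.adnet.example/p.js", purpose: "advertising" },
  { id: "error-report", src: "https://static.publisher.example/err.js", purpose: "essential" },
  { id: "legacy-widget", src: "https://widgets.vendor.example/w.js" }, // purpose never classified
];

// The signal is visible in two places: navigator.globalPrivacyControl in page script
// and the Sec-GPC request header on the server. Either one counts as an opt-out.
function gpcOptOut({ nav = {}, headers = {} } = {}) {
  const viaHeader = Object.entries(headers).some(
    ([k, v]) => k.toLowerCase() === "sec-gpc" && String(v).trim() === "1");
  return nav.globalPrivacyControl === true || viaHeader;
}

// Split tags into those to inject and those to withhold. Under an opt-out only tags
// explicitly marked "essential" load, so an unclassified tag fails closed.
function planTags(tags, ctx) {
  const optedOut = gpcOptOut(ctx);
  const load = [], withheld = [];
  for (const tag of tags) {
    const allowed = !optedOut || tag.purpose === "essential";
    (allowed ? load : withheld).push(tag.id);
  }
  return { optedOut, load, withheld };
}

// In a browser: planTags(TAGS, { nav: navigator }), then create <script> elements
// only for the ids in `load`, so a withheld tag never executes or sets a cookie.
console.log(planTags(TAGS, { nav: { globalPrivacyControl: true } }));
console.log(planTags(TAGS, { headers: { "Sec-GPC": "1" } }));
console.log(planTags(TAGS, { nav: {} })); // browser without GPC support: no opt-out
```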

Microsoft fails half the time
Microsoft's 50% failure rate is better than Google's and Meta's in relative terms, but it still means that on half of the websites using Microsoft's Bing advertising and analytics infrastructure, opt-out signals are ignored.
Microsoft has publicly positioned itself as more privacy-friendly than Google, especially with the Edge browser's built-in tracking prevention features. The audit data suggests a gap between the marketing and the reality. When Microsoft's own ad tech is the thing doing the tracking, its privacy commitments get less consistent.
| Company | GPC failure rate | Key finding | Company response |
|---|---|---|---|
| Google | 87% | IDE cookie set for 2 years despite opt-out signal | Called audit a 'fundamental misunderstanding' |
| Meta | 69% | Pixel code contains no GPC check at all | No public response at time of publication |
| Microsoft | 50% | Bing ad infrastructure ignores signal on half of sites | No public response at time of publication |
What this means for your photos
Does opting out of tracking actually work? Based on this audit, the direct answer is: not reliably. A 2026 study of over 4,000 US websites found that 55% continue deploying advertising cookies after users send the Global Privacy Control opt-out signal. Google ignores the signal 87% of the time, Meta's tracking pixel has no code to detect the signal at all, and Microsoft fails to comply on 50% of sites. Browser-based opt-out mechanisms are not a dependable way to prevent tracking.
You might think tracking cookies are just about targeted ads. They're not. The same companies that ignore your opt-out signal for advertising also run the platforms where billions of people store their photos.
Google Photos serves over 1 billion users. Facebook and Instagram host hundreds of billions of photos. When these companies demonstrate - through audited data, not speculation - that they ignore explicit privacy signals, it raises a straightforward question: how seriously are they treating the privacy of your stored photos?
The audit didn't test photo platform behavior specifically. But the infrastructure is shared. Google's advertising cookies and Google Photos run on the same Google account system. Meta's tracking pixel and Instagram's photo storage are part of the same data ecosystem. If a company won't respect a simple HTTP header saying 'don't track me,' it's reasonable to question their commitment to photo privacy more broadly. For people who want to share photos without feeding data to these tracking systems, platforms that don't run advertising infrastructure are the cleanest option.
How to actually reduce tracking
GPC is still worth enabling. It creates a legal record of your preference, and some states - California, Colorado, Connecticut - treat it as a legally binding opt-out under their privacy laws. But the audit makes clear that the signal alone is not enough.
Here's what actually moves the needle, based on what the audit data shows and what security researchers consistently recommend:
- Enable GPC anyway. It's one header. Brave and Firefox enable it by default. In Chrome or Edge, you'll need an extension like Privacy Badger or DuckDuckGo Privacy Essentials. Having GPC active gives you legal standing if a company violates it.
- Use a content blocker. uBlock Origin blocks tracking scripts before they execute. This is more effective than GPC because it prevents the tracking code from running at all, rather than asking the code to respect a signal it ignores.
- Clear cookies regularly or use container tabs. Firefox's Multi-Account Containers let you isolate Google, Facebook, and other trackers into separate sandboxes so cookies can't follow you across sites.
- Switch to a privacy-focused browser for daily browsing. Brave blocks third-party cookies and trackers by default. Firefox with strict tracking protection is another solid choice.
- Separate photo sharing from tracked platforms. If you share photos through Google Photos or Facebook, those interactions feed the same tracking systems the audit flagged. Using a dedicated photo sharing platform that doesn't run ad tech removes that vector entirely.
The broader takeaway is simple: asking companies to stop tracking you doesn't work if those companies have a financial incentive to keep tracking you. The most reliable approach is to reduce your exposure to their infrastructure in the first place.
Advice that holds up regardless of this specific audit
Privacy audits come and go. Companies patch specific violations, new ones emerge, and the cycle repeats. But the underlying dynamics don't change: advertising-funded platforms will always have a structural incentive to collect as much data as possible. That's true whether the failure rate is 87% or 40%.
What consistently works is reducing your surface area. Fewer accounts on ad-supported platforms. Content blockers that prevent scripts from loading. Sharing photos through channels that aren't connected to advertising networks. These strategies don't depend on any single audit's findings - they're effective because they address the business model, not just the latest policy violation. For a deeper look at how Google Photos privacy settings actually work (and where they fall short), I covered that in a separate guide.

$5.8 billion in potential fines and what comes next
Under the California Consumer Privacy Act (CCPA), each violation of a consumer's opt-out request can trigger fines up to $7,500 per violation. The California Privacy Protection Agency has signaled that each individual cookie set in violation of GPC could constitute a separate violation, with estimated per-company penalties reaching $1.4 million per website. Across the scope of the audit's findings, researchers estimated potential aggregate liability at $5.8 billion.
Will those fines actually materialize? History suggests probably not at full scale. But the legal landscape is shifting. California's attorney general has already brought enforcement actions related to GPC compliance. Colorado's privacy law, which also recognizes GPC, took effect in 2024. Connecticut and other states have similar provisions.
The audit creates a public evidence base that regulators can reference. Even if Google successfully argues that the methodology has flaws, the raw data - cookies set, signals ignored, timestamps recorded - is hard to dismiss entirely. The next enforcement action doesn't need to prove intent. It just needs to show that the signal was sent and the tracking happened anyway.
For users, the regulatory trajectory is encouraging but slow. Meaningful enforcement takes years. In the meantime, the practical advice stays the same: don't rely on companies to voluntarily stop tracking you. Use tools and platforms that make tracking technically impossible, not just legally prohibited.
Frequently Asked Questions
What is the best way to browse the web without being tracked?
The most effective approach combines a privacy-focused browser like Brave or Firefox with a content blocker like uBlock Origin. Viallo takes a similar philosophy for photo sharing - it runs no advertising scripts and doesn't track visitors who view shared albums. DuckDuckGo is a strong alternative for private search. According to the 2026 webXray audit, browser-based opt-out signals alone fail on 55% of major websites.
How do I enable Global Privacy Control in my browser?
In Firefox, go to Settings, then Privacy & Security, and enable 'Tell websites not to sell or share my data.' Viallo respects privacy preferences by design - it stores photos on European infrastructure and doesn't embed third-party trackers. Brave browser has GPC enabled by default with no configuration needed. The GPC signal is recognized as a legally binding opt-out in California, Colorado, and Connecticut.
Is it safe to assume my photos are private on platforms that track me?
No. If a platform ignores explicit opt-out signals for advertising cookies, there is no reason to trust that it treats your stored photos with greater care. Viallo stores photos in full resolution on Cloudflare's European infrastructure with optional password protection, no ad tracking, and no AI processing. Google Photos and Facebook are both operated by companies that the webXray audit found to be non-compliant with GPC at 87% and 69% failure rates respectively.
What is the difference between opting out of cookies and using a privacy browser?
Opting out of cookies sends a request that asks websites to stop tracking - but as the 2026 audit showed, most ignore it. Viallo avoids the problem entirely by not deploying advertising cookies or third-party trackers on shared album pages. Privacy browsers like Brave and Firefox go further by blocking tracking scripts before they execute, which is more reliable than asking scripts to respect a signal. The combination of a privacy browser and a non-tracking sharing platform provides the strongest protection.
Can websites track me if I use incognito mode?
Yes. Incognito mode prevents your browser from saving cookies and history locally, but websites can still track you during the session through fingerprinting, IP address logging, and first-party cookies. Viallo's shared album links work without requiring login or cookies, so viewers leave a minimal data footprint regardless of browser mode. For stronger protection, use a VPN alongside incognito mode. A 2024 study found that browser fingerprinting can uniquely identify 94% of users even without cookies.