A new report from an independent audit agency based in California shows that cookie consent pop-ups that have appeared on websites in the past few years and claim to allow users to "choose" whether to be tracked by ads are actually useless in many cases - even if users explicitly click "deny", large advertising technology companies including Google, Microsoft and Meta will still plant tracking cookies as usual, and will pay fines that may reach billions of dollars as a "lower cost" option.

The March 2026 audit report released by the audit agency webXray pointed out that technology giants generally ignored users' cookie rejection signals when California users visited websites and continued to track user behavior through cross-site cookies. Google, Microsoft and Meta all dispute this conclusion. These cookie pop-ups were created in response to European privacy regulations, which require websites to obtain explicit consent from users before serving ads or tracking cookies.

After years of users complaining about “obscure content and inducing clicks” and “people basically don’t read directly,” European regulators have recently pushed to simplify cookie rules, but webXray’s latest audit found that the real situation is still not optimistic. In a sample test of California users, 55% of websites still set cookies after users click "Deny", and 78% of cookie consent pop-ups do not technically implement the user's choice, but are just decoration. webXray estimates that if current rules are strictly followed, these advertising technology companies may need to pay about $5.8 billion in fines, but they seem to prefer to "track first and then let the fines count the costs."

The audit results show that on websites using Google or Microsoft advertising networks, even if the system explicitly receives a user rejection signal, the advertising technology component will still issue instructions to place cookies on the user's device. webXray tracked this behavior through public network traffic records and believed that the relevant companies barely concealed it, but continued to track it openly. In terms of specific data, Microsoft's advertising network ignored about half of the "disavow" signals and continued to track users on 35% of customer websites, with an estimated fine of about $390 million.

Google's situation is even more serious: the audit said it ignored 86% of rejection requests and continued to record user behavior on 77% of its websites, corresponding to potential fines of $2.31 billion. At the same time, Meta's implementation has been criticized for "not looking at rejection signals at all": its tracking code technically does not seem to check the user's unified opt-out instructions at all. Of those sites that detect exit signals, 69% still choose to ignore them, and 21% continue to track them. webXray estimates that Meta may have paid as much as $9.3 billion in fines for this.

Timothy Libert, founder and CEO of webXray, previously worked as a privacy engineer at Google. He said in an interview with 404 Media that during his tenure, company executives often did not clearly distinguish between "taxes" and "penalties." This meant that in some business decisions, fines were regarded as a predictable and acceptable operating cost, rather than a compliance risk that must be avoided.

Faced with the audit conclusions, the three major companies all rebutted, saying that the report "misunderstood" how their technology was implemented. Microsoft stated that some cookies are critical to website functionality and cannot simply be regarded as advertising tracking tools; while Meta emphasized that under certain technical configurations, the website itself can override or modify the unified exit signal, implying that part of the responsibility lies with the website operator rather than its platform code itself. However, in webXray’s view, there is a clear gap between the current actual implementation results and the original intention of supervision, which means that even if users patiently read the pop-up window and choose “reject”, their privacy rights are still difficult to truly protect.