Main points
- The study found that Google, Meta, and Microsoft ignore tracking opt-outs, installing cookies even after users opt out.
- Despite privacy legislation, tech giants continue to violate the rules, treating fines as part of operating costs.
The modern internet offers users a wealth of tools to protect their privacy, but the reality is much more complicated. A new study of the activities of the world's largest technology corporations calls into question the effectiveness of the features that are supposed to guarantee our anonymity online.
Privacy settings don't protect your data: how was this discovered?
An independent audit of network traffic has revealed a disturbing trend in the practices of giants such as Google, Meta and Microsoft. The study, conducted by webXray, indicates that these corporations may be violating local privacy regulations, potentially exposing them to billions in fines in Europe, the United States and other countries and regions. Experts found that more than 55 percent of the analyzed resources continued to install advertising cookies in users' browsers even after those users refused to be tracked, 404 Media writes.
The audit analyzed traffic from more than 7,000 popular resources during March. Despite the presence of strict legislation, including the California Consumer Privacy Act, most technology companies simply ignore people's desire to protect their information.
Even using the Global Privacy Control system, which signals to sites through a special extension that the user does not want to be tracked, does not guarantee results. Google showed the worst performance, ignoring opt-out requests in 87 percent of cases, according to a webXray study on the Global Privacy Audit website.
Technically, the process looks fairly transparent to experts: when a browser sends a signal to opt out of tracking via code, Google's servers should stop sending cookies. Instead, they respond directly with a command to create an advertising ID cookie named IDE, which is a clear violation that is easy to spot in network traffic.
Similar problems were also recorded at Microsoft, where the rate of ignored opt-outs reached 50 percent. Meta showed an even worse result at 69 percent, and the company's tracking code contains no mechanism to check for privacy signals at all, loading and collecting data under any conditions.
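The check described above can be automated over recorded traffic. The following is an added example, not code from webXray or the original article; it assumes the opt-out arrives as the `Sec-GPC: 1` request header defined by the Global Privacy Control specification, and the exchanges and `example` domains are constructed.

```python
# Added example: flag ad cookies set on requests that carried a GPC opt-out.
# Assumption: "IDE" (named in the article) is the only ad cookie tracked here.
AD_COOKIE_NAMES = {"IDE"}

# Constructed sample exchanges, not captured traffic.
SAMPLE_EXCHANGES = [
    {"url": "https://ads.example/a", "request_headers": {"Sec-GPC": "1"},
     "set_cookie": ["IDE=abc123; Domain=.ads.example; Max-Age=34560000; Secure"]},
    {"url": "https://ads.example/b", "request_headers": {},
     "set_cookie": ["IDE=def456; Domain=.ads.example; Secure"]},
    {"url": "https://shop.example/c", "request_headers": {"sec-gpc": "1"},
     "set_cookie": ["session=xyz; Path=/; HttpOnly"]},
    {"url": "https://ads.example/d", "request_headers": {"Sec-GPC": "1"},
     "set_cookie": ["IDE=; Domain=.ads.example; Max-Age=0"]},
]

def gpc_opt_out(request_headers):
    """True when the request carries the GPC signal (header names are case-insensitive)."""
    headers = {k.lower(): v.strip() for k, v in request_headers.items()}
    return headers.get("sec-gpc") == "1"

def parse_set_cookie(value):
    """Return (cookie name, lower-cased attribute dict) for one Set-Cookie value."""
    first, *rest = value.split(";")
    name = first.split("=", 1)[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val.strip()
    return name, attrs

def is_deletion(attrs):
    """Max-Age <= 0 clears a cookie, so it is not counted as setting one."""
    try:
        return int(attrs.get("max-age", "1")) <= 0
    except ValueError:
        return False

def audit(exchanges):
    """List (url, cookie name) for every ad cookie set despite an opt-out."""
    findings = []
    for ex in exchanges:
        if not gpc_opt_out(ex["request_headers"]):
            continue  # no opt-out signal was sent, nothing to check
        for raw in ex["set_cookie"]:
            name, attrs = parse_set_cookie(raw)
            if name in AD_COOKIE_NAMES and not is_deletion(attrs):
                findings.append((ex["url"], name))
    return findings
```

Only the first exchange is reported: the second sent no opt-out, the third set a non-advertising cookie, and the fourth cleared the cookie instead of setting it.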
No one is afraid of fines
webXray founder Timothy Libert was previously at Google, where he was responsible for cookie policy. He left the company in 2023 due to differences with management over priorities.
Libert said his immediate superiors believed the company's interests were the primary concern, not its users. He also recalled discussions with senior engineers who saw no significant difference between paying taxes and paying fines for breaking the law.
As things stand, large technology players treat multi-billion dollar fines as part of operating expenses, effectively a replacement for the tax burden.
Regulators often take companies at their word, without requiring public reporting on actual privacy compliance. Libert likens the situation to a fox being let into a henhouse, where it promises only to count eggs and not harm the birds.
An important aspect of the audit was examining the cookie consent banners we see on websites every day. Google certifies these consent management platforms, but the audit found that none of them work perfectly. In some cases, the opt-out failure rate was as high as 90-91 percent.
What do corporations themselves think about this?
Despite the evidence presented, all three corporations dispute the audit results:
- Google claims that the report is based on a misunderstanding of their products.
- Meta assures that it adheres to restrictions on data use under certain conditions.
- Microsoft refers to the fact that some cookies are critically necessary for the operation of services.
What can be done about this?
webXray experts propose a simple technical solution to this problem, which amounts to adding just one line of code. Instead of ignoring the rejection signal, company servers could return a status telling users that the content is unavailable for legal reasons, which would automatically block the installation of unwanted cookies. This would allow a move from symbolic political gestures to real protection of private data in the digital economy.
But for users themselves, this solution looks questionable: if they do not want to accept cookies, they simply will not be able to receive the content.