The cookie consent pop-ups encountered on almost every website aim to give users control over how their data is used. However, a new independent audit report reveals that this system largely fails in practice.
According to webXray's March 2026 analysis, tech giants like Google, Microsoft, and Meta continue to deploy tracking mechanisms even when users reject cookies.
Rejecting is often meaningless
Cookie consent systems, which became widespread with European privacy regulations, theoretically aim to prevent tracking without explicit user permission. However, webXray's findings indicate that this mechanism is severely violated. According to the research, 55% of the audited sites continue to collect data despite users explicitly rejecting cookies. Even more striking is that 78% of cookie banners technically fail to implement user preferences.
The audit found that approximately 200 ad tech services ignored "reject" signals from users in the US. This situation demonstrates that rules, similar to those in Europe, remain ineffective in practice.
Billions of dollars in fines are risked
The report suggests that technology companies knowingly continue these violations and consider potential fines as part of their business model. According to webXray, ad tech companies prefer to risk approximately 5.8 billion dollars in fines rather than comply with the rules.
Analyses conducted via open network traffic reveal that this behavior is not even attempted to be hidden. It is stated that in Google and Microsoft's advertising infrastructures, commands are sent to trigger cookie placement even if the user has explicitly rejected them.
According to the data in the report, Microsoft's systems disregard approximately half of users' cookie rejection signals and continue tracking on 35% of client sites. The estimated cost of this to the company is around 390 million dollars in fines.
On Google's side, the picture is even more striking. According to the audit, the company ignores 86% of cookie rejection requests, and tracking activities remain active on 77% of sites. The potential fine for this situation is calculated to be around 2.31 billion dollars.
Meta's approach differs from the others. According to the report, the company's tracking code, in some cases, doesn't even check the user's cookie rejection preference. The cost of violations detected in this area for Meta could reach up to 9.3 billion dollars.
Timothy Libert, founder and CEO of webXray, who previously worked as a privacy engineer at Google, made a notable assessment. According to Libert, within the company, there is sometimes an approach where a clear distinction is not made between fines and taxes, meaning sanctions are seen as a natural cost of doing business.
Companies' responses were swift
Following the report, the three major technology companies mentioned disputed the findings. Microsoft argued that some cookies are necessary for websites to function properly, while Meta claimed that in some systems, websites could override user preferences. The companies assert that the audit misinterpreted their technologies.
0 Comments: