A new audit from webXray has found that Google, Microsoft, and thousands of other websites are systematically ignoring California's privacy opt-out law, exposing the industry to billions in potential fines as regulators accelerate enforcement.
The findings are stark. Researchers from webXray, led by a former Google privacy engineer, visited more than 7,000 popular websites from a California internet address while broadcasting a privacy control signal under the California Consumer Privacy Act. The law is clear: businesses must honor that signal and stop tracking. Most didn't. Google continued tracking users in 86% of cases. Microsoft failed to honor the signal in 50% of instances. Third-party ad tools sold as CCPA-compliant ignored opt-out requests more than 90% of the time. As The Markup reported on April 21, the audit suggests major companies are simply not trying to comply.
The timing matters. California entered 2026 with updated CCPA regulations that took effect January 1, including mandatory privacy risk assessments for companies using automated decision-making technology, expanded consumer access rights, and a more aggressive enforcement posture from the California Privacy Protection Agency. That posture is not theoretical. February's $2.75 million settlement with Disney and ABC, the largest CCPA penalty to date, established that opt-out failures cascading across devices and services will be treated as distinct violations. PlayOn Sports paid $1.1 million in March for forcing users to accept tracking before accessing purchased tickets. Honda paid $632,500 in January. Combined 2026 enforcement penalties already exceed $4.2 million in the first quarter alone.
WebXray estimates that fining every non-compliant website it identified would produce penalties in the billions. That number is academic for now, but it signals the exposure sitting quietly on the books of thousands of companies that have treated CCPA compliance as a checkbox exercise.
What This Means for Startups
For tech founders, the audit lands at a critical moment. California's 2026 CCPA updates specifically expanded oversight of automated decision-making, which captures AI products, recommendation engines, personalisation systems, and anything that profiles users in ways that carry significant consequences. If your product collects data, trains on it, or shares it with third parties via analytics SDKs or advertising integrations, the audit's findings almost certainly describe your stack. The Disney settlement made one architectural point unavoidable: opt-out signals must propagate across every device, service, and third-party integration connected to a user's account. A toggle that only applies to one session or one service is not compliance.
Investors are paying attention. Privacy compliance has moved from a due diligence footnote to a first-order question in fundraising, particularly for AI companies whose core product involves processing personal data at scale. A startup with undisclosed data-sharing arrangements or non-functional opt-out flows carries regulatory liability that sophisticated investors now quantify explicitly. The Disney settlement and webXray audit give them the precedents and the methodology to do so.
Build Consent Into the Architecture
The practical lesson from the audit isn't just legal. It's a product design argument. Companies that embed consent propagation into their data infrastructure now, rather than retrofitting it after a regulatory demand letter, build faster and cheaper than those that don't. A federal privacy standard remains absent, leaving a patchwork of state obligations that is only growing. Virginia, Colorado, Texas, and Oregon have their own frameworks. The EU AI Act adds another layer for any company with European users. Building for California's requirements today means building for the direction the entire regulatory environment is heading. The companies that treat CCPA compliance as an engineering problem rather than a legal one will be the ones still standing when enforcement reaches scale. The window to get ahead of it is narrowing fast.
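The architectural point from the Disney settlement, sketched as an added example that is not webXray's or any audited company's code: an opt-out seen on one device is recorded against the account and gates every integration on later requests from any device. It assumes the signal arrives as the Global Privacy Control header `Sec-GPC: 1`; the integration names and their sell/share classification are hypothetical.

```python
"""Account-scoped opt-out propagation (illustrative sketch)."""
from dataclasses import dataclass, field

# Hypothetical integration registry: name -> does it sell/share personal data?
INTEGRATIONS = {
    "ads_pixel": True,
    "crossdevice_graph": True,
    "error_reporting": False,   # assumed to be a service-provider use
}

def signal_present(headers: dict) -> bool:
    """True when the request carries the opt-out preference signal."""
    norm = {k.lower(): v.strip() for k, v in headers.items()}
    return norm.get("sec-gpc") == "1"   # assumption: signal is the GPC header

@dataclass
class ConsentLedger:
    opted_out: set = field(default_factory=set)   # account ids

    def observe(self, account_id, headers) -> bool:
        """Record the signal against the account, not the session."""
        sig = signal_present(headers)
        if sig and account_id is not None:
            self.opted_out.add(account_id)        # sticky and account-wide
        return sig or account_id in self.opted_out

    def allowed(self, account_id, headers) -> list:
        """Integrations that may run for this request."""
        out = self.observe(account_id, headers)
        return sorted(n for n, shares in INTEGRATIONS.items()
                      if not (out and shares))

def session_scoped_allowed(headers) -> list:
    """The weak pattern: the decision depends only on the current request."""
    out = signal_present(headers)
    return sorted(n for n, shares in INTEGRATIONS.items()
                  if not (out and shares))

def demo():
    ledger = ConsentLedger()
    laptop = {"Sec-GPC": "1"}   # constructed request: browser sends the signal
    tv_app = {}                 # constructed request: device sends no header
    first = ledger.allowed("acct-42", laptop)
    later = ledger.allowed("acct-42", tv_app)   # same account, other device
    weak = session_scoped_allowed(tv_app)       # forgets the earlier opt-out
    return first, later, weak

if __name__ == "__main__":
    print(demo())
```

In a real deployment the ledger would be a shared datastore consulted by every service that can forward user data, so the decision cannot differ between services.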