California's Privacy Law Has a Compliance Problem
California's Consumer Privacy Act was supposed to give residents meaningful control over their personal data. But a sweeping new audit of more than 7,000 popular websites tells a different story. Researchers found what they described as "industrial-scale noncompliance" with the CCPA, with many major tech companies systematically ignoring a legally recognized privacy signal built directly into browsers.
The signal in question is called the Global Privacy Control (GPC). When activated, it sends an automatic instruction to every website you visit telling them not to track or sell your personal information. Under the CCPA, honoring this signal is not optional for companies doing business in California. It is a legal requirement. And yet, the audit found that in some cases, tracking continued during 86% of visits even when the GPC signal was active.
That number deserves a moment of reflection. A user could do everything right, activating a legally protected privacy setting, and still have their behavior tracked and their data potentially sold in the overwhelming majority of their browsing sessions.
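An added example, not taken from the audit or from any site's code: browsers express GPC as the request header `Sec-GPC: 1`, and the JavaScript below shows how a site could gate its tags on that header and how a reviewer could measure the share of GPC-active visits where tracking still fired. The tag inventory, the `sellsOrShares` classification, the `.example` hosts and the visit log are all constructed assumptions.

```javascript
// Constructed tag inventory: hosts and purposes are hypothetical.
const TAGS = [
  { name: "site-analytics", host: "stats.first-party.example", sellsOrShares: false },
  { name: "ad-exchange", host: "bid.adnetwork.example", sellsOrShares: true },
  { name: "data-broker-pixel", host: "px.broker.example", sellsOrShares: true },
];

// GPC arrives as `Sec-GPC: 1`; header names are case-insensitive, and only "1" means opt-out.
function gpcActive(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Mitigation: decide server-side which tags may be rendered into the page at all.
function tagsToLoad(headers, tags = TAGS) {
  return gpcActive(headers) ? tags.filter((t) => !t.sellsOrShares) : tags.slice();
}

// Detection: name the sale/sharing tags whose hosts were contacted despite an active GPC signal.
function gpcViolations(headers, contactedHosts, tags = TAGS) {
  if (!gpcActive(headers)) return [];
  const contacted = new Set(contactedHosts.map((h) => h.toLowerCase()));
  return tags.filter((t) => t.sellsOrShares && contacted.has(t.host)).map((t) => t.name);
}

// Share of GPC-active visits in which at least one sale/sharing tag still fired.
function violationRate(visits, tags = TAGS) {
  const gpcVisits = visits.filter((v) => gpcActive(v.headers));
  if (gpcVisits.length === 0) return 0;
  const bad = gpcVisits.filter((v) => gpcViolations(v.headers, v.hosts, tags).length > 0);
  return bad.length / gpcVisits.length;
}

// Constructed visit log: request headers plus the third-party hosts contacted during the visit.
const VISITS = [
  { headers: { "Sec-GPC": "1" }, hosts: ["stats.first-party.example"] },
  { headers: { "sec-gpc": "1" }, hosts: ["bid.adnetwork.example", "px.broker.example"] },
  { headers: {}, hosts: ["bid.adnetwork.example"] },
  { headers: { "SEC-GPC": "1" }, hosts: ["PX.BROKER.EXAMPLE"] },
];

console.log(violationRate(VISITS).toFixed(2));
```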
Why Legal Protections Alone Are Not Enough
Privacy laws like the CCPA represent genuine progress. They establish rights, create enforcement mechanisms, and shift the burden onto companies to justify their data practices. But this audit illustrates a gap that privacy advocates have long warned about: a law is only as effective as its enforcement.
When noncompliance is this widespread and this systematic, it suggests companies have calculated that the risk of regulatory penalties is lower than the value of the data they collect. That is a structural problem, not an individual one. No amount of carefully reading cookie banners or clicking "reject all" fixes a system where the tracking infrastructure continues running in the background regardless.
This matters beyond California, too. While the CCPA only applies to California residents, the websites violating it serve users everywhere. The same tracking technologies, ad networks, and data brokers operate globally. If major companies are willing to ignore a state law with real teeth, the situation in jurisdictions with weaker protections is likely worse.
What This Means For You
The practical takeaway from this audit is uncomfortable but important: you cannot rely on legal frameworks alone to protect your privacy while browsing the web. Corporate compliance is inconsistent at best and, according to this research, negligible at worst when it comes to honoring your stated preferences.
This does not mean privacy laws are worthless. Regulatory pressure, fines, and public accountability do move the needle over time. But in the meantime, your actual browsing behavior is likely being tracked far more extensively than any consent banner or opt-out setting would suggest.
The tools that provide more reliable protection work at a technical level rather than a policy level. A browser extension that blocks third-party trackers does not ask a company to honor your preferences. It simply prevents the tracking code from loading in the first place. Similarly, a VPN encrypts your internet connection and masks your IP address, which is one of the primary identifiers used to build profiles of your behavior across different websites. Neither approach depends on corporate goodwill or regulatory enforcement.
Browser-level privacy controls have also become more sophisticated. Firefox and browsers built on privacy-first principles block many tracking scripts by default. The GPC signal itself is a browser setting worth enabling, not because companies are reliably honoring it (this audit makes clear they are not), but because it creates a documented record of your stated preferences, which can matter in enforcement actions.
Practical Steps to Protect Your Privacy Now
Given what this audit reveals, here are concrete actions that provide real protection rather than policy-dependent promises:
- Enable the Global Privacy Control in your browser settings. It may not always be honored, but it adds a layer of legal standing and is increasingly supported by privacy-focused browsers.
- Use a tracker-blocking browser extension such as uBlock Origin or a privacy-focused browser that blocks third-party scripts by default. These work regardless of whether a site honors your opt-out preferences.
- Consider a VPN for general browsing, particularly on networks you do not control. A VPN does not block trackers directly, but it does prevent your ISP and network-level observers from building a picture of your activity, and it masks the IP address that ties your sessions together across sites.
- Audit your browser's privacy settings periodically. Third-party cookie blocking, fingerprinting protections, and tracker blocking are often disabled by default in mainstream browsers.
- Be skeptical of cookie consent banners. Research consistently shows that many sites continue tracking regardless of the option selected.
The CCPA was a meaningful step toward holding companies accountable for how they handle personal data. But this audit confirms what many privacy researchers have argued for years: legal rights and technical realities are two very different things. Understanding that gap, and taking steps to close it with the tools available to you, is the most reliable path to meaningful privacy protection right now.




