Partner Ad Settings: Google Launches Court-Mandated Privacy Controls

On May 10, 2026, a significant shift occurred in the landscape of digital privacy, though you likely didn’t see a press release about it. Without fanfare, Google completed the court-mandated rollout of a new Partner Ad Settings control within its account dashboard. This implementation, while framed as a consumer-facing feature, is the direct byproduct of the In re Google RTB Consumer Privacy Litigation settlement—a legal battle that has finally forced the search giant to pull back the curtain on its opaque real-time bidding (RTB) machinery.

The timing of this release is far from coincidental. It lands alongside a scathing forensic audit from the privacy watchdog webXray, which reveals that the industry’s existing “opt-out” mechanisms are fundamentally broken. For users who have long relied on browser signals to protect their data, the findings are a wake-up call: the automated Global Privacy Control (GPC) is being ignored by the very platforms that claim to respect it. To reclaim any semblance of digital sovereignty, users must now dive into the “siloed” settings of their Google accounts to manually pull the plug on metadata sharing.

The Mandatory Pivot: Understanding the Partner Ad Settings

The new Partner Ad Settings toggle represents a technical concession that Google fought for years to avoid. Unlike the standard “Ad Personalization” settings that control what you see on Google Search or YouTube, this new feature targets the “off-platform” web—the millions of third-party websites and apps that use Google’s Authorized Buyers and Open Bidding technology to fill ad space.

When a user activates the Partner Ad Settings control, Google is legally bound to alter the way it handles your data in the milliseconds-long auctions that occur whenever you load a page. Specifically, the setting is designed to perform “identifier stripping” within the RTB bidstream. This means that for any user who has enabled the control, Google must remove several critical data points from the bid requests sent to thousands of potential advertisers, including:

• Encrypted Google User IDs: The unique alphanumeric strings that allow advertisers to recognize you across different sites.
• Device Advertising IDs: The hardware-level identifiers (such as AAID on Android) used to build long-term profiles.
• Precise IP Addresses: Often used to triangulate location and cross-reference identities.
• Browser Metadata: Detailed “user-agent” strings that contribute to device fingerprinting.

By stripping these identifiers, Google effectively turns your profile into a “ghost” within the auction. Advertisers may still bid to show you an ad based on the context of the page you are reading, but they can no longer link that visit to your historical browsing data or your Google account identity.

The Real-Time Bidding (RTB) Vulnerability

To understand why this setting is so vital, one must understand the mechanics of Real-Time Bidding. RTB is often described as the “biggest data breach in history,” occurring billions of times per day. When you visit a website, your browser sends a request to an ad exchange. The exchange then broadcasts a “bid request” to hundreds or thousands of companies simultaneously, asking who wants to show you an ad.

The danger lies in the fact that even the companies that lose the auction still receive the bid request. This “bidstream data” contains enough metadata to allow these third parties to build shadow profiles of users without their consent. The Partner Ad Settings toggle is the first high-level tool that allows a user to “blind” the entire bidding pool, not just the eventual winner.

The webXray Audit: A Failure of Trust and Signal

While the launch of the new control is a step forward, the concurrent webXray forensic audit suggests that “passive” privacy is currently a myth. The audit, led by Dr. Timothy Libert—a former lead of cookie policy and compliance at Google—analyzed the behavior of tech giants across 7,000 popular websites. The primary focus was the Global Privacy Control (GPC), a browser-level signal that tells every site a user visits: “Do not sell or share my data.”

The results were catastrophic for Big Tech’s credibility. Google exhibited an 86% failure rate in honoring GPC signals. Despite users explicitly broadcasting their desire to opt out, Google’s servers were found to be routinely setting the “IDE” advertising cookie (linked to the doubleclick.net domain) and continuing to broadcast user metadata. The audit highlights that when a browser sends the sec-gpc: 1 header, Google’s system frequently ignores it, responding instead with commands to create tracking cookies that can persist for up to two years.

Meta and Microsoft: A Shared Pattern of Non-Compliance

The audit confirms that the problem is systemic across the “Big Three” ad platforms. While Google was the worst offender, its peers were not far behind:

• Meta (Facebook/Instagram): Showed a 69% failure rate. Researchers found that Meta’s tracking code often lacks a programmatic check for GPC signals entirely, continuing to harvest data by default.
• Microsoft: Showed a 55% failure rate (with some samples as high as 50% for Bing-related tracking). Microsoft’s system was observed setting the “MUID” tracking cookie even when a clear opt-out signal was present.

This “industrial-scale non-compliance” has led auditors to project a potential aggregate liability of $5.8 billion for these firms under the California Consumer Privacy Act (CCPA). This figure is based on the statutory penalties associated with ignoring valid opt-out requests—a precedent set by previous fines against Sephora and Disney.

The Legal Hammer: In re Google RTB Consumer Privacy Litigation

The reason Google is rolling out the Partner Ad Settings today is not a sudden altruistic shift toward user privacy. It is the result of a 2026 settlement in the In re Google RTB Consumer Privacy Litigation. The lawsuit alleged that Google breached its own privacy promises by broadcasting sensitive user data in RTB auctions, despite telling users “Google does not sell your personal information.”

U.S. District Court Judge Yvonne Gonzalez Rogers, who oversaw the case, expressed skepticism throughout the proceedings. In her final approval of the settlement on March 26, 2026, she noted that the relief was “adequate, but by no means excellent,” primarily because the “RTB Control” is an opt-in requirement rather than a default. Under the terms of the settlement, Google was required to implement this control for all U.S. account holders by May 2026, alongside “enhanced disclosures” about exactly what data is being shared with bidders.

Furthermore, the settlement mandates that Google stop the practice of “cookie matching” for users who have the setting enabled. Cookie matching is a technical handshake where Google allows third-party advertisers to sync their own internal tracking IDs with Google’s User ID. By severing this link, Google is effectively dismantling the bridge that allowed advertisers to follow a single user across the disparate corners of the internet.

How to Reclaim Your Metadata: A Step-by-Step Guide

Because the Partner Ad Settings are currently siloed and not integrated into the primary “Privacy Checkup” tool, most users will remain vulnerable unless they perform a manual audit. To secure your account, follow these steps:

1. Log in to your Google Account dashboard.
2. Navigate to the “Data & Privacy” (or “Privacy & Personalization”) tab.
3. Search for “Partner ad settings” or navigate to the “Ads” section.
4. Locate the toggle for “Personalized ads on partner sites” and ensure it is turned OFF.
5. Check for the new sub-option: “Limit metadata sharing in ad auctions” and ensure this is ACTIVATED.

Activating this control does more than just stop “relevant” ads; it changes the network traffic leaving your device. Forensic analysis shows that when this setting is active, the BidRequest objects generated by Google’s ad exchange are stripped of the buyeruid field and the google_user_id field, making it impossible for the 242+ ad tech vendors evaluated in the webXray audit to identify you.

The Financial and Ethical Stakes: Why 2026 is a Turning Point

The findings of the May 2026 audit suggest that the “voluntary” phase of internet privacy is over. With a projected $5.8 billion liability hanging over the industry, regulators are no longer accepting “technical misunderstandings” as an excuse for data leakage. The California Privacy Protection Agency (CPPA) has signaled that it will begin an enforcement sweep targeting businesses that fail to honor the GPC signal.

However, the existence of the Partner Ad Settings highlights a troubling trend: the burden of privacy remains on the consumer. By making these vital controls “opt-in” and hiding them deep within sub-menus, Big Tech companies are betting on user inertia. They know that only a small fraction of their 200 million+ account holders will ever take the time to audit these settings.

Expert Opinion: “The fact that Google had to be sued into providing a simple toggle to stop broadcasting my IP address to thousands of bidders tells you everything you need to know about the current state of the ad-supported web,” says one lead researcher from webXray. “Privacy shouldn’t be an Easter egg hunt.”

Final Thoughts: The End of the Shadow Profile?

The launch of the Partner Ad Settings is a hard-won victory for consumer advocates, but it is not a total solution. As long as the ad-supported ecosystem relies on Real-Time Bidding, there will be an inherent tension between “relevant advertising” and “user anonymity.”

For now, the message to the professional and privacy-conscious user is clear: Do not trust the signal; verify the setting. Even if your browser is set to “Do Not Track” or you have GPC enabled, the webXray audit proves that these signals are being ignored in 86% of cases by the world’s largest ad network. The only way to stop the leakage is to use the very tools Google was forced to build. Use them today, before your metadata is sold in the next 100-millisecond auction.