Waivern Consent Analyser
CCPA / CPRA Compliance Report  ·  CCPA/CPRA (California)
CCPA/CPRA analysis mode  —  California Consumer Privacy Act (opt-out regime). Tracking at page load is permitted until the consumer exercises their GPC opt-out signal or DNSSPI right — pre-consent GDPR checks are not applicable and have been suppressed or reframed as informational inventory data. Primary compliance findings are in the DNS, GPC, and USP sections.

Consent Compliance Report

2026-03-31 16:48:56 UTC  ·  https://sfchronicle.com  ·  CMP: Unknown / Not detected   AI off
📍 Analysis ran from: 🇺🇸 Santa Clara, California, United States  ·  IP: 52.52.202.228  ·  Amazon.com, Inc.  ·  Results reflect how this site presents to this location.
Post Accept All — CCPA tracking baseline
3 FAIL   0 PASS   7 MANUAL  ·  4 warn   0 err

CCPA Opt-Out Mechanism

Opt-out mechanism Not found
Session E: opt-out clicked ✗ Not clicked — manual review needed
GPC signal: US Privacy string Not implemented (no IAB US Privacy framework)
GPC signal: GPP string Not detected
Default tracking: cookies 7 total  (0 ad/tracking)
Default tracking: JS globals none detected

Section M — Summary

Category | Result
Dnsspi Link Present | ✗ FAIL
Dnsspi Link Prominent | — N/A
Lspi Link Present | ☐ MANUAL
Gpc Signal Detected | ✗ FAIL
Ad Cookies Suppressed Gpc | ☐ MANUAL
Ad Pixels Suppressed Gpc | ☐ MANUAL
Us Privacy Framework | ℹ INFO
Usp Reflects Gpc Optout | ☐ MANUAL
Usp Reflects Manual Optout | ☐ MANUAL
Optout Destination Functional | ✗ FAIL
Optout No Login Required | ☐ MANUAL
Optout Preference Recorded | ☐ MANUAL

Run Log   34 entries  ·  ⚠ 4 warning(s)
elapsed | level | session | message
0.0s | ▶ STEP | MAIN | Run 8736a833 started
{"url": "https://sfchronicle.com"}
0.0s | · INFO | MAIN | Detecting probe server location
0.2s | · INFO | MAIN | Probe location
{"ip": "52.52.202.228", "city": "Santa Clara", "region": "California", "country": "United States", "country_code": "US", "org": "Amazon.com, Inc.", "latitude": 37.3924, "longitude": -121.9623}
0.2s | ▶ STEP | MAIN | Starting analysis of https://sfchronicle.com
{"mode": "CCPA"}
1.8s | · INFO | MAIN | Chromium launched
{"headless": true}
2.1s | · INFO | PREFLIGHT | Navigating to https://sfchronicle.com
10.7s | ⚠ WARN | PREFLIGHT | Network did not reach idle state — proceeding after load event. Normal for sites with persistent connections (websockets, polling).
10.7s | ▶ STEP | A | Session A start (CCPA baseline — no banner interaction)
10.7s | · INFO | A | Navigating to https://sfchronicle.com
19.0s | ⚠ WARN | A | Network did not reach idle state — proceeding after load event. Normal for sites with persistent connections (websockets, polling).
22.0s | · INFO | A | Capturing CCPA baseline state
22.2s | · INFO | A | CCPA baseline captured
{"baseline_cookies": 7, "baseline_ad_cookies": 0, "baseline_tracking_storage": 0, "baseline_tracker_globals": [], "baseline_unblocked_scripts": 0, "baseline_capture_error": null}
22.3s | ▶ STEP | A | Session A complete — CCPA baseline captured
{"pre_consent_cookies": 7, "pre_consent_ad_cookies": 0, "pre_consent_tracking_storage": 0, "pre_consent_tracker_globals": [], "pre_consent_unblocked_scripts": 0, "pre_consent_capture_error": null, "baseline_cookies": 7, "baseline_ad_cookies": 0, "baseline_tracking_storage": 0, "baseline_tracker_globals": [], "baseline_unblocked_scripts": 0, "baseline_capture_error": null}
22.3s | ▶ STEP | DNSSPI | Scanning for DNSSPI / LSPI opt-out links
22.3s | · INFO | DNSSPI | Navigating to https://sfchronicle.com
30.6s | ⚠ WARN | DNSSPI | Network did not reach idle state — proceeding after load event. Normal for sites with persistent connections (websockets, polling).
30.6s | · INFO | DNSSPI | Waiting for CMP banner (up to 12s before scroll)
45.7s | · INFO | DNSSPI | Link not found on homepage — trying privacy sub-pages
56.3s | · INFO | DNSSPI | DNSSPI/LSPI scan complete
{"dnsspi_found": false, "dnsspi_text": "", "dnsspi_via_cmp": false, "lspi_found": false, "lspi_text": ""}
56.3s | ▶ STEP | D | Session D start (GPC signal injection)
56.3s | · INFO | D | Navigating to https://sfchronicle.com
64.6s | ⚠ WARN | D | Network did not reach idle state — proceeding after load event. Normal for sites with persistent connections (websockets, polling).
66.7s | · INFO | D | GPC state captured
{"gpc_cookies": 7, "gpc_ad_cookies": 0, "gpc_tracking_storage": 0, "gpc_tracker_globals": [], "gpc_unblocked_scripts": 0, "gpc_capture_error": null}
66.7s | · INFO | D | Privacy strings probed
{"us_privacy": null, "gpp": null}
66.8s | ▶ STEP | D | Session D complete
{"gpc_cookies": 7, "gpc_ad_cookies": 0, "gpc_tracking_storage": 0, "gpc_tracker_globals": [], "gpc_unblocked_scripts": 0, "gpc_capture_error": null}
66.8s | ▶ STEP | E | Session E start (opt-out flow)
66.8s | · INFO | E | Session E skipped — no DNSSPI link found by DNSSPI scan
66.8s | ▶ STEP | E | Session E complete
{"opt_out_completed": false, "us_privacy_after": null}
66.9s | · INFO | MAIN | Browser closed
66.9s | ▶ STEP | MAIN | Analysis complete
{"error_count": 0}
66.9s | ▶ STEP | C1 | Running Component 1 HAR analysis
66.9s | · INFO | C1 | HAR analysis complete — 0 FAIL item(s)
{"total_requests": 121, "phases": ["pre_consent"], "phase_strategy": {"accept": "not_detected", "reject": "not_detected"}, "fail_items": []}
67.0s | ▶ STEP | CHECKS | Running CCPA/CPRA browser-state checks
67.0s | · INFO | CHECKS | Browser checks complete — 3 FAIL item(s)
{"fail_items": ["DNS.1", "GPC.1", "OPT.1"], "mode": "ccpa"}

Detailed Findings

BAS. Default Tracking Baseline 0 PASS   0 MANUAL
BAS.1 Advertising and analytics tracking active by default (opt-out right context)
ℹ INFO

0 advertising/tracking cookie(s) and 0 tracker global(s) active by default (none detected). Under CCPA/CPRA, this is the default state consumers have the right to opt out of via the DNSSPI link or GPC signal. The presence of tracking by default is not itself a violation — the violation is failure to provide a working opt-out mechanism.

total cookies default: 7  ·  ad tracking cookies: 0  ·  tracker globals active: none  ·  tracking scripts active: 0
BAS.2 CCPA relationship classification: Sale, Sharing, and Service Provider vendors
ℹ INFO

SALE (§1798.140(ad)): 0 vendor(s) — none detected. SHARING/cross-context behavioural (§1798.140(ah)): 0 vendor(s) — none detected. SERVICE PROVIDER (on-behalf processing): 0 vendor(s) — none detected. Sale and Sharing relationships are subject to the consumer opt-out right under CPRA §1798.120 and must be disclosed in the privacy policy.

sale vendors: none  ·  sharing vendors: none  ·  service provider vendors: none  ·  sale cookie count: 0  ·  sharing cookie count: 0  ·  service provider cookie count: 0
DNS. Do Not Sell or Share Link (CPRA §1798.135(a)) 1 FAIL   0 PASS   1 MANUAL
DNS.1 'Do Not Sell or Share My Personal Information' opt-out link present
✗ FAIL

No 'Do Not Sell or Share My Personal Information' link detected. Cal. Civ. Code §1798.135(a) requires a clear and conspicuous link on every page where personal information is collected. The link must use the specified statutory phrase or the IAB-approved alternative 'Your Privacy Choices'.

found: False  ·  text:  ·  location:  ·  href:
Recommendation: Add a 'Do Not Sell or Share My Personal Information' link to the footer of every page where PI is collected (at minimum the homepage). The link should open an opt-out mechanism — not just a privacy policy. Consider using the IAB OPT-OUT icon alongside the link for recognition.
DNS.3 'Limit the Use of My Sensitive Personal Information' link present (CPRA §1798.135(a)(2))
☐ MANUAL

No 'Limit the Use of My Sensitive Personal Information' link detected. Based on the site's apparent business type, SPI collection likelihood is assessed as LOW — this obligation likely does not apply unless the site collects precise geolocation, health, financial, biometric, or other sensitive data categories (CPRA §1798.140(ae)) as part of its core operations. Manual review recommended to confirm whether SPI is processed and whether this link is required.

lspi: {'found': False, 'text': '', 'location': '', 'href': ''}  ·  spi_likelihood: LOW
Recommendation: Confirm whether you process any sensitive personal information categories per §1798.140(ae). If not (e.g. you only collect name, email, order history), this link is not required. If you do process SPI (e.g. precise location for delivery tracking), add the link alongside your DNSSPI link.
GPC. Global Privacy Control Compliance 1 FAIL   0 PASS   2 MANUAL
GPC.1 Site signals GPC opt-out receipt via US Privacy string or GPP
✗ FAIL

US Privacy string: (none). GPP: (none).

usprivacy: (not detected)  ·  gpp: (not detected)  ·  note: No __usprivacy or __gpp cookie or API detected with GPC header active. Site may not be recognising the Sec-GPC: 1 header or navigator.globalPrivacyControl JS property.
Recommendation: Configure the CMP to read the Sec-GPC: 1 request header and the navigator.globalPrivacyControl JS property (set to true) and treat them as an automatic opt-out of sale and sharing. CPRA §1798.135(b) prohibits requiring additional consumer action when a valid opt-out signal is present. CMP platforms (OneTrust, Sourcepoint, Didomi) have built-in GPC support that must be explicitly enabled.
GPC.2 Advertising/tracking cookies suppressed after GPC opt-out vs default baseline
☐ MANUAL

Default (no opt-out): 0 advertising/tracking cookie(s). After GPC opt-out signal: 0 advertising/tracking cookie(s). No advertising cookies detected in the default baseline — cannot assess suppression.

default baseline ad cookies: 0  ·  after gpc signal ad cookies: 0  ·  cookies suppressed: 0
GPC.3 Advertising pixel scripts (Meta, TikTok, LinkedIn etc.) suppressed after GPC opt-out
☐ MANUAL

No advertising pixels detected in the default baseline — cannot assess suppression.

default ad pixels: none  ·  after gpc ad pixels: none  ·  pixels suppressed: none  ·  pixels still active: none  ·  gtm gtag present: False
GPC.4 Third-party tracking script load — default vs after GPC opt-out (informational)
ℹ INFO

Default baseline: 0 tracking script(s) active. After GPC opt-out: 0 tracking script(s). Reduction of 0. Script-level suppression is informational — scripts may be loaded but not execute tracking functionality depending on runtime logic.

default tracking scripts: 0  ·  after gpc tracking scripts: 0  ·  scripts suppressed: 0
USP. IAB US Privacy / GPP Framework 0 PASS   2 MANUAL
USP.1 IAB US Privacy / GPP framework participation (opt-out signalling infrastructure)
ℹ INFO

No IAB opt-out signalling framework detected with GPC active. Sites using a CCPA-compliant CMP (OneTrust, Sourcepoint, Didomi) should emit a USP or GPP string that reflects the consumer's current opt-out status, including when the GPC signal is present.

usprivacy string: (not present)  ·  gpp string: (not present)  ·  framework detected: No IAB opt-out framework detected  ·  decoded: (see above)
Recommendation: Implement an IAB GPP-compliant CMP to provide industry-standard opt-out signalling. The GPP (Global Privacy Platform) string communicates the consumer's opt-out status to ad tech vendors downstream in the supply chain. Without this, downstream partners may continue processing data for advertising even after an opt-out.
USP.2 __usprivacy string signals opt-out when GPC header is active
☐ MANUAL

__usprivacy during GPC session: None. No __usprivacy string detected during GPC session.

us privacy during gpc: (not detected)  ·  opt out bit: (n/a)
Recommendation: When the Sec-GPC: 1 header is present, the __usprivacy string should be set to 1YN- or 1YY- (opt-out bit = 'Y' at position 3). CPRA §1798.135(b) and the IAB US Privacy Technical Specification both require businesses to reflect GPC opt-out in the US Privacy string.
USP.3 __usprivacy string signals opt-out after manual DNSSPI opt-out flow
☐ MANUAL

Opt-out flow could not be completed automatically (no DNSSPI link found, no confirmation button detected, or opt-out requires form input / account authentication). Manual verification required.

OPT. Opt-Out Flow 1 FAIL   0 PASS   2 MANUAL
OPT.1 DNSSPI link leads to a functional opt-out destination
✗ FAIL

DNSSPI link not found — opt-out flow cannot be assessed.

OPT.2 Opt-out completable without requiring account creation or login
☐ MANUAL

Could not confirm opt-out was completable without authentication. Manual review required. CPRA §1798.135(a) prohibits requiring consumers to create an account as a condition of exercising opt-out rights.

opt out button clicked: False
OPT.3 Opt-out preference is recorded and honoured on reload
☐ MANUAL

Opt-out flow could not be completed automatically. Manual review required.

us privacy before: (not detected)  ·  us privacy after: (not detected)  ·  baseline ad cookies: 0  ·  post optout ad cookies: 0  ·  baseline pixels: none  ·  post optout pixels: none  ·  opt out clicked: False
run_id: 8736a833