AI-Enhanced Compliance Report

https://sfchronicle.com · CMP: Unknown / Not detected ⚠ AI analysis incomplete

Post Accept Baseline

3 FAIL 0 PASS 7 MANUAL

C3 analysis errors:

ANTHROPIC_API_KEY not set. C3 analysis requires this environment variable.

Consent State Screenshots — assessed by AI for K.1/K.2/K.3

Default Starting State

Post Accept Baseline

Detailed Findings

🤖 = AI-assessed · 👁 = Vision (screenshot) · HIGH MEDIUM LOW = risk level from legal analysis

BAS. Default Tracking Baseline 0 FAIL 0 PASS 0 MANUAL

BAS.1 Advertising and analytics tracking active by default (opt-out right context)

ℹ INFO

0 advertising/tracking cookie(s) and 0 tracker global(s) active by default (none detected). Under CCPA/CPRA, this is the default state consumers have the right to opt out of via the DNSSPI link or GPC signal. The presence of tracking by default is not itself a violation — the violation is failure to provide a working opt-out mechanism.

total_cookies_default	ad_tracking_cookies	tracker_globals_active	tracking_scripts_active
7	0	[]	0

BAS.2 CCPA relationship classification: Sale, Sharing, and Service Provider vendors

ℹ INFO

SALE (§1798.140(ad)): 0 vendor(s) — none detected. SHARING/cross-context behavioural (§1798.140(ah)): 0 vendor(s) — none detected. SERVICE PROVIDER (on-behalf processing): 0 vendor(s) — none detected. Sale and Sharing relationships are subject to the consumer opt-out right under CPRA §1798.120 and must be disclosed in the privacy policy.

sale_vendors	sharing_vendors	service_provider_vendors	sale_cookie_count	sharing_cookie_count	service_provider_cookie_count
[]	[]	[]	0	0	0

DNS. Do Not Sell or Share Link (CPRA §1798.135(a)) 1 FAIL 0 PASS 1 MANUAL

DNS.1 'Do Not Sell or Share My Personal Information' opt-out link present

✗ FAIL

No 'Do Not Sell or Share My Personal Information' link detected. Cal. Civ. Code §1798.135(a) requires a clear and conspicuous link on every page where personal information is collected. The link must use the specified statutory phrase or the IAB-approved alternative 'Your Privacy Choices'.

found	text	location	href
False

Recommendation: Add a 'Do Not Sell or Share My Personal Information' link to the footer of every page where PI is collected (at minimum the homepage). The link should open an opt-out mechanism — not just a privacy policy. Consider using the IAB OPT-OUT icon alongside the link for recognition.

DNS.3 'Limit the Use of My Sensitive Personal Information' link present (CPRA §1798.135(a)(2))

☐ MANUAL

No 'Limit the Use of My Sensitive Personal Information' link detected. Based on the site's apparent business type, SPI collection likelihood is assessed as LOW — this obligation likely does not apply unless the site collects precise geolocation, health, financial, biometric, or other sensitive data categories (CPRA §1798.140(ae)) as part of its core operations. Manual review recommended to confirm whether SPI is processed and whether this link is required.

lspi	spi_likelihood
{'found': False, 'text': '', 'location': '', 'href': ''}	LOW

Recommendation: Confirm whether you process any sensitive personal information categories per §1798.140(ae). If not (e.g. you only collect name, email, order history), this link is not required. If you do process SPI (e.g. precise location for delivery tracking), add the link alongside your DNSSPI link.

GPC. Global Privacy Control Compliance 1 FAIL 0 PASS 2 MANUAL

GPC.1 Site signals GPC opt-out receipt via US Privacy string or GPP

✗ FAIL

US Privacy string: (none). GPP: (none).

__usprivacy	__gpp	note
(not detected)	(not detected)	No __usprivacy or __gpp cookie or API detected with GPC header active. Site may not be recognising the Sec-GPC: 1 header or navigator.globalPrivacyControl JS property.

Recommendation: Configure the CMP to read the Sec-GPC: 1 request header and the navigator.globalPrivacyControl JS property (set to true) and treat them as an automatic opt-out of sale and sharing. CPRA §1798.135(b) prohibits requiring additional consumer action when a valid opt-out signal is present. CMP platforms (OneTrust, Sourcepoint, Didomi) have built-in GPC support that must be explicitly enabled.

GPC.2 Advertising/tracking cookies suppressed after GPC opt-out vs default baseline

☐ MANUAL

Default (no opt-out): 0 advertising/tracking cookie(s). After GPC opt-out signal: 0 advertising/tracking cookie(s). No advertising cookies detected in the default baseline — cannot assess suppression.

default_baseline_ad_cookies	after_gpc_signal_ad_cookies	cookies_suppressed
0	0	0

GPC.3 Advertising pixel scripts (Meta, TikTok, LinkedIn etc.) suppressed after GPC opt-out

☐ MANUAL

No advertising pixels detected in the default baseline — cannot assess suppression.

default_ad_pixels	after_gpc_ad_pixels	pixels_suppressed	pixels_still_active	gtm_gtag_present
[]	[]	[]	[]	False

GPC.4 Third-party tracking script load — default vs after GPC opt-out (informational)

ℹ INFO

Default baseline: 0 tracking script(s) active. After GPC opt-out: 0 tracking script(s). Reduction of 0. Script-level suppression is informational — scripts may be loaded but not execute tracking functionality depending on runtime logic.

default_tracking_scripts	after_gpc_tracking_scripts	scripts_suppressed
0	0	0

USP. IAB US Privacy / GPP Framework 0 FAIL 0 PASS 2 MANUAL

USP.1 IAB US Privacy / GPP framework participation (opt-out signalling infrastructure)

ℹ INFO

No IAB opt-out signalling framework detected with GPC active. Sites using a CCPA-compliant CMP (OneTrust, Sourcepoint, Didomi) should emit a USP or GPP string that reflects the consumer's current opt-out status, including when the GPC signal is present.

__usprivacy_string	__gpp_string	framework_detected	decoded
(not present)	(not present)	No IAB opt-out framework detected	(see above)

Recommendation: Implement an IAB GPP-compliant CMP to provide industry-standard opt-out signalling. The GPP (Global Privacy Platform) string communicates the consumer's opt-out status to ad tech vendors downstream in the supply chain. Without this, downstream partners may continue processing data for advertising even after an opt-out.

USP.2 __usprivacy string signals opt-out when GPC header is active

☐ MANUAL

__usprivacy during GPC session: None. No __usprivacy string detected during GPC session.

us_privacy_during_gpc	opt_out_bit
(not detected)	(n/a)

Recommendation: When the Sec-GPC: 1 header is present, the __usprivacy string should be set to 1YN- or 1YY- (opt-out bit = 'Y' at position 3). CPRA §1798.135(b) and the IAB US Privacy Technical Specification both require businesses to reflect GPC opt-out in the US Privacy string.

USP.3 __usprivacy string signals opt-out after manual DNSSPI opt-out flow

☐ MANUAL

Opt-out flow could not be completed automatically (no DNSSPI link found, no confirmation button detected, or opt-out requires form input / account authentication). Manual verification required.

OPT. Opt-Out Flow 1 FAIL 0 PASS 2 MANUAL

OPT.1 DNSSPI link leads to a functional opt-out destination

✗ FAIL

DNSSPI link not found — opt-out flow cannot be assessed.

OPT.2 Opt-out completable without requiring account creation or login

☐ MANUAL

Could not confirm opt-out was completable without authentication. Manual review required. CPRA §1798.135(a) prohibits requiring consumers to create an account as a condition of exercising opt-out rights.

opt_out_button_clicked
False

OPT.3 Opt-out preference is recorded and honoured on reload

☐ MANUAL

Opt-out flow could not be completed automatically. Manual review required.

us_privacy_before	us_privacy_after	baseline_ad_cookies	post_optout_ad_cookies	baseline_pixels	post_optout_pixels	opt_out_clicked
(not detected)	(not detected)	0	0	[]	[]	False

Component 3 — AI analysis via Claude · ← Home