Waivern Consent Analyser ← Home Log

CCPA / CPRA Compliance Report · CCPA/CPRA (California)

CCPA/CPRA analysis mode — California Consumer Privacy Act (opt-out regime). Tracking at page load is permitted until the consumer exercises their GPC opt-out signal or DNSSPI right — pre-consent GDPR checks are not applicable and have been suppressed or reframed as informational inventory data. Primary compliance findings are in the DNS, GPC, and USP sections.

Consent Compliance Report

2026-04-06 16:11:38 UTC · https://www.wisetack.com · CMP: Enzuzo CMP AI off

📍 Analysis ran from: 🇺🇸 Santa Clara, California, United States · IP: 52.52.202.228 · Amazon.com, Inc. · Results reflect how this site presents to this location.

Post Manual Opt-Out — DNSSPI flow complete

2 FAIL 4 PASS 5 MANUAL · 0 warn 0 err

CCPA Opt-Out Mechanism

Opt-out mechanism	CMP banner — Decline non-essential cookies
Session E: opt-out clicked	✓ Yes — confirmed functional
GPC signal: US Privacy string	Not implemented (no IAB US Privacy framework)
GPC signal: GPP string	Not detected
Default tracking: cookies	14 total (0 ad/tracking)
Default tracking: JS globals	`GoogleAnalyticsObject, _hjSettings, _hsq, dataLayer, ga, google_tag_manager, gtag, hj, lintrk`

Screenshots

Default Starting State — no consent interaction

Post Accept All — CCPA tracking baseline

Post Manual Opt-Out — DNSSPI flow complete

Section M — Summary

Category	Result
Dnsspi Link Present	✓ PASS
Dnsspi Link Prominent	✓ PASS
Lspi Link Present	☐ MANUAL
Gpc Signal Detected	✗ FAIL
Ad Cookies Suppressed Gpc	☐ MANUAL
Ad Pixels Suppressed Gpc	✗ FAIL
Us Privacy Framework	ℹ INFO
Usp Reflects Gpc Optout	☐ MANUAL
Usp Reflects Manual Optout	☐ MANUAL
Optout Destination Functional	✓ PASS
Optout No Login Required	✓ PASS
Optout Preference Recorded	☐ MANUAL

Run Log 44 entries · ✓ Clean run · raw JSON

elapsed	level	session	message
0.0s	▶ STEP	MAIN	Run c1818d47 started {"url": "https://www.wisetack.com"}
0.0s	· INFO	MAIN	Detecting probe server location
0.4s	· INFO	MAIN	Probe location {"ip": "52.52.202.228", "city": "Santa Clara", "region": "California", "country": "United States", "country_code": "US", "org": "Amazon.com, Inc.", "latitude": 37.3924, "longitude": -121.9623}
0.4s	▶ STEP	MAIN	Starting analysis of https://www.wisetack.com {"mode": "CCPA"}
12.4s	· INFO	MAIN	Chromium launched {"headless": true}
14.9s	· INFO	PREFLIGHT	Navigating to https://www.wisetack.com
23.0s	· INFO	PREFLIGHT	Network idle reached
23.3s	▶ STEP	A	Session A start (CCPA baseline — no banner interaction)
23.6s	· INFO	A	Navigating to https://www.wisetack.com
25.4s	· INFO	A	Network idle reached
28.4s	· INFO	A	Capturing CCPA baseline state
28.9s	· INFO	A	CCPA baseline captured {"baseline_cookies": 14, "baseline_ad_cookies": 0, "baseline_tracking_storage": 2, "baseline_tracker_globals": ["ga", "gtag", "dataLayer", "google_tag_manager", "GoogleAnalyticsObject", "hj", "_hjSettings", "_hsq", "lintrk"], "baseline_unblocked_scripts": 4, "baseline_capture_error": null}
29.3s	▶ STEP	A	Session A complete — CCPA baseline captured {"pre_consent_cookies": 14, "pre_consent_ad_cookies": 0, "pre_consent_tracking_storage": 2, "pre_consent_tracker_globals": ["ga", "gtag", "dataLayer", "google_tag_manager", "GoogleAnalyticsObject", "hj", "_hjSettings", "_hsq", "lintrk"], "pre_consent_unblocked_scripts": 4, "pre_consent_capture_error": null, "baseline_cookies": 14, "baseline_ad_cookies": 0, "baseline_tracking_storage": 2, "baseline
29.3s	▶ STEP	DNSSPI	Scanning for DNSSPI / LSPI opt-out links
29.3s	· INFO	DNSSPI	Navigating to https://www.wisetack.com
31.4s	· INFO	DNSSPI	Network idle reached
31.4s	· INFO	DNSSPI	Waiting for CMP banner (up to 12s before scroll)
43.4s	· INFO	DNSSPI	CMP banner is CCPA opt-out mechanism: "Decline non-essential cookies"
43.4s	· INFO	DNSSPI	DNSSPI/LSPI scan complete {"dnsspi_found": true, "dnsspi_text": "Decline non-essential cookies", "dnsspi_via_cmp": true, "lspi_found": null, "lspi_text": ""}
43.4s	▶ STEP	D	Session D start (GPC signal injection)
43.5s	· INFO	D	Navigating to https://www.wisetack.com
45.4s	· INFO	D	Network idle reached
47.4s	· INFO	D	GPC state captured {"gpc_cookies": 19, "gpc_ad_cookies": 0, "gpc_tracking_storage": 2, "gpc_tracker_globals": ["ga", "gtag", "dataLayer", "google_tag_manager", "GoogleAnalyticsObject", "hj", "_hjSettings", "_hsq", "lintrk"], "gpc_unblocked_scripts": 4, "gpc_capture_error": null}
47.4s	· INFO	D	Privacy strings probed {"us_privacy": null, "gpp": null}
47.7s	▶ STEP	D	Session D complete {"gpc_cookies": 19, "gpc_ad_cookies": 0, "gpc_tracking_storage": 2, "gpc_tracker_globals": ["ga", "gtag", "dataLayer", "google_tag_manager", "GoogleAnalyticsObject", "hj", "_hjSettings", "_hsq", "lintrk"], "gpc_unblocked_scripts": 4, "gpc_capture_error": null}
47.7s	▶ STEP	E	Session E start (opt-out flow)
47.7s	· INFO	E	Opt-out via CMP banner — navigating to site
47.7s	· INFO	E	Navigating to https://www.wisetack.com
49.8s	· INFO	E	Network idle reached
49.8s	· INFO	E	Opt-out button found on attempt 1: "decline non-essential cookies"
49.8s	· INFO	E	US Privacy before opt-out click: (not found)
49.8s	· INFO	E	Opt-out button clicked via JS: "decline non-essential cookies"
51.8s	· INFO	E	Post-opt-out privacy strings captured {"us_privacy_before": null, "us_privacy_after": null, "gpp_after": null, "opt_out_clicked": true}
51.8s	· INFO	E	Reloading page to verify opt-out state
51.8s	· INFO	E_verify	Navigating to https://www.wisetack.com
55.2s	· INFO	E_verify	Network idle reached
58.3s	· INFO	E	Post-opt-out state captured {"post_optout_cookies": 18, "post_optout_ad_cookies": 1, "post_optout_tracker_globals": ["GoogleAnalyticsObject", "_hjSettings", "_hsq", "dataLayer", "ga", "google_tag_manager", "gtag", "hj", "lintrk"]}
59.4s	▶ STEP	E	Session E complete {"opt_out_completed": true, "us_privacy_after": null}
59.5s	· INFO	MAIN	Browser closed
59.6s	▶ STEP	MAIN	Analysis complete {"error_count": 0}
59.6s	▶ STEP	C1	Running Component 1 HAR analysis
59.7s	· INFO	C1	HAR analysis complete — 1 FAIL item(s) {"total_requests": 117, "phases": ["pre_consent"], "phase_strategy": {"accept": "not_detected", "reject": "not_detected"}, "fail_items": ["B.1"]}
59.8s	▶ STEP	CHECKS	Running CCPA/CPRA browser-state checks
59.8s	· INFO	CHECKS	Browser checks complete — 2 FAIL item(s) {"fail_items": ["GPC.1", "GPC.3"], "mode": "ccpa"}

Detailed Findings

BAS. Default Tracking Baseline 0 PASS 0 MANUAL

BAS.1 Advertising and analytics tracking active by default (opt-out right context)

ℹ INFO

0 advertising/tracking cookie(s) and 9 tracker global(s) active by default (GoogleAnalyticsObject, _hjSettings, _hsq, dataLayer, ga, google_tag_manager…). Under CCPA/CPRA, this is the default state consumers have the right to opt out of via the DNSSPI link or GPC signal. The presence of tracking by default is not itself a violation — the violation is failure to provide a working opt-out mechanism.

total cookies default	14
ad tracking cookies	0
tracker globals active	GoogleAnalyticsObject_hjSettings_hsqdataLayergagoogle_tag_managergtaghjlintrk
tracking scripts active	5

BAS.2 CCPA relationship classification: Sale, Sharing, and Service Provider vendors

ℹ INFO

SALE (§1798.140(ad)): 0 vendor(s) — none detected. SHARING/cross-context behavioural (§1798.140(ah)): 4 vendor(s) — Google Ads, Google Ads (DoubleClick), LinkedIn Insight, LinkedIn Insight Tag. SERVICE PROVIDER (on-behalf processing): 1 vendor(s) — HubSpot (CRM/marketing). Sale and Sharing relationships are subject to the consumer opt-out right under CPRA §1798.120 and must be disclosed in the privacy policy.

sale vendors	none
sharing vendors	Google AdsGoogle Ads (DoubleClick)LinkedIn InsightLinkedIn Insight Tag
service provider vendors	HubSpot (CRM/marketing)
sale cookie count	0
sharing cookie count	8
service provider cookie count	2

Recommendation: Ensure all Sale and Sharing vendor relationships are disclosed in the privacy policy per Cal. Civ. Code §1798.100(a)(1). Data broker Sale relationships require written contracts limiting downstream use per §1798.100(d). Consider whether data broker relationships (LiveRamp, BlueKai, etc.) are necessary given CPRA opt-out exposure.

DNS. Do Not Sell or Share Link (CPRA §1798.135(a)) 2 PASS 1 MANUAL

DNS.1 'Do Not Sell or Share My Personal Information' opt-out link present

✓ PASS

Opt-out link found: "Decline non-essential cookies" — placement: banner.

found: True · text: Decline non-essential cookies · location: banner · href: · via cmp: True

DNS.2 DNSSPI opt-out is clear and conspicuous (§1798.135(a) requirement)

✓ PASS

Opt-out available via CMP consent banner ("Decline non-essential cookies"). Banner-based opt-out is clear and conspicuous — CPRA permits the consent interface to serve as the opt-out mechanism.

found: True · text: Decline non-essential cookies · location: banner · href: · via cmp: True

DNS.3 'Limit the Use of My Sensitive Personal Information' link present (CPRA §1798.135(a)(2))

☐ MANUAL

No 'Limit the Use of My Sensitive Personal Information' link detected. Based on the site's apparent business type, SPI collection likelihood is assessed as LOW — this obligation likely does not apply unless the site collects precise geolocation, health, financial, biometric, or other sensitive data categories (CPRA §1798.140(ae)) as part of its core operations. Manual review recommended to confirm whether SPI is processed and whether this link is required.

lspi	spi_likelihood
{}	LOW

Recommendation: Confirm whether you process any sensitive personal information categories per §1798.140(ae). If not (e.g. you only collect name, email, order history), this link is not required. If you do process SPI (e.g. precise location for delivery tracking), add the link alongside your DNSSPI link.

GPC. Global Privacy Control Compliance 2 FAIL 0 PASS 1 MANUAL

GPC.1 Site signals GPC opt-out receipt via US Privacy string or GPP

✗ FAIL

US Privacy string: (none). GPP: (none).

usprivacy: (not detected) · gpp: (not detected) · note: No __usprivacy or __gpp cookie or API detected with GPC header active. Site may not be recognising the Sec-GPC: 1 header or navigator.globalPrivacyControl JS property.

Recommendation: Configure the CMP to read the Sec-GPC: 1 request header and the navigator.globalPrivacyControl JS property (set to true) and treat them as an automatic opt-out of sale and sharing. CPRA §1798.135(b) prohibits requiring additional consumer action when a valid opt-out signal is present. CMP platforms (OneTrust, Sourcepoint, Didomi) have built-in GPC support that must be explicitly enabled.

GPC.2 Advertising/tracking cookies suppressed after GPC opt-out vs default baseline

☐ MANUAL

Default (no opt-out): 0 advertising/tracking cookie(s). After GPC opt-out signal: 0 advertising/tracking cookie(s). No advertising cookies detected in the default baseline — cannot assess suppression.

default baseline ad cookies: 0 · after gpc signal ad cookies: 0 · cookies suppressed: 0

GPC.3 Advertising pixel scripts (Meta, TikTok, LinkedIn etc.) suppressed after GPC opt-out

✗ FAIL

Default baseline pixels: ['_hsq', 'lintrk']. After GPC opt-out: ['_hsq', 'lintrk']. Pixels still active after GPC opt-out: ['_hsq', 'lintrk']. These constitute 'sharing' for cross-context behavioural advertising under CPRA §1798.140(ah).

default ad pixels	_hsqlintrk
after gpc ad pixels	_hsqlintrk
pixels suppressed	none
pixels still active	_hsqlintrk
gtm gtag present	True

Recommendation: Advertising pixel scripts (Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, etc.) must not execute when GPC is active. Configure your tag manager or CMP to suppress these tags when navigator.globalPrivacyControl is true.

GPC.4 Third-party tracking script load — default vs after GPC opt-out (informational)

ℹ INFO

Default baseline: 5 tracking script(s) active. After GPC opt-out: 5 tracking script(s). Reduction of 0. Script-level suppression is informational — scripts may be loaded but not execute tracking functionality depending on runtime logic.

default tracking scripts: 5 · after gpc tracking scripts: 5 · scripts suppressed: 0

USP. IAB US Privacy / GPP Framework 0 PASS 2 MANUAL

USP.1 IAB US Privacy / GPP framework participation (opt-out signalling infrastructure)

ℹ INFO

No IAB opt-out signalling framework detected with GPC active. Sites using a CCPA-compliant CMP (OneTrust, Sourcepoint, Didomi) should emit a USP or GPP string that reflects the consumer's current opt-out status, including when the GPC signal is present.

usprivacy string: (not present) · gpp string: (not present) · framework detected: No IAB opt-out framework detected · decoded: (see above)

Recommendation: Implement an IAB GPP-compliant CMP to provide industry-standard opt-out signalling. The GPP (Global Privacy Platform) string communicates the consumer's opt-out status to ad tech vendors downstream in the supply chain. Without this, downstream partners may continue processing data for advertising even after an opt-out.

USP.2 __usprivacy string signals opt-out when GPC header is active

☐ MANUAL

__usprivacy during GPC session: None. No __usprivacy string detected during GPC session.

us privacy during gpc: (not detected) · opt out bit: (n/a)

Recommendation: When the Sec-GPC: 1 header is present, the __usprivacy string should be set to 1YN- or 1YY- (opt-out bit = 'Y' at position 3). CPRA §1798.135(b) and the IAB US Privacy Technical Specification both require businesses to reflect GPC opt-out in the US Privacy string.

USP.3 __usprivacy string signals opt-out after manual DNSSPI opt-out flow

☐ MANUAL

Before opt-out click: (none). After opt-out click: (none). No string detected post-click.

us privacy before click: (not detected) · us privacy after click: (not detected) · opt out button clicked: True

Recommendation: After a consumer clicks the DNSSPI link and confirms their opt-out, the __usprivacy string should update to reflect the opted-out state (position 3 = 'Y'). Cal. Civ. Code §1798.135(a)(1) requires the opt-out to take effect within 15 business days of the request.

OPT. Opt-Out Flow 2 PASS 1 MANUAL

OPT.1 DNSSPI link leads to a functional opt-out destination

✓ PASS

Opt-out available via CMP consent banner ("Decline non-essential cookies") and confirmed functional — opt-out button was successfully clicked in automated testing. CPRA permits the CMP consent interface to serve as the opt-out mechanism.

mechanism: CMP banner · button text: Decline non-essential cookies · opt out clicked: True

OPT.2 Opt-out completable without requiring account creation or login

✓ PASS

Opt-out button found and clicked automatically — no login required.

opt out button clicked: True

OPT.3 Opt-out preference is recorded and honoured on reload

☐ MANUAL

No unambiguous advertising cookies or pixels detected in the baseline — cannot assess opt-out efficacy via state comparison. Opt-out button was clicked. Manual review of the CMP audit log is recommended.

us privacy before	(not detected)
us privacy after	(not detected)
baseline ad cookies	0
post optout ad cookies	1
baseline pixels	_hjSettings_hsqhjlintrk
post optout pixels	_hjSettings_hsqhjlintrk
opt out clicked	True

run_id: c1818d47 · raw log · ⬇ report JSON · all runs · ← Home

🤖 AI-Enhanced Analysis

Add regulatory citations, risk ratings, enforcement precedents, and a remediation roadmap using Claude AI. Results are cached — generation only runs once per report.

🤖 View AI Report