Waivern Consent Analyser
AI-Enhanced Compliance Report

AI-Enhanced Compliance Report

https://www.wisetack.com  ·  CMP: Enzuzo CMP   ⚠ AI analysis incomplete
Post Optout State
2 FAIL   4 PASS   5 MANUAL
C3 analysis errors:

Consent State Screenshots — assessed by AI for K.1/K.2/K.3

Default Starting State
default_starting_state
Post Accept Baseline
post_accept_baseline
Post Optout State
post_optout_state

Detailed Findings

🤖 = AI-assessed  ·  👁 = Vision (screenshot)  ·  HIGH MEDIUM LOW = risk level from legal analysis

BAS. Default Tracking Baseline 0 FAIL   0 PASS   0 MANUAL
BAS.1 Advertising and analytics tracking active by default (opt-out right context)
ℹ INFO

0 advertising/tracking cookie(s) and 9 tracker global(s) active by default (GoogleAnalyticsObject, _hjSettings, _hsq, dataLayer, ga, google_tag_manager…). Under CCPA/CPRA, this is the default state consumers have the right to opt out of via the DNSSPI link or GPC signal. The presence of tracking by default is not itself a violation — the violation is failure to provide a working opt-out mechanism.

total cookies default14
ad tracking cookies0
tracker globals active
GoogleAnalyticsObject_hjSettings_hsqdataLayergagoogle_tag_managergtaghjlintrk
tracking scripts active5
BAS.2 CCPA relationship classification: Sale, Sharing, and Service Provider vendors
ℹ INFO

SALE (§1798.140(ad)): 0 vendor(s) — none detected. SHARING/cross-context behavioural (§1798.140(ah)): 4 vendor(s) — Google Ads, Google Ads (DoubleClick), LinkedIn Insight, LinkedIn Insight Tag. SERVICE PROVIDER (on-behalf processing): 1 vendor(s) — HubSpot (CRM/marketing). Sale and Sharing relationships are subject to the consumer opt-out right under CPRA §1798.120 and must be disclosed in the privacy policy.

sale vendorsnone
sharing vendors
Google AdsGoogle Ads (DoubleClick)LinkedIn InsightLinkedIn Insight Tag
service provider vendors
HubSpot (CRM/marketing)
sale cookie count0
sharing cookie count8
service provider cookie count2
Recommendation: Ensure all Sale and Sharing vendor relationships are disclosed in the privacy policy per Cal. Civ. Code §1798.100(a)(1). Data broker Sale relationships require written contracts limiting downstream use per §1798.100(d). Consider whether data broker relationships (LiveRamp, BlueKai, etc.) are necessary given CPRA opt-out exposure.
DNS. Do Not Sell or Share Link (CPRA §1798.135(a)) 0 FAIL   2 PASS   1 MANUAL
DNS.1 'Do Not Sell or Share My Personal Information' opt-out link present
✓ PASS

Opt-out link found: "Decline non-essential cookies" — placement: banner.

found: True  ·  text: Decline non-essential cookies  ·  location: banner  ·  href:  ·  via cmp: True
DNS.2 DNSSPI opt-out is clear and conspicuous (§1798.135(a) requirement)
✓ PASS

Opt-out available via CMP consent banner ("Decline non-essential cookies"). Banner-based opt-out is clear and conspicuous — CPRA permits the consent interface to serve as the opt-out mechanism.

found: True  ·  text: Decline non-essential cookies  ·  location: banner  ·  href:  ·  via cmp: True
DNS.3 'Limit the Use of My Sensitive Personal Information' link present (CPRA §1798.135(a)(2))
☐ MANUAL

No 'Limit the Use of My Sensitive Personal Information' link detected. Based on the site's apparent business type, SPI collection likelihood is assessed as LOW — this obligation likely does not apply unless the site collects precise geolocation, health, financial, biometric, or other sensitive data categories (CPRA §1798.140(ae)) as part of its core operations. Manual review recommended to confirm whether SPI is processed and whether this link is required.

lspispi_likelihood
{}LOW
Recommendation: Confirm whether you process any sensitive personal information categories per §1798.140(ae). If not (e.g. you only collect name, email, order history), this link is not required. If you do process SPI (e.g. precise location for delivery tracking), add the link alongside your DNSSPI link.
GPC. Global Privacy Control Compliance 2 FAIL   0 PASS   1 MANUAL
GPC.1 Site signals GPC opt-out receipt via US Privacy string or GPP
✗ FAIL

US Privacy string: (none). GPP: (none).

usprivacy: (not detected)  ·  gpp: (not detected)  ·  note: No __usprivacy or __gpp cookie or API detected with GPC header active. Site may not be recognising the Sec-GPC: 1 header or navigator.globalPrivacyControl JS property.
Recommendation: Configure the CMP to read the Sec-GPC: 1 request header and the navigator.globalPrivacyControl JS property (set to true) and treat them as an automatic opt-out of sale and sharing. CPRA §1798.135(b) prohibits requiring additional consumer action when a valid opt-out signal is present. CMP platforms (OneTrust, Sourcepoint, Didomi) have built-in GPC support that must be explicitly enabled.
GPC.2 Advertising/tracking cookies suppressed after GPC opt-out vs default baseline
☐ MANUAL

Default (no opt-out): 0 advertising/tracking cookie(s). After GPC opt-out signal: 0 advertising/tracking cookie(s). No advertising cookies detected in the default baseline — cannot assess suppression.

default baseline ad cookies: 0  ·  after gpc signal ad cookies: 0  ·  cookies suppressed: 0
GPC.3 Advertising pixel scripts (Meta, TikTok, LinkedIn etc.) suppressed after GPC opt-out
✗ FAIL

Default baseline pixels: ['_hsq', 'lintrk']. After GPC opt-out: ['_hsq', 'lintrk']. Pixels still active after GPC opt-out: ['_hsq', 'lintrk']. These constitute 'sharing' for cross-context behavioural advertising under CPRA §1798.140(ah).

default ad pixels
_hsqlintrk
after gpc ad pixels
_hsqlintrk
pixels suppressednone
pixels still active
_hsqlintrk
gtm gtag presentTrue
Recommendation: Advertising pixel scripts (Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, etc.) must not execute when GPC is active. Configure your tag manager or CMP to suppress these tags when navigator.globalPrivacyControl is true.
GPC.4 Third-party tracking script load — default vs after GPC opt-out (informational)
ℹ INFO

Default baseline: 5 tracking script(s) active. After GPC opt-out: 5 tracking script(s). Reduction of 0. Script-level suppression is informational — scripts may be loaded but not execute tracking functionality depending on runtime logic.

default tracking scripts: 5  ·  after gpc tracking scripts: 5  ·  scripts suppressed: 0
USP. IAB US Privacy / GPP Framework 0 FAIL   0 PASS   2 MANUAL
USP.1 IAB US Privacy / GPP framework participation (opt-out signalling infrastructure)
ℹ INFO

No IAB opt-out signalling framework detected with GPC active. Sites using a CCPA-compliant CMP (OneTrust, Sourcepoint, Didomi) should emit a USP or GPP string that reflects the consumer's current opt-out status, including when the GPC signal is present.

usprivacy string: (not present)  ·  gpp string: (not present)  ·  framework detected: No IAB opt-out framework detected  ·  decoded: (see above)
Recommendation: Implement an IAB GPP-compliant CMP to provide industry-standard opt-out signalling. The GPP (Global Privacy Platform) string communicates the consumer's opt-out status to ad tech vendors downstream in the supply chain. Without this, downstream partners may continue processing data for advertising even after an opt-out.
USP.2 __usprivacy string signals opt-out when GPC header is active
☐ MANUAL

__usprivacy during GPC session: None. No __usprivacy string detected during GPC session.

us privacy during gpc: (not detected)  ·  opt out bit: (n/a)
Recommendation: When the Sec-GPC: 1 header is present, the __usprivacy string should be set to 1YN- or 1YY- (opt-out bit = 'Y' at position 3). CPRA §1798.135(b) and the IAB US Privacy Technical Specification both require businesses to reflect GPC opt-out in the US Privacy string.
USP.3 __usprivacy string signals opt-out after manual DNSSPI opt-out flow
☐ MANUAL

Before opt-out click: (none). After opt-out click: (none). No string detected post-click.

us privacy before click: (not detected)  ·  us privacy after click: (not detected)  ·  opt out button clicked: True
Recommendation: After a consumer clicks the DNSSPI link and confirms their opt-out, the __usprivacy string should update to reflect the opted-out state (position 3 = 'Y'). Cal. Civ. Code §1798.135(a)(1) requires the opt-out to take effect within 15 business days of the request.
OPT. Opt-Out Flow 0 FAIL   2 PASS   1 MANUAL
OPT.1 DNSSPI link leads to a functional opt-out destination
✓ PASS

Opt-out available via CMP consent banner ("Decline non-essential cookies") and confirmed functional — opt-out button was successfully clicked in automated testing. CPRA permits the CMP consent interface to serve as the opt-out mechanism.

mechanism: CMP banner  ·  button text: Decline non-essential cookies  ·  opt out clicked: True
OPT.2 Opt-out completable without requiring account creation or login
✓ PASS

Opt-out button found and clicked automatically — no login required.

opt out button clicked: True
OPT.3 Opt-out preference is recorded and honoured on reload
☐ MANUAL

No unambiguous advertising cookies or pixels detected in the baseline — cannot assess opt-out efficacy via state comparison. Opt-out button was clicked. Manual review of the CMP audit log is recommended.

us privacy before(not detected)
us privacy after(not detected)
baseline ad cookies0
post optout ad cookies1
baseline pixels
_hjSettings_hsqhjlintrk
post optout pixels
_hjSettings_hsqhjlintrk
opt out clickedTrue
Component 3 — AI analysis via Claude  ·  ← Home