This tool checks whether your site meets CCPA/CPRA requirements around cookie consent and opt-out signals — but California’s privacy law imposes a broader set of obligations on businesses that collect personal information. Privacy notice requirements, consumer rights fulfilment (including the right to delete and the right to correct), data sharing agreements with service providers and contractors, and sensitive personal information handling are just a few of the areas this tool cannot assess.
If you’d like to understand your full CCPA/CPRA compliance position, Waivern combines automated scanning tools like this one with privacy professionals who know US state privacy law inside out. Our ongoing compliance support starts from just £200/month (ex. VAT) — whether you’re dealing with California alone or navigating the growing patchwork of US state privacy regulations.
🤖 = AI-assessed · 👁 = Vision (screenshot) · HIGH MEDIUM LOW = risk level from legal analysis
0 advertising/tracking cookie(s) and 9 tracker global(s) active by default (GoogleAnalyticsObject, _hjSettings, _hsq, dataLayer, ga, google_tag_manager…). Under CCPA/CPRA, this is the default state consumers have the right to opt out of via the DNSSPI link or GPC signal. The presence of tracking by default is not itself a violation — the violation is failure to provide a working opt-out mechanism.
| total_cookies_default | ad_tracking_cookies | tracker_globals_active | tracking_scripts_active |
|---|---|---|---|
| 13 | 0 | ['GoogleAnalyticsObject', '_hjSettings', '_hsq', 'dataLayer', 'ga', 'google_tag_manager', 'gtag', 'hj', 'lintrk'] | 4 |
SALE (§1798.140(ad)): 0 vendor(s) — none detected. SHARING/cross-context behavioural (§1798.140(ah)): 2 vendor(s) — LinkedIn Insight, LinkedIn Insight Tag. SERVICE PROVIDER (on-behalf processing): 1 vendor(s) — HubSpot (CRM/marketing). Sale and Sharing relationships are subject to the consumer opt-out right under CPRA §1798.120 and must be disclosed in the privacy policy.
| sale_vendors | sharing_vendors | service_provider_vendors | sale_cookie_count | sharing_cookie_count | service_provider_cookie_count |
|---|---|---|---|---|---|
| [] | ['LinkedIn Insight', 'LinkedIn Insight Tag'] | ['HubSpot (CRM/marketing)'] | 0 | 7 | 2 |
Opt-out link found: "Decline non-essential cookies" — placement: banner.
| found | text | location | href | via_cmp |
|---|---|---|---|---|
| True | Decline non-essential cookies | banner | True |
Opt-out available via CMP consent banner ("Decline non-essential cookies"). Banner-based opt-out is clear and conspicuous — CPRA permits the consent interface to serve as the opt-out mechanism.
| found | text | location | href | via_cmp |
|---|---|---|---|---|
| True | Decline non-essential cookies | banner | True |
No 'Limit the Use of My Sensitive Personal Information' link detected. Based on the site's apparent business type, SPI collection likelihood is assessed as LOW — this obligation likely does not apply unless the site collects precise geolocation, health, financial, biometric, or other sensitive data categories (CPRA §1798.140(ae)) as part of its core operations. Manual review recommended to confirm whether SPI is processed and whether this link is required.
| lspi | spi_likelihood |
|---|---|
| {} | LOW |
US Privacy string: (none). GPP: (none).
| __usprivacy | __gpp | note |
|---|---|---|
| (not detected) | (not detected) | No __usprivacy or __gpp cookie or API detected with GPC header active. Site may not be recognising the Sec-GPC: 1 header or navigator.globalPrivacyControl JS property. |
Default (no opt-out): 0 advertising/tracking cookie(s). After GPC opt-out signal: 0 advertising/tracking cookie(s). No advertising cookies detected in the default baseline — cannot assess suppression.
| default_baseline_ad_cookies | after_gpc_signal_ad_cookies | cookies_suppressed |
|---|---|---|
| 0 | 0 | 0 |
Default baseline pixels: ['_hsq', 'lintrk']. After GPC opt-out: ['_hsq', 'lintrk']. Pixels still active after GPC opt-out: ['_hsq', 'lintrk']. These constitute 'sharing' for cross-context behavioural advertising under CPRA §1798.140(ah).
| default_ad_pixels | after_gpc_ad_pixels | pixels_suppressed | pixels_still_active | gtm_gtag_present |
|---|---|---|---|---|
| ['_hsq', 'lintrk'] | ['_hsq', 'lintrk'] | [] | ['_hsq', 'lintrk'] | True |
Default baseline: 4 tracking script(s) active. After GPC opt-out: 4 tracking script(s). Reduction of 0. Script-level suppression is informational — scripts may be loaded but not execute tracking functionality depending on runtime logic.
| default_tracking_scripts | after_gpc_tracking_scripts | scripts_suppressed |
|---|---|---|
| 4 | 4 | 0 |
No IAB opt-out signalling framework detected with GPC active. Sites using a CCPA-compliant CMP (OneTrust, Sourcepoint, Didomi) should emit a USP or GPP string that reflects the consumer's current opt-out status, including when the GPC signal is present.
| __usprivacy_string | __gpp_string | framework_detected | decoded |
|---|---|---|---|
| (not present) | (not present) | No IAB opt-out framework detected | (see above) |
__usprivacy during GPC session: None. No __usprivacy string detected during GPC session.
| us_privacy_during_gpc | opt_out_bit |
|---|---|
| (not detected) | (n/a) |
Before opt-out click: (none). After opt-out click: (none). No string detected post-click.
| us_privacy_before_click | us_privacy_after_click | opt_out_button_clicked |
|---|---|---|
| (not detected) | (not detected) | True |
Opt-out available via CMP consent banner ("Decline non-essential cookies") and confirmed functional — opt-out button was successfully clicked in automated testing. CPRA permits the CMP consent interface to serve as the opt-out mechanism.
| mechanism | button_text | opt_out_clicked |
|---|---|---|
| CMP banner | Decline non-essential cookies | True |
Opt-out button found and clicked automatically — no login required.
| opt_out_button_clicked |
|---|
| True |
No unambiguous advertising cookies or pixels detected in the baseline — cannot assess opt-out efficacy via state comparison. Opt-out button was clicked. Manual review of the CMP audit log is recommended.
| us_privacy_before | us_privacy_after | baseline_ad_cookies | post_optout_ad_cookies | baseline_pixels | post_optout_pixels | opt_out_clicked |
|---|---|---|---|---|---|---|
| (not detected) | (not detected) | 0 | 2 | ['_hjSettings', '_hsq', 'hj', 'lintrk'] | ['_hjSettings', '_hsq', 'hj', 'lintrk'] | True |
This tool checks whether your site meets CCPA/CPRA requirements around cookie consent and opt-out signals — but California’s privacy law imposes a broader set of obligations on businesses that collect personal information. Privacy notice requirements, consumer rights fulfilment (including the right to delete and the right to correct), data sharing agreements with service providers and contractors, and sensitive personal information handling are just a few of the areas this tool cannot assess.
If you’d like to understand your full CCPA/CPRA compliance position, Waivern combines automated scanning tools like this one with privacy professionals who know US state privacy law inside out. Our ongoing compliance support starts from just £200/month (ex. VAT) — whether you’re dealing with California alone or navigating the growing patchwork of US state privacy regulations.
