This tool checks whether your site meets CCPA/CPRA requirements around cookie consent and opt-out signals — but California’s privacy law imposes a broader set of obligations on businesses that collect personal information. Privacy notice requirements, consumer rights fulfilment (including the right to delete and the right to correct), data sharing agreements with service providers and contractors, and sensitive personal information handling are just a few of the areas this tool cannot assess.
If you’d like to understand your full CCPA/CPRA compliance position, Waivern combines automated scanning tools like this one with privacy professionals who know US state privacy law inside out. Our ongoing compliance support starts from just £200/month (ex. VAT) — whether you’re dealing with California alone or navigating the growing patchwork of US state privacy regulations.
🤖 = AI-assessed · 👁 = Vision (screenshot) · HIGH MEDIUM LOW = risk level from legal analysis
0 advertising/tracking cookie(s) and 0 tracker global(s) active by default (none detected). Under CCPA/CPRA, this is the default state consumers have the right to opt out of via the DNSSPI link or GPC signal. The presence of tracking by default is not itself a violation — the violation is failure to provide a working opt-out mechanism.
| total_cookies_default | ad_tracking_cookies | tracker_globals_active | tracking_scripts_active |
|---|---|---|---|
| 7 | 0 | [] | 0 |
SALE (§1798.140(ad)): 0 vendor(s) — none detected. SHARING/cross-context behavioural (§1798.140(ah)): 0 vendor(s) — none detected. SERVICE PROVIDER (on-behalf processing): 0 vendor(s) — none detected. Sale and Sharing relationships are subject to the consumer opt-out right under CPRA §1798.120 and must be disclosed in the privacy policy.
| sale_vendors | sharing_vendors | service_provider_vendors | sale_cookie_count | sharing_cookie_count | service_provider_cookie_count |
|---|---|---|---|---|---|
| [] | [] | [] | 0 | 0 | 0 |
No 'Do Not Sell or Share My Personal Information' link detected. Cal. Civ. Code §1798.135(a) requires a clear and conspicuous link on every page where personal information is collected. The link must use the specified statutory phrase or the IAB-approved alternative 'Your Privacy Choices'.
No 'Limit the Use of My Sensitive Personal Information' link detected. Based on the site's apparent business type, SPI collection likelihood is assessed as LOW — this obligation likely does not apply unless the site collects precise geolocation, health, financial, biometric, or other sensitive data categories (CPRA §1798.140(ae)) as part of its core operations. Manual review recommended to confirm whether SPI is processed and whether this link is required.
| lspi | spi_likelihood |
|---|---|
| {} | LOW |
US Privacy string: (none). GPP: (none).
| __usprivacy | __gpp | note |
|---|---|---|
| (not detected) | (not detected) | No __usprivacy or __gpp cookie or API detected with GPC header active. Site may not be recognising the Sec-GPC: 1 header or navigator.globalPrivacyControl JS property. |
Default (no opt-out): 0 advertising/tracking cookie(s). After GPC opt-out signal: 0 advertising/tracking cookie(s). No advertising cookies detected in the default baseline — cannot assess suppression.
| default_baseline_ad_cookies | after_gpc_signal_ad_cookies | cookies_suppressed |
|---|---|---|
| 0 | 0 | 0 |
No advertising pixels detected in the default baseline — cannot assess suppression.
| default_ad_pixels | after_gpc_ad_pixels | pixels_suppressed | pixels_still_active | gtm_gtag_present |
|---|---|---|---|---|
| [] | [] | [] | [] | False |
Default baseline: 0 tracking script(s) active. After GPC opt-out: 0 tracking script(s). Reduction of 0. Script-level suppression is informational — scripts may be loaded but not execute tracking functionality depending on runtime logic.
| default_tracking_scripts | after_gpc_tracking_scripts | scripts_suppressed |
|---|---|---|
| 0 | 0 | 0 |
No IAB opt-out signalling framework detected with GPC active. Sites using a CCPA-compliant CMP (OneTrust, Sourcepoint, Didomi) should emit a USP or GPP string that reflects the consumer's current opt-out status, including when the GPC signal is present.
| __usprivacy_string | __gpp_string | framework_detected | decoded |
|---|---|---|---|
| (not present) | (not present) | No IAB opt-out framework detected | (see above) |
__usprivacy during GPC session: None. No __usprivacy string detected during GPC session.
| us_privacy_during_gpc | opt_out_bit |
|---|---|
| (not detected) | (n/a) |
Opt-out flow could not be completed automatically (no DNSSPI link found, no confirmation button detected, or opt-out requires form input / account authentication). Manual verification required.
DNSSPI link not found — opt-out flow cannot be assessed.
Could not confirm opt-out was completable without authentication. Manual review required. CPRA §1798.135(a) prohibits requiring consumers to create an account as a condition of exercising opt-out rights.
| opt_out_button_clicked |
|---|
| False |
Opt-out flow could not be completed automatically. Manual review required.
| us_privacy_before | us_privacy_after | baseline_ad_cookies | post_optout_ad_cookies | baseline_pixels | post_optout_pixels | opt_out_clicked |
|---|---|---|---|---|---|---|
| (not detected) | (not detected) | 0 | 0 | [] | [] | False |
This tool checks whether your site meets CCPA/CPRA requirements around cookie consent and opt-out signals — but California’s privacy law imposes a broader set of obligations on businesses that collect personal information. Privacy notice requirements, consumer rights fulfilment (including the right to delete and the right to correct), data sharing agreements with service providers and contractors, and sensitive personal information handling are just a few of the areas this tool cannot assess.
If you’d like to understand your full CCPA/CPRA compliance position, Waivern combines automated scanning tools like this one with privacy professionals who know US state privacy law inside out. Our ongoing compliance support starts from just £200/month (ex. VAT) — whether you’re dealing with California alone or navigating the growing patchwork of US state privacy regulations.
