FORENSIC PRIVACY AUDIT · US · COMPLIANCE ASSESSMENT

www.ulta.com

Kenneth Buchanan
Consent Compliance Intelligence
Date
June 04, 2026
Methodology
Consent Enforcement
Audit ID
b12339cc-f791-426a-ba09-d47f483b598d
Kenneth Buchanan · Consent Compliance Intelligence

AUDIT VERDICT

Violations Confirmed

This point-in-time audit of https://www.ulta.com identified 34 confirmed technical findings under the S3 Consent Mode wiring-broken methodology. OneTrust was detected, Google Consent Mode remained in a GCS=G111 granted state after opt-out, and 27 pixel endpoints were observed after consent denial.

Cookie Violations
34
confirmed vendors
Pixel Endpoints
27
post-denial firings
GCS State
G111
CMP integration failure
Jurisdiction
US
simulated: Los Angeles, CA
Kenneth Buchanan · Consent Compliance Intelligence

SIGNAL ANALYSIS

Findings at a Glance

Cookie Violations
34 confirmed vendors
Network Pixel Endpoints
27 post-denial endpoints
Consent Mode (GCS)
G111: CMP not updating Consent Mode on opt-out (integration failure)
sGTM
Not detected
CMP Detected
OneTrust
GPC Signal Honored
Tested: opt-out signal sent
Kenneth Buchanan · Consent Compliance Intelligence

Confirmed Violations

Snapchat
X-AB, _scid, sc_at
HIGH RISK
TikTok
_ttp, _tt_enable_cookie
HIGH RISK
Criteo
uid, cto_bundle, cto_bundle
HIGH RISK
Adobe Audience Manager
demdex, dpm
HIGH RISK

+30 additional vendors documented in full report

CCPA exposure: these vendors received behavioral data after consent was denied. Each firing = potential $7,500 violation.
Kenneth Buchanan · Consent Compliance Intelligence

NETWORK EVIDENCE

Post-Denial Pixel Endpoints

Primary exhibit methodology used by plaintiff law firms (CIPA §631 · CCPA class actions)

Bing Ads UET
bat.bing.com/action
advertising
Criteo
sslwidget.criteo.com
advertising
DoubleClick/DV360
ad.doubleclick.net
advertising
DoubleClick/DV360
doubleclick.net/activityi;
advertising
DoubleClick/DV360
fls.doubleclick.net
advertising
Kenneth Buchanan · Consent Compliance Intelligence

NETWORK EVIDENCE

Pixel Endpoints (cont. 2)

LinkedIn Insight Tag
px.ads.linkedin.com
advertising
LiveRamp
launchpad.privacymanager.io
advertising
LiveRamp
idsync.rlcdn.com
advertising
MediaMath
sync.mathtag.com
advertising
Meta Pixel
connect.facebook.net/en_US/fbevents.js
advertising

Continued (6 to 10 of 27)

Kenneth Buchanan · Consent Compliance Intelligence

NETWORK EVIDENCE

Pixel Endpoints (cont. 3)

Meta Pixel
facebook.com/tr/
advertising
Pinterest Tag
ct.pinterest.com/user
advertising
Pinterest Tag
ct.pinterest.com/v3
advertising
Snapchat Pixel
tr.snapchat.com/p
advertising
TikTok Pixel
analytics.tiktok.com/i18n/pixel
advertising

Continued (11 to 15 of 27)

Kenneth Buchanan · Consent Compliance Intelligence

NETWORK EVIDENCE

Pixel Endpoints (cont. 4)

TikTok Pixel
analytics.tiktok.com/api/v2/pixel
advertising
TradeDesk
js.adsrvr.org
advertising
TradeDesk
match.adsrvr.org
advertising
AppNexus/Xandr
secure.adnxs.com
advertising
Bidswitch
bidswitch.net
advertising

Continued (16 to 20 of 27)

Kenneth Buchanan · Consent Compliance Intelligence

NETWORK EVIDENCE

Pixel Endpoints (cont. 5)

Google Ads
googlesyndication.com
advertising
Impact
d.impactradius-event.com
advertising
Index Exchange
casalemedia.com
advertising
Magnite/Rubicon
pixel.rubiconproject.com
advertising
PubMatic
image2.pubmatic.com
advertising

Continued (21 to 25 of 27)

Kenneth Buchanan · Consent Compliance Intelligence

NETWORK EVIDENCE

Pixel Endpoints (cont. 6)

PubMatic
image4.pubmatic.com
advertising
PubMatic
image6.pubmatic.com
advertising

Continued (26 to 27 of 27)

Kenneth Buchanan · Consent Compliance Intelligence

RISK QUANTIFICATION

Financial Exposure Estimate

CCPA / CPRA
$7,500
per intentional violation · per consumer
CIPA §631
$5,000
per session · no actual damages required
FTC Act
$51,744
per day of ongoing violation
Conservative
$15.6M to $156.0M
50,000 CA opt-outs/mo
max $156.0B/yr
Mid-range
$78.0M to $780.0M
250,000 CA opt-outs/mo
max $780.0B/yr
High-traffic
$312.0M to $3.1B
1,000,000 CA opt-outs/mo
max $3120.0B/yr
Realistic settlement range calibrated to precedent: Sephora $1.2M (2022) · Tractor Supply $1.35M (Sep 2025) · Disney $2.75M (Feb 2026)
Kenneth Buchanan · Consent Compliance Intelligence

GPC COMPLIANCE TEST

GPC Compliance Ignored

Sec-GPC: 1 header + navigator.globalPrivacyControl asserted on every request.

Sec-GPC: 1 header sent on all requests
YES
navigator.globalPrivacyControl = true
YES
Site honored GPC signal
NO. 25 vendor pixels fired tracking after GPC was asserted
Baseline pixel firings (post opt-out)
27
Pixel firings under GPC
25
Under CCPA/CPRA, GPC is a legally binding opt-out signal. California's CPPA has stated GPC non-compliance is enforceable without prior notice.
Kenneth Buchanan · Consent Compliance Intelligence

CMP SELF-REPORT · GROUND TRUTH

What the CMP Says It Does

Captured directly from the CMP's JavaScript API during the scan. This is the configuration the CMP believes it is enforcing. Compare against the observed network behavior below to surface misconfigurations.

CMP
OneTrust
Template
Ulta
Geo Rule
Global
Geo Country
CA
Consent Model
Opt-out
Script Version
202601.2.0
Kenneth Buchanan · Consent Compliance Intelligence

ENFORCEMENT PATTERN MAP

Current Enforcement Themes

Theme
Severity
Evidence
Action
Opt-out mechanism failure
HIGH
34 confirmed vendor finding(s); 27 pixel endpoint firing(s)
Re-test reject-all and GPC paths after each tag or CMP change.
GPC / universal opt-out failure
CRITICAL
25 pixel endpoint(s) fired under GPC; baseline=27, gpc=25
Map Sec-GPC: 1 and navigator.globalPrivacyControl to the same denied state used by manual opt-out.
Vendor and third-party governance
HIGH
52 inventory row(s) likely require sale/sharing review
Confirm each ad-tech, analytics, and pixel vendor has purpose-limited contract terms and is classified in the tracking inventory.
Tracking technology inventory
INFO
55 inventory row(s) generated
Review and export this inventory quarterly and after every tag release.
Kenneth Buchanan · Consent Compliance Intelligence

TRACKING TECHNOLOGY INVENTORY

Vendors Requiring Review

Vendor
Evidence
Sale / Sharing
GPC
Contract
1rx.io
Cookie
LIKELY
Not observed
Needed
Adobe Advertising
Cookie
LIKELY
Not observed
Needed
Adobe Audience Manager
Cookie
LIKELY
Not observed
Needed
AppNexus/Xandr
Pixel
LIKELY
Observed
Needed
Beeswax
Cookie
LIKELY
Not observed
Needed
Bidswitch
Pixel
LIKELY
Observed
Needed
bidswitch.net
Cookie
LIKELY
Not observed
Needed
Bing Ads UET
Pixel
LIKELY
Observed
Needed

+47 additional row(s) documented in the full report and JSON artifact.

Kenneth Buchanan · Consent Compliance Intelligence

CCPA · CPRA · CIPA · FTC ACT

Applicable Legal Framework

CCPA/CPRA §1798.120: Right to opt out of sale and sharing
CPRA sharing extension: Covers pixel-based data transfer to ad platforms
GPC mandate: `Sec-GPC: 1` is a legally binding opt-out signal
Fine exposure: Up to $7,500 per intentional violation per consumer
CIPA: $5,000 statutory per-violation, no actual damages required
Kenneth Buchanan · Consent Compliance Intelligence

REMEDIATION ROADMAP

Immediate Actions Required

Immediate
Disable Snapchat tag in GTM until consent logic is verified
Disable LiveIntent tag in GTM until consent logic is verified
Disable Dynatrace tag in GTM until consent logic is verified
Within 30 Days
Audit CMP integration against Consent Mode V2 requirements
Verify GPC signal is mapped to CMP opt-out state
Obtain written data processing agreements with all third-party vendors
Fix OneTrust → Consent Mode integration: opt-out must propagate denial signals (G100) to all Google tags
Kenneth Buchanan · Consent Compliance Intelligence

HOW WE AUDIT

Forensic Methodology

Definitive (Consent Wiring Broken: tags fire regardless of CMP state). Independent forensic scan. No vendor access or cooperation required. Mirrors the approach used by the California Privacy Protection Agency in automated GPC compliance sweeps.

Fresh browser context, zero prior cookies, consent denial pre-injected before page load
Page reloaded post-denial to capture true opted-out network state
All network traffic captured and fingerprinted against 3,200+ vendor signatures
Pixel endpoint detection: plaintiff law firm methodology (CIPA §631)
Regulatory findings cross-referenced against live enforcement database
Kenneth Buchanan · Consent Compliance Intelligence

PREPARED BY

Kenneth Buchanan

Independent forensic audit · kennethjbuchanan.com

Forensic Auditing
Post-denial traffic analysis
GPC signal testing
sGTM detection
Regulatory Intelligence
Live US & EU enforcement data
Fine exposure modeling
Case precedent library
Remediation Advisory
CMP configuration
Consent Mode V2
GTM consent architecture
Audit b12339cc-f791-426a-ba09-d47f483b598d · 2026-06-04 · For compliance assessment purposes only. Consult legal counsel for enforcement risk analysis.
Kenneth Buchanan · Consent Compliance Intelligence