Consent Violation Detected
34 confirmed violations · 37 vendors analyzed · Definitive (Consent Wiring Broken: tags fire regardless of CMP state)
This point-in-time audit of https://www.ulta.com identified 34 confirmed technical findings under the S3 Consent Mode wiring-broken methodology. OneTrust was detected, Google Consent Mode remained in a GCS=G111 granted state after opt-out, and 27 pixel endpoints were observed after consent denial. The GPC test sent Sec-GPC: 1 and navigator.globalPrivacyControl=true; observed pixel activity decreased from 27 to 25 requests, so the audit marked the signal as not respected. These are technical observations for compliance review, not legal conclusions.
Directional estimate. Actual liability scales with class size and intentionality findings. Anchored to published settlements (see Regulatory Basis below).
Under CCPA/CPRA, GPC is a legally binding opt-out signal. California's CPPA has stated GPC non-compliance is enforceable without prior notice.
| Theme | Severity | Evidence | Regulatory Context | Action |
|---|---|---|---|---|
| Opt-out mechanism failure | high | 34 confirmed vendor finding(s); 27 pixel endpoint firing(s) | Recent CPPA and California Attorney General matters focus on whether opt-out choices suppress downstream tracking, not merely whether an interface records a preference. | Re-test reject-all and GPC paths after each tag or CMP change. |
| GPC / universal opt-out failure | critical | 25 pixel endpoint(s) fired under GPC; baseline=27, gpc=25 | California, Connecticut, Colorado, Oregon, and other states treat opt-out preference signals as enforceable consumer choices. | Map Sec-GPC: 1 and navigator.globalPrivacyControl to the same denied state used by manual opt-out. |
| Vendor and third-party governance | high | 52 inventory row(s) likely require sale/sharing review | California enforcement has treated missing or overbroad ad-tech contract terms as a primary violation, not just a paperwork issue. | Confirm each ad-tech, analytics, and pixel vendor has purpose-limited contract terms and is classified in the tracking inventory. |
| Tracking technology inventory | info | 55 inventory row(s) generated | Recent orders require current inventories of tracking technologies and periodic scanning to catch drift. | Review and export this inventory quarterly and after every tag release. |
| Vendor | Evidence | Category | Opt-Out | GPC | Sale / Sharing Risk | Contract Review | Sensitive Context |
|---|---|---|---|---|---|---|---|
| 1rx.io | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| Adobe Advertising | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| Adobe Audience Manager | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| AppNexus/Xandr | Pixel | Advertising | Observed | Observed | Likely | Needed | None inferred |
| Beeswax | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| Bidswitch | Pixel | Advertising | Observed | Observed | Likely | Needed | None inferred |
| bidswitch.net | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| Bing Ads UET | Pixel | Advertising | Observed | Observed | Likely | Needed | None inferred |
| Casale Media | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| Criteo | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| Criteo | Pixel | Advertising | Observed | Observed | Likely | Needed | None inferred |
| DoubleClick/DV360 | Pixel | Advertising | Observed | Observed | Likely | Needed | None inferred |
| DoubleClick/Google Marketing | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| Dynatrace | Cookie | Analytics | Observed | Not Observed | Possible | Needed | None inferred |
| Federated Media Publishing | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred | |
| Google / DoubleClick | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| Google Ads | Pixel | Advertising | Observed | Observed | Likely | Needed | None inferred |
| Google AdSense | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| HAproxy | Cookie | Functional | Observed | Not Observed | Possible | Low | None inferred |
| Impact | Pixel | Advertising | Observed | Observed | Likely | Needed | None inferred |
| Index Exchange | Pixel | Advertising | Observed | Observed | Likely | Needed | None inferred |
| LinkedIn Insight Tag | Pixel | Advertising | Observed | Not Observed | Likely | Needed | None inferred |
| LiveIntent | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| LiveRamp | Pixel | Advertising | Observed | Observed | Likely | Needed | None inferred |
| Lotame | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| Magnite | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| Magnite/Rubicon | Pixel | Advertising | Observed | Observed | Likely | Needed | None inferred |
| Mediamath | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| MediaMath | Pixel | Advertising | Observed | Not Observed | Likely | Needed | None inferred |
| Mediarithmics | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| Meta Pixel | Pixel | Advertising | Observed | Observed | Likely | Needed | None inferred |
| Microsoft / Bing | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| Nativo | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| openx.net | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred | |
| Pinterest Tag | Pixel | Advertising | Observed | Observed | Likely | Needed | None inferred |
| PubMatic | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| PubMatic | Pixel | Advertising | Observed | Observed | Likely | Needed | None inferred |
| Rapleaf | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred | |
| Smartadserver | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| Snapchat | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| Snapchat Pixel | Pixel | Advertising | Observed | Observed | Likely | Needed | None inferred |
| Taboola | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| Tapad | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| Tealium iQ | Cookie | Functional | Observed | Not Observed | Possible | Low | None inferred |
| The Trade Desk | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| The Tradedesk | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| TikTok | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| TikTok Pixel | Pixel | Advertising | Observed | Observed | Likely | Needed | None inferred |
| TradeDesk | Pixel | Advertising | Observed | Observed | Likely | Needed | None inferred |
| TripleLift | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| Xandr | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| Yahoo | Cookie | Targeting | Observed | Not Observed | Likely | Needed | None inferred |
| Vendor | Signal / Cookie | Category | Legal Risk | Status | Observation |
|---|---|---|---|---|---|
| Snapchat | X-AB, _scid, sc_at, _scid_r | Targeting | High | Violation | Snapchat fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| LiveIntent | _li_ss, _li_ss, lidid | Targeting | Unknown | Violation | LiveIntent fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| Dynatrace | rxVisitor, dtCookie | Analytics | Unknown | Violation | Dynatrace fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| TikTok | _ttp, _tt_enable_cookie | Targeting | High | Violation | TikTok fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| _gcl_au, receive-cookie-deprecation | Targeting | Unknown | Violation | Google fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. | |
| Microsoft / Bing | MUID, MR, MR | Targeting | Medium | Violation | Microsoft / Bing fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| Google / DoubleClick | IDE | Targeting | High | Review Required | GCS=G111 in opted-out scan — active CMP overriding consent injection. Verify CMP configuration and re-test with banner click methodology. |
| _pin_unauth, _pinterest_ct_ua | Targeting | Medium | Violation | Pinterest fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. | |
| DoubleClick/Google Marketing | __gads | Targeting | Unknown | Violation | DoubleClick/Google Marketing fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| Google AdSense | __gpi, __eoi | Targeting | Unknown | Violation | Google AdSense fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| Tapad | TapAd_TS, TapAd_DID, TapAd_3WAY_SYNCS | Targeting | Unknown | Violation | Tapad fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| Criteo | uid, cto_bundle, cto_bundle | Targeting | High | Violation | Criteo fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| Adobe Audience Manager | demdex, dpm | Targeting | High | Violation | Adobe Audience Manager fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| Xandr | XANDR_PANID, uuid2, anj | Targeting | Unknown | Violation | Xandr fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| openx.net | i | Targeting | Unknown | Violation | openx.net fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| Casale Media | CMID, CMPS, CMPRO | Targeting | Unknown | Violation | Casale Media fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| PubMatic | KRTBCOOKIE_18, KADUSERCOOKIE, SPugT, KRTBCOOKIE_377, PugT | Targeting | Unknown | Violation | PubMatic fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| Adobe Advertising | everest_g_v2 | Targeting | Unknown | Violation | Adobe Advertising fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| bidswitch.net | tuuid, c, tuuid_lu | Targeting | Unknown | Violation | bidswitch.net fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| HAproxy | SERVERID | Functional | Unknown | No Evidence | — |
| The Trade Desk | TDID | Targeting | High | Violation | The Trade Desk fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| Magnite | khaos, khaos_p, tvid, tv_UICR, tv_UIRF, audit_p, audit | Targeting | Unknown | Violation | Magnite fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| Nativo | visitor, status, ver | Targeting | Unknown | Violation | Nativo fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| Yahoo | A3, IDSYNC | Targeting | Unknown | Violation | Yahoo fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| Smartadserver | pid, TestIfCookieP, csync | Targeting | Unknown | Violation | Smartadserver fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| Lotame | _cc_dc, _cc_id | Targeting | Medium | Violation | Lotame fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| TripleLift | tluid | Targeting | Unknown | Violation | TripleLift fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| 1rx.io | _rxuuid | Targeting | Unknown | Violation | 1rx.io fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| Taboola | t_gid, t_pt_gid | Targeting | Medium | Violation | Taboola fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| Federated Media Publishing | ljt_reader | Targeting | Unknown | Violation | Federated Media Publishing fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| Mediamath | uuid | Targeting | Unknown | Violation | Mediamath fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| Beeswax | bito, bitoIsSecure | Targeting | Unknown | Violation | Beeswax fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| Mediarithmics | mics_vid, mics_uaid, mics_lts | Targeting | Unknown | Violation | Mediarithmics fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| Tealium iQ | utag_main | Functional | Low | No Evidence | — |
| _rdt_uuid | Targeting | Medium | Violation | Reddit fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. | |
| The Tradedesk | TDCPM | Targeting | Unknown | Violation | The Tradedesk fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| Rapleaf | rlas3, pxrc | Targeting | Unknown | Violation | Rapleaf fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal. |
| Parameter | Value | ad_storage | analytics_storage | Notes |
|---|---|---|---|---|
| GCS | G111 |
granted | granted | Full consent granted, all signals active |
| GCD | 13l3l3l3l1l1 |
Consent detail (V2 signal) | Unknown state | |
Captured directly from the CMP's JavaScript API during the scan. This is ground truth for what the CMP thinks it is doing. Mismatches between this and observed network behavior (below) are forensic evidence of CMP misconfiguration, not gray-area judgment calls.
| CMP | OneTrust |
|---|---|
| Template | Ulta |
| Geolocation Rule | Global |
| Geo Country | CA |
| Consent Model | Opt-out |
| Script Version | 202601.2.0 |
| Expected Cookies (by category) |
C0007: 58 cookies declared
C0001: 26 cookies declared
C0002: 128 cookies declared
C0003: 20 cookies declared
C0004: 185 cookies declared
|
Consent-related pushes captured from window.dataLayer, in firing order. Race conditions (CMP loading after the first GA hit, default-granted defaults that should be denied) surface here. Non-consent events (page_view, click, ecommerce) are intentionally filtered out.
| # | Source | Event | Params |
|---|---|---|---|
| 0 | onetrust_loaded |
OneTrustLoaded |
OnetrustActiveGroups: ,C0001, |
| 2 | onetrust_groups_updated |
OneTrustGroupsUpdated |
OnetrustActiveGroups: ,C0001, |
| 3 | onetrust_loaded |
OneTrustLoaded |
OnetrustActiveGroups: ,C0001, |
| 5 | onetrust_groups_updated |
OneTrustGroupsUpdated |
OnetrustActiveGroups: ,C0001, |
X-AB, _scid, sc_at, _scid_r) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories._li_ss, _li_ss, lidid) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.rxVisitor, dtCookie) is firing without consent. Either (a) gate the Dynatrace tag in GTM behind functional_storage = granted, or (b) call dtrum.disable() on page load when consent is denied._ttp, _tt_enable_cookie) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories._gcl_au, receive-cookie-deprecation) conversion linker fired despite opted-out. In GTM, open the Google Ads / Conversion Linker tag and enable ads_data_redaction. Confirm Additional Consent Settings require ad_storage + ad_user_data + ad_personalization.MUID, MR, MR) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories._pin_unauth, _pinterest_ct_ua) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.__gads) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.__gpi, __eoi) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.TapAd_TS, TapAd_DID, TapAd_3WAY_SYNCS) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.uid, cto_bundle, cto_bundle) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.demdex, dpm) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.XANDR_PANID, uuid2, anj) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.i) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.CMID, CMPS, CMPRO) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.KRTBCOOKIE_18, KADUSERCOOKIE, SPugT, KRTBCOOKIE_377, PugT) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.everest_g_v2) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.tuuid, c, tuuid_lu) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.TDID) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.khaos, khaos_p, tvid, tv_UICR, tv_UIRF, audit_p, audit) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.visitor, status, ver) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.A3, IDSYNC) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.pid, TestIfCookieP, csync) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories._cc_dc, _cc_id) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.tluid) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories._rxuuid) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.t_gid, t_pt_gid) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.ljt_reader) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.uuid) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.bito, bitoIsSecure) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.mics_vid, mics_uaid, mics_lts) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories._rdt_uuid) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.TDCPM) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.rlas3, pxrc) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.Sec-GPC: 1 was asserted. Under CCPA/CPRA, GPC is a legally binding opt-out signal. California's CPPA has stated GPC non-compliance is enforceable without prior notice.| Vendor | Category | Exposure | Endpoint Matched | Full URL |
|---|---|---|---|---|
| Bing Ads UET | Advertising | High | bat.bing.com/action | https://bat.bing.com/action/0?ti=4025993&Ver=2&_rnd=0.52446465481837 |
| Criteo | Advertising | High | sslwidget.criteo.com | https://sslwidget.criteo.com/event?a=8463&v=5.46.0&uat=0&p0=e%3Dce%26m%3D%255B%255D%26h%3Dsha256&p1=e%3Dexd%26ci%3D2c33e… |
| DoubleClick/DV360 | Advertising | High | ad.doubleclick.net | https://ad.doubleclick.net/activity;src=14666520;type=ultasale;cat=131277289;rcb=5;ord=8625700733253;npa=0;auiddc=168044… |
| DoubleClick/DV360 | Advertising | High | doubleclick.net/activityi; | https://4728858.fls.doubleclick.net/activityi;src=4728858;type=21ulb1;cat=2022ubdu;EuPoliticalAdsDeclaration=DOES_NOT_CO… |
| DoubleClick/DV360 | Advertising | High | fls.doubleclick.net | https://4728858.fls.doubleclick.net/activityi;src=4728858;type=21ulb1;cat=2022ubdu;EuPoliticalAdsDeclaration=DOES_NOT_CO… |
| LinkedIn Insight Tag | Advertising | High | px.ads.linkedin.com | https://px.ads.linkedin.com/db_sync?pid=16261&puuid=bca961e8-6491-4f84-91a2-0c4cb207d3ec&rand=1780546826 |
| LiveRamp | Advertising | High | launchpad.privacymanager.io | https://launchpad.privacymanager.io/latest/launchpad.bundle.js |
| LiveRamp | Advertising | High | idsync.rlcdn.com | https://idsync.rlcdn.com/360947.gif?partner_uid=2020216318126327897 |
| MediaMath | Advertising | High | sync.mathtag.com | https://sync.mathtag.com/sync/img?mt_exid=10103&redirect=https://partner.mediawallahscript.com/?account_id=2036&partner_… |
| Meta Pixel | Advertising | High | connect.facebook.net/en_US/fbevents.js | https://connect.facebook.net/en_US/fbevents.js |
| Meta Pixel | Advertising | High | facebook.com/tr/ | https://www.facebook.com/tr/?id=558224355430197&ev=PageView&dl=https%3A%2F%2Fwww.ulta.com%2F&rl=&if=false&ts=17805468253… |
| Pinterest Tag | Advertising | High | ct.pinterest.com/user | https://ct.pinterest.com/user/?tid=2620892613526&ov=%7B%22page_name%22%3A%22Ulta%20Beauty%20%7C%20Makeup%2C%20Skin%20Car… |
| Pinterest Tag | Advertising | High | ct.pinterest.com/v3 | https://ct.pinterest.com/v3/?tid=2620892613526&ov=%7B%22page_name%22%3A%22Ulta%20Beauty%20%7C%20Makeup%2C%20Skin%20Care%… |
| Snapchat Pixel | Advertising | High | tr.snapchat.com/p | https://tr.snapchat.com/p |
| TikTok Pixel | Advertising | High | analytics.tiktok.com/i18n/pixel | https://analytics.tiktok.com/i18n/pixel/events.js?sdkid=CQ2N213C77U8BDE394M0&lib=ttq |
| TikTok Pixel | Advertising | High | analytics.tiktok.com/api/v2/pixel | https://analytics.tiktok.com/api/v2/pixel |
| TradeDesk | Advertising | High | js.adsrvr.org | https://js.adsrvr.org/up_loader.3.0.0.js |
| TradeDesk | Advertising | High | match.adsrvr.org | https://match.adsrvr.org/track/cmf/generic?ttd_pid=vxsrv3i&ttd_tpi=1 |
| AppNexus/Xandr | Advertising | Medium | secure.adnxs.com | https://secure.adnxs.com/getuid?https://partner.mediawallahscript.com/?account_id=2016&partner_id=2087&uid=$UID&tag_form… |
| Bidswitch | Advertising | Medium | bidswitch.net | https://x.bidswitch.net/sync?dsp_id=119&user_id=2020216318126327897&expires=30&gdpr=&gdpr_consent=&gdpr_pd={GDPR_PD} |
| Google Ads | Advertising | Medium | googlesyndication.com | https://f9bfedf34305c9e280466e1905458236.safeframe.googlesyndication.com/safeframe/1-0-45/html/container.html |
| Impact | Advertising | Medium | d.impactradius-event.com | https://d.impactradius-event.com/A119822-1eb0-43de-95fe-3053aaab3d711.js |
| Index Exchange | Advertising | Medium | casalemedia.com | https://dsum-sec.casalemedia.com/rum?cm_dsp_id=57&external_user_id=2020216318126327897&forward= |
| Magnite/Rubicon | Advertising | Medium | pixel.rubiconproject.com | https://pixel.rubiconproject.com/tap.php?v=6434&nid=2149&put=k-r6Gp5n2FsamVV9AK-crKQCKb8sZrfrJtCh6C_Q&expires=30 |
| PubMatic | Advertising | Medium | image2.pubmatic.com | https://image2.pubmatic.com/AdServer/Pug?vcode=bz0yJnR5cGU9MSZjb2RlPTI3MzkmdGw9MTI5NjAw==&piggybackCookie=20202163181263… |
| PubMatic | Advertising | Medium | image4.pubmatic.com | https://simage4.pubmatic.com/AdServer/SPug?partnerID=167352&partnerUID=uid:k-mw4opH2FsamVV9AK-crKQCKb8sacZLV7Mtjh_g |
| PubMatic | Advertising | Medium | image6.pubmatic.com | https://image6.pubmatic.com/AdServer/UCookieSetPug?rd=https%3A%2F%2Fpartner.mediawallahscript.com%2F%3Faccount_id%3D2030… |
Recent US privacy enforcement has shifted from reviewing policies in isolation to testing whether privacy mechanisms actually work. Regulators are checking opt-out flows, Global Privacy Control handling, tracking pixels, contracts with advertising vendors, sensitive-context sharing, and whether companies maintain an inventory of deployed tracking technologies.
The practical takeaway for consent-engine is direct: a report should not stop at "cookies fired." It should map observed network facts to the enforcement pattern they resemble and produce a tracking-technology inventory that privacy, legal, and engineering teams can review.
| Pattern | What to test | Why it matters |
|---|---|---|
| Opt-out mechanism failure | Reject-all flow, Do Not Sell or Share link, logged-in and logged-out state | California actions against Honda, Todd Snyder, Tractor Supply, Healthline, Disney, and others focus on whether opt-outs actually suppress sale/sharing activity. |
| GPC / universal opt-out failure | Sec-GPC: 1, navigator.globalPrivacyControl, and network traffic under the signal |
California, Connecticut, Colorado, Oregon, Minnesota, and other states treat universal opt-out signals as enforceable or soon-enforceable privacy choices. |
| Consent asymmetry and friction | Equal ease of accept vs reject, no verification for opt-out, no account creation requirement | Honda and Todd Snyder show that privacy UX and request mechanics can be standalone enforcement issues. |
| Vendor contract gaps | Whether ad-tech, analytics, and pixel vendors have purpose-limited CCPA contract terms | Healthline and Tractor Supply both included vendor-contract allegations, not only technical tracking allegations. |
| Sensitive-context sharing | Health, location, driving, video-viewing, financial, student, and child contexts | Healthline and GM show heightened risk when ad-tech or data-broker sharing touches sensitive context or precise location/driving data. |
| Minors and teens | Under-13, 13-15, student, game, streaming, and child-directed contexts | Jam City, Tilting Point, Roku, and related actions focus on child and teen data, affirmative opt-in, and default protections. |
| Inventory and scanning | Current list of cookies, pixels, SDKs, server-side endpoints, owners, purposes, and contracts | Tractor Supply required scanning digital properties to inventory tracking technologies. This makes inventory an enforcement artifact, not just a technical appendix. |
§1798.120 — Right to Opt Out of Sale
California consumers may direct any business to not sell their personal information. The business must:
- Post a "Do Not Sell My Personal Information" link on homepage
- Honor opt-out within 15 business days
- Not sell after receiving a valid opt-out request
CPRA Extension — Sharing for Cross-Context Behavioral Advertising (effective 2023)
Opt-out rights now cover "sharing" — defined as disclosing personal information for cross-context behavioral advertising, even with no money exchanged. This directly covers:
- Passing user identifiers (cookies, device IDs) to ad platforms
- Meta Pixel / Facebook retargeting
- Google Ads conversion tracking
- LinkedIn Insight Tag, TikTok Pixel when fired post-opt-out
- Third-party audience syndication
Key interpretation: A business does not need to receive money for a data transfer to be classified as a "sale." Passing cookies or behavioral data to any ad platform = sale under CCPA/CPRA.
CPRA regulations require businesses to honor the Sec-GPC: 1 HTTP header as a valid opt-out of sale and sharing. This is mandatory, not optional.
Enforcement action: The California Privacy Protection Agency (CPPA) has explicitly stated that failure to honor GPC is an enforceable violation without requiring prior notice to the business.
States that mandate GPC: California, Colorado, Connecticut, Texas, Montana, Oregon.
If an advertising pixel fires after receiving Sec-GPC: 1 from a California user → confirmed CPRA violation, per-consumer fine exposure.
As of 2026, 20+ U.S. jurisdictions enforce comprehensive consumer privacy laws. All share a common thread: consumers have the right to opt out of sale or sharing of personal information for targeted advertising. Businesses must honor that right.
Targeted advertising (consistent definition across all state laws): displaying ads based on personal data obtained from the consumer's activities across non-affiliated websites. This directly covers Meta Pixel retargeting, Google Ads remarketing, LinkedIn Insight Tag, TikTok Pixel.
The following states require honoring the Global Privacy Control (Sec-GPC: 1) as a valid opt-out:
| State | Law | GPC Required | Enforcement |
|---|---|---|---|
| California | CCPA/CPRA | Yes — mandatory, no notice required | CPPA + AG |
| Colorado | CPA | Yes | AG |
| Connecticut | CTDPA | Yes (as of Jan 2025) | AG |
| Texas | TDPSA | Yes | AG |
| Montana | MCDPA | Yes | AG |
| Oregon | OCPA | Yes (as of Jan 2026) | AG |
| New Jersey | NJDPA | Yes | AG |
Audit rule: If Sec-GPC: 1 is detected AND the user's IP resolves to any GPC-mandate state AND an advertising pixel fires → confirmed violation, per-consumer fine exposure.
The Global Privacy Control (GPC) is a browser-level privacy signal transmitted as an HTTP request header:
Sec-GPC: 1
When present, it signals that the user does not want their data sold or shared for targeted advertising. It is a machine-readable, universal opt-out mechanism.
| State | GPC Required | Notes |
|---|---|---|
| California | Mandatory | CPPA: non-compliance enforceable without prior notice |
| Colorado | Mandatory | |
| Connecticut | Mandatory (Jan 2025) | |
| Texas | Mandatory | |
| Montana | Mandatory | |
| Oregon | Mandatory (Jan 2026) | |
| New Jersey | Mandatory | |
| Virginia | Not required | |
| Iowa | Not required |
Disney — California AG, February 11, 2026 — $2.75 million (largest CCPA settlement)
- Opt-out mechanism was device-by-device and service-by-service — not account-wide
- User who opted out on Disney+ still tracked on ESPN+, Hulu, different devices
- CA AG: CCPA requires a universal opt-out, not per-device fragmentation
- Principle established: Opt-out must be honored across all services and devices associated with a consumer's account. Per-service opt-out = violation.
- Audit relevance: Any site/platform requiring repeated opt-out per device or service is non-compliant.
Tractor Supply — CPPA (California Privacy Protection Agency), September 30, 2025 — $1.35 million
- First major CPPA enforcement action (CPPA is separate from and acts independently of the AG)
- Violations: GPC signal not honored, inadequate privacy notice, job applicant rights not disclosed, personal data shared with third parties without proper data processing agreements
- Principle established: CPPA enforces independently — GPC non-compliance is a standalone CPPA violation, not just AG enforcement.
- Audit relevance: GPC + advertising pixel firing = citable CPPA enforcement precedent alongside Sephora.
Tilting Point Media — CPPA, July 2025 — $500,000
- Mobile-game publisher; allowed collection of children's personal information without obtaining parental consent or applying COPPA-required age-screening controls before sharing data with advertising SDKs
- Failed to honor opt-out preference signals (GPC) for users in California
- CPPA order required implementation of an age-screening mechanism, COPPA-aligned consent flow, and quarterly compliance reports for three years
- Principle established: Children's privacy under CCPA is a CPPA enforcement priority and overlaps with FTC's COPPA jurisdiction. Mobile games and any site with mixed-age users carry heightened risk.
Honda (American Honda Motor Co.) — CPPA, March 2024 — $632,500
- First CPPA settlement after the agency stood up its enforcement division
- Violations: required California consumers to verify their identity to submit opt-out and limit-use-of-sensitive-data requests (CCPA prohibits verification for these specific rights), required excessive personal information for authorized agent requests, asymmetric cookie-banner design favoring "accept" over "reject"
- Principle established: Opt-out requests must be one-click and may not require identity verification. Authorized-agent processes that demand extra documentation beyond CCPA's text are independent violations.
- Audit relevance: Any opt-out flow that asks for email confirmation, account login, or additional ID fields = direct Honda precedent.
DoorDash — California AG, February 2024 — $375,000
- DoorDash participated in a marketing co-op that exchanged customer personal information (names + addresses) with other businesses' lists in return for promotional access to those lists
- AG: this exchange constituted "sale" of personal information under CCPA, requiring opt-out disclosures DoorDash did not provide; also constituted "sharing" under CalOPPA and the federal CAN-SPAM Act
- Principle established: Non-monetary exchanges of personal information for "valuable consideration" (access to mailing lists, partner audiences, lookalike-modeling capacity) are CCPA sales requiring opt-out disclosure.
- Audit relevance: Lookalike-audience uploads to Meta or Google = same legal theory. Customer-match audiences are not exempt.
Todd Snyder — CPPA, May 2024 — $345,178
- Direct-to-consumer apparel retailer; CMP banner technically present but the opt-out link landed on a page that required users to fill in a five-field form (including driver's license upload) before any opt-out was honored — and even when submitted, opt-outs were intermittently ignored due to a misconfigured cookie banner that erased the user's choice within 40 days
- Principle established: Cookie-banner misconfiguration that fails to persist opt-out choices is a CCPA violation in its own right, separate from any disclosure or pixel-firing issue. Excessive verification on the opt-out path is a violation per Honda.
- Audit relevance: Any audit where the CMP exists but opt-out persistence is broken or where reject-flow requires more than email = direct Todd Snyder precedent.
Google — Texas AG, May 2025 — $1.375 billion
- Largest single-state privacy settlement in US history
- Location tracking persisted in Incognito mode; biometric data (voiceprints) collected without consent
- Statutes: Texas Data Privacy and Security Act (TDPSA) + Capture or Use of Biometric Identifier Act (CUBI) + DTPA
- Principle: State AGs outside California now pursue billion-dollar settlements. Texas, Florida, Washington have aggressive enforcement posture.
Sephora — California AG, October 2022 — $1.2 million
- First CCPA enforcement action
- Selling consumer data to advertising partners via pixel sharing without disclosing it as a "sale"
- Failing to honor GPC opt-out signals
- AG's complaint specifically cited Meta Pixel and Google Ads pixel-based data sharing as constituting "sale" of personal information
- Principle established: GPC = legally valid CCPA opt-out. Non-compliance = per-violation fine.
- Key insight: Money need not change hands for a pixel data transfer to be classified as "sale."
Tillamook County Creamery — California AG, 2022
- Settlement and corrective action required
- Advertising pixels continued firing after GPC signal received
- Part of AG's first GPC enforcement sweep
- Significance: Demonstrates GPC enforcement applies to mid-market brands, not just large tech
FTC v. Epic Games (Fortnite) — September 2022 — $275M + $245M
- $275M COPPA: default-on voice and video collection for minors
- $245M: dark UX patterns tricking children into in-app purchases
- Principle: Interactive entertainment with children requires opt-in consent; dark patterns carry FTC enforcement risk
Disney / Entertainment Sector — 2023–2025
- Class action lawsuits against Disney, NBC Universal, Hulu
- Allegations: Meta Pixel + similar tracking on health-adjacent and subscription content without disclosure
- Disney specifically: Pixel tracking on disneyplus.com and theme park booking pages alleged to share viewing habits with Meta
- VPPA cited alongside CCPA in streaming contexts
- Settlement exposure per action: $25–$100M range
Aspen Dental — FTC/State AGs
- Settled for $18.5M
- Used Meta and Google tracking tools transmitting sensitive health data without consent
- Multi-statute: California Confidentiality of Medical Information Act + CCPA + HIPAA-adjacent
- Established: health-adjacent content + advertising pixels = maximum exposure category
Live US privacy enforcement data from federal court dockets (CourtListener) and FTC press releases.
Covers CCPA, CIPA (California wiretap), VPPA, COPPA, and FTC Act privacy enforcement actions.
Last refreshed: 2026-04-22.
These are established by settled cases — use these in every US audit report:
| Principle | Case | Amount | Statute |
|---|---|---|---|
| GPC = mandatory opt-out, pixel data = "sale" | Sephora (CA AG, 2022) | $1.2M | CCPA/CPRA |
| Health data + ad pixels = maximum exposure | Aspen Dental (FTC/state AGs) | $18.5M | CMIA + CCPA |
| COPPA: default-on data collection for minors | Epic/Fortnite (FTC, 2022) | $275M | COPPA |
| Dark UX patterns carry FTC enforcement risk | Epic/Fortnite (FTC, 2022) | $245M | FTC Act |
| Pixel-as-sale: no money needed to be a "sale" | Multiple CA AG actions | Varies | CCPA §1798.140(t) |
| CIPA §631: recording web sessions = wiretap | Multiple district courts | $5K/violation | CIPA |
| VPPA: pixel shares video viewing = violation | Pending — circuit split | Class exposure | VPPA |
In 2024, nearly 4,000 online privacy lawsuits were filed — up from ~200 in 2023. The primary vehicle: plaintiffs' attorneys repurposing antiquated statutes to target standard web analytics. This is the most immediate financial threat to businesses using digital analytics, exceeding regulatory fines in urgency.
CIPA is a 1960s wiretapping statute now weaponized against web tracking. No actual damages required — $5,000 statutory penalty per violation. A single misconfigured pixel on a high-traffic site can generate tens of millions in theoretical liability within hours.
§ 631(a) — Wiretapping / Interception
- Target: Google Analytics, Meta Pixel, Hotjar session replay, any third-party analytics
- Theory: Third-party vendor code "intercepts" communications (clicks, keystrokes, form fills) between user and site without explicit prior consent
- Status: Extremely active. Courts divided on whether vendor = "tape recorder" extension of first party vs. independent eavesdropper
§ 632.7 — Cellular Eavesdropping
- Target: Mobile web browsing, integrated chat widgets
- Theory: Internet communications from smartphones = cellular communications under the statute
- Status: Active. Frequently filed alongside § 631(a) to multiply settlement pressure
§§ 638.50–.51 — Pen Register / Trap-and-Trace
- Target: IP address trackers, HTTP request headers, basic network routing analytics
- Theory: Software captures routing/signaling information = illegal trap-and-trace device
- Status: Emerging in 2026. Courts divided on applying 1990s telecom concepts to HTTP
CIPA lawsuits specifically exploit the gap between a site's privacy policy and the actual behavior of asynchronous JavaScript tags. If a policy says "we don't share data with unauthorized third parties" but a misconfigured Meta Pixel transmits a user's unhashed email or behavioral payload — the technical error fulfills the plaintiff's burden of proof automatically.