Consent Compliance Audit

https://www.ulta.com  ·  2026-06-04 04:20:29 UTC  ·  Definitive (Consent Wiring Broken: tags fire regardless of CMP state)

Consent Violation Detected

34 confirmed violations  ·  37 vendors analyzed  ·  Definitive (Consent Wiring Broken: tags fire regardless of CMP state)

Executive Summary

This point-in-time audit of https://www.ulta.com identified 34 confirmed technical findings under the S3 Consent Mode wiring-broken methodology. OneTrust was detected, Google Consent Mode remained in a GCS=G111 granted state after opt-out, and 27 pixel endpoints were observed after consent denial. The GPC test sent Sec-GPC: 1 and navigator.globalPrivacyControl=true; observed pixel activity decreased from 27 to 25 requests, so the audit marked the signal as not respected. These are technical observations for compliance review, not legal conclusions.

Estimated Exposure

Statutory + class-action exposure from observed violations

$1,127,777 to $29,550,000 range
Grounded in settled case outcomes, additive across statutes that apply to this scan.
CCPA §1798.150 / CPRA
Sephora (CA AG, 2022): $1.2M (GPC = mandatory opt-out, pixel data = "sale")
$100,000 to $1,200,000
CIPA §631 (pixel-as-wiretap)
Aspen Dental (FTC/state AGs): $18.5M (Health data + ad pixels = maximum exposure)
$1,027,777 to $18,500,000
Aggravated (evidence of intentional violation)
Tags fire regardless of CMP state: supports intentionality finding

Directional estimate. Actual liability scales with class size and intentionality findings. Anchored to published settlements (see Regulatory Basis below).

Methodology: Consent Wiring Broken Tags fire regardless of the CMP's stored consent state.

OneTrust was detected and denial was injected, but GCM beacons kept firing with GCS=G111 (all granted). Findings are supported by observed consent-signal evidence.

GPC Signal Test Ignored

Sec-GPC: 1 header sent on all requests
YES
navigator.globalPrivacyControl = true
YES
Site honored GPC signal
NO. 25 vendor pixels fired tracking after GPC was asserted
Baseline pixel firings (post opt-out)
27
Pixel firings under GPC
25

Under CCPA/CPRA, GPC is a legally binding opt-out signal. California's CPPA has stated GPC non-compliance is enforceable without prior notice.

GCS Signal
G111
Advanced Consent Mode active
GTM Container
Not detected
none
CMP Interaction
ccpa_optout
Jurisdiction
United States (CCPA / State Laws)
auto-detected from site signals
sGTM
Not detected
GPC Tested
Yes
Sec-GPC: 1 header
CMP Detected
OneTrust
High confidence
CMP Template
Ulta
Opt-out model · CA

Enforcement Pattern Map

Theme Severity Evidence Regulatory Context Action
Opt-out mechanism failure high 34 confirmed vendor finding(s); 27 pixel endpoint firing(s) Recent CPPA and California Attorney General matters focus on whether opt-out choices suppress downstream tracking, not merely whether an interface records a preference. Re-test reject-all and GPC paths after each tag or CMP change.
GPC / universal opt-out failure critical 25 pixel endpoint(s) fired under GPC; baseline=27, gpc=25 California, Connecticut, Colorado, Oregon, and other states treat opt-out preference signals as enforceable consumer choices. Map Sec-GPC: 1 and navigator.globalPrivacyControl to the same denied state used by manual opt-out.
Vendor and third-party governance high 52 inventory row(s) likely require sale/sharing review California enforcement has treated missing or overbroad ad-tech contract terms as a primary violation, not just a paperwork issue. Confirm each ad-tech, analytics, and pixel vendor has purpose-limited contract terms and is classified in the tracking inventory.
Tracking technology inventory info 55 inventory row(s) generated Recent orders require current inventories of tracking technologies and periodic scanning to catch drift. Review and export this inventory quarterly and after every tag release.

Tracking Technology Inventory

Vendor Evidence Category Opt-Out GPC Sale / Sharing Risk Contract Review Sensitive Context
1rx.io Cookie Targeting Observed Not Observed Likely Needed None inferred
Adobe Advertising Cookie Targeting Observed Not Observed Likely Needed None inferred
Adobe Audience Manager Cookie Targeting Observed Not Observed Likely Needed None inferred
AppNexus/Xandr Pixel Advertising Observed Observed Likely Needed None inferred
Beeswax Cookie Targeting Observed Not Observed Likely Needed None inferred
Bidswitch Pixel Advertising Observed Observed Likely Needed None inferred
bidswitch.net Cookie Targeting Observed Not Observed Likely Needed None inferred
Bing Ads UET Pixel Advertising Observed Observed Likely Needed None inferred
Casale Media Cookie Targeting Observed Not Observed Likely Needed None inferred
Criteo Cookie Targeting Observed Not Observed Likely Needed None inferred
Criteo Pixel Advertising Observed Observed Likely Needed None inferred
DoubleClick/DV360 Pixel Advertising Observed Observed Likely Needed None inferred
DoubleClick/Google Marketing Cookie Targeting Observed Not Observed Likely Needed None inferred
Dynatrace Cookie Analytics Observed Not Observed Possible Needed None inferred
Federated Media Publishing Cookie Targeting Observed Not Observed Likely Needed None inferred
Google Cookie Targeting Observed Not Observed Likely Needed None inferred
Google / DoubleClick Cookie Targeting Observed Not Observed Likely Needed None inferred
Google Ads Pixel Advertising Observed Observed Likely Needed None inferred
Google AdSense Cookie Targeting Observed Not Observed Likely Needed None inferred
HAproxy Cookie Functional Observed Not Observed Possible Low None inferred
Impact Pixel Advertising Observed Observed Likely Needed None inferred
Index Exchange Pixel Advertising Observed Observed Likely Needed None inferred
LinkedIn Insight Tag Pixel Advertising Observed Not Observed Likely Needed None inferred
LiveIntent Cookie Targeting Observed Not Observed Likely Needed None inferred
LiveRamp Pixel Advertising Observed Observed Likely Needed None inferred
Lotame Cookie Targeting Observed Not Observed Likely Needed None inferred
Magnite Cookie Targeting Observed Not Observed Likely Needed None inferred
Magnite/Rubicon Pixel Advertising Observed Observed Likely Needed None inferred
Mediamath Cookie Targeting Observed Not Observed Likely Needed None inferred
MediaMath Pixel Advertising Observed Not Observed Likely Needed None inferred
Mediarithmics Cookie Targeting Observed Not Observed Likely Needed None inferred
Meta Pixel Pixel Advertising Observed Observed Likely Needed None inferred
Microsoft / Bing Cookie Targeting Observed Not Observed Likely Needed None inferred
Nativo Cookie Targeting Observed Not Observed Likely Needed None inferred
openx.net Cookie Targeting Observed Not Observed Likely Needed None inferred
Pinterest Cookie Targeting Observed Not Observed Likely Needed None inferred
Pinterest Tag Pixel Advertising Observed Observed Likely Needed None inferred
PubMatic Cookie Targeting Observed Not Observed Likely Needed None inferred
PubMatic Pixel Advertising Observed Observed Likely Needed None inferred
Rapleaf Cookie Targeting Observed Not Observed Likely Needed None inferred
Reddit Cookie Targeting Observed Not Observed Likely Needed None inferred
Smartadserver Cookie Targeting Observed Not Observed Likely Needed None inferred
Snapchat Cookie Targeting Observed Not Observed Likely Needed None inferred
Snapchat Pixel Pixel Advertising Observed Observed Likely Needed None inferred
Taboola Cookie Targeting Observed Not Observed Likely Needed None inferred
Tapad Cookie Targeting Observed Not Observed Likely Needed None inferred
Tealium iQ Cookie Functional Observed Not Observed Possible Low None inferred
The Trade Desk Cookie Targeting Observed Not Observed Likely Needed None inferred
The Tradedesk Cookie Targeting Observed Not Observed Likely Needed None inferred
TikTok Cookie Targeting Observed Not Observed Likely Needed None inferred
TikTok Pixel Pixel Advertising Observed Observed Likely Needed None inferred
TradeDesk Pixel Advertising Observed Observed Likely Needed None inferred
TripleLift Cookie Targeting Observed Not Observed Likely Needed None inferred
Xandr Cookie Targeting Observed Not Observed Likely Needed None inferred
Yahoo Cookie Targeting Observed Not Observed Likely Needed None inferred

Vendor Tracking Findings

Vendor Signal / Cookie Category Legal Risk Status Observation
Snapchat X-AB, _scid, sc_at, _scid_r Targeting High Violation Snapchat fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
LiveIntent _li_ss, _li_ss, lidid Targeting Unknown Violation LiveIntent fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
Dynatrace rxVisitor, dtCookie Analytics Unknown Violation Dynatrace fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
TikTok _ttp, _tt_enable_cookie Targeting High Violation TikTok fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
Google _gcl_au, receive-cookie-deprecation Targeting Unknown Violation Google fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
Microsoft / Bing MUID, MR, MR Targeting Medium Violation Microsoft / Bing fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
Google / DoubleClick IDE Targeting High Review Required GCS=G111 in opted-out scan — active CMP overriding consent injection. Verify CMP configuration and re-test with banner click methodology.
Pinterest _pin_unauth, _pinterest_ct_ua Targeting Medium Violation Pinterest fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
DoubleClick/Google Marketing __gads Targeting Unknown Violation DoubleClick/Google Marketing fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
Google AdSense __gpi, __eoi Targeting Unknown Violation Google AdSense fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
Tapad TapAd_TS, TapAd_DID, TapAd_3WAY_SYNCS Targeting Unknown Violation Tapad fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
Criteo uid, cto_bundle, cto_bundle Targeting High Violation Criteo fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
Adobe Audience Manager demdex, dpm Targeting High Violation Adobe Audience Manager fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
Xandr XANDR_PANID, uuid2, anj Targeting Unknown Violation Xandr fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
openx.net i Targeting Unknown Violation openx.net fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
Casale Media CMID, CMPS, CMPRO Targeting Unknown Violation Casale Media fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
PubMatic KRTBCOOKIE_18, KADUSERCOOKIE, SPugT, KRTBCOOKIE_377, PugT Targeting Unknown Violation PubMatic fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
Adobe Advertising everest_g_v2 Targeting Unknown Violation Adobe Advertising fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
bidswitch.net tuuid, c, tuuid_lu Targeting Unknown Violation bidswitch.net fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
HAproxy SERVERID Functional Unknown No Evidence
The Trade Desk TDID Targeting High Violation The Trade Desk fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
Magnite khaos, khaos_p, tvid, tv_UICR, tv_UIRF, audit_p, audit Targeting Unknown Violation Magnite fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
Nativo visitor, status, ver Targeting Unknown Violation Nativo fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
Yahoo A3, IDSYNC Targeting Unknown Violation Yahoo fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
Smartadserver pid, TestIfCookieP, csync Targeting Unknown Violation Smartadserver fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
Lotame _cc_dc, _cc_id Targeting Medium Violation Lotame fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
TripleLift tluid Targeting Unknown Violation TripleLift fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
1rx.io _rxuuid Targeting Unknown Violation 1rx.io fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
Taboola t_gid, t_pt_gid Targeting Medium Violation Taboola fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
Federated Media Publishing ljt_reader Targeting Unknown Violation Federated Media Publishing fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
Mediamath uuid Targeting Unknown Violation Mediamath fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
Beeswax bito, bitoIsSecure Targeting Unknown Violation Beeswax fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
Mediarithmics mics_vid, mics_uaid, mics_lts Targeting Unknown Violation Mediarithmics fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
Tealium iQ utag_main Functional Low No Evidence
Reddit _rdt_uuid Targeting Medium Violation Reddit fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
The Tradedesk TDCPM Targeting Unknown Violation The Tradedesk fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.
Rapleaf rlas3, pxrc Targeting Unknown Violation Rapleaf fired tracking in opted-out consent state (GCS=G111). Advanced Consent Mode does not apply to non-Google vendors — they must be fully blocked when consent is denied, not converted to cookieless pings. Tag needs a consent gate in GTM or removal.

Consent Signal Breakdown

ParameterValuead_storageanalytics_storageNotes
GCS G111 granted granted Full consent granted, all signals active
GCD 13l3l3l3l1l1 Consent detail (V2 signal) Unknown state

CMP Runtime Configuration what the CMP itself reports

Captured directly from the CMP's JavaScript API during the scan. This is ground truth for what the CMP thinks it is doing. Mismatches between this and observed network behavior (below) are forensic evidence of CMP misconfiguration, not gray-area judgment calls.

CMPOneTrust
TemplateUlta
Geolocation RuleGlobal
Geo CountryCA
Consent ModelOpt-out
Script Version202601.2.0
Expected Cookies (by category)
C0007: 58 cookies declared
C0001: 26 cookies declared
C0002: 128 cookies declared
C0003: 20 cookies declared
C0004: 185 cookies declared

Consent Event Stream dataLayer pushes (consent-only)

Consent-related pushes captured from window.dataLayer, in firing order. Race conditions (CMP loading after the first GA hit, default-granted defaults that should be denied) surface here. Non-consent events (page_view, click, ecommerce) are intentionally filtered out.

# Source Event Params
0 onetrust_loaded OneTrustLoaded
OnetrustActiveGroups: ,C0001,
2 onetrust_groups_updated OneTrustGroupsUpdated
OnetrustActiveGroups: ,C0001,
3 onetrust_loaded OneTrustLoaded
OnetrustActiveGroups: ,C0001,
5 onetrust_groups_updated OneTrustGroupsUpdated
OnetrustActiveGroups: ,C0001,

Remediation Steps

  1. Snapchat (X-AB, _scid, sc_at, _scid_r) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  2. LiveIntent (_li_ss, _li_ss, lidid) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  3. Dynatrace RUM (rxVisitor, dtCookie) is firing without consent. Either (a) gate the Dynatrace tag in GTM behind functional_storage = granted, or (b) call dtrum.disable() on page load when consent is denied.
  4. TikTok (_ttp, _tt_enable_cookie) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  5. Google Ads (_gcl_au, receive-cookie-deprecation) conversion linker fired despite opted-out. In GTM, open the Google Ads / Conversion Linker tag and enable ads_data_redaction. Confirm Additional Consent Settings require ad_storage + ad_user_data + ad_personalization.
  6. Microsoft / Bing (MUID, MR, MR) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  7. Pinterest (_pin_unauth, _pinterest_ct_ua) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  8. DoubleClick/Google Marketing (__gads) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  9. Google AdSense (__gpi, __eoi) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  10. Tapad (TapAd_TS, TapAd_DID, TapAd_3WAY_SYNCS) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  11. Criteo (uid, cto_bundle, cto_bundle) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  12. Adobe Audience Manager (demdex, dpm) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  13. Xandr (XANDR_PANID, uuid2, anj) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  14. openx.net (i) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  15. Casale Media (CMID, CMPS, CMPRO) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  16. PubMatic (KRTBCOOKIE_18, KADUSERCOOKIE, SPugT, KRTBCOOKIE_377, PugT) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  17. Adobe Advertising (everest_g_v2) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  18. bidswitch.net (tuuid, c, tuuid_lu) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  19. The Trade Desk (TDID) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  20. Magnite (khaos, khaos_p, tvid, tv_UICR, tv_UIRF, audit_p, audit) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  21. Nativo (visitor, status, ver) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  22. Yahoo (A3, IDSYNC) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  23. Smartadserver (pid, TestIfCookieP, csync) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  24. Lotame (_cc_dc, _cc_id) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  25. TripleLift (tluid) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  26. 1rx.io (_rxuuid) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  27. Taboola (t_gid, t_pt_gid) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  28. Federated Media Publishing (ljt_reader) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  29. Mediamath (uuid) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  30. Beeswax (bito, bitoIsSecure) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  31. Mediarithmics (mics_vid, mics_uaid, mics_lts) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  32. Reddit (_rdt_uuid) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  33. The Tradedesk (TDCPM) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.
  34. Rapleaf (rlas3, pxrc) fired tracking despite GCS=G111. Verify the tag has consent settings configured in your tag manager and that the CMP reject-all path maps to denied consent for the appropriate storage categories.

Open Gaps requires manual follow-up

  • GPC signal not respected. 25 tracking pixels fired after Sec-GPC: 1 was asserted. Under CCPA/CPRA, GPC is a legally binding opt-out signal. California's CPPA has stated GPC non-compliance is enforceable without prior notice.

Pixel Endpoint Evidence network-level evidence

Pixel endpoints observed in network traffic after consent denial. The same evidentiary pattern that demand-letter plaintiffs (Swigart, Vivek Shah, et al.) source from auto-scans of business websites in CIPA/CCPA class actions, surfaced here defensively, on your side of the table.
Vendor Category Exposure Endpoint Matched Full URL
Bing Ads UET Advertising High bat.bing.com/action https://bat.bing.com/action/0?ti=4025993&Ver=2&_rnd=0.52446465481837
Criteo Advertising High sslwidget.criteo.com https://sslwidget.criteo.com/event?a=8463&v=5.46.0&uat=0&p0=e%3Dce%26m%3D%255B%255D%26h%3Dsha256&p1=e%3Dexd%26ci%3D2c33e…
DoubleClick/DV360 Advertising High ad.doubleclick.net https://ad.doubleclick.net/activity;src=14666520;type=ultasale;cat=131277289;rcb=5;ord=8625700733253;npa=0;auiddc=168044…
DoubleClick/DV360 Advertising High doubleclick.net/activityi; https://4728858.fls.doubleclick.net/activityi;src=4728858;type=21ulb1;cat=2022ubdu;EuPoliticalAdsDeclaration=DOES_NOT_CO…
DoubleClick/DV360 Advertising High fls.doubleclick.net https://4728858.fls.doubleclick.net/activityi;src=4728858;type=21ulb1;cat=2022ubdu;EuPoliticalAdsDeclaration=DOES_NOT_CO…
LinkedIn Insight Tag Advertising High px.ads.linkedin.com https://px.ads.linkedin.com/db_sync?pid=16261&puuid=bca961e8-6491-4f84-91a2-0c4cb207d3ec&rand=1780546826
LiveRamp Advertising High launchpad.privacymanager.io https://launchpad.privacymanager.io/latest/launchpad.bundle.js
LiveRamp Advertising High idsync.rlcdn.com https://idsync.rlcdn.com/360947.gif?partner_uid=2020216318126327897
MediaMath Advertising High sync.mathtag.com https://sync.mathtag.com/sync/img?mt_exid=10103&redirect=https://partner.mediawallahscript.com/?account_id=2036&partner_…
Meta Pixel Advertising High connect.facebook.net/en_US/fbevents.js https://connect.facebook.net/en_US/fbevents.js
Meta Pixel Advertising High facebook.com/tr/ https://www.facebook.com/tr/?id=558224355430197&ev=PageView&dl=https%3A%2F%2Fwww.ulta.com%2F&rl=&if=false&ts=17805468253…
Pinterest Tag Advertising High ct.pinterest.com/user https://ct.pinterest.com/user/?tid=2620892613526&ov=%7B%22page_name%22%3A%22Ulta%20Beauty%20%7C%20Makeup%2C%20Skin%20Car…
Pinterest Tag Advertising High ct.pinterest.com/v3 https://ct.pinterest.com/v3/?tid=2620892613526&ov=%7B%22page_name%22%3A%22Ulta%20Beauty%20%7C%20Makeup%2C%20Skin%20Care%…
Snapchat Pixel Advertising High tr.snapchat.com/p https://tr.snapchat.com/p
TikTok Pixel Advertising High analytics.tiktok.com/i18n/pixel https://analytics.tiktok.com/i18n/pixel/events.js?sdkid=CQ2N213C77U8BDE394M0&lib=ttq
TikTok Pixel Advertising High analytics.tiktok.com/api/v2/pixel https://analytics.tiktok.com/api/v2/pixel
TradeDesk Advertising High js.adsrvr.org https://js.adsrvr.org/up_loader.3.0.0.js
TradeDesk Advertising High match.adsrvr.org https://match.adsrvr.org/track/cmf/generic?ttd_pid=vxsrv3i&ttd_tpi=1
AppNexus/Xandr Advertising Medium secure.adnxs.com https://secure.adnxs.com/getuid?https://partner.mediawallahscript.com/?account_id=2016&partner_id=2087&uid=$UID&tag_form…
Bidswitch Advertising Medium bidswitch.net https://x.bidswitch.net/sync?dsp_id=119&user_id=2020216318126327897&expires=30&gdpr=&gdpr_consent=&gdpr_pd={GDPR_PD}
Google Ads Advertising Medium googlesyndication.com https://f9bfedf34305c9e280466e1905458236.safeframe.googlesyndication.com/safeframe/1-0-45/html/container.html
Impact Advertising Medium d.impactradius-event.com https://d.impactradius-event.com/A119822-1eb0-43de-95fe-3053aaab3d711.js
Index Exchange Advertising Medium casalemedia.com https://dsum-sec.casalemedia.com/rum?cm_dsp_id=57&external_user_id=2020216318126327897&forward=
Magnite/Rubicon Advertising Medium pixel.rubiconproject.com https://pixel.rubiconproject.com/tap.php?v=6434&nid=2149&put=k-r6Gp5n2FsamVV9AK-crKQCKb8sZrfrJtCh6C_Q&expires=30
PubMatic Advertising Medium image2.pubmatic.com https://image2.pubmatic.com/AdServer/Pug?vcode=bz0yJnR5cGU9MSZjb2RlPTI3MzkmdGw9MTI5NjAw==&piggybackCookie=20202163181263…
PubMatic Advertising Medium image4.pubmatic.com https://simage4.pubmatic.com/AdServer/SPug?partnerID=167352&partnerUID=uid:k-mw4opH2FsamVV9AK-crKQCKb8sacZLV7Mtjh_g
PubMatic Advertising Medium image6.pubmatic.com https://image6.pubmatic.com/AdServer/UCookieSetPug?rd=https%3A%2F%2Fpartner.mediawallahscript.com%2F%3Faccount_id%3D2030…

Regulatory Basis

US Privacy Enforcement Patterns, 2025-2026

Why this matters

Recent US privacy enforcement has shifted from reviewing policies in isolation to testing whether privacy mechanisms actually work. Regulators are checking opt-out flows, Global Privacy Control handling, tracking pixels, contracts with advertising vendors, sensitive-context sharing, and whether companies maintain an inventory of deployed tracking technologies.

The practical takeaway for consent-engine is direct: a report should not stop at "cookies fired." It should map observed network facts to the enforcement pattern they resemble and produce a tracking-technology inventory that privacy, legal, and engineering teams can review.

Enforcement patterns to test

Pattern What to test Why it matters
Opt-out mechanism failure Reject-all flow, Do Not Sell or Share link, logged-in and logged-out state California actions against Honda, Todd Snyder, Tractor Supply, Healthline, Disney, and others focus on whether opt-outs actually suppress sale/sharing activity.
GPC / universal opt-out failure Sec-GPC: 1, navigator.globalPrivacyControl, and network traffic under the signal California, Connecticut, Colorado, Oregon, Minnesota, and other states treat universal opt-out signals as enforceable or soon-enforceable privacy choices.
Consent asymmetry and friction Equal ease of accept vs reject, no verification for opt-out, no account creation requirement Honda and Todd Snyder show that privacy UX and request mechanics can be standalone enforcement issues.
Vendor contract gaps Whether ad-tech, analytics, and pixel vendors have purpose-limited CCPA contract terms Healthline and Tractor Supply both included vendor-contract allegations, not only technical tracking allegations.
Sensitive-context sharing Health, location, driving, video-viewing, financial, student, and child contexts Healthline and GM show heightened risk when ad-tech or data-broker sharing touches sensitive context or precise location/driving data.
Minors and teens Under-13, 13-15, student, game, streaming, and child-directed contexts Jam City, Tilting Point, Roku, and related actions focus on child and teen data, affirmative opt-in, and default protections.
Inventory and scanning Current list of cookies, pixels, SDKs, server-side endpoints, owners, purposes, and contracts Tractor Supply required scanning digital properties to inventory tracking technologies. This makes inventory an enforcement artifact, not just a technical appendix.
CCPA/CPRA — California Consumer Privacy Act

Core Rights

§1798.120 — Right to Opt Out of Sale
California consumers may direct any business to not sell their personal information. The business must:
- Post a "Do Not Sell My Personal Information" link on homepage
- Honor opt-out within 15 business days
- Not sell after receiving a valid opt-out request

CPRA Extension — Sharing for Cross-Context Behavioral Advertising (effective 2023)
Opt-out rights now cover "sharing" — defined as disclosing personal information for cross-context behavioral advertising, even with no money exchanged. This directly covers:
- Passing user identifiers (cookies, device IDs) to ad platforms
- Meta Pixel / Facebook retargeting
- Google Ads conversion tracking
- LinkedIn Insight Tag, TikTok Pixel when fired post-opt-out
- Third-party audience syndication

Key interpretation: A business does not need to receive money for a data transfer to be classified as a "sale." Passing cookies or behavioral data to any ad platform = sale under CCPA/CPRA.

Global Privacy Control (GPC)

CPRA regulations require businesses to honor the Sec-GPC: 1 HTTP header as a valid opt-out of sale and sharing. This is mandatory, not optional.

Enforcement action: The California Privacy Protection Agency (CPPA) has explicitly stated that failure to honor GPC is an enforceable violation without requiring prior notice to the business.

States that mandate GPC: California, Colorado, Connecticut, Texas, Montana, Oregon.

If an advertising pixel fires after receiving Sec-GPC: 1 from a California user → confirmed CPRA violation, per-consumer fine exposure.

U.S. State Privacy Laws — 2026 Landscape

Overview

As of 2026, 20+ U.S. jurisdictions enforce comprehensive consumer privacy laws. All share a common thread: consumers have the right to opt out of sale or sharing of personal information for targeted advertising. Businesses must honor that right.

Targeted advertising (consistent definition across all state laws): displaying ads based on personal data obtained from the consumer's activities across non-affiliated websites. This directly covers Meta Pixel retargeting, Google Ads remarketing, LinkedIn Insight Tag, TikTok Pixel.

States with GPC Mandate (Critical for Audits)

The following states require honoring the Global Privacy Control (Sec-GPC: 1) as a valid opt-out:

State Law GPC Required Enforcement
California CCPA/CPRA Yes — mandatory, no notice required CPPA + AG
Colorado CPA Yes AG
Connecticut CTDPA Yes (as of Jan 2025) AG
Texas TDPSA Yes AG
Montana MCDPA Yes AG
Oregon OCPA Yes (as of Jan 2026) AG
New Jersey NJDPA Yes AG

Audit rule: If Sec-GPC: 1 is detected AND the user's IP resolves to any GPC-mandate state AND an advertising pixel fires → confirmed violation, per-consumer fine exposure.

Global Privacy Control (GPC) Signal

What It Is

The Global Privacy Control (GPC) is a browser-level privacy signal transmitted as an HTTP request header:
Sec-GPC: 1

When present, it signals that the user does not want their data sold or shared for targeted advertising. It is a machine-readable, universal opt-out mechanism.

Legal Status by State

State GPC Required Notes
California Mandatory CPPA: non-compliance enforceable without prior notice
Colorado Mandatory
Connecticut Mandatory (Jan 2025)
Texas Mandatory
Montana Mandatory
Oregon Mandatory (Jan 2026)
New Jersey Mandatory
Virginia Not required
Iowa Not required
U.S. Privacy Enforcement — Key Cases

Regulatory Actions

Disney — California AG, February 11, 2026 — $2.75 million (largest CCPA settlement)
- Opt-out mechanism was device-by-device and service-by-service — not account-wide
- User who opted out on Disney+ still tracked on ESPN+, Hulu, different devices
- CA AG: CCPA requires a universal opt-out, not per-device fragmentation
- Principle established: Opt-out must be honored across all services and devices associated with a consumer's account. Per-service opt-out = violation.
- Audit relevance: Any site/platform requiring repeated opt-out per device or service is non-compliant.

Tractor Supply — CPPA (California Privacy Protection Agency), September 30, 2025 — $1.35 million
- First major CPPA enforcement action (CPPA is separate from and acts independently of the AG)
- Violations: GPC signal not honored, inadequate privacy notice, job applicant rights not disclosed, personal data shared with third parties without proper data processing agreements
- Principle established: CPPA enforces independently — GPC non-compliance is a standalone CPPA violation, not just AG enforcement.
- Audit relevance: GPC + advertising pixel firing = citable CPPA enforcement precedent alongside Sephora.

Tilting Point Media — CPPA, July 2025 — $500,000
- Mobile-game publisher; allowed collection of children's personal information without obtaining parental consent or applying COPPA-required age-screening controls before sharing data with advertising SDKs
- Failed to honor opt-out preference signals (GPC) for users in California
- CPPA order required implementation of an age-screening mechanism, COPPA-aligned consent flow, and quarterly compliance reports for three years
- Principle established: Children's privacy under CCPA is a CPPA enforcement priority and overlaps with FTC's COPPA jurisdiction. Mobile games and any site with mixed-age users carry heightened risk.

Honda (American Honda Motor Co.) — CPPA, March 2024 — $632,500
- First CPPA settlement after the agency stood up its enforcement division
- Violations: required California consumers to verify their identity to submit opt-out and limit-use-of-sensitive-data requests (CCPA prohibits verification for these specific rights), required excessive personal information for authorized agent requests, asymmetric cookie-banner design favoring "accept" over "reject"
- Principle established: Opt-out requests must be one-click and may not require identity verification. Authorized-agent processes that demand extra documentation beyond CCPA's text are independent violations.
- Audit relevance: Any opt-out flow that asks for email confirmation, account login, or additional ID fields = direct Honda precedent.

DoorDash — California AG, February 2024 — $375,000
- DoorDash participated in a marketing co-op that exchanged customer personal information (names + addresses) with other businesses' lists in return for promotional access to those lists
- AG: this exchange constituted "sale" of personal information under CCPA, requiring opt-out disclosures DoorDash did not provide; also constituted "sharing" under CalOPPA and the federal CAN-SPAM Act
- Principle established: Non-monetary exchanges of personal information for "valuable consideration" (access to mailing lists, partner audiences, lookalike-modeling capacity) are CCPA sales requiring opt-out disclosure.
- Audit relevance: Lookalike-audience uploads to Meta or Google = same legal theory. Customer-match audiences are not exempt.

Todd Snyder — CPPA, May 2024 — $345,178
- Direct-to-consumer apparel retailer; CMP banner technically present but the opt-out link landed on a page that required users to fill in a five-field form (including driver's license upload) before any opt-out was honored — and even when submitted, opt-outs were intermittently ignored due to a misconfigured cookie banner that erased the user's choice within 40 days
- Principle established: Cookie-banner misconfiguration that fails to persist opt-out choices is a CCPA violation in its own right, separate from any disclosure or pixel-firing issue. Excessive verification on the opt-out path is a violation per Honda.
- Audit relevance: Any audit where the CMP exists but opt-out persistence is broken or where reject-flow requires more than email = direct Todd Snyder precedent.

Google — Texas AG, May 2025 — $1.375 billion
- Largest single-state privacy settlement in US history
- Location tracking persisted in Incognito mode; biometric data (voiceprints) collected without consent
- Statutes: Texas Data Privacy and Security Act (TDPSA) + Capture or Use of Biometric Identifier Act (CUBI) + DTPA
- Principle: State AGs outside California now pursue billion-dollar settlements. Texas, Florida, Washington have aggressive enforcement posture.

Sephora — California AG, October 2022 — $1.2 million
- First CCPA enforcement action
- Selling consumer data to advertising partners via pixel sharing without disclosing it as a "sale"
- Failing to honor GPC opt-out signals
- AG's complaint specifically cited Meta Pixel and Google Ads pixel-based data sharing as constituting "sale" of personal information
- Principle established: GPC = legally valid CCPA opt-out. Non-compliance = per-violation fine.
- Key insight: Money need not change hands for a pixel data transfer to be classified as "sale."

Tillamook County Creamery — California AG, 2022
- Settlement and corrective action required
- Advertising pixels continued firing after GPC signal received
- Part of AG's first GPC enforcement sweep
- Significance: Demonstrates GPC enforcement applies to mid-market brands, not just large tech

FTC v. Epic Games (Fortnite) — September 2022 — $275M + $245M
- $275M COPPA: default-on voice and video collection for minors
- $245M: dark UX patterns tricking children into in-app purchases
- Principle: Interactive entertainment with children requires opt-in consent; dark patterns carry FTC enforcement risk


Class Action Litigation

Disney / Entertainment Sector — 2023–2025
- Class action lawsuits against Disney, NBC Universal, Hulu
- Allegations: Meta Pixel + similar tracking on health-adjacent and subscription content without disclosure
- Disney specifically: Pixel tracking on disneyplus.com and theme park booking pages alleged to share viewing habits with Meta
- VPPA cited alongside CCPA in streaming contexts
- Settlement exposure per action: $25–$100M range

Aspen Dental — FTC/State AGs
- Settled for $18.5M
- Used Meta and Google tracking tools transmitting sensitive health data without consent
- Multi-statute: California Confidentiality of Medical Information Act + CCPA + HIPAA-adjacent
- Established: health-adjacent content + advertising pixels = maximum exposure category


US Privacy Enforcement — Live Database

Overview

Live US privacy enforcement data from federal court dockets (CourtListener) and FTC press releases.
Covers CCPA, CIPA (California wiretap), VPPA, COPPA, and FTC Act privacy enforcement actions.
Last refreshed: 2026-04-22.


Key Enforcement Principles (Always Cite First)

These are established by settled cases — use these in every US audit report:

Principle Case Amount Statute
GPC = mandatory opt-out, pixel data = "sale" Sephora (CA AG, 2022) $1.2M CCPA/CPRA
Health data + ad pixels = maximum exposure Aspen Dental (FTC/state AGs) $18.5M CMIA + CCPA
COPPA: default-on data collection for minors Epic/Fortnite (FTC, 2022) $275M COPPA
Dark UX patterns carry FTC enforcement risk Epic/Fortnite (FTC, 2022) $245M FTC Act
Pixel-as-sale: no money needed to be a "sale" Multiple CA AG actions Varies CCPA §1798.140(t)
CIPA §631: recording web sessions = wiretap Multiple district courts $5K/violation CIPA
VPPA: pixel shares video viewing = violation Pending — circuit split Class exposure VPPA

CIPA and VPPA — Litigation Risk for Web Tracking

The Litigation Explosion

In 2024, nearly 4,000 online privacy lawsuits were filed — up from ~200 in 2023. The primary vehicle: plaintiffs' attorneys repurposing antiquated statutes to target standard web analytics. This is the most immediate financial threat to businesses using digital analytics, exceeding regulatory fines in urgency.


California Invasion of Privacy Act (CIPA)

CIPA is a 1960s wiretapping statute now weaponized against web tracking. No actual damages required — $5,000 statutory penalty per violation. A single misconfigured pixel on a high-traffic site can generate tens of millions in theoretical liability within hours.

Three CIPA Theories

§ 631(a) — Wiretapping / Interception
- Target: Google Analytics, Meta Pixel, Hotjar session replay, any third-party analytics
- Theory: Third-party vendor code "intercepts" communications (clicks, keystrokes, form fills) between user and site without explicit prior consent
- Status: Extremely active. Courts divided on whether vendor = "tape recorder" extension of first party vs. independent eavesdropper

§ 632.7 — Cellular Eavesdropping
- Target: Mobile web browsing, integrated chat widgets
- Theory: Internet communications from smartphones = cellular communications under the statute
- Status: Active. Frequently filed alongside § 631(a) to multiply settlement pressure

§§ 638.50–.51 — Pen Register / Trap-and-Trace
- Target: IP address trackers, HTTP request headers, basic network routing analytics
- Theory: Software captures routing/signaling information = illegal trap-and-trace device
- Status: Emerging in 2026. Courts divided on applying 1990s telecom concepts to HTTP

CIPA Audit Implication

CIPA lawsuits specifically exploit the gap between a site's privacy policy and the actual behavior of asynchronous JavaScript tags. If a policy says "we don't share data with unauthorized third parties" but a misconfigured Meta Pixel transmits a user's unhashed email or behavioral payload — the technical error fulfills the plaintiff's burden of proof automatically.


Manual Validation Checklist

Reproduce each finding in a browser to confirm audit accuracy. All steps assume incognito mode with a California VPN or geolocation override.
1. CMP Banner Presence
Check: Verify OneTrust appears for California visitors.
Steps: Open an incognito window. Use a VPN set to a California location (or Chrome DevTools > Sensors > Location). Navigate to the site. The consent banner should appear on first visit.
Expected: Banner appears with Reject/Deny option.
2. Cookie Persistence After Opt-Out
Check: Confirm violating vendor cookies persist after clicking Reject All: Snapchat, LiveIntent, Dynatrace, TikTok, Google, Microsoft / Bing.
Steps: In incognito (CA VPN): (1) Navigate to site, (2) Click 'Reject All' or equivalent, (3) Open DevTools > Application > Cookies, (4) Search for: X-AB, _scid, _li_ss, _li_ss, rxVisitor, dtCookie. Reload the page and check again.
Expected: If cookies from these vendors are present after opt-out, the violation is confirmed. If cookies are cleared on reject but reappear after reload, the CMP clears cookies but tags re-fire them on the next page load (still a violation).
3. Consent Mode Integration (GCS=G111)
Check: Verify CMP is NOT updating Google Consent Mode on opt-out.
Steps: In incognito (CA VPN): (1) Navigate to site, (2) Open DevTools > Console, (3) Click Reject All, (4) Run: document.cookie.split(';').find(c => c.trim().startsWith('GCS=')) or check Network tab for any google request containing 'gcs=' parameter. Also check: dataLayer.push events for 'consent' or 'update'.
Expected: Our scan found GCS=G111 (both granted) AFTER opt-out. If you see the same, the CMP is not propagating consent denial to Google tags. Expected correct value after opt-out: G100 (both denied).
4. Network Pixel Firing Post-Denial
Check: Verify tracking pixels fire after opt-out: Bing Ads UET, Criteo, DoubleClick/DV360, DoubleClick/DV360.
Steps: In incognito (California VPN): (1) Navigate to site, (2) Open DevTools > Network, (3) Click Reject All, (4) Reload page, (5) Filter network requests for: bat.bing.com/action, sslwidget.criteo.com, ad.doubleclick.net, doubleclick.net/activityi;. Look for outbound requests to these domains/paths.
Expected: If these requests appear in network traffic after clicking Reject All, the pixels are firing despite consent denial. Each request is independent forensic evidence, the same pattern plaintiff law firms source for CIPA/CCPA claims.
5. GPC Signal (Sec-GPC: 1)
Check: Verify the site respects the Global Privacy Control signal.
Steps: Install a GPC browser extension (e.g., OptMeowt or Privacy Badger with GPC enabled). Navigate to the site. Check: (1) Does the CMP auto-set to opt-out? (2) In DevTools > Network, do request headers include 'Sec-GPC: 1'? (3) Does navigator.globalPrivacyControl return true in Console?
Expected: The CMP should auto-deny consent when GPC is detected. Under CCPA/CPRA, GPC is a legally binding opt-out signal. California's CPPA has stated GPC non-compliance is enforceable without prior notice.
Next step
Want help turning these findings into a remediation plan?
Reach out to walk the findings with Kenneth.
Get in Touch →