Waivern Consent Analyser Beta Test Release
AI-Enhanced Compliance Report

https://sfchronicle.com  ·  CMP: Unknown / Not detected   🤖 AI analysis active
5 FAIL · 21 PASS · 10 MANUAL

There’s more to GDPR compliance than cookies

This tool checks your site’s compliance with the ePrivacy Directive’s cookie consent requirements — but GDPR places many additional obligations on organisations that collect personal data. Lawful basis assessments, privacy notices, data subject rights procedures, and data processor agreements are just a few of the areas this tool cannot evaluate.

If you’d like a fuller picture of your compliance position, Waivern combines automated scanning tools like this one with experienced privacy and legal professionals who can assess your entire data protection programme. Our ongoing compliance support starts from just £200/month (ex. VAT) — straightforward, predictable pricing with no surprises.

Get in touch →

Consent State Screenshots — assessed by AI for K.1/K.2/K.3

Layer 1 — Initial banner (before interaction): pre_consent
Layer 2 — After Accept All (consent baseline): post_accept
After Reject All (post-rejection state): post_reject

AI Executive Summary

Overall Risk: HIGH

SF Chronicle operates with significant GDPR/ePrivacy violations that would similarly violate EU data protection standards applicable to EU visitors. The site deploys non-essential tracking cookies without proper consent mechanisms, lacks transparent cookie documentation, provides no withdrawal mechanism, and potentially implements a cookie wall blocking content access. Multiple FullStory analytics cookies are set without meeting strictly necessary exemptions, creating substantial compliance risks for EU data subjects.

Remediation Roadmap

  1. Implement compliant consent management system with opt-in before any non-essential cookie deployment (high) — Addresses core consent violations and provides withdrawal mechanism required by GDPR Article 7(3)
  2. Remove cookie wall or implement compliant consent-or-pay model with genuine choice (medium) — Eliminates forced consent scenario that violates GDPR freely given requirements
  3. Create comprehensive cookie policy documenting all deployed cookies (low) — Establishes transparency baseline and enables informed user decisions about data processing
  4. Audit and categorize all cookies to identify strictly necessary exemptions (medium) — Reduces consent scope to genuinely optional processing while maintaining essential site functionality
  5. Implement technical measures to prevent cookie deployment before consent (high) — Ensures data protection by design compliance and prevents unlawful processing initiation

Detailed Findings

🤖 = AI-assessed  ·  👁 = Vision (screenshot)  ·  HIGH MEDIUM LOW = risk level from legal analysis

B. Pre-Consent State 0 FAIL   5 PASS   0 MANUAL
B.1 No tracking requests before consent banner interaction
✓ PASS

No consent-required domains observed before the consent signal.

B.2 No analytics/marketing cookies in Storage pre-consent
✓ PASS

No advertising cookies found in Storage before consent.

B.3 JS tracker globals return undefined pre-consent
✓ PASS

All probed tracker globals are undefined pre-consent.

B.4 No tracking identifiers in localStorage/sessionStorage pre-consent
✓ PASS

No tracking keys found in web storage pre-consent.

B.5 Non-essential scripts have type=text/plain (CMP-blocked) in DOM
✓ PASS

All tracking scripts in DOM appear to be CMP-blocked (type=text/plain) or absent.

C. Baseline Capture 0 FAIL   0 PASS   1 MANUAL
C.2 Third-party domains active after Accept All
☐ MANUAL

No post-accept phase detected. Was 'Accept All' clicked during recording?

C.3 Full cookie inventory (with expiry, HttpOnly, Secure, SameSite) after Accept All
ℹ INFO

6 cookies in storage after Accept All (full metadata).

| name | domain | expires_days | http_only | secure | same_site | classification |
|---|---|---|---|---|---|---|
| location_data | www.sfchronicle.com | session | False | True | Strict | UNKNOWN |
| hnpdiudpf1 | .sfchronicle.com | 365.0 | True | True | Lax | UNKNOWN |
| hnpdiudpf2 | .sfchronicle.com | session | False | True | Lax | UNKNOWN |
| ab_bucket | www.sfchronicle.com | 365.0 | False | True | None | UNKNOWN |
| _fs_ch_cp_79UUvfpJ5mWYtLQv | www.sfchronicle.com | 0.0 | True | False | Lax | UNKNOWN |
| _fs_ch_st_FSBmUei20MqUiJb9 | www.sfchronicle.com | 0.0 | True | False | Lax | UNKNOWN |

C.4 Tracker JS globals active after Accept All (baseline)
ℹ INFO

Globals defined after consent: []

D. Decline Non-Essential Consent 0 FAIL   1 PASS   0 MANUAL
D.4 Reject requires no more clicks than Accept (EDPB symmetry)
✓ PASS

Accept and Reject both require 1 click(s). Symmetric.

| accept_clicks | reject_clicks | extra_clicks_to_reject | reject_required_manage_panel |
|---|---|---|---|
| 1 | 1 | 0 | True |

E. Network Request Verification 0 FAIL   0 PASS   4 MANUAL
E.1 Network requests after reject-all
☐ MANUAL

No post-reject phase detected in this HAR.

E.2 Network requests after reject-all
☐ MANUAL

No post-reject phase detected in this HAR.

E.3 Network requests after reject-all
☐ MANUAL

No post-reject phase detected in this HAR.

E.4 No tracking on subsequent pages after reject
☐ MANUAL

No subpages captured.

F. Cookie Verification (Third-Party) 0 FAIL   2 PASS   1 MANUAL
F.1 No non-essential cookies after reject-all
☐ MANUAL

No post-reject phase detected.

F.2 document.cookie contains only essential cookies post-reject
✓ PASS

No advertising cookies visible in document.cookie post-reject.

doc_cookie_snippet
location_data={"is_eu":true,"country_code":"NL","postal_code":"1"}; hnpdiudpf2=fiqe0KH5kJz7AFEcZYKNIZKfrXjTadVxpt9zGg4FgPo=; ab_bucket=48
F.3 No tracking identifiers in web storage post-reject
✓ PASS

No tracking identifiers found in localStorage/sessionStorage post-reject.

G. First-Party Cookie Classification 2 FAIL   3 PASS   1 MANUAL
G.1 Complete first-party cookie inventory with full metadata
ℹ INFO

6 first-party cookies in Storage after Accept All.

| name | domain | expires_days | http_only | secure | same_site | classification |
|---|---|---|---|---|---|---|
| location_data | www.sfchronicle.com | session | False | True | Strict | UNKNOWN |
| hnpdiudpf1 | .sfchronicle.com | 365.0 | True | True | Lax | UNKNOWN |
| hnpdiudpf2 | .sfchronicle.com | session | False | True | Lax | UNKNOWN |
| ab_bucket | www.sfchronicle.com | 365.0 | False | True | None | UNKNOWN |
| _fs_ch_cp_79UUvfpJ5mWYtLQv | www.sfchronicle.com | 0.0 | True | False | Lax | UNKNOWN |
| _fs_ch_st_FSBmUei20MqUiJb9 | www.sfchronicle.com | 0.0 | True | False | Lax | UNKNOWN |

G.2 All observed cookies declared in cookie policy
✗ FAIL

6 cookie(s) observed but not found in cookie policy at https://sfchronicle.com/cookies.

| cookie_name | status |
|---|---|
| hnpdiudpf1 | observed but not in cookie policy |
| ab_bucket | observed but not in cookie policy |
| hnpdiudpf2 | observed but not in cookie policy |
| _fs_ch_cp_79UUvfpJ5mWYtLQv | observed but not in cookie policy |
| location_data | observed but not in cookie policy |
| _fs_ch_st_FSBmUei20MqUiJb9 | observed but not in cookie policy |

G.3 Strictly necessary two-part test (AI-assisted)
✗ FAIL

AI analysis: 3 cookie(s) fail the strictly-necessary test and should be absent after reject-all. Summary: Major GDPR compliance issues identified: All 6 observed cookies are not declared in the cookie policy, which only mentions 'event' and 'script' cookies. Multiple FullStory analytics cookies are present without declaration. The cookie policy appears incomplete or the provided text doesn't contain the actual policy content. All cookies should be absent if user rejected consent, as none appear to be strictly necessary for basic website functionality.

| cookie_name | declared | category | strictly_necessary_test | should_be_absent_post_reject | notes |
|---|---|---|---|---|---|
| hnpdiudpf1 | False | unknown | unclear | True | Cookie not declared in policy. Name suggests it could be a session identifier or tracking cookie, but purpose is unclear without declaration. |
| ab_bucket | False | analytics | not_exempt | True | Appears to be an A/B testing bucket assignment cookie. Not declared in policy. A/B testing is not essential for basic service functionality. |
| hnpdiudpf2 | False | unknown | unclear | True | Cookie not declared in policy. Similar naming pattern to hnpdiudpf1, purpose unclear without declaration. |
| _fs_ch_cp_79UUvfpJ5mWYtLQv | False | analytics | not_exempt | True | Appears to be a FullStory (fs) analytics/session recording cookie. Not declared in policy. Analytics cookies are not strictly necessary. |
| location_data | False | functional | unclear | True | Appears to store location information. Not declared in policy. Could be functional if location is essential for the service, but typically requires consent. |
| _fs_ch_st_FSBmUei20MqUiJb9 | False | analytics | not_exempt | True | Another FullStory analytics/session recording cookie. Not declared in policy. Analytics cookies are not strictly necessary. |

Recommendation: Cookies that fail the strictly necessary two-part test (ePrivacy Art. 5(3)) must be gated behind consent and absent after a reject-all signal.
G.4 Server-side analytics/ad cookies identified in Set-Cookie headers
✓ PASS

No advertising cookies observed in Set-Cookie response headers.

G.5 CNAME cloaking check (subdomains observed — DNS resolution requires Component 2)
☐ MANUAL

Found 0 first-party subdomains. Run 'dig CNAME ' against each to check for third-party infrastructure. Full automation available in Component 2.

G.6 Non-essential first-party cookies absent after reject-all
✓ PASS

All advertising cookies absent from Storage post-reject.

G.9 No tracking keys in first-party localStorage/sessionStorage post-reject
✓ PASS

No tracking identifiers found in first-party web storage post-reject.

H. JS Global Object Verification 0 FAIL   2 PASS   0 MANUAL
H.1 Tracker JS globals (ga, gtag, fbq, hj, etc.) return undefined post-reject
✓ PASS

All tracker globals return undefined post-reject.

H.2 Tracker globals not merely defined without values
ℹ INFO

See H.1 — same evidence applies.

H.3 window.dataLayer absent or contains no tracking events post-reject
✓ PASS

dataLayer not present post-reject.

I. DOM / Source Inspection 0 FAIL   3 PASS   0 MANUAL
I.1 Tracker script tags have type=text/plain (CMP-blocked) in DOM post-reject
✓ PASS

All 0 tracker scripts correctly blocked in DOM post-reject.

I.2 Non-essential scripts blocked (type=text/plain)
✓ PASS

See I.1 — same check.

I.3 No tracker JS files in executed sources post-reject
✓ PASS

Based on DOM script inventory; full Sources tab verification requires Chrome DevTools protocol introspection (beyond current scope).

J. Safari-Specific Considerations 0 FAIL   1 PASS   2 MANUAL
J.1 ITP setting
☐ MANUAL

Requires manual browser configuration check.

J.2 ITP-off re-test
☐ MANUAL

Requires manual browser configuration check.

J.3 Server-side cookie-setting identified where ITP would block client-side
✓ PASS

No obvious ITP-bypass server-side cookies detected.

K. Consent Mechanism UX Compliance 2 FAIL   1 PASS   0 MANUAL
K.1 Reject All at same prominence and level as Accept All
✓ PASS

Could not determine button prominence.

| accept_visible_at_first_screen | reject_visible_at_first_screen | reject_requires_extra_layer | accept_button_text | reject_button_text |
|---|---|---|---|---|
| False | False | True | | |

K.2 👁 AI Non-essential categories default to OFF
UNCLEAR

Cannot determine default toggle states as no consent management interface is displayed

ai_evidence
No privacy manager or preferences panel visible in any screenshot
K.3 👁 AI No dark patterns in consent banner (colour, visual hierarchy)
UNCLEAR

Cannot identify dark patterns as the screenshots appear to show blank pages without any consent banners, buttons, or UI elements

ai_evidence
No consent interface elements visible to analyze for dark patterns
K.5 HIGH Persistent consent withdrawal mechanism accessible after interaction
✗ FAIL

No persistent consent widget found. Users cannot easily withdraw consent.

| found | text | in_iframe |
|---|---|---|
| False | | False |

Regulatory basis: GDPR Art. 7(3) withdrawal · EDPB Guidelines 05/2020
Precedent: CJEU Orange România established that withdrawal must be as easy as giving consent, requiring persistent accessible mechanisms.
Recommendation: Implement persistent cookie settings widget accessible from all pages allowing easy consent withdrawal.
K.6 HIGH⚖ Alt. model Site fully accessible after declining consent (no cookie wall)
✗ FAIL

Site content may be blocked after declining — possible cookie wall.

accessible
False
Regulatory basis: GDPR Art. 7(4) freely given consent · EDPB Guidelines 05/2020
Precedent: EDPB Guidelines explicitly prohibit cookie walls while Opinion 08/2024 allows consent-or-pay for non-dominant publishers under strict conditions.
Recommendation: Remove content blocking for consent refusal or implement compliant consent-or-pay model with genuine choice and proportionate pricing.
L. Consent State Persistence 1 FAIL   1 PASS   0 MANUAL
L.2 Consent choice respected on second tab (same session)
✗ FAIL

Consent preference correctly persisted to second tab.

| consent_cookie_found | ad_cookies_found | tcf_available | tcf_display_status |
|---|---|---|---|
| False | False | False | None |

L.3 Declined state maintained after closing and reopening (simulate new session)
✓ PASS

No advertising cookies found on simulated return visit.

| ad_cookies_on_return | total_cookies |
|---|---|
| False | 6 |

Additional Findings 0 FAIL   2 PASS   1 MANUAL
ADD.1 Persistent identifier bridging across consent states
✓ PASS

No persistent cross-phase identifiers detected in POST bodies.

ADD.2 TCF consent string analysis (all phases)
ℹ INFO

No TCF consent strings detected in query parameters.

ADD.3 Session ID bridging across consent and rejection phases
✓ PASS

No session ID bridging detected across consent states.

ADD.4 Vendor userId transmission post-reject
☐ MANUAL

No post-reject phase detected.

Test Details 0 FAIL   0 PASS   0 MANUAL
META Site URL, test date, CMP platform
ℹ INFO

CMP identified as: Unknown / Not detected

| url | test_date | test_time_utc | cmp_detected | total_requests | phases_detected | phase_strategy |
|---|---|---|---|---|---|---|
| Client Challenge | 2026-03-31 | 2026-03-31T16:48:26 | Unknown / Not detected | 960 | ['pre_consent'] | {'accept': 'not_detected', 'reject': 'not_detected'} |

Component 3 — AI analysis via claude-sonnet-4-20250514