Waivern Consent Analyser
AI-Enhanced Compliance Report

https://sfchronicle.com  ·  CMP: Unknown / Not detected   ⚠ AI analysis incomplete
Post Accept Baseline
3 FAIL   0 PASS   7 MANUAL
C3 analysis errors: (none listed)

Consent State Screenshots — assessed by AI for K.1/K.2/K.3

[Screenshot: Default Starting State (default_starting_state)]
[Screenshot: Post Accept Baseline (post_accept_baseline)]

AI Executive Summary

Overall Risk: HIGH

The San Francisco Chronicle website appears to be in significant non-compliance with CCPA/CPRA requirements. The crawl found no 'Do Not Sell or Share My Personal Information' opt-out link, which Cal. Civ. Code §1798.135(a) requires on every page where personal information is collected, and no evidence that the site recognises the Global Privacy Control (GPC) signal, which businesses must honour as a valid opt-out request under the CPPA regulations. As a news website that very likely shares data with advertising partners, missing opt-out mechanisms are core CCPA/CPRA violations and a direct CPPA enforcement exposure. Because the baseline capture recorded no advertising cookies or tracking scripts at all (see BAS.1) and no CMP was detected, the findings below should be confirmed against a fully rendered page load before remediation is scoped.

Remediation Roadmap

  1. Add prominent 'Do Not Sell or Share My Personal Information' link to all website pages (low) — Addresses core CCPA compliance requirement and reduces immediate enforcement risk
  2. Build functional opt-out landing page and processing system behind DNSSPI link (medium) — Enables consumers to exercise opt-out rights and completes the required opt-out mechanism
  3. Implement GPC signal detection and automated opt-out processing (high) — Ensures compliance with browser-based opt-out signals and technical regulations
  4. Add US Privacy string or GPP signaling to communicate GPC recognition status (medium) — Provides technical confirmation of GPC compliance for auditing and verification
  5. Conduct comprehensive review of data sharing partnerships to ensure proper opt-out implementation (high) — Ensures opt-out preferences are honored across all data sharing relationships

Detailed Findings

🤖 = AI-assessed  ·  👁 = Vision (screenshot)  ·  HIGH MEDIUM LOW = risk level from legal analysis

BAS. Default Tracking Baseline 0 FAIL   0 PASS   0 MANUAL
BAS.1 Advertising and analytics tracking active by default (opt-out right context)
ℹ INFO

0 advertising/tracking cookie(s) and 0 tracker global(s) active by default (none detected). Under CCPA/CPRA, this is the default state consumers have the right to opt out of via the DNSSPI link or GPC signal. The presence of tracking by default is not itself a violation; the violation is failure to provide a working opt-out mechanism. Caveat: a baseline of 6 cookies with no advertising cookies, tracker globals or tracking scripts is unusual for a large news site and, together with the undetected CMP and the incomplete AI analysis flagged in the header, suggests the crawler may not have rendered the full page (bot blocking, paywall or consent gating). Re-capture the baseline manually before relying on the suppression comparisons in GPC.2 to GPC.4.

  total_cookies_default: 6
  ad_tracking_cookies: 0
  tracker_globals_active: []
  tracking_scripts_active: 0
BAS.2 CCPA relationship classification: Sale, Sharing, and Service Provider vendors
ℹ INFO

SALE (§1798.140(ad)): 0 vendor(s) — none detected. SHARING/cross-context behavioural (§1798.140(ah)): 0 vendor(s) — none detected. SERVICE PROVIDER (on-behalf processing): 0 vendor(s) — none detected. Sale and Sharing relationships are subject to the consumer opt-out right under CPRA §1798.120 and must be disclosed in the privacy policy.

  sale_vendors: []
  sharing_vendors: []
  service_provider_vendors: []
  sale_cookie_count: 0
  sharing_cookie_count: 0
  service_provider_cookie_count: 0
DNS. Do Not Sell or Share Link (CPRA §1798.135(a)) 1 FAIL   0 PASS   1 MANUAL
DNS.1 HIGH 'Do Not Sell or Share My Personal Information' opt-out link present
✗ FAIL

No 'Do Not Sell or Share My Personal Information' link detected. Cal. Civ. Code §1798.135(a) requires a clear and conspicuous link on every page where personal information is collected. The link text must be the statutory phrase, or the alternative 'Your Privacy Choices' link (with the opt-out icon) that the CPPA regulations (11 CCR §7015) permit in place of the separate opt-out and limit links.

  found: False
  text: (empty)
  location: (empty)
  href: (empty)
Regulatory basis: CCPA §1798.135(a) · CCPA §1798.120(a)
Precedent: The CPPA has consistently prioritized enforcement against businesses lacking proper opt-out mechanisms, with recent settlements emphasizing the fundamental importance of accessible DNSSPI links.
Recommendation: Immediately add a clear and conspicuous 'Do Not Sell or Share My Personal Information' link to every page where personal information is collected, using either the statutory phrase or the 'Your Privacy Choices' alternative opt-out link permitted by the CPPA regulations. Confirm the link is present in the page footer on every template, not only on a separate privacy page or inside a cookie banner.
DNS.3 'Limit the Use of My Sensitive Personal Information' link present (CPRA §1798.135(a)(2))
☐ MANUAL

No 'Limit the Use of My Sensitive Personal Information' link detected. Based on the site's apparent business type, SPI collection likelihood is assessed as LOW — this obligation likely does not apply unless the site collects precise geolocation, health, financial, biometric, or other sensitive data categories (CPRA §1798.140(ae)) as part of its core operations. Manual review recommended to confirm whether SPI is processed and whether this link is required.

  lspi: {'found': False, 'text': '', 'location': '', 'href': ''}
  spi_likelihood: LOW
Recommendation: Confirm whether you process any sensitive personal information categories per §1798.140(ae). If not (e.g. you only collect name, email, order history), this link is not required. If you do process SPI (e.g. precise location for delivery tracking), add the link alongside your DNSSPI link.
GPC. Global Privacy Control Compliance 1 FAIL   0 PASS   2 MANUAL
GPC.1 HIGH Site signals GPC opt-out receipt via US Privacy string or GPP
✗ FAIL

US Privacy string: (none). GPP: (none).

  __usprivacy: (not detected)
  __gpp: (not detected)
  note: No __usprivacy or __gpp cookie or API detected with GPC header active. Site may not be recognising the Sec-GPC: 1 header or the navigator.globalPrivacyControl JS property.
Regulatory basis: CCPA §1798.135(b) · CPPA Regulation §7025
Precedent: CPPA regulations explicitly require GPC signal recognition with specific technical implementation timelines, making this a clear compliance gap subject to per-violation penalties.
Recommendation: Implement technical infrastructure to detect the GPC signal (the Sec-GPC: 1 request header server-side, navigator.globalPrivacyControl client-side), process it as a valid opt-out request within 15 business days of receipt, and reflect the resulting opt-out status in a US Privacy or GPP string so that downstream vendors receive it.
GPC.2 Advertising/tracking cookies suppressed after GPC opt-out vs default baseline
☐ MANUAL

Default (no opt-out): 0 advertising/tracking cookie(s). After GPC opt-out signal: 0 advertising/tracking cookie(s). No advertising cookies detected in the default baseline — cannot assess suppression.

  default_baseline_ad_cookies: 0
  after_gpc_signal_ad_cookies: 0
  cookies_suppressed: 0
GPC.3 Advertising pixel scripts (Meta, TikTok, LinkedIn etc.) suppressed after GPC opt-out
☐ MANUAL

No advertising pixels detected in the default baseline — cannot assess suppression.

  default_ad_pixels: []
  after_gpc_ad_pixels: []
  pixels_suppressed: []
  pixels_still_active: []
  gtm_gtag_present: False
GPC.4 Third-party tracking script load — default vs after GPC opt-out (informational)
ℹ INFO

Default baseline: 0 tracking script(s) active. After GPC opt-out: 0 tracking script(s). Reduction of 0. Script-level suppression is informational — scripts may be loaded but not execute tracking functionality depending on runtime logic.

  default_tracking_scripts: 0
  after_gpc_tracking_scripts: 0
  scripts_suppressed: 0
USP. IAB US Privacy / GPP Framework 0 FAIL   0 PASS   2 MANUAL
USP.1 IAB US Privacy / GPP framework participation (opt-out signalling infrastructure)
ℹ INFO

No IAB opt-out signalling framework detected with GPC active. Sites using a CCPA-compliant CMP (OneTrust, Sourcepoint, Didomi) should emit a USP or GPP string that reflects the consumer's current opt-out status, including when the GPC signal is present.

  __usprivacy_string: (not present)
  __gpp_string: (not present)
  framework_detected: No IAB opt-out framework detected
  decoded: (see above)
Recommendation: Implement an IAB GPP-compliant CMP to provide industry-standard opt-out signalling. The GPP (Global Privacy Platform) string communicates the consumer's opt-out status to ad tech vendors downstream in the supply chain. Without this, downstream partners may continue processing data for advertising even after an opt-out.
USP.2 __usprivacy string signals opt-out when GPC header is active
☐ MANUAL

__usprivacy during GPC session: None. No __usprivacy string detected during GPC session.

  us_privacy_during_gpc: (not detected)
  opt_out_bit: (n/a)
Recommendation: When the Sec-GPC: 1 header (or navigator.globalPrivacyControl === true) is present, the __usprivacy string should carry 'Y' in the opt-out-of-sale position, which is the third character: 1YY- (or 1YYN / 1YYY depending on LSPA status). A value of 1YN- signals that the consumer has not opted out and would itself be a failure. CPRA §1798.135(b) and CPPA Regulation §7025 require the GPC signal to be honoured as an opt-out; the IAB US Privacy Technical Specification defines how that status is communicated to downstream vendors. Note that IAB Tech Lab has deprecated the US Privacy string in favour of the GPP US-CA section, so a GPP string that encodes the opt-out is the forward-looking target.
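The following is an added example, not code from the Waivern tool or from sfchronicle.com, showing the two halves of what GPC.1 and USP.2 check: how a site detects the GPC signal (Sec-GPC header server-side, navigator.globalPrivacyControl client-side) and reflects it in an IAB US Privacy string, and the audit that decodes the observed string and confirms the opt-out character is 'Y'. It runs under Node with no dependencies; the request headers and navigator object are constructed stand-ins, and the helper names are this example's own.

```javascript
// Added example: honouring Global Privacy Control and reflecting it in the
// IAB US Privacy string, plus the audit check USP.2 performs.
// Not part of the Waivern Consent Analyser; request/navigator inputs are constructed.
//
// US Privacy string layout (4 characters):
//   [0] version, always '1'
//   [1] explicit notice given:        Y / N / -
//   [2] opt-out of sale/sharing:      Y / N / -   <- the character the audit tests
//   [3] LSPA covered transaction:     Y / N / -
// '1---' means the string is not applicable (business claims CCPA does not apply).

// Server side: GPC arrives as the request header "Sec-GPC: 1" (header names are case-insensitive).
function gpcFromHeaders(headers) {
  const entry = Object.entries(headers).find(([name]) => name.toLowerCase() === 'sec-gpc');
  return entry !== undefined && String(entry[1]).trim() === '1';
}

// Client side: the browser exposes the same preference as navigator.globalPrivacyControl.
function gpcFromNavigator(nav) {
  return nav !== undefined && nav.globalPrivacyControl === true;
}

// Build the string the site should publish (cookie __usprivacy and/or __uspapi('getUSPData')).
// GPC or a stored opt-out from the DNSSPI flow both set the opt-out character to 'Y'.
function buildUsPrivacyString({ subjectToCcpa = true, noticeGiven = true, gpc = false, storedOptOut = false, lspa = false }) {
  if (!subjectToCcpa) return '1---';
  const yn = (flag) => (flag ? 'Y' : 'N');
  return '1' + yn(noticeGiven) + yn(gpc || storedOptOut) + yn(lspa);
}

// Decode an observed string into its fields; null for anything malformed.
function parseUsPrivacyString(value) {
  if (typeof value !== 'string' || !/^1[YN-]{3}$/.test(value)) return null;
  return {
    version: 1,
    noticeGiven: value[1],
    optOutSale: value[2],
    lspaCovered: value[3],
    notApplicable: value === '1---',
  };
}

// Audit check: with GPC active in the session, the observed __usprivacy value must carry 'Y'
// in the opt-out position. Returns a row-style result like the report's PASS/FAIL/MANUAL.
function auditGpcReflected(observedUsp, gpcActive) {
  if (!gpcActive) return { status: 'N/A', reason: 'GPC not active in this session' };
  const parsed = parseUsPrivacyString(observedUsp);
  if (parsed === null) return { status: 'FAIL', reason: 'no valid __usprivacy string while Sec-GPC: 1 was sent' };
  if (parsed.notApplicable) return { status: 'MANUAL', reason: "'1---' claims CCPA does not apply; verify the business is out of scope" };
  if (parsed.optOutSale !== 'Y') return { status: 'FAIL', reason: `opt-out character is '${parsed.optOutSale}', expected 'Y'` };
  return { status: 'PASS', reason: 'GPC reflected as opt-out' };
}

// Stand-alone walk-through on a constructed request carrying the GPC header.
function demo() {
  const request = { headers: { 'Sec-GPC': '1', 'User-Agent': 'constructed-example' } };
  const gpc = gpcFromHeaders(request.headers);
  const usp = buildUsPrivacyString({ gpc });
  return {
    gpc,                                        // true
    usp,                                        // '1YYN'
    audit: auditGpcReflected(usp, gpc),         // PASS
    wrongString: auditGpcReflected('1YN-', gpc) // FAIL: 'N' in the opt-out position
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

The audit deliberately treats '1---' as MANUAL rather than PASS: a site can stop the crawler's FAIL by declaring itself out of scope, and only a human can decide whether a news publisher with advertising partners really is.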
USP.3 __usprivacy string signals opt-out after manual DNSSPI opt-out flow
☐ MANUAL

Opt-out flow could not be completed automatically (no DNSSPI link found, no confirmation button detected, or opt-out requires form input / account authentication). Manual verification required.

OPT. Opt-Out Flow 1 FAIL   0 PASS   2 MANUAL
OPT.1 HIGH DNSSPI link leads to a functional opt-out destination
✗ FAIL

DNSSPI link not found — opt-out flow cannot be assessed.

Regulatory basis: CCPA §1798.135(a) · CCPA §1798.120(b)
Precedent: CPPA enforcement actions have targeted businesses with non-functional or inaccessible opt-out mechanisms, treating these as violations of consumers' fundamental right to opt out.
Recommendation: Establish a functional opt-out process accessible through the required DNSSPI link that allows consumers to easily opt out of personal information sales and sharing.
OPT.2 Opt-out completable without requiring account creation or login
☐ MANUAL

Could not confirm opt-out was completable without authentication. Manual review required. CPRA §1798.135(a) prohibits requiring consumers to create an account as a condition of exercising opt-out rights.

  opt_out_button_clicked: False
OPT.3 Opt-out preference is recorded and honoured on reload
☐ MANUAL

Opt-out flow could not be completed automatically. Manual review required.

  us_privacy_before: (not detected)
  us_privacy_after: (not detected)
  baseline_ad_cookies: 0
  post_optout_ad_cookies: 0
  baseline_pixels: []
  post_optout_pixels: []
  opt_out_clicked: False
Component 3 — AI analysis via claude-sonnet-4-20250514