CCPA / CPRA compliance scanner
CCPA and its 2023 amendment CPRA are opt-out frameworks — different from GDPR's opt-in model. But several technical requirements still apply: Do Not Sell or Share links, the USP API string, GPP API support, and increasingly, pre-consent tracking restrictions for sensitive personal information.
Free scan · No signup · Every scan covers all 6 major privacy regulations
Technical checks
These are scanner-detectable technical requirements. Regulatory compliance also requires legal review of your policies, contracts, and data processing activities.
CCPA requires a clear and conspicuous link titled "Do Not Sell or Share My Personal Information" (or a compliant abbreviation) in the footer or homepage of any covered business. Tag Leak checks for this link by text pattern and common class names.
CPRA introduced a new opt-out right specifically for sensitive personal information. Businesses that collect sensitive PI must provide a separate "Limit the Use of My Sensitive Personal Information" link. Tag Leak checks for this alongside the DNSMPI link.
The IAB US Privacy Framework requires a __uspapi function on the page that allows CMPs and ad vendors to read the US Privacy String (1YNY format indicating consent status). Tag Leak checks for the presence and basic validity of this API.
GPP is the successor to USP and is required by an increasing number of ad partners and SSPs. Tag Leak checks for the __gpp function and whether it returns a valid GPP string, covering CPRA's extended opt-out requirements.
While CCPA is an opt-out framework for standard PI, CPRA added opt-in requirements for sensitive personal information. Tag Leak's pre-consent tracker detection flags which ad networks and analytics platforms fire before any interaction — relevant for sites that collect sensitive PI categories.
CCPA requires a Privacy Policy that discloses the categories of PI collected, the purposes, and the rights of California residents. Tag Leak checks for a privacy policy link on the homepage as a baseline indicator.
California law (including CCPA and the California Customer Records Act) requires businesses to implement 'reasonable security measures' for personal data. Tag Leak checks six security response headers as a technical indicator of baseline security posture.
Your CCPA result is presented as a 0–100 score weighted for the opt-out model. Key checks: DNSMPI link present, Limit Sensitive PI link present (CPRA), USP API detected, GPP API detected, privacy policy link present. Pre-consent tracker findings carry less weight than under GDPR.
Note: CCPA / CPRA compliance also depends on your Privacy Policy content, data processing records, opt-out fulfillment workflows, service provider contracts, and data sale / sharing disclosures. The law also applies based on revenue and data volume thresholds — consult legal counsel to confirm whether your business is covered and what obligations apply.
You do not need to select CCPA — every Tag Leak scan automatically audits all six major privacy regulations in one pass. Run a single scan and get scores for CCPA, GDPR, UK GDPR, LGPD, POPIA, and PDPA simultaneously.
Free scan. No signup. Results in 60 seconds.
Every Tag Leak scan also audits GDPR · UK GDPR · CCPA · LGPD · POPIA · PDPA automatically.