CCPA compliance you can verify

Passive scanning finds violations. Runtime probes test live behavior. Every scan produces a cryptographic receipt.

Passive Scan

Find violations in seconds

Free
Unlimited passive scans
Compliance grade (A–F)
CCPA section mapping per finding
Financial exposure calculator (§1798.155)
Third-party tracker detection
Cryptographic scan receipt per scan
Recommended

Runtime Pilot

Test what passive scans cannot

Contact
Everything in Passive Scan
Headless browser probe (GPC, consent, DSAR, deletion)
Binary verdicts: PASS / FAIL / UNPROVEN
Runtime receipt chain-linked to passive receipt
Before/after comparison report
2–4 week bounded pilot with acceptance criteria

Enterprise

Continuous compliance across all properties

Contact
Everything in Runtime Pilot
Multi-property scanning (all public-facing URLs)
Scheduled re-scans with delta tracking
Remediation guidance per finding
Exportable compliance reports with receipts
Dedicated onboarding and support

What the runtime probe tests

§1798.135 Global Privacy Control

Does the site honor the Sec-GPC: 1 header? Measured by comparing tracker behavior at baseline versus with GPC active.

§1798.120 Consent Enforcement

Do trackers stop firing after a consumer rejects consent? Measured by comparing tracker counts before and after rejection.

§1798.130 DSAR Access

Is there a consumer data request intake endpoint? Measured by checking known paths for forms with request-type inputs.

§1798.105 Data Deletion

Is there a deletion request endpoint? Measured by checking known paths for deletion request forms.

Each test returns PASS, FAIL, or UNPROVEN. Results are backed by a chain-linked cryptographic receipt.

FAQ

What does the passive scan check?

Privacy policy presence, Do Not Sell link (§1798.120/§1798.135), consent management platform detection, third-party tracker scripts, data collection notices, AI feature disclosure (§1798.185), and transport security (HSTS). Each finding maps to a specific CCPA section with remediation steps.

What does the runtime probe add?

The runtime probe launches a real headless browser against the live site. It tests four properties that passive analysis cannot determine: Global Privacy Control compliance (§1798.135), consent enforcement after rejection (§1798.120), DSAR endpoint accessibility (§1798.130), and data deletion endpoint accessibility (§1798.105). Each test returns PASS, FAIL, or UNPROVEN.

How much does a CCPA violation cost?

The CPPA's CPI-adjusted maximums effective January 1, 2025 are up to $7,988 per intentional violation and up to $2,663 per unintentional violation (§1798.155). Exposure scales with the number of affected consumers.

What is a cryptographic receipt?

Every scan produces a receipt with a SHA-256 payload hash, HMAC-SHA256 integrity token, and chain link to the previous receipt. Receipts are independently verifiable offline — you can recompute the hash from the canonical payload and confirm it matches.
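
A sketch of how a chain of such receipts can be checked offline, added here as an illustration and not FinalBoss's own code. The page does not publish the receipt format, so the field names, the canonical JSON form, the HMAC input, the genesis value and the sample data are all assumptions.

```python
import copy, hashlib, hmac, json

GENESIS = "0" * 64  # assumed prev_hash value for the first receipt in a chain

def canonical(payload):
    # Assumed canonical form: UTF-8 JSON, sorted keys, no insignificant whitespace.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def payload_hash(payload):
    return hashlib.sha256(canonical(payload)).hexdigest()

def tag(key, prev_hash, p_hash):
    # Assumed HMAC input: previous hash concatenated with this payload hash.
    return hmac.new(key, (prev_hash + p_hash).encode(), hashlib.sha256).hexdigest()

def make_receipt(payload, prev_hash, key):
    h = payload_hash(payload)
    return {"payload": payload, "payload_hash": h,
            "prev_hash": prev_hash, "hmac": tag(key, prev_hash, h)}

def verify_chain(receipts, key=None):
    """Return (index, problem) pairs; an empty list means the chain verifies."""
    problems, prev = [], GENESIS
    for i, r in enumerate(receipts):
        if not hmac.compare_digest(payload_hash(r["payload"]), r["payload_hash"]):
            problems.append((i, "payload hash mismatch"))
        if not hmac.compare_digest(r["prev_hash"], prev):
            problems.append((i, "broken chain link"))
        # The HMAC can only be checked by a party holding the key.
        if key is not None and not hmac.compare_digest(
                tag(key, r["prev_hash"], r["payload_hash"]), r["hmac"]):
            problems.append((i, "bad HMAC"))
        prev = r["payload_hash"]
    return problems

def sample_chain(key):
    # Constructed data: a passive receipt followed by a runtime receipt.
    passive = make_receipt({"type": "passive", "url": "https://example.com", "grade": "C"}, GENESIS, key)
    runtime = make_receipt({"type": "runtime", "gpc": "FAIL", "dsar": "UNPROVEN"}, passive["payload_hash"], key)
    return [passive, runtime]

def regrade(chain, grade, rehash):
    # Simulate an edited receipt: change the grade, optionally recompute its hash.
    forged = copy.deepcopy(chain)
    forged[0]["payload"]["grade"] = grade
    if rehash:
        forged[0]["payload_hash"] = payload_hash(forged[0]["payload"])
    return forged
```

Without the key, a verifier can confirm only the hash and the chain link: an edit that also recomputes the payload hash is reported at the next receipt's link, and at the edited receipt itself only when the HMAC can be checked.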

How long does a runtime pilot take?

2–4 weeks. Week 1: passive scan of all properties. Week 2: runtime probe with GPC, consent, DSAR, and deletion testing. Weeks 3–4: remediation guidance and re-scan verification. The pilot has objective pass/fail acceptance criteria.

Can I see real results before committing?

Yes. The passive scan is free and runs on any domain. Enter a URL at ccpa.finalbosstech.com/scan and see the grade, findings, and exposure calculation immediately. The runtime probe is available as part of the pilot.

See it work

Run a free passive scan on any domain. See the grade, findings, and receipt.

FinalBoss Technology · ccpa.finalbosstech.com