The company: A direct-to-consumer apparel brand doing $50M in annual revenue. Based in California. Using OneTrust. Convinced they were fully compliant.
What we found: 47 third-party trackers in total, 16 of which were firing without valid consent.
The Setup
The company reached out after their legal team got nervous following the latest round of CCPA enforcement actions. They had:
- OneTrust implemented site-wide
- A detailed privacy policy
- A "Trust" badge in their footer
- Regular compliance reviews (or so they thought)
What Our Audit Found
We ran our standard compliance scan across their homepage, product pages, checkout flow, and cart. Here's what came back:
- 47 total trackers detected across the site
- 31 trackers the CMP was properly blocking
- 16 trackers the CMP reported as blocked that were still firing
- 8 trackers loading before the consent banner appeared
- 3 shadow pixels embedded in third-party widgets
The Breakdown
Pixel Piggybacking (The Big One)
Their Facebook Pixel was loading correctly through OneTrust. But once it loaded, it passed data on to three other ad networks, none of which appeared in their consent manager: Criteo, Taboola, and an affiliate network they didn't even work with directly. A CMP only gates the tags it knows about; requests that an approved tag goes on to make by itself never pass through the consent check, which is exactly what piggybacking exploits.
Pre-Consent Firing
On mobile, their chat widget loaded 300ms before the consent banner appeared, and in that window Google Analytics and Hotjar both fired. Users never had a chance to say no: a tag that fires before the CMP has loaded receives no consent signal at all, and blocking it afterwards does not undo the request that already went out.
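The following JavaScript is an added example for the two findings above (piggybacking and pre-consent firing); it is not the scanner used in this audit. It takes a capture of one page view, in the shape a HAR export or a headless-browser request listener produces, and flags requests that went out before consent, vendors missing from the CMP inventory, and unlisted vendors reached through a listed tag. The site domain, consent timestamp, vendor inventory and the captured requests are all constructed for the example.

```javascript
// Added example, not the audit's tooling. Everything below is constructed.
const FIRST_PARTY = 'shop.example';   // assumed site domain (registrable form)
const CONSENT_GRANTED_AT = 1200;      // assumed: banner accepted 1200 ms after navigation start
const CMP_VENDORS = new Set([         // assumed: vendors the CMP knows about and gates
  'facebook.net', 'facebook.com', 'google-analytics.com', 'hotjar.com',
]);

// Constructed capture of one mobile page view. `t` is ms since navigation
// start; `initiator` is the script URL that issued the request (null = the document).
const REQUESTS = [
  { url: 'https://shop.example/api/cart', initiator: null, t: 300 },
  { url: 'https://widget.chat-vendor.example/loader.js', initiator: null, t: 600 },
  { url: 'https://www.google-analytics.com/g/collect?v=2&en=page_view',
    initiator: 'https://widget.chat-vendor.example/loader.js', t: 900 },
  { url: 'https://script.hotjar.com/modules.js',
    initiator: 'https://widget.chat-vendor.example/loader.js', t: 950 },
  { url: 'https://connect.facebook.net/en_US/fbevents.js', initiator: null, t: 1400 },
  { url: 'https://www.facebook.com/tr/?id=1&ev=PageView',
    initiator: 'https://connect.facebook.net/en_US/fbevents.js', t: 1450 },
  { url: 'https://dis.criteo.com/dis/rtb/sync',
    initiator: 'https://connect.facebook.net/en_US/fbevents.js', t: 1500 },
  { url: 'https://trc.taboola.com/sg/sync',
    initiator: 'https://connect.facebook.net/en_US/fbevents.js', t: 1510 },
];

// Registrable domain approximated as the last two host labels. A real scanner
// should use the Public Suffix List so that hosts like example.co.uk resolve correctly.
function registrableDomain(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Walk initiator links back to the top-level script that started the chain.
// Returns null when the request was issued directly by the document.
function rootInitiator(req, byUrl) {
  let cur = req;
  const seen = new Set();
  while (cur.initiator && byUrl.has(cur.initiator) && !seen.has(cur.initiator)) {
    seen.add(cur.initiator);
    cur = byUrl.get(cur.initiator);
  }
  return cur === req ? null : cur;
}

// Classify every third-party request in the capture.
//   preConsent : domains contacted before the visitor's consent was recorded
//   unlisted   : third-party domains the CMP has no entry for
//   piggybacked: unlisted domains reached through a vendor the CMP does list
function auditRequests(requests, { firstParty, consentAt, cmpVendors }) {
  const byUrl = new Map(requests.map((r) => [r.url, r]));
  const preConsent = new Set();
  const unlisted = new Set();
  const piggybacked = [];

  for (const req of requests) {
    const domain = registrableDomain(req.url);
    if (domain === firstParty) continue;            // first-party calls are out of scope
    if (req.t < consentAt) preConsent.add(domain);  // fired in the pre-banner window
    if (cmpVendors.has(domain)) continue;           // gated by the CMP, nothing more to flag
    unlisted.add(domain);
    const root = rootInitiator(req, byUrl);
    if (root && cmpVendors.has(registrableDomain(root.url))) {
      piggybacked.push({ vendor: domain, via: registrableDomain(root.url) });
    }
  }
  return { preConsent: [...preConsent], unlisted: [...unlisted], piggybacked };
}

console.log(JSON.stringify(auditRequests(REQUESTS, {
  firstParty: FIRST_PARTY, consentAt: CONSENT_GRANTED_AT, cmpVendors: CMP_VENDORS,
}), null, 2));
```

Run against the constructed capture, the chat widget, Google Analytics and Hotjar come back as pre-consent, and Criteo and Taboola come back as piggybacked via facebook.net. The consent timestamp is the one input a scanner cannot infer from traffic alone: capture it from the CMP's own event (or a cookie write) on the same clock as the requests, or every tracker on the page will look like it fired too early.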
Server-Side Tracking
They'd implemented server-side GTM for "better data quality." What they didn't realize: a CMP that blocks tags in the browser has no say over what a server container forwards. Events went from the page to their server endpoint and on to vendors without ever passing through OneTrust's consent checks, so for those trackers the OneTrust implementation was completely ineffective. Server-side tracking only honors consent when the visitor's consent state travels with each event and the server container enforces it before forwarding anything.
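Here is what that enforcement looks like in outline, as an added example rather than the client's server container or Google's own sGTM code. The browser-side container attaches the visitor's consent state to every event it sends; the server maps each downstream vendor to the purpose it needs and only builds outbound calls for vendors whose purpose was granted. The purpose names, the vendor mapping and the sample events are assumed for the example; a missing or malformed consent object is treated as denied.

```javascript
// Added example, not the client's or Google's code. Purpose names, vendor
// mapping and sample events are assumed for illustration.

// Which consent purpose each downstream vendor requires (assumed mapping).
const VENDOR_PURPOSE = {
  ga4: 'analytics',
  hotjar: 'analytics',
  meta: 'advertising',
  criteo: 'advertising',
  taboola: 'advertising',
};

// Constructed events as the browser-side container would post them to the
// server endpoint. `consent` is the state the CMP recorded at send time.
const SAMPLE_EVENTS = [
  { name: 'purchase', client_id: 'c-1', value: 79.0,
    consent: { analytics: 'granted', advertising: 'denied' } },
  { name: 'page_view', client_id: 'c-2',
    consent: { analytics: 'granted', advertising: 'granted' } },
  { name: 'page_view', client_id: 'c-3' },   // consent omitted: nothing may go out
];

// Default-deny: only an explicit 'granted' counts. Anything else, including a
// missing object or an unexpected value, is treated as denied.
function normaliseConsent(consent, vendorPurpose = VENDOR_PURPOSE) {
  const out = {};
  for (const purpose of new Set(Object.values(vendorPurpose))) {
    out[purpose] = Boolean(consent) && consent[purpose] === 'granted';
  }
  return out;
}

// Decide, per vendor, whether the server may forward this event.
function routeEvent(event, vendorPurpose = VENDOR_PURPOSE) {
  const consent = normaliseConsent(event.consent, vendorPurpose);
  const allowed = [];
  const suppressed = [];
  for (const [vendor, purpose] of Object.entries(vendorPurpose)) {
    (consent[purpose] ? allowed : suppressed).push(vendor);
  }
  return { event: event.name, allowed, suppressed };
}

// Vendors get the event fields, never the consent record itself.
function payloadFor(event, vendor) {
  const { consent, ...fields } = event;
  return { vendor, ...fields };
}

// The single place outbound calls are built, so every call is gated.
// `send(vendor, payload)` is the transport (HTTP client, queue, etc.).
function dispatch(event, send, vendorPurpose = VENDOR_PURPOSE) {
  const decision = routeEvent(event, vendorPurpose);
  for (const vendor of decision.allowed) send(vendor, payloadFor(event, vendor));
  return decision;
}

for (const ev of SAMPLE_EVENTS) {
  console.log(JSON.stringify(dispatch(ev, (vendor, payload) => {
    console.log(`  -> ${vendor}: ${JSON.stringify(payload)}`);
  })));
}
```

The point of routing every outbound call through one gate is auditability: the server's decision log becomes the record that a given vendor was or was not contacted for a given visitor, which is what a regulator or a scan like the one above will ask for. The weak version of this setup is the inverse: the browser container sends everything, and each server-side tag is trusted to check consent on its own, which is how a forgotten tag ends up forwarding events unconditionally.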
The Risk
We calculated their exposure:
- Potential violations: 47 trackers × multiple page views × California users
- At $7,500 per intentional violation, the 47 trackers alone come to over $350,000 in potential penalties
- Plus: Private right of action lawsuits from consumers
- Plus: Reputational damage when (not if) this became public
The Fix
Our report gave them:
- A complete inventory of every tracker with category and risk level
- Specific CCPA section references for each violation
- Remediation steps prioritized by risk
- A plan to fix their server-side tracking to respect consent
They fixed everything within 2 weeks. Total cost: about $5,000 in developer time. Compare that to the potential $350,000+ exposure.