Consent Banner - Dealer Summary

Date: 2026-07-17

Bottom line

Galpin Ford's website shows every visitor a cookie banner offering "Allow all cookies" or "Deny marketing cookies." Clicking Deny does not stop marketing tracking. The site records the visitor's refusal, keeps the tracking identifiers it had already assigned, and continues transmitting the visitor's browsing activity, page by page, and vehicle by vehicle, to third-party advertising and analytics companies, including Orbee and Gubagoo, on every subsequent page.

The banner's core representation to the consumer is therefore false in practice. This is worse for dealers than having no banner at all because their site solicits a privacy choice, stores timestamped proof that the visitor said no, and proceeds to track anyway. Galpin Ford is a California dealer, so California privacy law applies, with no jurisdictional question.

What the banner represents

On first visit, galpinford.com displays a consent banner with two choices presented as equals:

  • Allow all cookies
  • Deny marketing cookies

The plain meaning to a consumer is that choosing "Deny" turns off marketing and advertising tracking. The banner is a third-party product (ComplyAuto, version 6.5.2), and this installation runs the vendor's "blocker" add-on, which is specifically marketed to prevent tracking scripts from running until permitted.

What actually happens - Timestamped 7-16-26

Before the visitor makes any choice

While the banner is still on screen and untouched, the site has already:

  • Assigned persistent tracking identifiers and stored 15 cookies/IDs, including an Orbee visitor ID (_oa_vi), a Gubagoo user ID (__ggtruid), and a cross-domain Ford identifier (gt_uid).
  • Begun transmitting the visitor's page URLs and titles to third parties: Orbee (orb.ee), the site platform's own analytics (Jazel/Piwik), and Google.
  • Loaded a session-recording tool (Inspectlet) that captures the visitor's on-page behavior.

Orbee also plants its own opt-out flag defaulted to "not opted out" (_oa_optout = {"optedOut": false}). The vendor pre-decides the visitor into being tracked.

After the visitor clicks "Deny marketing cookies"

The banner records the denial correctly. In the visitor's own browser it writes:

statistics: false,  targeting: false,  consentMethod: "OPT_IN"

Then, on the next page, tracking resumes essentially in full. 44 of 46 third-party tracking destinations still fire after the denial, including:

  • Orbee (orb.ee) - an automotive marketing and customer-data platform. Streams the visitor's browsing back to Orbee, keyed to the same visitor ID assigned before consent.

    orbee screenshot.avif

  • Gubagoo - an automotive engagement and digital-retail vendor, still keyed to the user ID assigned before consent.

    gubagoo screenshot.avif

  • Inspectlet - session recording, still active.

    Inspectlet screenshot.avif

  • Jazel/Piwik (analytics.jazel.net) - transmits the full URL and title of each vehicle page the visitor views.
  • Google (google.com/ccm/collect) - still receiving the page URL and title.

The identifier assigned before consent (_oa_vi) is unchanged after the denial: the same visitor is tracked continuously, before and after saying no. Orbee's opt-out flag still reads "not opted out." And the banner plants a new identifier of its own (cavid) after the denial is recorded.

With a browser privacy signal (GPC) enabled

Some browsers send an automated Global Privacy Control signal that functions as a legal opt-out in California. The banner records this signal (it writes the same statistics: false, targeting: false with no interaction) but does not act on it. 33 tracking beacons across 9 third-party hosts still fire with GPC active.

Why it fails

The failure is structural, not a one-off:

  1. The banner controls almost nothing on the page. The site embeds roughly 118 scripts. Exactly 2 of them are wired into the banner's blocker. Everything else - Google, Orbee, Gubagoo, Piwik, Inspectlet, Stripe, etc.; all load freely regardless of the user’s consent choice. A banner can only gate the individual trackers that are connected to it.
  2. "Suppression" of Google is cosmetic. For Google, the banner relies on Google's "Consent Mode," which trims some data but still transmits the page URL, title, and the visitor's IP address to Google - before consent, after denial, and under GPC. The tracker is not stopped; its payload is reduced.
  3. A second consent system on the same page never hears the denial. Orbee maintains its own consent flag, defaulted to "tracked," which is never updated when the visitor denies through the banner. Two consent systems, unsynchronized, neither honoring the visitor's actual choice.

Legal exposure

In this case, California jurisdiction is direct: Galpin Ford is in California.

CIPA - pen register / trap-and-trace. Before any choice and after an explicit denial, the site assigns identifiers and transmits visitors' routing and addressing information (URLs, page titles, IP) to numerous third parties. That is the exact fact pattern the current wave of CIPA website-tracking claims target. The ComplyAuto banner on galpinford.com does not defeat it.

CIPA - wiretap / eavesdropping. The Inspectlet session-recording tool captures the visitor's interactions in real time and continues after the user’s denial. Session recording maps onto the interception theory, a stronger CIPA fact than pen-register alone, and here it runs on a visitor who explicitly refused marketing tracking.

Willfulness and deception. This banner makes the case worse than no banner would. The site solicits an explicit privacy choice, stores timestamped proof of the refusal in the consumer's own browser (a ready-made plaintiff's exhibit), and then continues to track anyway. That converts "we had no consent tool" into "we recorded the consumer's refusal and disregarded it," which:

  • supports a willfulness narrative under CIPA;
  • exposes a CCPA opt-out violation - clicking Deny, and ignoring the GPC signal, function as a "do not sell or share" opt-out that the continual tracking and advertising technology ignores; and
  • supports an unfair/deceptive practices theory - the banner represents to consumers that clicking deny stops marketing tracking, and it does not.

What this means

"The dealer already runs a consent banner" is not evidence of compliance and should not be treated as mitigation. On this installation, with the vendor's deeper blocker integration enabled, for a California dealer, an explicit visitor denial changed almost nothing that leaves the browser. The banner creates documentation of a consumer choice that the company does not honor.

References

The statutory anchors are provided below for reference. These legal characterizations are engineering work product and not legal conclusions.

  • CIPA - pen register / trap-and-trace - Cal. Penal Code § 638.51 (prohibition on use of a pen register or trap-and-trace device without a court order), definitions at § 638.50. This is the provision invoked in the current wave of website-tracking demand letters.
  • CIPA - wiretap / eavesdropping - Cal. Penal Code § 631 (wiretapping) and § 632 (eavesdropping on confidential communications). Session-replay claims are typically pleaded under § 631.
  • CIPA - civil remedy - Cal. Penal Code § 637.2 (private right of action; the greater of $5,000 per violation or three times actual damages, plus injunctive relief). This statutory-damages multiplier is what drives the demand-letter economics.
  • CCPA - opt-out of sale/share - Cal. Civ. Code § 1798.120 (right to opt out) and § 1798.135 (opt-out methods and notice, including the duty to honor opt-out preference signals such as GPC); GPC-processing obligation at 11 CCR § 7025. Enforcement is administrative (California Privacy Protection Agency / Attorney General, Cal. Civ. Code § 1798.155); the CCPA private right of action (§ 1798.150) is limited to data breaches and does not reach opt-out violations.
  • Unfair / deceptive practices - Cal. Bus. & Prof. Code § 17200 et seq. (Unfair Competition Law) and § 17500 (False Advertising Law), reaching the banner's representation that denying stops marketing tracking.

Cross-Walking the Galpin Banner Findings

1. The threatening email sent to Remora clients

In response to an internal email Remora sent to its clients, ComplyAuto mass sent an email with the subject line: "Unauthorized Removal of Your ComplyAuto Consent Banner Is Putting Your Dealership at Risk" that urges each dealer to (a) direct Remora in writing to reinstate the ComplyAuto banner, (b) let ComplyAuto re-scan and restore configuration, (c) preserve the removal timeline, (d) demand broad written indemnification from Remora, and (e) route future demand letters through ComplyAuto. It attacks both Remora's replacement tool and the legal reasoning in Remora's dealer email.

Read commercially, it is a retention play framed as legal risk. Read legally, most of its statements of law are sound, which is a problem for ComplyAuto, because those statements became the exact tool that our Galpin Ford trace measures their product against.

2. Cross-walking ComplyAuto's stated standards against their own banner

Findings are from the runtime capture of galpinford.com (a California Ford dealer running ComplyAuto’s banner v6.5.2 with the blocker add-on), from the screen record video above that is timestamped: 7-16-2026.

ComplyAuto's asserted standard and authority ComplyAuto's Galpin banner, measured against it
Consent must precede tracking; a post-tracking banner is disclosure, not consent (Garcia; Javier) Fails. Orbee, Gubagoo, Piwik, Inspectlet, and Google all fired and planted 15 identifiers before any interaction. By their own cited rule, the banner is disclosure, not consent.
Block before load, not delete after (ComplyAuto) Fails. Of ~118 scripts on the page, exactly 2 (one financing vendor) were wired into the blocker. Everything else loaded ungated. The product marketed as "block before load" did not block.
Must work; opt-out must actually stop transmission (Healthline; CPPA) Fails. After clicking Deny, 44 of 46 third-party hosts still transmitted: Orbee, Gubagoo, Piwik (full URL + title), Inspectlet, Google. This is the Healthline fact pattern they cite: opted out, ad trackers still firing.
Honor GPC (11 CCR 7025) Fails. The banner recorded the GPC signal (statistics:false, targeting:false) and then ignored it: 33 beacons across 9 hosts fired under GPC. Recording without enforcing.
Symmetrical accept/decline (FTC / Javier) Cosmetically met, substantively fails. The UI is symmetrical, but Deny does not function. Symmetrical options over non-functional enforcement is the deception, not a defense (see UCL row).
Session replay is § 631 wiretap exposure (ComplyAuto; § 631) Fails, and self-created. Inspectlet session recording was still running after the visitor denied. By ComplyAuto's own § 631 framing, their deployment created the wiretap exposure, on a visitor who refused.
Financial-data sites are heightened risk (Ingraham; Popa) Fails. Galpin runs payment/credit/trade-in tools; the two scripts ComplyAuto did gate are the financing vendor, yet the surrounding adtech (Orbee, Google, Stripe) tracked across the site post-Deny. (We captured page URLs/titles and identifiers, not financial form-field payloads; the heightened-risk point is categorical.)
Google/Meta retargeting is CCPA "sharing" (Sephora; 1798.140) Fails. Google ccm/collect (page URL + title) fired after the recorded opt-out: the textbook "sharing" ComplyAuto describes, continuing past the consumer's no.
A misleading banner invites a UCL count (Healthline / UCL) Fails. Their banner is the exhibit. The banner says "Deny marketing cookies," records the denial in the consumer's own browser, and keeps tracking. That is precisely the "deceiving consumers about privacy practices" UCL theory ComplyAuto raises.

For every legal test ComplyAuto marshals against Remora, its own galpinford.com deployment fails. Their legal letter to Remora is ComplyAuto's brief that explains exactly why its own product creates exposure for their clients.

3. ComplyAuto's built-in defense, and why it does not save the dealer

ComplyAuto anticipates this: "When tracking cookies reappear on a site after a denial, the most common cause is scripts the website provider loads outside of, or in conflict with, the consent framework... proper deployment requires the website provider's cooperation."

  1. It concedes the architecture point. ComplyAuto admits its banner cannot block what is not individually wired into it, and that comprehensive blocking requires enforcement at the layer where scripts are emitted, i.e., by the website platform. That is the structural argument for emission-level control, conceded by Comply Auto.
  2. Accountability defeats the blame-shift. ComplyAuto's own headline authority is that "the buck stops with the businesses" (CPPA, Todd Snyder). If the dealer is accountable regardless of whose scripts fired, then "those were the platform's tags, not ours" does not reduce the dealer's exposure. The click-deny visitor was tracked either way, and the dealer holds the liability either way.
  3. Many failures are ComplyAuto's own layer, not the platform's. Recording a GPC signal and then not enforcing it, and using Google Consent Mode that still transmits URL/title/IP after denial, are behaviors of ComplyAuto's own integration, not of scripts the platform loaded around it.

4. On SB 690 (their section 2)

ComplyAuto's rebuttal to a "the law is changing, do nothing" posture is largely correct and reinforces our report. Per the document (and the Troutman Pepper Locke article it cites), SB 690's amended form reaches only the pen-register provisions (§§ 638.50/638.51) and does not touch § 631 wiretapping, which drives the session-replay and pixel-interception claims. Our Galpin findings put weight on both theories, including § 631 session-replay exposure from Inspectlet. If SB 690 passed tomorrow, the § 631 exposure our report identifies would be untouched. Their legal point strengthens ours.

5. Bottom line

On the question being asked: Does ComplyAuto's banner do what it represents? No.

This easily reproducible and preserved evidence confirms that answer by supplying the legal tests ComplyAuto put forward, all of which the banner fails on galpinford.com.

Remora’s Native Privacy Control Framework against Comply Auto's Failures

The architectural difference drives every row

Remora’s advantage is that we control the platform and can route every path through a gate that we control. ComplyAuto's own assertion concedes the point: comprehensive blocking "requires the website provider's cooperation," because a bolt-on banner can only gate scripts that are individually wired into it. Remora is the website provider, so we can enforce at script emission: when tracking is not permitted, so the script is never written into the page the browser receives. There is no client-side race, nothing loads first, and nothing needs to be "caught" after the fact. Solving for California and European privacy standards should be the responsibility of your website provider, as they have the tools to comply with the law. Our solve is solid.

Two enforcing postures sit on top of that engine:

  • opt_in - nothing tracking-related fires until the visitor affirmatively accepts. Prior-consent-safe.
  • opt_out - tracking runs by default; an explicit deny or a GPC signal shuts it off. Not prior-consent-safe on a non-GPC visitor's first visit, by design.

Summary

# Standards ComplyAuto asserted (and failed on their face) Remora framework
1 Consent must precede tracking; a post-tracking banner is disclosure, not consent Pass - in opt_in posture and for GPC visitors
2 Block before load, not delete after Pass - scripts are never emitted when denied/pre-consent (opt_in)/GPC
3 Opt-out must stop transmission Pass - validated: full third-party collapse after deny
4 Honor GPC Pass - both enforcing postures, verified at HTML level
5 Symmetrical, substantive accept/decline Pass - enforcement is substantive (Remora's deny works)
6 Session replay is § 631 wiretap exposure Pass - opt_out stops tracking, first visit is exposed unless opt_in posture is selected
7 Financial-data sites are heightened risk Pass - including the server-side channel CMPs miss; per-form pixels must stay in the surface list
8 Google/Meta retargeting is CCPA "sharing" Pass - full non-loading, no Consent Mode residue
9 A misleading banner invites a UCL count Pass - deny genuinely works

Case by case

1. Consent must precede tracking (Garcia; Javier)

ComplyAuto's banner let Orbee, Gubagoo, Piwik, Inspectlet, Stripe, and Google fire before any interaction, so the banner was disclosure, not consent.

Remora, opt_in mode: cold load contacts zero tracking hosts (functional/asset hosts only, no tracker cookies); a GPC visitor is treated the same. The full dealer stack fires only after an affirmative accept. This is the prior-consent-safe pattern Javier requires.

Remora, opt_out mode: for a non-GPC first-time visitor the stack fires on the first pageview, then stops on deny or GPC. This is the same pre-consent firing Garcia/Javier condemn. It is the default-allow tradeoff.

Verdict: Remora’s framework can satisfy this standard, but only in opt_in (and for GPC visitors in either posture). For a dealer concerned about CIPA exposure, opt_in is the answer. This was discussed on Monday in our client-facing email.

2. Block before load, not delete after (ComplyAuto's own standard)

ComplyAuto marketed "block before load" and in practice gated 2 of ~118 scripts.

Remora: takes "block before load" to its limit - the suppressed script is never sent to the browser at all, so there is nothing to load and nothing to race. When a choice is denied, under GPC, or pre-consent via opt_in mode, the tags are absent from the served HTML.

Verdict: Remora’s framework meets this standard for every suppressed state.

3. Opt-out must actually stop transmission (Healthline; CPPA)

Healthline investigators opted out and 100+ ad trackers kept transmitting. ComplyAuto's banner did the same - deny clicked, 44 of 46 hosts still fired.

Regarding Remora’s method: after an explicit deny, third-party contact collapses to functional/asset hosts only with zero tracking beacons on subsequent navigations including to a VDP. Remora’s opt-out does what it says.

Verdict: With Remora’s privacy controls in place, transmission stops as soon as deny is clicked by the consumer. The scripts that would read those cookies are never emitted.

4. Honor GPC (11 CCR 7025)

ComplyAuto's banner recorded the GPC signal and ignored it - 33 beacons fired under GPC.

Remora: GPC is enforced, not just recorded, on both enforcing postures. This is verifiable in HTML served on the front-end of the consumer facing sites.

Verdict: Remora cleanly respects GPC signals. On Galpin Ford, ignored GPC.

5. Symmetrical, substantive accept/decline (FTC; Javier)

ComplyAuto's UI was symmetrical, but Deny did not function - a non-working control is the deception, not a defense.

Remora: the enforcement behind the control is substantive - deny actually suppresses, and the record of consent (granted/denied) persists through the control in every validated state.

Verdict: Both user interfaces are symmetrical in their accept/decline presentation. However, Remora actually honors the user’s request to deny tracking cookies.

6. Session replay is wiretap exposure (§ 631)

ComplyAuto left Inspectlet session recording running after the visitor denied which is a self-created wiretap exposure.

Remora: session-recording tags are suppressed in the enforcing states.

Verdict: Remora’s security posture stops the recording from happening. ComplyAuto’s posture creates potential wiretap liabilities under CIPA.

7. Financial-data sites are heightened risk (Ingraham; Popa)

Dealer sites carry payment, credit, and trade-in tools; ComplyAuto's banner continued to let adtech track across those pages post-deny.

Remora: suppression applies to every page, including VDPs, and reaches surfaces a cookie banner structurally cannot - notably regarding the server-side Facebook Conversions API share (hashed identifiers + IP sent server-to-server), Remora gates them at the source.

Verdict: Remora’s server-side gate is a genuine differentiator, because that channel is the sensitive-data "share" a client-side CMP never sees.

8. Google/Meta retargeting is CCPA "sharing" (Sephora; 1798.140)

ComplyAuto suppressed Google via Consent Mode only - gtag still loaded and ccm/collect kept transmitting URL/title/IP after deny.

Remora: When denied or under GPC, we enable full non-loading. Zero Google tracking hosts are contacted and there is no Consent Mode residue - zero google.com/ccm/collect under GPC or post-deny. The Meta pixel is suppressed and _fbp flushed; the server-side CAPI share is gated.

Verdict: Remora meets this standard cleanly. ComplyAuto's residual pings fail it.

9. A misleading banner invites a UCL count (Healthline / UCL)

ComplyAuto's banner promised "Deny marketing cookies" and kept tracking - the "deceiving consumers about privacy practices" theory, with their banner as the exhibit.

Remora: The deny path also functions as the CCPA "Do Not Sell or Share" mechanism.

Verdict: The protection holds only while the marketing claims match the validated behavior. Two disciplines must be enforced: do not claim "no tracking before consent" for opt_out (true only of opt_in), and do not claim deletion of third-party-domain cookies. A claim that overstates the behavior introduces the UCL exposure Comply Auto references.

Bottom line

On all nine rows where ComplyAuto's banner failed a standard that ComplyAuto itself asserted, the Remora framework meets its burden. On GPC, opt-out enforcement, full Google non-loading, and the server-side share, Remora’s tool do the job cleanly and with production evidence.










*By submitting contact information on this website, you are consenting to receive calls, SMS, and emails from Remora Inc.. You certify that you are the owner of the contact information provided. Message and data rates may apply. You can reply STOP to opt-out of further messaging.