Every script tag pointing at a third-party domain is a potential data export. The script can read the DOM, read cookies on its own domain, read URL params, read referrer, harvest form inputs (including email fields), and ship all of it to the third party — usually without the site owner realizing exactly what data is going where.
Under GDPR / CCPA / CPRA / Virginia CDPA / Colorado CPA, this matters a lot. "We use Google Analytics" is a consent item. "We use Google Analytics, Facebook Pixel, TikTok Pixel, HubSpot, Intercom, Hotjar, and FullStory" is a much larger consent item with materially different PII exposure per tracker.
The Third-Party Data Leakage Audit detects 22 known trackers on your page and classifies each by PII risk tier.
The four risk tiers
TIER 1 — Session-replay with DOM capture (HIGH-RISK PII)
Captures every keystroke, every click, every form entry. If the user types into a password field, the recording typically masks it — but misconfiguration is common and the raw data transfers regardless.
- FullStory
- Hotjar Session Recording
- LogRocket
- Mouseflow
- Inspectlet
- Smartlook
TIER 2 — Identity-graph ad trackers (HIGH-RISK identity)
Join your visitor to a cross-site identity graph including real name, email, phone, location. Most problematic under GDPR; enabling without consent is a direct violation.
- Facebook Pixel
- TikTok Pixel
- LinkedIn Insight
- X (Twitter) Pixel
- Pinterest Tag
- Snap Pixel
- Reddit Pixel
TIER 3 — Analytics + behavior (MEDIUM risk)
Send aggregate behavior, but often include enough fingerprinting signals to re-identify a visitor. GA4 can be configured in a privacy-preserving way, but its defaults are not.
- Google Analytics 4
- Adobe Analytics
- Mixpanel
- Amplitude
- Segment
- Heap
TIER 4 — CDN / utility (LOW risk, but still third-party)
Send minimal data (IP address, user agent, referrer), but even that is still a data transfer under GDPR and must be disclosed.
- Cloudflare (when used for bot management / RUM)
- Google Fonts (historically disclosed, still debated)
- Intercom / Drift widgets
Plus: consent-state audit
The tool also checks:
- Is a consent banner present?
- Do trackers fire before consent is given? (critical GDPR violation)
- Does the banner let users decline without dark patterns?
- Is there a "reject all" at the same visual weight as "accept all"?
- Are the consent choices persisted (to avoid re-asking)?
Combined with the tracker tier list, this produces a compliance-gap report.
Why this matters in 2026
GDPR enforcement ramped up significantly in 2024-2025. Meta, Google, and TikTok all received nine-figure fines for inadequate consent mechanisms. Regulators increasingly target site operators (who embed the trackers) rather than just the tracker vendors.
If you're a US-only SMB, CCPA/CPRA enforcement has a similar trajectory. California's AG has shown clear willingness to enforce the "Do Not Sell My Personal Information" link and the right-to-delete pathways. Multi-state CPRA-style laws (Virginia, Colorado, Connecticut, Utah, Texas) follow the same enforcement curve.
How to use it
- Go to /tools/third-party-data-leakage-audit/
- Paste a URL
- Tool fetches the page + scans for 22 tracker fingerprints
- Reports each detected tracker with its tier + what data it collects
- Flags consent-before-fire violations
- Copy fix prompt — emits a remediation plan prioritized by regulatory risk
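The two checks described above (matching script hosts against a tracker list and tiering them, and flagging trackers that fire before consent) can be reduced to a small scanner. The code below is an added example, not the tool's own code; the host table is an illustrative subset I chose, and the "fires before consent" heuristic assumes the common CMP convention of holding gated scripts with a non-executable type such as type="text/plain" until consent is granted.

```javascript
// Added example: scan page HTML for third-party script hosts, classify them
// by the risk tiers above, and flag scripts the browser will execute on load.
// Host patterns are an assumed, illustrative subset, not the tool's fingerprint list.
const TRACKER_HOSTS = [
  { host: 'fullstory.com',        name: 'FullStory',          tier: 1 },
  { host: 'static.hotjar.com',    name: 'Hotjar',             tier: 1 },
  { host: 'cdn.logrocket.io',     name: 'LogRocket',          tier: 1 },
  { host: 'connect.facebook.net', name: 'Facebook Pixel',     tier: 2 },
  { host: 'analytics.tiktok.com', name: 'TikTok Pixel',       tier: 2 },
  { host: 'snap.licdn.com',       name: 'LinkedIn Insight',   tier: 2 },
  { host: 'googletagmanager.com', name: 'Google Analytics 4', tier: 3 },
  { host: 'cdn.segment.com',      name: 'Segment',            tier: 3 },
  { host: 'widget.intercom.io',   name: 'Intercom',           tier: 4 },
];

// Script types a browser will not execute. CMPs commonly park trackers as
// type="text/plain" and rewrite the type once consent is given (assumed convention).
const BLOCKED_TYPES = new Set(['text/plain', 'text/template']);

function auditHtml(html, firstPartyHost) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = (attrs.match(/\ssrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    if (!src) continue; // inline scripts are out of scope for this host-based pass
    let host;
    try { host = new URL(src, `https://${firstPartyHost}/`).hostname; } catch { continue; }
    if (host === firstPartyHost) continue; // first-party script, not a data export
    const type = ((attrs.match(/\stype\s*=\s*["']([^"']+)["']/i) || [])[1] || '').toLowerCase();
    const known = TRACKER_HOSTS.find(t => host === t.host || host.endsWith('.' + t.host));
    findings.push({
      host, src,
      name: known ? known.name : 'unknown third party',
      tier: known ? known.tier : null,
      firesBeforeConsent: !BLOCKED_TYPES.has(type), // executes on load unless type-gated
    });
  }
  return findings;
}

// Constructed sample page: one first-party script, one CMP-gated Hotjar tag,
// an ungated Facebook Pixel loader, and a protocol-relative Segment loader.
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script type="text/plain" data-category="analytics" src="https://static.hotjar.com/c/hotjar-123.js?sv=6"></script>
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="//cdn.segment.com/analytics.js/v1/KEY/analytics.min.js"></script>`;
```

Running `auditHtml(SAMPLE_HTML, 'example.com')` reports Hotjar as gated and both the Facebook Pixel and Segment loaders as firing before consent; anything with `tier: null` is a third-party host the table does not know and should be reviewed by hand.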
What the tool can't verify
- Actual data sent. Without instrumenting the tracker's network traffic (which requires a headless browser), the tool identifies the tracker but not the exact payload. For that, use browser devtools or a privacy-specific crawler.
- Server-side forwarding. Trackers can be implemented server-side (via Conversion API / Meta CAPI / Google Measurement Protocol) and invisible to DOM-based audits. Pair with a server-side-tag review.
- Consent management platform correctness. The tool detects CMP presence but can't verify the consent choices actually propagate to the trackers.
Fact-check notes and sources
- GDPR Article 6 (lawful basis): GDPR Article 6 — lawful bases for processing.
- CCPA / CPRA: California AG — CCPA fact sheet.
- Meta €1.2B fine (2023): EDPB press release.
- Google €50M CNIL fine precedent: CNIL decision (2019).
This post is informational, not legal or compliance advice. Mentions of Google, Facebook / Meta, TikTok, LinkedIn, X / Twitter, Pinterest, Snap, Reddit, Adobe, Mixpanel, Amplitude, Segment, Heap, FullStory, Hotjar, LogRocket, Mouseflow, Inspectlet, Smartlook, Cloudflare, Intercom, Drift, and similar products are nominative fair use. No affiliation is implied.