Most websites load far more third-party trackers than their owners realize, and each one collects user data the site never audited: browsing behavior, form input, device fingerprints, and cross-site identifiers. This creates security risk, legal exposure under GDPR and CCPA, and a trust problem with users. The fix starts with visibility: scan for every tracker, then remove what you cannot justify.
- Session recorders can capture passwords, card numbers, and health data typed into forms, even when vendors claim to mask sensitive fields
- Canvas and font fingerprinting identify users without cookies, undermining cookie consent mechanisms entirely
- If your consent banner does not match what your trackers actually do, you have a compliance gap regulators can act on
Load any popular website and open your browser's developer tools. Watch the network tab fill with requests to domains you have never heard of. Each one is a third-party tracker, silently collecting data about your users. Most website owners have no idea how many trackers are on their site, what data they collect, or where that data goes.
This is not just a privacy problem. It is a security risk, a legal liability, and increasingly, a business risk.
What do third-party trackers actually do?
Third-party trackers are scripts loaded from external domains that collect data about your users' behavior. They come in several forms:
- Analytics trackers: Google Analytics, Facebook Pixel, and similar tools that monitor page views, click patterns, and conversion funnels.
- Advertising trackers: Scripts that build user profiles for targeted advertising, often sharing data across hundreds of websites.
- Session recorders: Tools like Hotjar or FullStory that record mouse movements, clicks, scrolls, and in some cases, keystrokes. These can inadvertently capture sensitive data entered into forms.
- Canvas fingerprinters: Scripts that use the HTML5 Canvas API to generate a unique identifier for each browser, enabling tracking without cookies.
- Font fingerprinters: Similar to canvas fingerprinting, these enumerate installed fonts to create a browser fingerprint.
- Social widgets: Like buttons, share buttons, and embedded content from social media platforms that track users across sites.
How do sites end up with dozens of trackers?
No one intentionally builds a website with 40 trackers. It happens incrementally. Marketing adds Google Analytics. Then Facebook Pixel for ad campaigns. Then a heat mapping tool to understand user behavior. Then a chat widget. Then an A/B testing platform. Each addition seems reasonable in isolation.
But the cumulative effect is a surveillance infrastructure that most website owners do not fully understand. Each tracker can see:
- Which pages the user visits and in what order
- How long they spend on each page
- What they click on and type
- Their approximate location, device type, and browser configuration
- A unique identifier that follows them across every website using the same tracker
Which tracker categories capture what?
Different tracker types create very different levels of exposure. Here is what each category typically collects:
| Tracker category | What it can capture |
|---|---|
| Analytics trackers | Page views, click patterns, conversion funnels, time on page |
| Advertising trackers | Cross-site user profiles shared across hundreds of websites |
| Session recorders | Mouse movements, clicks, scrolls, and keystrokes, including sensitive form input |
| Canvas fingerprinters | A unique per-browser identifier that works without cookies or consent |
| Font fingerprinters | Installed font lists combined into a persistent browser fingerprint |
| Social widgets | Cross-site browsing activity tied to the user's social media identity |
Which privacy risks are easy to miss?
Session recorders capture sensitive data
Session recording tools are designed to capture user interactions for UX analysis. But they often capture more than intended. Credit card numbers typed into payment forms, passwords entered during login, medical information submitted through health portals. Even when vendors claim to mask sensitive fields, the masking is often incomplete or misconfigured.
Canvas fingerprinting defeats cookie consent
Users who decline cookies expect not to be tracked. Canvas fingerprinting generates a unique identifier from how the browser renders invisible graphics. It works without cookies, without local storage, and without the user's knowledge or consent. This directly undermines cookie consent mechanisms.
Data flows to unknown parties
When you add a third-party script to your site, you are trusting that vendor's entire supply chain. Many trackers load additional scripts from other third parties, creating a chain of data access that the website owner never authorized and cannot audit.
What is the legal exposure?
Privacy regulations including GDPR, CCPA, and emerging state-level privacy laws require informed consent for data collection and clear disclosure of what data is collected and by whom. Most cookie consent banners are legally insufficient because they do not accurately represent what the trackers on the site actually do.
If your privacy policy says you use Google Analytics and a few essential cookies, but your site actually loads 30 trackers including canvas fingerprinters and session recorders, you have a compliance gap that regulators can act on. Closing that gap is rarely just a banner update; it usually means reconciling your actual data flows with your disclosures, which is exactly the work a structured GDPR compliance program is built around.
How do you assess your exposure?
Understanding your tracker exposure requires more than checking your tag manager. You need to analyze:
- Every third-party domain your site communicates with
- What type of tracking each script performs (analytics, fingerprinting, session recording)
- Whether canvas or font fingerprinting is occurring
- Whether session recorders are capturing form data
- What cookies are being set by third-party domains
- Whether behavioral event listeners are monitoring user interactions
OnScanner's deep privacy analysis automates this assessment. It scans your site live across 40+ privacy and tracker categories, identifies fingerprinting techniques, detects session recorders, and generates a privacy score that quantifies your exposure. This gives you a clear, actionable picture of what your site is actually doing to your users' data. For a deeper look at how privacy scanning detects fingerprinting and consent violations, see this guide to website privacy scanning.
What actions should you take?
Start with visibility. You cannot fix what you cannot see. Audit every third-party script on your site. For each one, ask: what data does it collect, where does it send that data, and do we have informed consent for this collection?
Remove trackers you do not actively use. Evaluate whether each remaining tracker provides value that justifies the privacy cost. Implement proper consent mechanisms that accurately reflect your data collection practices. And monitor continuously, because new trackers can be added by team members, plugins, or third-party script updates without your knowledge.
Your users trust you with their data. Make sure you know exactly what is happening to it.
Frequently asked questions
How do I find out how many trackers my website loads?
Open your browser's developer tools and watch the network tab, or run an automated privacy scan that classifies every third-party request. Manual inspection catches the obvious scripts, but it misses trackers loaded by other trackers and fingerprinting that leaves no cookie behind. An automated scan across all tracker categories gives you a complete, repeatable inventory you can compare over time.
Does canvas fingerprinting require user consent under GDPR?
Privacy regulators treat fingerprinting as personal data processing, so the same consent and disclosure obligations apply as with cookies. The practical problem is that fingerprinting operates invisibly: users who decline cookies are often fingerprinted anyway, and the site owner may not even know a third-party script is doing it. If fingerprinting happens on your site, your consent mechanism needs to cover it.
Are session recording tools safe to use on payment or login pages?
They carry real risk. Session recorders capture keystrokes and form interactions, and vendor masking of sensitive fields is often incomplete or misconfigured. Card numbers, passwords, and medical details have all been captured unintentionally. If you use session recording, exclude payment and authentication pages entirely, verify the masking configuration yourself, and periodically test that sensitive input never reaches the vendor.
Comments
0 discussionsNo comments yet. Be the first to share your thoughts.