Detecting Third-Party Trackers on Your Site

Find third-party trackers on your site before launch. See what LaunchTrust detects, why GDPR and ePrivacy care, and how to handle consent.

Updated 2026-06-19 | third party trackers on my site | Signals, not a verdict

When you drop in an analytics snippet or a marketing pixel, your site quietly starts sending visitor data to companies your users never chose to deal with. That is normal product practice, but it carries obligations. If you serve anyone in the EU or UK, loading non-essential trackers before the visitor consents is one of the most common reasons sites draw complaints under GDPR and the ePrivacy rules. This page explains what a third-party tracker is, what LaunchTrust looks for, and what to do about what it finds.

A "third-party tracker" here means a script loaded from a domain you do not control that collects or transmits behavioral data: analytics, advertising pixels, session-replay tools, and similar. Their presence is not automatically a problem. The problem is loading them without a lawful basis, without disclosure, or before the user has agreed.

What LaunchTrust checks

The tracking_scripts detector fetches your page's HTML and scans it for the signatures of common third-party tracking and analytics services. Specifically, it matches script sources and inline call patterns for:

  • Google Analytics / Google Tag Manager (googletagmanager.com, google-analytics.com, gtag(, ga()
  • Meta Pixel (connect.facebook.net, fbq()
  • TikTok Pixel (analytics.tiktok.com, ttq.)
  • Hotjar (static.hotjar.com, hjid)
  • Mixpanel (cdn.mxpnl.com, mixpanel)
  • Segment (cdn.segment.com / .io)
  • LinkedIn Insight Tag (snap.licdn.com)

This detector has a risk polarity. That is the opposite of most LaunchTrust checks. For a privacy policy or HTTPS, "detected" is the signal you want. Here, "detected" means LaunchTrust found something whose presence you should review, not a missing item you need to add.

  • Detected (severity: medium): one or more of the tracker signatures above appeared in your page HTML. The finding lists which ones, with a reminder to confirm consent and privacy-policy disclosure.
  • Not detected (severity: info): none of the common signatures matched in the page that was scanned. This is an informational result, not a clean bill of health — see the limits below.

Two limits matter. First, the detector reads the static HTML it receives — trackers injected later by JavaScript, a tag manager, or a consent tool after page load may not appear. Second, it matches a known list of services. A custom or less common tracker can be present and still return "not detected." This is a signal, not an inventory.
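
The check described above can be sketched as follows. This is an added example, not LaunchTrust's own code: the signature strings are the ones listed on this page (reading "gtag(", "ga(" and "fbq(" as call-pattern prefixes), while the matching rules, function names and sample pages are assumptions constructed for illustration.

```javascript
// Added example, not LaunchTrust's code. Signature strings come from the list
// above; the matching rules (script tags only, identifier boundary) are assumptions.
const SIGNATURES = {
  "Google Analytics/GTM": ["googletagmanager.com", "google-analytics.com", "gtag(", "ga("],
  "Meta Pixel": ["connect.facebook.net", "fbq("],
  "TikTok Pixel": ["analytics.tiktok.com", "ttq."],
  "Hotjar": ["static.hotjar.com", "hjid"],
  "Mixpanel": ["cdn.mxpnl.com", "mixpanel"],
  "Segment": ["cdn.segment.com", "cdn.segment.io"],
  "LinkedIn Insight Tag": ["snap.licdn.com"],
};

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Collect the attributes (src) and inline body of every <script> element.
function scriptText(html) {
  return [...html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)]
    .map((m) => m[1] + "\n" + m[2])
    .join("\n");
}

function scanHtml(html) {
  const text = scriptText(html);
  const trackers = Object.entries(SIGNATURES)
    // The lookbehind stops "ga(" from matching inside names such as "startSaga(".
    .filter(([, sigs]) => sigs.some((s) => new RegExp("(?<![\\w$])" + escapeRe(s)).test(text)))
    .map(([name]) => name);
  return trackers.length
    ? { status: "detected", severity: "medium", trackers }
    : { status: "not detected", severity: "info", trackers };
}

// Constructed sample pages (G-EXAMPLE and the pixel id are placeholders).
const PAGE_STATIC = `
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>function gtag(){dataLayer.push(arguments);} gtag('js', new Date());</script>
<script>fbq('init', '000000000000000'); fbq('track', 'PageView');</script>`;

// Limit 1: the page only references a first-party loader; whatever that loader
// injects at runtime never appears in the static HTML.
const PAGE_DEFERRED = `
<script src="/assets/consent-loader.js"></script>
<script>startSaga();</script>`;

console.log(scanHtml(PAGE_STATIC));
console.log(scanHtml(PAGE_DEFERRED));
```

The second page returns "not detected" at severity info even though its loader may add trackers after page load, which is why that result needs confirming in the browser's network tab.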

Why it matters

Under the EU ePrivacy rules (the "cookie law"), storing or reading information on a user's device — which most of these trackers do — generally requires prior, informed consent unless the activity is strictly necessary to provide the service the user asked for. Analytics and advertising pixels are almost never "strictly necessary." So in practice, trackers like these should load after consent, not on first paint.

GDPR adds a second layer. Any personal data these services process needs a lawful basis, and your users need to be told who receives their data and why. That disclosure normally lives in your privacy policy and is surfaced through your consent banner. A page that fires Meta Pixel and Google Analytics on load, with no banner and no policy entry, is exposed on both fronts.

This is why the detector reminds you to pair detected trackers with consent and disclosure. The trackers themselves are fine; loading them silently is the gap.

A concrete example

A typical finding looks like this:

tracking_scripts — detected (medium)
third-party trackers present: Google Analytics/GTM, Meta Pixel —
ensure consent + privacy-policy disclosure

That tells you two services were spotted in the page source. Your next questions are: do these fire before or after consent, and are both named in your privacy policy and consent banner? If the answer to either is "before" or "no," you have something concrete to fix.

How to address it

  1. Inventory what actually loads. Open your browser's network tab on a fresh visit and list every third-party request. Confirm whether each fires on load or after consent. This catches trackers the static scan can miss.
  2. Gate non-essential trackers behind consent. Do not load analytics or advertising scripts until the user opts in. A consent management tool or tag manager with consent mode can hold them until the banner is answered.
  3. Disclose every recipient. Name each tracking service, the data it collects, and its purpose in your privacy policy. Keep the list in sync with what is actually deployed.
  4. Offer a real choice. Your consent banner should let users decline non-essential trackers as easily as they accept, and your site should honor that choice.
  5. Honor browser signals. Where applicable, respect Global Privacy Control so users who have set a do-not-sell/share preference are not tracked for those purposes.
  6. Remove what you do not use. The cleanest fix for an unwanted tracker is deleting the snippet. Fewer recipients means less to disclose and defend.
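
Steps 2, 4 and 5 can be combined in one small loader. This is an added example, not LaunchTrust's code or any vendor's snippet: the purpose names, the shape of the consent object, the onConsent hook and the decision to treat advertising as the purpose covered by Global Privacy Control are assumptions, and G-EXAMPLE is a placeholder id.

```javascript
// Added example, not LaunchTrust's code. Purpose names, the consent object shape
// and the GPC-to-advertising mapping are assumptions; ids are placeholders.
const TRACKERS = [
  { name: "Google Analytics/GTM", purpose: "analytics",
    src: "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE" },
  { name: "Meta Pixel", purpose: "advertising",
    src: "https://connect.facebook.net/en_US/fbevents.js" },
];

// Steps 2 and 4: only an explicit opt-in (true) loads a tracker; a missing or
// declined purpose loads nothing. Step 5: GPC blocks advertising regardless.
function allowedTrackers(consent, gpcEnabled) {
  return TRACKERS.filter((t) => {
    if (consent[t.purpose] !== true) return false;
    if (gpcEnabled && t.purpose === "advertising") return false;
    return true;
  });
}

// env supplies the side effects so the decision logic can be tested off-browser.
function applyConsent(consent, env) {
  const loaded = [];
  for (const t of allowedTrackers(consent, env.gpc)) {
    if (env.loaded.has(t.src)) continue; // never inject the same script twice
    env.inject(t.src);
    env.loaded.add(t.src);
    loaded.push(t.name);
  }
  return loaded;
}

// Browser wiring: nothing is injected until the banner calls onConsent().
if (typeof document !== "undefined") {
  const env = {
    gpc: navigator.globalPrivacyControl === true,
    loaded: new Set(),
    inject(src) {
      const s = document.createElement("script");
      s.async = true;
      s.src = src;
      document.head.appendChild(s);
    },
  };
  window.onConsent = (consent) => applyConsent(consent, env);
}
```

Each vendor's own initialisation call belongs after its script has been injected, so it is gated by the same decision.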

Check this in 30 seconds

Run your URL through LaunchTrust's free scanner and the tracking_scripts check will list the third-party trackers it can see in your page source, alongside related checks like your cookie consent banner and privacy policy. It is a fast way to spot a pixel you forgot was still installed, or to confirm a marketing tag did not sneak onto a page where it does not belong — before a visitor, or a regulator, points it out for you.

FAQ

Does finding no trackers mean my site is private or in the clear? No. LaunchTrust matches a known list against the static HTML it receives. A "not detected" result means none of those common signatures appeared — it does not prove there are zero trackers, and it is not a legal judgment about your site. Verify with your browser's network tab.

Are third-party trackers against the law? Not by themselves. The concern is loading non-essential trackers without consent, or without disclosing them. Used with a proper consent flow and a privacy policy that names them, common analytics and pixels can be deployed lawfully in most cases.

Why is this flagged as a risk instead of something I should add? Most checks look for a signal you want present, like a privacy policy. This one is reversed: it surfaces something whose presence you should review. "Detected" is a prompt to confirm consent and disclosure, not a sign your site is broken.

Does this prove my app meets the law? No — it surfaces signals, not a verdict. LaunchTrust reports what its scanner can and cannot see; it does not certify your site, guarantee approval, or provide legal advice. Treat the findings as a checklist to discuss with a qualified advisor where the stakes warrant it.

Compliance aid, not legal advice. LaunchTrust reports signals, not a verdict or certification.