Third-Party Tracking on Your Website: Find Hidden Cookies and Obtain Consent
Steven | TrustYourWebsite · 20 April 2026 · Last updated: April 2026
Many website owners are unaware that their sites track visitors without explicit consent. These trackers are installed by themes, plugins, third-party scripts, or marketing agencies. Under UK PECR Regulation 6 and UK GDPR Article 6, you are liable for all tracking on your site, regardless of who installed it.
How Third-Party Tracking Happens
When you install a WordPress theme, Shopify app, or website plugin, the vendor may include tracking scripts that send visitor data to external companies. Common examples:
- Google Analytics 4 (via Google Tag Manager or direct embed): tracks page views, clicks, scrolls, event data
- Facebook Pixel: tracks visitors across the web for retargeting ads
- Google Ads Conversion Tracking: monitors purchase confirmations
- Hotjar: records session replays and heatmaps (visitor behavior analysis)
- Intercom or other chat widgets: log browsing behavior and conversations
- Google Maps embedded on your contact page: transmits visitor IP address to Google
- YouTube embeds: set tracking cookies and transmit viewer data to Google
- Social media buttons or feeds (Instagram, Twitter and TikTok): track clicks and shares
- Wordfence or Sucuri security plugins: may include analytics and malware scanning calls to external servers
Each of these sends personal data (visitor IP address, cookies, browsing behavior, event data) to external companies. You have no visibility unless you check.
Legal Obligations Under PECR and GDPR
PECR Regulation 6 states: "A person shall not store or access information" on a user's device "unless the user has consented to the storage or access of the information on that equipment."
"Information" includes cookies, localStorage, sessionStorage, pixels, and any identifier enabling tracking.
Exceptions exist only for cookies "strictly necessary" for the website to function (session ID, authentication token, language preference). Everything else requires prior consent.
GDPR Article 6(1) requires a "lawful basis" for processing personal data. For non-essential cookies and analytics, the lawful basis is consent (Article 6(1)(a)). You cannot rely on legitimate interests to place analytics cookies; under the ePrivacy Directive (now implemented in PECR), explicit consent is mandatory.
The 2019 CJEU ruling in Planet49 (Case C-673/17) established that "only active behaviour on the part of the data subject" constitutes valid consent. Pre-ticked checkboxes are invalid. Users must actively click "I consent" or tick an unchecked box.
Audit Your Website: Finding Hidden Trackers
Open your website in a browser. Press F12 to open Developer Tools. Click the Network tab.
Reload the page. You will see dozens of network requests to external domains. Look for:
- google-analytics.com or analytics.google.com: Google Analytics
- facebook.com or connect.facebook.net: Facebook Pixel
- doubleclick.net: Google Ads and DoubleClick
- hotjar.com: Heatmap and session recording
- youtube.com: Embedded video player
- maps.google.com: Embedded Google Maps
- intercom.io and drift.com: Live chat
- cloudflare.com: CDN, bot management, analytics
- recaptcha.net: Google reCAPTCHA (also tracks, to some extent)
Each of these requests sends your visitor's data to that external company. If the request loads before the user has consented, you are violating PECR Regulation 6.
Step 2: Check Which Trackers Load Before Consent
Open your website in an incognito/private browser window (to avoid cached consent). Open Developer Tools again (F12). Reload the page and immediately look at which requests fire before any interaction.
If you see google-analytics.com, facebook.com, doubleclick.net, or similar loading in the first second, your site is collecting data without consent.
If a cookie banner appears, click "Reject all" and reload. Use the browser's Developer Tools Cookies panel (F12 > Application > Cookies) to check whether any third-party cookies persist after you rejected them. If they do, those cookies were set without consent (a violation).
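The audit in Steps 1 and 2 can be run over a saved DevTools HAR export instead of by eye. This is an added example, not code from the original post: it classifies captured requests against the tracker domains listed above and flags any that fired before the banner click, or at all after "Reject all". The function names, the `rejected` flag and the sample entries are constructed for the example.

```javascript
// Added example (not from the original post). Entries mirror a DevTools HAR
// export (url + startedDateTime); SAMPLE_ENTRIES is constructed data.
// Domain -> tracker label, from the audit list above.
const TRACKER_DOMAINS = {
  'google-analytics.com': 'Google Analytics',
  'analytics.google.com': 'Google Analytics',
  'facebook.com': 'Facebook Pixel',
  'connect.facebook.net': 'Facebook Pixel',
  'doubleclick.net': 'Google Ads / DoubleClick',
  'hotjar.com': 'Hotjar',
  'youtube.com': 'YouTube embed',
  'maps.google.com': 'Google Maps embed',
  'intercom.io': 'Intercom chat',
  'drift.com': 'Drift chat',
  'recaptcha.net': 'Google reCAPTCHA',
};
// Match the request host, including subdomains (www.google-analytics.com,
// region1.analytics.google.com), against the list.
function trackerFor(url) {
  const host = new URL(url).hostname.toLowerCase();
  for (const domain of Object.keys(TRACKER_DOMAINS)) {
    if (host === domain || host.endsWith('.' + domain)) return TRACKER_DOMAINS[domain];
  }
  return null;
}
// consentAt: ISO time of the banner click; rejected: true if "Reject all" was
// clicked. A tracker request before the click, or any tracker request after a
// rejection, is the PECR Regulation 6 problem described above.
function auditRequests(entries, consentAt, rejected) {
  const consentTs = Date.parse(consentAt);
  const findings = [];
  for (const e of entries) {
    const tracker = trackerFor(e.url);
    if (!tracker) continue;
    const beforeConsent = Date.parse(e.startedDateTime) < consentTs;
    findings.push({ tracker, host: new URL(e.url).hostname, beforeConsent,
                    violation: beforeConsent || rejected });
  }
  return findings;
}
// Constructed sample: incognito page load, "Reject all" clicked at 12:00:03.
const SAMPLE_ENTRIES = [
  { url: 'https://www.example.com/', startedDateTime: '2026-04-20T12:00:00.000Z' },
  { url: 'https://www.google-analytics.com/g/collect?v=2', startedDateTime: '2026-04-20T12:00:01.200Z' },
  { url: 'https://connect.facebook.net/en_US/fbevents.js', startedDateTime: '2026-04-20T12:00:01.500Z' },
  { url: 'https://www.youtube.com/embed/example', startedDateTime: '2026-04-20T12:00:05.000Z' },
];
```

Run `auditRequests(SAMPLE_ENTRIES, '2026-04-20T12:00:03.000Z', true)` to see the three findings; the first-party request is ignored and the YouTube embed is still a finding because it loaded after a rejection.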
Step 3: Review Your Cookie Banner
A compliant cookie banner must:
- Appear before non-essential cookies load
- Provide an explicit, unambiguous "Reject all" button
- Make "Reject all" equally prominent as "Accept all" (no dark patterns: grayed-out text, hidden button, smaller font)
- Allow granular consent: separate analytics, advertising, and functional cookies so users can consent to some and reject others
- Include a "Manage preferences" link to change consent after accepting
The ICO's 2025 review of the UK's top 1,000 websites found:
- 134 out of 200 audited websites failed cookie compliance standards
- 60% of cookie-related complaints involved sites not offering a reject option
- 30% of the top 100 UK sites were setting advertising cookies without valid consent
If your cookie banner fails any of the above points, update it immediately.
Step 4: Implement Consent Gates for Non-Essential Trackers
The safest approach is to prevent non-essential trackers from loading until consent is given. Use a cookie consent platform (Cookiebot, OneTrust, Usercentrics) or implement conditional code:
// Only load Google Analytics once the visitor has consented to analytics
if (localStorage.getItem('consent_analytics') === 'true') {
  // Inject the GA4 tag script; replace G-XXXXXXXXXX with your measurement ID
  const script = document.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX';
  document.head.appendChild(script);
}
This ensures trackers never fire without consent.
For embedded services (Google Maps, YouTube, Hotjar), load a static placeholder image initially, and only load the interactive version after consent:
<!-- Before consent: static image -->
<img src="map-placeholder.jpg" alt="Click to load map">
<!-- After consent: embed Maps -->
<iframe src="https://www.google.com/maps/..."></iframe>
Step 5: Update Your Privacy Policy
Your privacy policy must disclose every third-party tracker. For each, state:
- Service name and vendor (e.g., Google Analytics, Facebook Pixel)
- What data it collects (IP address, cookies, event data and device info)
- Why you use it (website traffic analysis, advertising retargeting and user experience optimization)
- How long data is retained (most vendors retain for 2 years)
- Users' rights (right to opt out and right of access)
Example paragraph:
"We use Google Analytics 4 to analyze website traffic and user behavior. Google stores IP addresses and cookies in its servers for 24 months. You can opt out by using the opt-out browser extension. Our legal basis is your prior consent via our cookie banner."
Step 6: Update Contracts with Third Parties
If you use a website builder (Wix, Squarespace), theme vendor, or plugin developer, and they have installed trackers, you must ensure they have a Data Processing Agreement (DPA) in place.
A DPA clarifies who is the data controller (you or the vendor) and who is the processor (the vendor or a sub-processor). It must address GDPR compliance, including data subject rights and security obligations.
Most established vendors (Google, Shopify, Mailchimp, HubSpot) provide DPAs by default. Smaller developers may not. Request one in writing.
Google Analytics: Special Case
Google Analytics 4 (GA4) collects data that may be transmitted to Google's US servers. Under UK GDPR, this raises concerns about adequacy (whether the US provides equivalent data protection to the UK).
To mitigate: enable IP anonymization (remove the last octet of the IP address before transmission) and use Google Consent Mode v2. Consent Mode v2 allows GA4 to operate in a privacy-preserving way:
- If the user consents to analytics, GA4 sends full event data
- If the user rejects, GA4 sends only anonymized, non-identifying data (e.g., page count, bounce rate in aggregate, without individual user identifiers)
This approach is more compliant under UK GDPR because it avoids transmitting personal data to the US without explicit consent, while still providing useful analytics.
Consent Mode v2 is mandatory if you target EU or UK users with Google Ads.
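The Consent Mode v2 behaviour above, together with the consent gate from Step 4, as an added example that is not code from the original post: all four consent signals default to "denied" before any tag runs, the banner's granular choices are mapped onto those signals, and only the scripts whose category was granted are allowed to load. `dataLayer` and `gtag` are the standard GA4 snippet (`window.dataLayer` in a browser); `setConsentDefaults`, `applyBannerChoice` and `scriptsAllowed` are names assumed for this example.

```javascript
// Added example, not from the original post. dataLayer/gtag are the standard
// GA4 snippet; the other function names are assumed for this example.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// Consent Mode v2 signals; ad_user_data and ad_personalization are the two
// added in v2 and required when Google Ads targets EU/UK users.
const CONSENT_SIGNALS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// Run before any tracker script: everything denied until the user acts, so GA4
// sends only cookieless, aggregated pings (the "user rejects" case above).
function setConsentDefaults() {
  const defaults = {};
  for (const s of CONSENT_SIGNALS) defaults[s] = 'denied';
  defaults.wait_for_update = 500; // ms to wait for the banner before the first hit
  gtag('consent', 'default', defaults);
  return defaults;
}

// Map the banner's granular categories (Step 3) to Consent Mode signals. Only an
// explicit true (an active click, per Planet49) grants anything; a missing
// value stays denied.
function consentUpdateFor(choice) {
  const ads = choice.advertising === true ? 'granted' : 'denied';
  return {
    analytics_storage: choice.analytics === true ? 'granted' : 'denied',
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
  };
}

// Called from the banner's Accept / Reject / Save-preferences handlers.
function applyBannerChoice(choice) {
  const update = consentUpdateFor(choice);
  gtag('consent', 'update', update);
  return update;
}

// Step 4 gate: which tracker scripts may now be injected. GA4 is analytics,
// Facebook Pixel is advertising; strictly-necessary scripts are never gated.
function scriptsAllowed(update) {
  const allowed = [];
  if (update.analytics_storage === 'granted') allowed.push('https://www.googletagmanager.com/gtag/js');
  if (update.ad_storage === 'granted') allowed.push('https://connect.facebook.net/en_US/fbevents.js');
  return allowed;
}
```

Call `setConsentDefaults()` in the page head before gtag.js is injected, then `applyBannerChoice(...)` from the banner; in a browser, feed `scriptsAllowed(...)` to the script-injection code from Step 4.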
Facebook Pixel: High-Risk Tracker
Facebook Pixel transmits user browsing data to Meta's servers, including event data (product viewed, added to cart, purchased) and personal identifiers (email, phone) when you use Pixel's "Conversions API."
This is a high-risk tracker and should be gated behind explicit consent. Even with Consent Mode equivalents, consider whether the risk-benefit trade-off justifies its use. Small businesses without significant Facebook ad budgets may remove it entirely.
Action Plan
- Audit your site using browser DevTools Network tab. List all third-party domains.
- Test your cookie banner: click "Reject all" and verify that non-essential trackers do NOT load.
- If trackers load without consent, implement a cookie consent platform and gate non-essential scripts behind consent checks.
- Update your privacy policy to disclose all third-party trackers and users' rights.
- Request Data Processing Agreements from theme vendors, plugin developers and analytics platforms.
- Enable IP anonymization and Consent Mode v2 in Google Analytics.
- Review and possibly remove high-risk trackers (Facebook Pixel and Hotjar) unless you have a strong business justification.
Most small business sites can complete this audit and remediation in an afternoon.