Audit of all third-party scripts documents data collection; undisclosed trackers flagged
Why it matters
GDPR Art. 13 requires controllers to disclose the recipients, or categories of recipients, of personal data at the point of collection. ePrivacy Directive Art. 5(3) requires prior consent before anything is stored on or read from the user's terminal equipment unless it is strictly necessary for a service the user asked for, which covers every non-essential tracking script. An undisclosed third-party script (a Facebook Pixel added via Google Tag Manager, a Hotjar session recorder, a LinkedIn Insight Tag) is therefore a double violation: personal data is transferred to a recipient the privacy policy does not name, and it is transferred without consent. CCPA §1798.120 grants the right to opt out of the sale or sharing of personal information, where sharing means disclosure to third parties for cross-context behavioral advertising; a pixel the user has never been told about cannot be opted out of. The core failure mode in AI-built apps is that tracking scripts accumulate across development sessions while the consent banner, cookie register and privacy policy are never updated to match.
Severity rationale
Info because undisclosed scripts are a compliance gap rather than an immediate security threat, but each undisclosed script that loads before consent is a distinct ePrivacy and GDPR Art. 13 violation.
Remediation
Audit every layout file for third-party script tags, then verify each one is disclosed in the privacy policy and gated behind consent.
Script audit — check these files:
- app/layout.tsx (Next.js root layout)
- pages/_document.tsx (Next.js custom document)
- public/index.html (CRA / Vite)
- index.html (SvelteKit, Astro)
For each <Script> or <script> tag found:
1. Identify vendor and purpose (GA4, Facebook Pixel, Hotjar, Intercom, etc.)
2. Confirm it appears in the privacy policy under "Third-party services"
3. Confirm it is classified in the cookie register under the correct category
4. Confirm it is gated behind the matching consent category
(analytics scripts behind analytics consent; marketing behind marketing)
If using Google Tag Manager:
- GTM injects scripts not visible in your codebase
- Audit the GTM container: GTM → Admin → Container → Tags → list all active tags
- Or use browser DevTools Network tab to capture all third-party requests during a session
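The procedure above, as an added example that is not part of the original page or of any project it describes: a static pass over a layout file plus an on-the-wire pass over request URLs copied from the DevTools Network tab, both compared against the cookie register. The vendor table, the sample `_document.tsx` fragment, the sample request list, the register and the first-party host are all constructed for this example; extend the table to whatever vendors your own register names.

```javascript
// Added example (not from the original page): a static and on-the-wire third-party script
// audit that compares what actually loads against the cookie register. The vendor table,
// the sample layout file, the sample request list and the register are all constructed here.

// Known tracker URLs -> vendor and the consent category that vendor normally belongs to.
// Assumed for this example; extend it to every vendor named in your own cookie register.
// googletagmanager.com serves both the GTM container (gtm.js) and GA4 (gtag/js), so the
// path is needed to tell them apart.
const VENDOR_RULES = [
  { host: "googletagmanager.com", path: "/gtm.js", vendor: "Google Tag Manager", category: "tag-manager" },
  { host: "googletagmanager.com", path: "/gtag/js", vendor: "Google Analytics", category: "analytics" },
  { host: "google-analytics.com", vendor: "Google Analytics", category: "analytics" },
  { host: "connect.facebook.net", vendor: "Facebook Pixel", category: "marketing" },
  { host: "facebook.com", path: "/tr", vendor: "Facebook Pixel", category: "marketing" },
  { host: "snap.licdn.com", vendor: "LinkedIn Insight Tag", category: "marketing" },
  { host: "hotjar.com", vendor: "Hotjar", category: "analytics" },
  { host: "intercom.io", vendor: "Intercom", category: "functional" },
];

function parseUrl(rawUrl, base) {
  try { return new URL(rawUrl, base); } catch { return null; }
}

// Map a script/request URL to a known vendor, or null if the host is not in the table.
function classifyUrl(rawUrl) {
  const u = parseUrl(rawUrl, "https://first-party.invalid/");
  if (!u) return null;
  for (const r of VENDOR_RULES) {
    const hostMatch = u.hostname === r.host || u.hostname.endsWith("." + r.host);
    if (hostMatch && (!r.path || u.pathname.startsWith(r.path))) return { vendor: r.vendor, category: r.category };
  }
  return null;
}

function isFirstParty(rawUrl, firstPartyHosts) {
  const u = parseUrl(rawUrl, "https://" + firstPartyHosts[0] + "/");
  return !!u && firstPartyHosts.some((h) => u.hostname === h || u.hostname.endsWith("." + h));
}

// Static pass: pull script URLs out of a layout/document file. Matches <script src=...> and the
// Next.js <Script src=...> component (JSX braces allowed), plus the loader URLs that the standard
// GTM and Facebook Pixel snippets build inside inline <script> blocks.
function extractScriptSources(source) {
  const urls = new Set();
  for (const m of source.matchAll(/<script\b[^>]*\bsrc\s*=\s*\{?\s*["']([^"']+)["']/gi)) urls.add(m[1]);
  for (const m of source.matchAll(/https?:\/\/[a-z0-9.-]+\/(?:gtm\.js|gtag\/js|en_US\/fbevents\.js)[^"'\s]*/gi)) urls.add(m[0]);
  return [...urls];
}

// GTM container IDs found in source; each one is a tag inventory that must be audited in GTM itself.
function extractGtmContainers(source) {
  return [...new Set(source.match(/GTM-[A-Z0-9]{4,}/g) || [])];
}

// Compare observed URLs (from source or from a captured session) with the cookie register.
// One finding per vendor; first-party URLs are ignored.
function auditInventory(observedUrls, register, firstPartyHosts) {
  const findings = [];
  const seen = new Set();
  for (const url of observedUrls) {
    if (isFirstParty(url, firstPartyHosts)) continue;
    const hit = classifyUrl(url);
    if (!hit) { findings.push({ url, vendor: null, status: "unknown-third-party" }); continue; }
    if (seen.has(hit.vendor)) continue;
    seen.add(hit.vendor);
    const entry = register.find((e) => e.vendor === hit.vendor);
    let status = "ok";
    if (hit.category === "tag-manager") status = "tag-manager-opaque";      // audit the container, not the code
    else if (!entry || !entry.disclosed) status = "undisclosed";            // GDPR Art. 13 gap
    else if (entry.category !== hit.category) status = "category-mismatch"; // e.g. session recording filed as essential
    findings.push({ url, vendor: hit.vendor, expected: hit.category, declared: entry ? entry.category : null, status });
  }
  return findings;
}

// --- Constructed sample input ---------------------------------------------------------------
// A pages/_document.tsx fragment: GA4 via <Script>, a first-party bundle, the standard GTM
// snippet, and Hotjar; placeholder IDs only.
const SAMPLE_DOCUMENT = `
<Script src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX" strategy="afterInteractive" />
<script src="/js/app.js"></script>
<script>(function(w,d,s,l,i){var f=d.getElementsByTagName(s)[0],j=d.createElement(s);
j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXXXX');</script>
<script async src="https://static.hotjar.com/c/hotjar-000000.js?sv=6"></script>`;

// The cookie register as the team currently maintains it: GA4 is filed correctly, Hotjar is
// misfiled as essential, and nothing else is declared.
const SAMPLE_REGISTER = [
  { vendor: "Google Analytics", category: "analytics", disclosed: true },
  { vendor: "Hotjar", category: "essential", disclosed: true },
];
const FIRST_PARTY_HOSTS = ["example.com"];

// Request URLs as copied from the DevTools Network tab during a session with no consent given.
// This is what catches tags injected by GTM, which never appear in the repository.
const SAMPLE_NETWORK = [
  "https://example.com/_next/static/chunks/main.js",
  "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX",
  "https://connect.facebook.net/en_US/fbevents.js",
  "https://www.facebook.com/tr?id=000000&ev=PageView",
  "https://cdn.unknown-vendor.example/beacon.js",
];

function staticAudit() { return auditInventory(extractScriptSources(SAMPLE_DOCUMENT), SAMPLE_REGISTER, FIRST_PARTY_HOSTS); }
function networkAudit() { return auditInventory(SAMPLE_NETWORK, SAMPLE_REGISTER, FIRST_PARTY_HOSTS); }

console.table([...staticAudit(), ...networkAudit()]);
```

Run it with `node audit.js`. The static pass reports GA4 as ok, Hotjar as a category mismatch (declared essential, expected analytics) and the GTM container as opaque; the network pass additionally surfaces the Facebook Pixel, which is in no file and was injected by GTM, as undisclosed, and an unrecognised beacon host as an unknown third party that needs a purpose documented before it can be disclosed. Any status other than `ok` maps onto the fail criteria below.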
Detection
- ID: third-party-script-audit
- Severity: info
- What to look for: Enumerate every relevant item. Scan the codebase for all third-party scripts loaded in the application. Check HTML layout files (layout.tsx, _document.tsx, index.html, app.html), Script components, and dynamically loaded scripts. Inventory: Google Analytics, Google Tag Manager, Facebook Pixel, LinkedIn Insight Tag, Twitter/X Pixel, Hotjar, FullStory, Intercom, Drift, Segment, Heap, Amplitude. For each script, check that it is (1) disclosed in the privacy policy, (2) classified in the cookie register, and (3) gated behind consent (for non-essential scripts). Check for "tag contamination": scripts added by a tag manager that are not tracked in the codebase directly (if GTM is in use, the actual tag inventory is in GTM, not the code).
- Pass criteria: All of the following hold. All third-party scripts are inventoried. Each is disclosed in the privacy policy with its purpose and the data it collects. All non-essential scripts are gated behind consent. No undisclosed trackers found.
- Fail criteria: Scripts are present in the codebase that are not disclosed in the privacy policy. Non-essential scripts load without consent. Unknown scripts with undocumented purposes are found.
- Skip (N/A) when: The application has no third-party scripts (no analytics, no support chat, no social pixels).
- Detail on fail: Example: "Google Analytics and Facebook Pixel found in _document.tsx but neither is disclosed in the privacy policy. Both load unconditionally without consent." or "Google Tag Manager is in use; the tag inventory is not auditable from the codebase and the GTM container may include undisclosed tracking."
- Remediation: Audit and disclose all third-party scripts.
  Script inventory audit (check each file that could load scripts):
  - app/layout.tsx (Next.js root layout)
  - pages/_document.tsx (Next.js custom document)
  - public/index.html (CRA / Vite root)
  - index.html (SvelteKit, Astro)
  For each script found:
  1. Identify its vendor and purpose
  2. Verify it is in the privacy policy under "Third-party services" and "Cookies"
  3. Verify it is gated behind the appropriate consent category
  4. If using GTM: audit the GTM container (GTM → Admin → Container → Tags) and document all active tags
  If GTM is in use and you can't audit it:
  - Use browser DevTools → Network tab to capture all requests made during a session
  - Or use a tool like Blacklight (themarkup.org/blacklight) to detect trackers
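Step 3 of the remediation, gating each script behind its consent category, as an added example that is not part of the original page: the unconditional `<Script>` in the layout is replaced by a loader that injects a vendor's script only once its category has been granted. The inventory, the consent record shape and the vendor URLs are assumptions for this example; in a Next.js app the same decision would drive a conditional `<Script>` in a client component.

```javascript
// Added example (not from the original page): consent-gated loading of third-party scripts.
// The inventory, the consent record shape and the vendor URLs are assumptions for this example.

// The script inventory is the same list the cookie register and privacy policy are written from,
// so an entry cannot load without also being disclosed. Only "essential" may load before consent.
const SCRIPT_INVENTORY = [
  { vendor: "Google Analytics", category: "analytics", src: "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX" },
  { vendor: "Hotjar", category: "analytics", src: "https://static.hotjar.com/c/hotjar-000000.js?sv=6" },
  { vendor: "Facebook Pixel", category: "marketing", src: "https://connect.facebook.net/en_US/fbevents.js" },
];

// Pure decision function. `consent` is the record the banner stores, e.g. { analytics: true,
// marketing: false }; no record at all (first visit, banner not answered) loads nothing that is
// non-essential, which is the opt-in default ePrivacy Art. 5(3) calls for. Only a literal
// `true` counts as granted, so a truthy-but-malformed value never unlocks a category.
function scriptsPermitted(inventory, consent) {
  return inventory.filter((s) => s.category === "essential" || (consent && consent[s.category] === true));
}

// Before: <Script src="https://connect.facebook.net/en_US/fbevents.js" /> placed unconditionally in
// app/layout.tsx, so the pixel fires on every page view regardless of consent.
// After: nothing is in the layout; the banner calls apply(consent) whenever the record changes.
// Idempotent per vendor so that re-applying consent never double-loads a script. Withdrawal is
// not handled here: a script that has already run cannot be unloaded, so revoking a category
// means clearing that vendor's cookies and reloading the page.
function createConsentLoader(doc, inventory) {
  const loaded = new Set();
  return function apply(consent) {
    const newlyLoaded = [];
    for (const s of scriptsPermitted(inventory, consent)) {
      if (loaded.has(s.vendor)) continue;
      const el = doc.createElement("script");
      el.src = s.src;
      el.async = true;
      el.dataset.consentCategory = s.category; // lets an auditor see the gating category in DevTools
      doc.head.appendChild(el);
      loaded.add(s.vendor);
      newlyLoaded.push(s.vendor);
    }
    return newlyLoaded;
  };
}

// Minimal stand-in for `document` so this runs under Node; in the browser pass `document` itself.
function fakeDocument() {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  return { head, createElement: (tag) => ({ tagName: tag.toUpperCase(), dataset: {} }) };
}

// Walk through a typical session: page loads with no record, the user grants analytics only,
// later also grants marketing. Returns what loaded at each step.
function demoSession() {
  const doc = fakeDocument();
  const apply = createConsentLoader(doc, SCRIPT_INVENTORY);
  return {
    beforeBanner: apply(null),
    analyticsOnly: apply({ analytics: true, marketing: false }),
    analyticsAndMarketing: apply({ analytics: true, marketing: true }),
    scriptTags: doc.head.children.map((el) => el.dataset.consentCategory),
  };
}

console.log(JSON.stringify(demoSession(), null, 2));
```

The `data-consent-category` attribute on each injected tag is what makes the remediation auditable: during the Network-tab check described above, every third-party script in the page should carry one, and its category should match the one recorded in the cookie register for that vendor.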
External references
- gdpr · Art. 13 — Information to be provided where personal data are collected from the data subject
- gdpr · Art. 28 — Processor — contractual obligations where a third-party vendor processes personal data on the controller's behalf
- eprivacy · Art. 5(3) — Consent required for tracking scripts that access terminal equipment
- ccpa · §1798.120 — Consumer right to opt-out of sale or sharing with third parties
Taxons
History
- 2026-04-18·v1.0.0·Initial import from data-protection·automated