GDPR Art. 13(1)(e) requires controllers to disclose the recipients, or categories of recipients, of personal data at the time it is collected. ePrivacy Directive Art. 5(3) requires prior consent before anything is stored on or read from the user's device unless it is strictly necessary for a service the user asked for, which covers every non-essential tracker. An undisclosed third-party script (a Facebook Pixel added via Google Tag Manager, a Hotjar session recorder, a LinkedIn Insight Tag) is therefore a double violation: personal data is transferred to a recipient the privacy policy does not name, and it is transferred without consent. CCPA §1798.120 grants consumers the right to opt out of the sale or sharing of their personal information, where "sharing" means disclosure to a third party for cross-context behavioral advertising; a pixel the user does not know exists is one they cannot opt out of. The core AI-built app failure mode here is that tracking scripts accumulate over successive development sessions while the consent banner, cookie register and privacy policy are never updated to match.
Severity is info because undisclosed scripts are a compliance gap rather than an immediate security threat, but each undisclosed script that loads before consent is a separate ePrivacy Art. 5(3) and GDPR Art. 13 violation.
Audit every layout file for third-party script tags, then verify each one is disclosed in the privacy policy and gated behind consent.
Script audit — check these files:
- app/layout.tsx (Next.js App Router root layout)
- pages/_document.tsx (Next.js Pages Router custom document)
- public/index.html (CRA) and index.html at the project root (Vite)
- src/app.html (SvelteKit) and src/layouts/*.astro (Astro)
For each <Script> or <script> tag found, including inline snippets that inject a tracker (the Pixel and Hotjar bootstraps create their own <script> element and have no src attribute):
1. Identify vendor and purpose (GA4, Facebook Pixel, Hotjar, Intercom, etc.)
2. Confirm it appears in the privacy policy under "Third-party services"
3. Confirm it is classified in the cookie register under the correct category
4. Confirm it is gated behind the matching consent category (analytics scripts behind analytics consent; marketing behind marketing)
If using Google Tag Manager:
- GTM injects scripts not visible in your codebase
- Audit the GTM container: open the container workspace, go to Tags, and list every active tag; check the currently published version rather than only the draft workspace
- Or use browser DevTools Network tab to capture all third-party requests during a session
ID: data-protection.compliance-documentation.third-party-script-audit
Severity: info
What to look for: Enumerate every relevant item. Scan the codebase for all third-party scripts loaded in the application. Check HTML layout files (layout.tsx, _document.tsx, index.html, app.html), Script components, and dynamically loaded scripts. Inventory: Google Analytics, Google Tag Manager, Facebook Pixel, LinkedIn Insight Tag, Twitter/X Pixel, Hotjar, FullStory, Intercom, Drift, Segment, Heap, Amplitude. For each script: check that it is (1) disclosed in the privacy policy, (2) classified in the cookie register, and (3) gated behind consent (for non-essential scripts). Check for "tag contamination" — scripts added by a tag manager that may not be tracked in the codebase directly (if GTM is in use, the actual tag inventory is in GTM, not the code).
Pass criteria: All of the following conditions are met. All third-party scripts are inventoried. Each is disclosed in the privacy policy with its purpose and the data it collects. All non-essential scripts are gated behind consent. No undisclosed trackers are found.
Fail criteria: Scripts are present in the codebase that are not disclosed in the privacy policy. Non-essential scripts load without consent. Unknown scripts with undocumented purposes found.
Skip (N/A) when: Application has no third-party scripts (no analytics, no support chat, no social pixels).
Detail on fail: Example: "Google Analytics and Facebook Pixel found in _document.tsx but neither is disclosed in the privacy policy. Both load unconditionally without consent." or "Google Tag Manager is in use — tag inventory is not auditable from the codebase; GTM container may include undisclosed tracking."
Remediation: Audit and disclose all third-party scripts:
Script inventory audit (check each file that could load scripts):
- app/layout.tsx (Next.js App Router root layout)
- pages/_document.tsx (Next.js Pages Router custom document)
- public/index.html (CRA) and index.html at the project root (Vite)
- src/app.html (SvelteKit) and src/layouts/*.astro (Astro)
For each script found:
1. Identify its vendor and purpose
2. Verify it is in the privacy policy under "Third-party services" and "Cookies"
3. Verify it is gated behind the appropriate consent category
4. If using GTM: audit the GTM container (open the container workspace and go to Tags; check the published version, not just the draft) and document all active tags
If GTM is in use and you can't audit it:
- Use browser DevTools → Network tab in a fresh browser profile with no stored consent: capture every third-party request before you interact with the banner, then again after accepting, and compare the two lists
- Or use a tool like Blacklight (themarkup.org/blacklight) to detect trackers