Privacy Law · 4 min read

How to Fix Your Website: Removing Unauthorized Trackers

A practical guide for removing unauthorized tracking scripts, implementing consent management, and updating privacy policies to achieve full compliance.

Once you've identified tracking violations, fixing them is doable in a day or two if you have developer support. This guide walks through the process whether you're facing enforcement action or fixing problems proactively.

Step 1: Inventory Your Trackers

You need to know what's actually running before you remove it.

Trackers usually come from three places: a tag manager (Google Tag Manager is the common one), script tags hard-coded into your HTML templates, and CMS plugins or apps (WordPress plugins, Shopify apps). One tag can also load others, so a single GTM container or "all-in-one" marketing plugin may be pulling in several vendors.

In Google Tag Manager, log in and open Workspace → Tags. Write down every tag, not just the ones whose trigger is "All Pages" or "Initialization": tags that fire on clicks, form submits, or scroll depth are still trackers. Note which are tracking/analytics (Facebook, Google Analytics, Hotjar, etc.) versus functional (site security, form processing). Functional tags stay. Tracking tags need consent. Check Workspace → Triggers as well, because a tag that looks dormant may fire from a trigger you didn't expect.

For hard-coded HTML, have your developer search the website source code (templates and theme files, and the rendered page source of a few inner pages, not just the homepage) for tracking signatures. Look for Facebook Pixel (fbq('init' or facebook.com/tr), Google Analytics (gtag( or ga('create', and googletagmanager.com in a script src), Hotjar (hj.q or static.hotjar.com), and any script tag whose src points at a third-party domain. Note where each appears and whether it loads on every page or only conditionally.
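A scanner that does this search mechanically, as an added example (this is not code from the article and not any vendor's tool): it walks the script tags in page or template source, matches the signatures listed above plus a few session-replay vendors, reports the line and whether the browser will actually execute the block (a CMP-gated script carries type="text/plain"), and lists every third-party host a script is loaded from. The signature list, the hostnames and the sample page are constructed for illustration; extend the list for the vendors your own site uses.

```javascript
// Added example, not code from the original article. Signatures, sample page
// and placeholder IDs are constructed for illustration.
const TRACKER_SIGNATURES = [
  { name: "Google Tag Manager", category: "tag-manager",
    pattern: /googletagmanager\.com\/gtm\.js|\bGTM-[A-Z0-9]+\b/ },
  { name: "Google Analytics", category: "analytics",
    pattern: /\bgtag\(|\bga\(\s*['"]create['"]|googletagmanager\.com\/gtag\/js|google-analytics\.com/ },
  { name: "Facebook Pixel", category: "marketing",
    pattern: /fbq\(\s*['"]init['"]|facebook\.com\/tr\b|connect\.facebook\.net/ },
  { name: "Hotjar", category: "session-replay",
    pattern: /\bhj\.q\b|static\.hotjar\.com|_hjSettings/ },
  { name: "Mouseflow", category: "session-replay", pattern: /mouseflow\.com|\b_mfq\b/ },
  { name: "Microsoft Clarity", category: "session-replay", pattern: /clarity\.ms/ },
];

// Script types a browser executes. A CMP blocks a script by giving it another
// type (commonly text/plain) and only switches it back after consent.
const EXECUTABLE_TYPES = new Set(["", "text/javascript", "application/javascript", "module"]);

function lineOf(text, index) {
  return text.slice(0, index).split("\n").length;
}

// One finding per (script block, signature) pair, plus matches outside script
// tags such as an <img> pixel inside <noscript>.
function findTrackers(html) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const typeAttr = /\btype\s*=\s*["']?([^"'\s>]*)/i.exec(attrs);
    const type = typeAttr ? typeAttr[1].toLowerCase() : "";
    const executesOnLoad = EXECUTABLE_TYPES.has(type);
    for (const sig of TRACKER_SIGNATURES) {
      if (sig.pattern.test(attrs) || sig.pattern.test(body)) {
        findings.push({ name: sig.name, category: sig.category,
                        line: lineOf(html, m.index), where: "script", executesOnLoad });
      }
    }
  }
  // Blank out script blocks (keeping newlines so line numbers stay right) and
  // scan what remains: image pixels, iframes, preload links.
  const rest = html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, s => s.replace(/[^\n]/g, " "));
  for (const sig of TRACKER_SIGNATURES) {
    const hit = sig.pattern.exec(rest);
    if (hit) findings.push({ name: sig.name, category: sig.category,
                             line: lineOf(rest, hit.index), where: "markup", executesOnLoad: true });
  }
  return findings;
}

// Trackers that run before any consent is collected. The GTM container itself
// is excluded here: what it loads is audited inside GTM (Workspace -> Tags).
function requiresAction(findings) {
  return findings.filter(f => f.executesOnLoad && f.category !== "tag-manager");
}

// Hosts referenced by <script src>; anything not in ownHosts is a third party to account for.
function externalScriptHosts(html, ownHosts) {
  const hosts = new Set();
  const srcRe = /<script\b[^>]*\bsrc\s*=\s*["']?(https?:)?\/\/([^/"'\s>]+)/gi;
  let m;
  while ((m = srcRe.exec(html)) !== null) {
    const host = m[2].toLowerCase();
    if (!ownHosts.includes(host)) hosts.add(host);
  }
  return [...hosts].sort();
}

// Constructed sample page (not a real site): GA4 via gtag, a hard-coded Facebook
// Pixel, Hotjar already gated by a CMP, one first-party script, and the Pixel's
// <noscript> image fallback. IDs are placeholders.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-EXAMPLE');
</script>
<script>
  !function(f,b,e,v,n,t,s){n=f.fbq=function(){n.callMethod?n.callMethod.apply(n,arguments):n.queue.push(arguments)};
  t=b.createElement(e);t.async=!0;t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}
  (window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
</script>
<script type="text/plain" data-cookieconsent="statistics">
  (function(h,o,t,j,a,r){h.hj=h.hj||function(){(h.hj.q=h.hj.q||[]).push(arguments)};
  h._hjSettings={hjid:0,hjsv:6};})(window,document,'https://static.hotjar.com/c/hotjar-','.js?sv=');
</script>
<script src="/assets/csrf-token.js"></script>
</head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
</body></html>`;

console.log(JSON.stringify(requiresAction(findTrackers(SAMPLE_HTML)), null, 2));
console.log("third-party script hosts:", externalScriptHosts(SAMPLE_HTML, ["shop.example"]));
```

Run it against each template or saved page source; the "markup" findings matter because a <noscript> image pixel fires even when the JavaScript version has been gated, and it is easy to miss when you only grep for fbq.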

Step 2: Remove Session Replay Tools

Session replay tools are the priority because they capture everything: mouse movements, keystrokes, form inputs, passwords.

Hotjar. Mouseflow. Clarity. These record user interactions in detail. A visitor types a password, a credit card number, a medical question into a form. The session replay captures it. The vendors offer masking settings, but masking is configured per site and easy to get wrong, so assume the recordings contain whatever visitors typed. Regulators hate this. Remove it first.

If using Google Tag Manager, find the session replay tag and click Delete, or pause it and add a note about why. Then submit and publish a new container version: changes in a workspace do nothing on the live site until they are published.

If it's hard-coded HTML, have your developer remove it and commit the change with a clear message (for example "Remove Hotjar session replay, [date], [person]"); version control is your audit trail. If the site isn't under version control, comment it out instead of deleting it, with a note such as <!-- REMOVED: Hotjar script disabled [date] by [person] -->. Either way, check the rendered page afterwards: an HTML comment still ships to every visitor and is visible in view-source, and a template cache or CDN can keep serving the old page until it is purged.

If it's a plugin (WordPress, Shopify), go to your plugin or app settings and disable the session recording plugin, then confirm the snippet is gone from the rendered page source, not just from the dashboard.

After removal, verify in the browser: open Chrome DevTools, switch to the Network tab, tick "Disable cache", reload, and filter by the tracker's domain (hotjar.com, mouseflow.com, clarity.ms). Nothing should appear, on the homepage and on a few inner pages and forms. See the compliance guide for steps.

Step 3: Deploy a Consent Management Platform

A consent management platform (CMP) is the control layer. It shows a banner, records what the visitor agreed to, and only loads tracking code if they said yes.

Several vendors exist. OneTrust, Cookiebot, Termly, TrustArc, Sourcepoint. All do the same basic job. Price ranges from $49-600/month for small-medium sites to custom enterprise pricing.

Installation has a standard flow:

  1. Choose a CMP platform
  2. Install its JavaScript snippet in your website header
  3. Categorize trackers: Essential (security, required for site to work), Analytics (optional), Marketing (optional), Advertising (optional)
  4. Configure the banner text
  5. Wrap your tracking code so it only fires when the visitor consents (in GTM, tie each tag to the CMP's consent triggers; for hard-coded scripts, mark them with the CMP's blocking type and category attribute, or load them from a callback the CMP runs after consent)
  6. Test in an incognito window

The last step is critical. Open your site in private/incognito mode. Verify the banner appears. Don't click Accept. Check the Network tab. Are tracking requests still firing? If yes, your CMP isn't properly integrated. Also check Application → Cookies: no analytics or marketing cookies should be set before the visitor decides. Then click Accept and confirm the trackers do load, and in a fresh incognito window click Reject and confirm they don't. Track down any problem before going live.

Most CMPs need 4-8 hours of developer time to set up properly.
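What the "wrap your tracking code" step has to do, shown as an added example (not the article's code and not any CMP vendor's API): a minimal consent gate that queues tracker loaders per category, runs them only after that category is granted, records the decision so a returning visitor isn't re-asked, and handles withdrawal. The loadScript function, the storage object and the storage key name are assumptions so the logic runs outside a browser; in a page you would pass a function that appends a <script> element and window.localStorage. The runScenario function walks through the incognito test from the text.

```javascript
// Added example, not code from the original article or from any CMP.
const CATEGORIES = ["essential", "analytics", "marketing", "advertising"];
const STORAGE_KEY = "consent-decision"; // assumed key name

function createConsentGate({ loadScript, storage, now = () => new Date() }) {
  const granted = new Set(["essential"]);                   // essential never needs consent
  const denied = new Set();
  const pending = new Map(CATEGORIES.map(c => [c, []]));   // category -> queued loaders
  const loaded = [];                                       // names actually loaded this page view

  // Restore a previous decision, if any, before anything registers.
  const saved = storage.getItem(STORAGE_KEY);
  if (saved) {
    const d = JSON.parse(saved);
    d.granted.forEach(c => granted.add(c));
    d.denied.forEach(c => denied.add(c));
  }

  // The record a CMP keeps: what was granted/denied and when.
  function persist() {
    storage.setItem(STORAGE_KEY, JSON.stringify({
      granted: [...granted], denied: [...denied], decidedAt: now().toISOString(),
    }));
  }

  function flush(category) {
    for (const { name, url } of pending.get(category).splice(0)) {
      loadScript(url);
      loaded.push(name);
    }
  }

  // Register a tracker under a category. It loads now only if that category is
  // already granted; otherwise it waits, possibly forever.
  function register(category, name, url) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    pending.get(category).push({ name, url });
    if (granted.has(category)) flush(category);
  }

  function grant(categories) {
    for (const c of categories) { granted.add(c); denied.delete(c); }
    persist();
    for (const c of categories) flush(c);
  }

  function deny(categories) {
    for (const c of categories) if (c !== "essential") { denied.add(c); granted.delete(c); }
    persist();
  }

  // Withdrawal stops future loads and records the change; a script that is
  // already running cannot be unloaded, so the page has to be reloaded.
  function withdraw(categories) {
    deny(categories);
    return { reloadRequired: loaded.length > 0 };
  }

  function state() {
    return { granted: [...granted], denied: [...denied], loaded: [...loaded],
             waiting: CATEGORIES.flatMap(c => pending.get(c).map(t => t.name)) };
  }
  return { register, grant, deny, withdraw, state };
}

// In-memory stand-in for localStorage so the example runs under Node.
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

// The incognito test: register everything, check nothing non-essential loaded
// before a decision, grant analytics only, then simulate a second page load.
// URLs are the usual public loader URLs; the id is a placeholder.
function runScenario() {
  const requests = [];   // every URL the page tried to fetch, as the Network tab would show
  const storage = memoryStorage();
  const gate = createConsentGate({ loadScript: url => requests.push(url), storage });
  gate.register("essential", "csrf-helper", "/assets/csrf-token.js");
  gate.register("analytics", "Google Analytics", "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE");
  gate.register("marketing", "Facebook Pixel", "https://connect.facebook.net/en_US/fbevents.js");
  const beforeDecision = [...requests];
  gate.grant(["analytics"]);
  gate.deny(["marketing", "advertising"]);
  const afterDecision = [...requests];
  const secondLoad = [];
  const gate2 = createConsentGate({ loadScript: url => secondLoad.push(url), storage });
  gate2.register("analytics", "Google Analytics", "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE");
  gate2.register("marketing", "Facebook Pixel", "https://connect.facebook.net/en_US/fbevents.js");
  return { beforeDecision, afterDecision, secondLoad, state: gate.state() };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

The point of the Network-tab check in the text is exactly the beforeDecision list: if anything other than first-party, essential requests appears in it, the gate (or the CMP) is not in front of the tracker.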

Step 4: Rewrite Your Privacy Policy

A privacy policy that contradicts what's actually on your site is legally dangerous. If you claim "we don't use session recording" and Hotjar is running, that's a deceptive practice under Section 5 of the FTC Act.

Check these sections:

Data collection: Is it accurate? Does it describe Google Analytics, Facebook Pixel, any third-party tools?

Third-party sharing: Are you sending data to other companies? Name them. Google? Facebook? Hotjar? The policy should say so.

Cookies and tracking: Do you explain which cookies are essential (always load) versus optional (require consent)?

Session recording: If you're not using it now (you removed it), say so. Don't leave it vague.

User rights: Tell visitors how to withdraw consent or request deletion.

If you have no in-house legal counsel, policy generators exist. Termly, Iubenda, TrustArc. They customize policies based on your actual tracking setup. Cost: $100-500/month.

Step 5: Consider Server-Side Analytics

Client-side analytics run code in the visitor's browser and send data to a third party, so they require consent. Server-side analytics run on your own servers: you log page views, clicks, and conversions to your own database instead of sending them to Google or Mixpanel.

Server-side analytics can run without a consent banner, but only if you keep it minimal: the data never leaves your infrastructure, you set no tracking cookie, and you store no persistent identifier such as a raw IP address. Done that way, measuring your own traffic is a business necessity. You own the data and you control retention. Log raw IPs or set an identifier cookie and you are back in consent territory.

Trade-off: server-side requires more engineering. But you get better data, better privacy, no dependency on third-party vendors.

Tools: Plausible (which can be self-hosted) and Fathom are cookieless analytics products built for this model. Or build custom logging on your backend.

Step 6: Document Everything

Create a remediation log. Date it. List every tracker removed. Note which tools were disabled, which CMP was installed, when the privacy policy was updated. This log proves you acted in good faith. It matters if enforcement happens later.

A basic log:

  • Date completed
  • Trackers identified (Facebook Pixel, Google Analytics, Hotjar, etc.)
  • Removal steps (disabled in GTM, commented in HTML, disabled plugin)
  • CMP installed (Cookiebot, OneTrust, etc.)
  • Privacy policy updated on [date]
  • Network audit completed [date]
  • Reviewed by [name, title]

Keep it on file.

The Math: Proactive Remediation Wins

Here's what people get wrong: "We'll fix it now and the problem goes away."

No. A demand letter covers a period of violation. If you deployed trackers without consent from March 2023 to April 2026, you have three years of violations. Removing trackers in April 2026 stops future violations. It doesn't undo the past.

Example:

  • March 2023: Trackers deployed without consent.
  • January 2026: Demand letter issued (covers 3 years).
  • April 2026: You remove trackers.
  • Settlement: Typically covers March 2023 – April 2026.

But proactive remediation costs less than reactive. Before a demand, fixing these issues runs $5,000-$20,000 (CMP, development, policy updates). After a demand, you pay remediation costs plus settlement plus legal fees, easily $50,000-$150,000. Fixing it before enforcement is the math that works.

Verification

After remediation, walk through these:

  • Session replay tools gone (verified in Network tab)
  • CMP is live on the site
  • Open the site in incognito mode, confirm banner appears before tracking
  • Check Network tab again, confirm no tracking until consent is given
  • Privacy policy lists all active trackers
  • Privacy policy explains what consent does
  • Hard-coded tracker scripts are commented or removed
  • Development team documented changes in version control

After Remediation

Three things remain: get an outside audit to verify compliance, set up monitoring to catch new tracker deployments, and train staff so the next person updating the site knows what's legal.

An outside audit costs $2,000-$5,000. Many CMPs include monitoring. Training takes a meeting.
