How to Check If Your Website Has Tracking Violations
A step-by-step guide for business owners to audit their website for unauthorized tracking scripts and consent management issues.
Most website owners have tracking running without realizing it. The trackers collect visitor data. They send it to third parties. The privacy policy says nothing about this. This gap between what's actually happening and what you claim is happening is where regulators find violations.
You don't need a technical audit firm or specialized tools. A web browser and 30 minutes is enough.
Why This Matters
Regulators care about two things: does the tracking load before consent, and does your privacy policy match reality?
Unauthorized tracking violates the CCPA, VCDPA, and FTC Act Section 5. The FTC has filed enforcement actions against companies for deploying session recorders, pixels, and analytics tools without disclosure. Most of these companies thought they were within legal bounds. They weren't. Early identification prevents costly enforcement actions.
Step 1: Open Your Browser's Developer Tools
Chrome, Firefox, Safari, and Edge all have a Network tab in their developer tools. Here's how to open it in Chrome:
- Go to your website
- Right-click anywhere, select "Inspect" (or press Ctrl+Shift+I on Windows, Cmd+Option+I on Mac)
- Click the Network tab
- Refresh the page
The Network tab logs every request your browser makes. You'll see CSS files, images, fonts, and--if they're installed--third-party trackers.
Step 2: Look for Tracking Domains
Scroll through the list of requests in the Network tab, or narrow it by typing a domain name in the Filter box. These domains indicate tracking:
- facebook.com/tr (Facebook Pixel)
- google-analytics.com or analytics.google.com (Google Analytics)
- clarity.ms (Microsoft Clarity)
- hotjar.com (Hotjar session recording)
- segment.com (Segment data collection)
- mixpanel.com (Mixpanel analytics)
- intercom.io (Intercom chat analytics)
- amplitude.com (Amplitude product analytics)
- doubleclick.net (Google Ad tracking)
- mouseflow.com (Mouseflow session replay)
If any of these domains appear, you have that tracker installed.
Finding a tracker isn't automatically a violation. The violation happens when the tracker loads before the visitor consents, when your privacy policy doesn't mention it, or when the tracker collects sensitive keystrokes or form data without explicit opt-in.
Step 3: Check When Consent Banner Appears
Open your site in a private/incognito window. A private window starts without your stored cookies, which forces the consent banner to show.
Watch the page load. Does the banner appear first, before images and other content? Good.
Now open the Network tab again and refresh. Look at the timeline of requests. When do tracking requests fire? Before you click "Accept" or after?
If tracking fires before consent, you have a problem. The visitor hasn't agreed to anything yet.
For reference: GDPR's ePrivacy Directive requires consent before non-essential tracking begins. The FTC enforces this standard for U.S. companies too.
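Steps 2 and 3 can also be checked against a HAR file exported from the Network tab. The following is an added example, not part of the original guide: it matches each request's hostname against the tracker list from Step 2 and splits the hits by whether they started before you clicked "Accept". The names `matchTracker` and `auditHar`, the consent timestamp noted by hand, and the sample entries are assumptions made for the illustration.

```javascript
// Tracker list from Step 2; path is set only where the guide names one (facebook.com/tr).
const TRACKERS = [
  { host: "facebook.com", path: "/tr", name: "Facebook Pixel" },
  { host: "google-analytics.com", name: "Google Analytics" },
  { host: "analytics.google.com", name: "Google Analytics" },
  { host: "clarity.ms", name: "Microsoft Clarity" },
  { host: "hotjar.com", name: "Hotjar session recording" },
  { host: "segment.com", name: "Segment data collection" },
  { host: "mixpanel.com", name: "Mixpanel analytics" },
  { host: "intercom.io", name: "Intercom chat analytics" },
  { host: "amplitude.com", name: "Amplitude product analytics" },
  { host: "doubleclick.net", name: "Google Ad tracking" },
  { host: "mouseflow.com", name: "Mouseflow session replay" },
];

// Match the parsed hostname (exact or subdomain), not a substring of the URL.
function matchTracker(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; } // malformed URL in the export
  const host = url.hostname;
  const hit = TRACKERS.find(t =>
    (host === t.host || host.endsWith("." + t.host)) &&
    (!t.path || url.pathname === t.path || url.pathname.startsWith(t.path + "/")));
  return hit ? hit.name : null;
}

// consentClickedAt: ISO time the auditor clicked "Accept" (assumption: noted by hand).
// Pass null if the banner was never accepted, so every hit counts as pre-consent.
function auditHar(har, consentClickedAt) {
  const consent = consentClickedAt ? Date.parse(consentClickedAt) : Infinity;
  const report = { beforeConsent: [], afterConsent: [] };
  for (const entry of har.log.entries) {
    const name = matchTracker(entry.request.url);
    if (!name) continue;
    const bucket = Date.parse(entry.startedDateTime) < consent ? "beforeConsent" : "afterConsent";
    report[bucket].push({ name, url: entry.request.url, at: entry.startedDateTime });
  }
  return report;
}

// Constructed sample HAR (not real traffic); a real one is JSON.parse of the exported file.
const sampleHar = { log: { entries: [
  { startedDateTime: "2024-01-01T10:00:00.200Z", request: { url: "https://www.example.com/app.css" } },
  { startedDateTime: "2024-01-01T10:00:00.450Z", request: { url: "https://www.google-analytics.com/g/collect?v=2" } },
  { startedDateTime: "2024-01-01T10:00:00.900Z", request: { url: "https://www.example.com/?ref=hotjar.com" } },
  { startedDateTime: "2024-01-01T10:00:06.100Z", request: { url: "https://www.facebook.com/tr?id=0000&ev=PageView" } },
  { startedDateTime: "2024-01-01T10:00:06.300Z", request: { url: "https://www.facebook.com/help" } },
] } };
console.log(JSON.stringify(auditHar(sampleHar, "2024-01-01T10:00:05.000Z"), null, 2));
```

Anything listed under `beforeConsent` is a request that fired before the visitor agreed to anything, which is the problem Step 3 describes.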
Step 4: Compare Your Policy to Your Actual Tracking
Read your privacy policy. Then look at the trackers you found.
Common gaps:
- Policy: "We do not share data with third parties." Reality: Facebook Pixel, Google Analytics, and Hotjar are all running (all third parties).
- Policy: "We only use Google Analytics." Reality: Google Analytics, Facebook Pixel, and Intercom are all active.
- Policy: "Session recording is not used." Reality: Hotjar, Mouseflow, and Clarity are all running.
- Policy: "Cookies require prior consent." Reality: Analytics cookies load immediately.
The FTC considers mismatches between policy and practice to be deceptive. Any tracker running but not mentioned in your privacy policy is a potential violation. Any statement contradicted by what's actually on the page is a potential violation.
Step 5: Audit Checklist
Work through this for your website:
- [ ] Browser Network tab opened and page refreshed
- [ ] Active third-party trackers identified
- [ ] Consent banner timing checked (appears before or after tracking?)
- [ ] Privacy policy reviewed
- [ ] All active trackers listed in policy: yes or no?
- [ ] Policy accurately describes consent requirements: yes or no?
- [ ] All trackers mentioned in policy are actually deployed: yes or no?
Answer "no" to any of the last three and you have compliance gaps.
Next Steps
If you found violations, three tasks remain. Remove or disable unauthorized trackers. Implement a consent management platform so trackers only fire after the visitor consents. Update your privacy policy to match what's actually happening.
The remediation guide covers all three steps in detail.