GUIDE

How to Find Hidden Trackers on Your Website Before IMY Does

Vakteye Team · Mar 18, 2026 · 7 min read

Most websites have trackers their owners don't know about. You can find trackers on a website with browser DevTools, but that only catches the obvious ones. CNAME cloaking disguises third-party trackers as first-party domains. Fingerprinting scripts run silently. Session replay tools record every mouse movement. Under ePrivacy Article 5(3), every one of these requires informed consent before activation.

IMY uses automated scanning in its preliminary assessments. If your site has hidden trackers firing before consent, you won't get a friendly heads-up. You'll get a formal investigation.

CNAME cloaking: the tracker that looks like your own domain

CNAME cloaking disguises third-party tracking as first-party traffic. It works by creating a subdomain on your site, say analytics.yoursite.com, that resolves via a DNS CNAME record to a third-party tracking server. To your browser and most privacy tools, it looks like a first-party request.

This matters because first-party cookies bypass most browser protections. Safari's Intelligent Tracking Prevention, Firefox's Enhanced Tracking Protection, and ad blockers all focus on third-party domains. CNAME-cloaked trackers slip through.

  • Your DNS has a CNAME record pointing a subdomain to a tracking service (e.g., Eulerian, Criteo, Adobe)
  • Cookies set by this subdomain get first-party status
  • Privacy tools and consent scanners miss them because the domain looks like yours
  • The French CNIL has already fined organizations for CNAME cloaking without consent

To check manually: run 'nslookup' or 'dig' on your subdomains. If a subdomain CNAME-resolves to an external tracking domain, you have CNAME cloaking. Vakteye resolves DNS CNAME chains automatically for every cookie-setting domain.
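One way to automate that manual check, as an added example that is not Vakteye's code: follow each subdomain's CNAME chain and flag any chain that ends outside your own domain. The DNS table and tracker list are constructed; the `dig_resolver` helper runs a real `dig +short CNAME` query instead.

```python
# Added example (not Vakteye's code): follow a subdomain's CNAME chain and flag
# CNAME cloaking, i.e. a chain that ends outside the site's own domain. The table
# and tracker list are constructed; dig_resolver runs a real `dig` query instead.
import subprocess

SAMPLE_DNS = {  # constructed answers: name -> CNAME target (absent = no CNAME)
    "analytics.yoursite.com": "yoursite.collect.cdn-vendor.example",
    "yoursite.collect.cdn-vendor.example": "edge.tracker-vendor.example",
    "www.yoursite.com": "yoursite.static-host.example",  # hosting, not tracking
    "loop.yoursite.com": "loop2.yoursite.com",
    "loop2.yoursite.com": "loop.yoursite.com",            # misconfigured loop
}
TRACKER_DOMAINS = {"tracker-vendor.example"}  # stand-in for a hagezi-style blocklist

def table_resolver(name):
    return SAMPLE_DNS.get(name)

def dig_resolver(name):
    """Real lookup (assumes dig is installed): first CNAME target or None."""
    out = subprocess.run(["dig", "+short", "CNAME", name],
                         capture_output=True, text=True, timeout=10).stdout
    lines = out.splitlines()
    return lines[0].rstrip(".") if lines else None

def in_domain(host, domain):
    # Plain suffix test; a production tool should use the Public Suffix List
    # so that a site on e.g. yoursite.co.uk is still treated as one domain.
    return host == domain or host.endswith("." + domain)

def follow_cname(name, resolve, max_hops=10):
    """Return the hop list [name, target1, ...]; raise on loops or long chains."""
    chain = [name]
    while len(chain) <= max_hops:
        target = resolve(chain[-1])
        if target is None:
            return chain
        if target in chain:
            raise ValueError("CNAME loop: " + " -> ".join(chain + [target]))
        chain.append(target)
    raise ValueError(f"chain longer than {max_hops} hops: {chain}")

def classify(subdomain, site, resolve=table_resolver, trackers=TRACKER_DOMAINS):
    """Return ('first-party' | 'cloaked-tracker' | 'external', chain)."""
    chain = follow_cname(subdomain, resolve)
    final = chain[-1]
    if in_domain(final, site):
        return "first-party", chain
    if any(in_domain(final, t) for t in trackers):
        return "cloaked-tracker", chain  # first-party name, third-party tracker
    return "external", chain             # external but not a listed tracker
```

Run `classify` over every subdomain from your DNS zone export (pass `resolve=dig_resolver` for live data); "external" results still deserve a look, since the blocklist is only as complete as its source.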

Fingerprinting: no cookies, still tracking

Browser fingerprinting identifies users without cookies. Scripts probe your browser's canvas rendering, WebGL capabilities, AudioContext output, installed fonts, and screen resolution. Combined, these create a unique identifier that persists across sessions and survives cookie deletion.

The ePrivacy Directive covers this explicitly. Article 5(3) applies to any access to information stored on a user's device, and fingerprinting reads device characteristics to generate an identifier. Consent is required.

  • Canvas fingerprinting: Draws invisible shapes and reads the pixel data. Rendering differences identify the device
  • WebGL fingerprinting: Queries GPU information and rendering characteristics
  • AudioContext fingerprinting: Generates audio signals and measures processing differences
  • Font enumeration: Tests which system fonts are installed by measuring text rendering

These scripts are often buried in third-party tag managers or analytics bundles. You may not even know they're running. Vakteye detects fingerprinting techniques including canvas, WebGL, AudioContext, and DOM-based tracking.
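A static triage scan for those four techniques, added here as an example rather than Vakteye's detector: it looks for the browser API calls each technique depends on and only reports a technique when several of its indicators co-occur in one script. Both sample scripts are constructed.

```python
# Added example (not Vakteye's detector): a static scan of JavaScript source for
# the API calls the four fingerprinting techniques above depend on. It is a
# triage signal, not proof: ordinary chart or audio code touches the same APIs,
# so a technique counts only when several of its indicators co-occur.
import re

TECHNIQUES = {
    "canvas": [r"\.getContext\(\s*['\"]2d['\"]", r"\.toDataURL\(",
               r"\.getImageData\(", r"\.fillText\("],
    "webgl": [r"['\"]webgl2?['\"]", r"WEBGL_debug_renderer_info",
              r"UNMASKED_(VENDOR|RENDERER)_WEBGL", r"\.getParameter\("],
    "audio": [r"(Offline)?AudioContext", r"createOscillator\(",
              r"createDynamicsCompressor\(", r"getChannelData\("],
    "fonts": [r"measureText\(", r"offsetWidth",
              r"['\"](monospace|sans-serif|serif)['\"]", r"fontFamily|font-family"],
}

def scan_script(source, min_hits=2):
    """Return {technique: [matched patterns]} for techniques with >= min_hits."""
    found = {}
    for tech, patterns in TECHNIQUES.items():
        hits = [p for p in patterns if re.search(p, source)]
        if len(hits) >= min_hits:
            found[tech] = hits
    return found

def fingerprint_score(source):
    """0..4: how many distinct fingerprinting techniques one script uses."""
    return len(scan_script(source))

# Constructed sample: a canvas + WebGL probe of the kind described above.
SAMPLE_FP_SCRIPT = """
var c=document.createElement('canvas');var x=c.getContext('2d');
x.fillText('fp,probe',2,2);var h=c.toDataURL();
var g=c.getContext('webgl');var d=g.getExtension('WEBGL_debug_renderer_info');
var r=g.getParameter(d.UNMASKED_RENDERER_WEBGL);
"""
# Constructed sample: a chart that draws on a canvas but never reads pixels back.
SAMPLE_CHART_SCRIPT = """
var ctx=document.getElementById('chart').getContext('2d');
ctx.fillRect(0,0,100,20);ctx.stroke();
"""
```

Feed it the scripts your tag manager actually loads (saved from the DevTools Network tab); a score of 2 or more in a script you did not write is worth tracing back to the tag that loaded it.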

Session replay tools: recording everything

Session replay tools like Hotjar, FullStory, and Microsoft Clarity record user interactions: clicks, scrolls, mouse movements, form inputs, and page content. Some capture keystrokes before submission. All of this constitutes personal data processing under GDPR Article 4(1).

The privacy risk goes beyond tracking. Session replays can inadvertently capture sensitive data entered into forms: passwords, credit card numbers, medical information. Even with masking configured, implementation errors regularly expose data that should be hidden.

  • Hotjar, FullStory, Clarity, LogRocket, Mouseflow: all require consent under ePrivacy Article 5(3)
  • Session replays constitute profiling under GDPR Article 4(4) when linked to identifiable users
  • Form data capture creates risks under Article 9 if health or other special category data is recorded
  • Most consent banners don't mention session recording specifically, which is a transparency violation under Article 13

Vakteye detects 17 session replay vendor domains including Hotjar, FullStory, Clarity, LogRocket, Mouseflow, and Smartlook. Detection uses both network request matching and script analysis.

localStorage and sessionStorage trackers

Cookies get all the attention. But localStorage and sessionStorage are increasingly used for tracking because they're harder to detect and aren't visible in the browser's cookie jar.

localStorage persists until explicitly deleted. There's no expiry mechanism like cookies have. Some trackers store identifiers in localStorage and copy them to cookies on each page load, recreating tracking cookies even after the user deletes them. This is a form of zombie tracking.

GDPR and ePrivacy treat localStorage identifiers the same as cookies. If the stored data can identify a user, it's personal data. If it's placed on the user's device, it requires consent under Article 5(3). The storage mechanism doesn't matter. The legal obligation is the same.
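Zombie tracking of the kind described above can be spotted from two crawler snapshots. This is an added example, not Vakteye's code; the cookie and storage snapshots and the `ls_uid` / `_vt` names are constructed.

```python
# Added example (not Vakteye's code): detect localStorage identifiers mirrored
# into cookies, and cookies that respawn with the same value after the user
# deletes them, from snapshots a crawler would take. All snapshot data below
# is constructed; "ls_uid" and "_vt" are hypothetical names.
def find_mirrored_ids(cookies, storage, min_len=8):
    """[(storage_key, cookie_name)] where a storage value appears in a cookie value.

    Substring matching catches ids wrapped in a prefix or timestamp; min_len
    avoids matching short common values such as "1" or "true".
    """
    pairs = []
    for skey, sval in storage.items():
        if len(sval) < min_len:
            continue
        pairs += [(skey, cname) for cname, cval in cookies.items() if sval in cval]
    return pairs

def find_respawned(before, deleted, after_reload):
    """Cookie names the user deleted that come back with their old value."""
    return sorted(n for n in deleted
                  if n in before and after_reload.get(n) == before[n])

# Constructed snapshots: cookie jar and localStorage before deletion, then the
# cookie jar after the user cleared cookies (but not localStorage) and reloaded.
COOKIES_BEFORE = {"_vt": "vt.2.1710000000.a1b2c3d4e5f6", "theme": "dark", "sid": "1"}
STORAGE = {"ls_uid": "a1b2c3d4e5f6", "consent": "1"}
COOKIES_AFTER_RELOAD = {"_vt": "vt.2.1710000000.a1b2c3d4e5f6", "sid": "2"}

def audit():
    """Return (mirrored pairs, respawned cookies) for the constructed snapshots."""
    return (find_mirrored_ids(COOKIES_BEFORE, STORAGE),
            find_respawned(COOKIES_BEFORE, set(COOKIES_BEFORE), COOKIES_AFTER_RELOAD))
```

A cookie that both mirrors a localStorage value and respawns after deletion is the zombie pattern; the same check applies to sessionStorage within one tab session.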

The Meta Pixel and tag manager problem

Tag managers like Google Tag Manager create a particular challenge. Your developers add GTM once. Then marketing adds tags through GTM's web interface with no code review, no deployment, and no developer oversight. Each tag can load additional scripts, set cookies, and fire tracking pixels.

The Meta Pixel is a common example. It loads as a single script but sets multiple cookies (_fbp, _fbc, fr), sends browsing data to Meta's servers, and enables cross-site tracking through Facebook's advertising network. Under GDPR Article 26, you're a joint controller with Meta for this processing.

  • GTM tags can load without developer knowledge or consent management
  • A single pixel can set multiple cookies and initiate multiple data transfers
  • Joint controller obligations under Article 26 apply to Facebook/Meta Pixel usage
  • Tags added after your last consent audit won't be covered by your consent banner categories

How many trackers are hiding on your site?

Vakteye's scanner resolves CNAME chains, detects fingerprinting scripts, identifies session replay tools, and maps every cookie, including the ones your consent banner doesn't know about.


Manual detection vs. automated scanning

You can find some trackers manually. Open DevTools, go to the Network tab, reload the page, and look at the domains receiving requests. Check the Application tab for cookies and localStorage. Run DNS lookups on your subdomains.

But manual checks miss things. CNAME cloaking requires DNS resolution that browsers don't expose in DevTools. Fingerprinting scripts need code analysis to identify. Some trackers only activate after specific user actions or after a delay. Cookie syncing between domains happens in the background.

  • Manual: DevTools Network tab shows outbound requests, but not CNAME resolutions
  • Manual: Application tab shows cookies, but not which script set them or why
  • Manual: DNS lookup tools reveal CNAME chains, but you need to check every subdomain
  • Automated: Vakteye uses a tracker database with 400K+ domains (hagezi) for instant classification
  • Automated: Consent testing checks whether trackers fire before, during, and after consent choices
  • Automated: Confidence levels (CERTAIN, FIRM, TENTATIVE) distinguish behavioral proof from pattern matching

What to do when you find hidden trackers

Finding trackers is step one. Here's how to fix the compliance gap.

  1. Map every tracker to a purpose and legal basis. If you can't justify it, remove it
  2. Update your consent banner categories to include session replay, fingerprinting, and CNAME-cloaked trackers
  3. Audit your tag manager: review every active tag, remove abandoned ones, require approval workflows
  4. Add CNAME-cloaked domains to your consent management platform's scanner
  5. Update your privacy policy to specifically name session replay tools and fingerprinting, per Article 13
  6. Re-scan after changes to verify trackers actually stop when consent is denied

The last point matters most. Many organizations update their consent banner but never verify that denying consent actually blocks the trackers. Vakteye tests this automatically across 2,800+ consent platforms: what happens before consent, after rejection, and after acceptance.
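How such a three-phase check can be expressed over captured request logs, as an added example that is not Vakteye's scanner: each suspected tracker host gets a verdict (fired without consent, or gated by consent) and a confidence level in the spirit of CERTAIN / FIRM / TENTATIVE. Hosts, log entries and the tracker list are constructed; only the Meta Pixel cookie names come from the text.

```python
# Added example (not Vakteye's scanner): classify hosts seen in request logs
# captured in three phases (before any choice, after "reject all", after
# "accept all") and attach a confidence level in the spirit of the CERTAIN /
# FIRM / TENTATIVE levels above. Hosts, logs and the tracker list are
# constructed; only the Meta Pixel cookie names come from the text.
import re
from collections import defaultdict

TRACKER_LIST = {"tracker-vendor.example", "replay-vendor.example"}  # blocklist stand-in
TRACKING_COOKIES = {"_fbp", "_fbc", "fr"}  # Meta Pixel cookies named above
NAME_HINT = re.compile(r"(track|pixel|analytics|metrics|telemetry|replay)")

# Constructed log entries: (phase, host, cookie names set by the response)
SAMPLE_LOG = [
    ("before", "cdn.yoursite.com", set()),
    ("before", "tracker-vendor.example", {"fr"}),
    ("reject", "tracker-vendor.example", {"fr"}),
    ("accept", "tracker-vendor.example", {"fr"}),
    ("accept", "replay-vendor.example", set()),
    ("before", "unknown-cdn.example", {"_fbp"}),
    ("accept", "pixel.partner.example", set()),
]

def is_listed(host):
    return any(host == t or host.endswith("." + t) for t in TRACKER_LIST)

def verify_consent(log):
    """host -> (verdict, confidence, phases seen) for every suspected tracker."""
    seen = defaultdict(lambda: defaultdict(set))  # host -> phase -> cookies
    for phase, host, cookies in log:
        seen[host][phase] |= cookies
    report = {}
    for host, phases in seen.items():
        listed = is_listed(host)
        sets_id = any(c in TRACKING_COOKIES for cs in phases.values() for c in cs)
        if listed and sets_id:
            confidence = "CERTAIN"      # list match confirmed by observed behaviour
        elif listed or sets_id:
            confidence = "FIRM"         # one line of evidence
        elif NAME_HINT.search(host):
            confidence = "TENTATIVE"    # hostname pattern only
        else:
            continue                    # nothing suggests tracking
        # Firing before any choice or after rejection is the compliance gap.
        violating = "before" in phases or "reject" in phases
        verdict = "fires-without-consent" if violating else "gated-by-consent"
        report[host] = (verdict, confidence, sorted(phases))
    return report
```

Re-run the capture after every banner or tag change; a host that moves from "fires-without-consent" to "gated-by-consent" is the only evidence that the fix actually worked.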

See what Vakteye finds on your site

Automated tracker detection with forensic evidence. CNAME resolution, fingerprinting detection, session replay identification, and consent verification, all in one scan.
