VakteyeVakteye
VAKTEYE
SolutionsPlansAboutContactInsightsCareers
Sign In
Vakteye audit

Website tracker audit: who's actually watching your visitors

Most sites accumulate trackers over time — a pixel added by one campaign, an analytics snippet added by an agency, a chat widget that loads its own tag. Vakteye's audit inventories every third-party network request during a browsing session, groups it by company, and flags anything that fires before consent or persists after rejection.

Who it's for

  • Sites that have added or removed marketing tools over time and lost track of what's still loading
  • Companies onboarding a new privacy or security lead who needs an accurate current-state inventory
  • Anyone comparing their consent management platform's declared vendor list against reality

What Vakteye tests

  • Every third-party domain that receives a network request during a full page browse
  • Which of those trackers fire before any consent decision is made
  • Which trackers persist or reappear after a visitor rejects non-essential cookies
  • Whether the tracker inventory matches the vendor list declared in the consent banner's settings panel

Legal basis

ePrivacy Directive Article 5(3)

Every tracker that reads or writes device state is independently subject to the prior-consent rule, regardless of how it was added to the site.

GDPR Article 13

Visitors are entitled to know the actual recipients of their data — an inventory that's out of date breaks this obligation quietly.

LEK 9 kap. §28

Sweden's domestic cookie-consent rule, applied per-tracker in the same way as the EU-level ePrivacy requirement.

Example finding

Orphaned analytics tracker from a discontinued campaign

What we observed

A tracker inventory identifies a third-party analytics domain still receiving page-view data, tied to a marketing campaign that ended months earlier and is no longer mentioned in the consent banner's vendor list.

Why it matters

Orphaned trackers are invisible to policy reviews because no one remembers they exist, but they're fully visible to a network-level scan — and to a regulator's technical investigator.

FAQ

A cookie scan focuses on what's stored in the browser. A tracker audit covers the broader set of network requests to third-party companies, including trackers that don't rely on cookies at all (fingerprinting, server-side calls, pixel beacons).

Yes. The audit report groups findings by the receiving company where it can be identified, so you can match the inventory against your own vendor and DPA records.

The audit crawls key pages discovered from the site's structure, not only the homepage, since tracker behavior often differs between a landing page and a checkout or account page.

Related reading

  • cross-border-data-transfers-under-gdpr

Ready to see what your website actually does?

Book a full behavioral audit — the same methodology described above, run against your entire site with a complete evidence package.

Book a full audit
VakteyeVakteye
VAKTEYE

Website compliance checks for consent, policy, tracking and security. Vakteye shows what happened, what needs fixing and the evidence behind it.

Book demo
VakteyeVakteye
Privacy MonitoredContinuously monitored by Vakteye

PRODUCT

  • Plans
  • Trust center
  • Scanner identity
  • Security policy

COMPANY

  • About us
  • Contact
  • Insights
  • FAQ

LEGAL

  • Privacy Policy
  • Terms of Service
  • Cookies Policy
  • Sub-processors
  • Data Rights (GDPR)
  • For visitors

Contact

  • info@vakteye.com
  • LinkedIn

© 2026 Vakteye. All rights reserved.