Third-party tracking on UK websites: find and consent
Steven | TrustYourWebsite · 20 April 2026 · Last updated: May 2026
Many website owners are unaware that their sites track visitors without explicit consent. The trackers arrive with themes, plugins, third-party scripts or code added by a marketing agency. Under UK PECR Regulation 6 and UK GDPR Article 6 you, as the operator of the site, are responsible for all tracking that runs on it, regardless of who installed it.
How Third-Party Tracking Happens
When you install a WordPress theme, Shopify app or website plugin, the vendor may include tracking scripts that send visitor data to external companies. Common examples:
- Google Analytics 4 (via Google Tag Manager or direct embed): tracks page views, clicks, scrolls, event data
- Facebook Pixel: tracks visitors across the web for retargeting ads
- Google Ads Conversion Tracking: monitors purchase confirmations
- Hotjar: records session replays and heatmaps (visitor behavior analysis)
- Intercom or other chat widgets: log browsing behavior and conversations
- Google Maps embedded on your contact page: transmits visitor IP address to Google
- YouTube embeds: set tracking cookies and transmit viewer data to Google
- Social media buttons or feeds (Instagram, Twitter and TikTok): track clicks and shares
- Wordfence or Sucuri security plugins: may include analytics and malware scanning calls to external servers
Each of these sends personal data (visitor IP address, cookies, browsing behavior, event data) to external companies. You have no visibility unless you check.
| Tracker | Domain to watch in DevTools | Data it sends | PECR consent required? | Recommended mitigation |
|---|---|---|---|---|
| Google Analytics 4 | google-analytics.com, analytics.google.com | IP address (received, not stored), device and browser data, event data | **Yes** | Gate behind consent. Consent Mode v2 in basic mode. GA4 has no IP anonymisation switch; it discards the IP at collection but Google still receives it. |
| Facebook (Meta) Pixel | facebook.com, connect.facebook.net | Page views, events, hashed PII via Advanced Matching or the Conversions API | **Yes** | Strict consent gate. Reconsider if you do not run paid ads. |
| Google Ads conversion tracking | googleadservices.com, doubleclick.net | Conversion events, click identifiers | **Yes** | Consent Mode v2 required by Google for UK and EEA targeting. |
| Hotjar / Microsoft Clarity | hotjar.com, clarity.ms | Session replays, heatmaps, mouse movements | **Yes** | Strict consent gate. High ICO scrutiny on session-replay tools. |
| YouTube embed | youtube.com, googlevideo.com | IP, cookies, viewer interactions | **Yes** (the privacy-enhanced youtube-nocookie.com domain defers cookies until playback, but the page still contacts Google) | Use youtube-nocookie.com behind a click-to-load placeholder. |
| Google Maps embed | maps.google.com, maps.googleapis.com | Visitor IP, viewport, tile requests | **Yes** | Click-to-load placeholder. Static map image as fallback. |
| Live chat (Intercom, Drift, Tawk) | intercom.io, drift.com, tawk.to | Visitor identifier, conversation contents | **Yes** for tracking cookies; the chat itself can be functional | Defer initialisation until consent or until the user clicks the chat icon. |
| Strictly necessary (cart, login, CSRF) | First-party domain only | Session ID, cart state, security tokens | **No**: PECR Reg 6(4) exemption | Document in privacy notice. No banner required for these. |

Legal Obligations Under PECR and GDPR
PECR Regulation 6(1) prohibits storing information, or gaining access to information already stored, in a user's terminal equipment unless the conditions in Regulation 6(2) are met: the user has been given clear and comprehensive information about the purposes of the storage or access, and has consented to it.
"Information" here covers cookies, localStorage, sessionStorage, IndexedDB, tracking pixels and any other identifier written to or read from the device; the rule is technology-neutral.
Regulation 6(4) exempts only storage or access that is for the sole purpose of transmitting a communication, or that is "strictly necessary" to provide a service the user has explicitly requested (session ID, authentication token, CSRF token, a language preference the user chose). Everything else, analytics included, requires prior consent.
UK GDPR Article 6(1) requires a lawful basis for any processing of personal data. For the personal data collected by non-essential cookies and analytics, that basis is consent (Article 6(1)(a)). You cannot rely on legitimate interests to place analytics cookies: PECR, which implements the ePrivacy Directive in UK law, already requires consent before the cookie is set, and that consent must meet the UK GDPR standard (freely given, specific, informed and unambiguous, given by a clear affirmative act).
The 2019 CJEU ruling in Planet49 (Case C-673/17) established that "only active behaviour on the part of the data subject" constitutes valid consent. Pre-ticked checkboxes are invalid; the user must actively click "I consent" or tick a box that starts unticked.
Audit Your Website: Finding Hidden Trackers
Step 1: List Every External Domain the Page Contacts
Open your website in a browser. Press F12 to open Developer Tools and click the Network tab (Chrome's Network panel also has a "3rd-party requests" filter checkbox that hides your own domain).
Reload the page. You will see dozens of network requests to external domains. Look for:
- google-analytics.com or analytics.google.com: Google Analytics
- facebook.com or connect.facebook.net: Facebook Pixel
- doubleclick.net: Google Ads and DoubleClick
- hotjar.com: heatmaps and session recording
- youtube.com: embedded video player
- maps.google.com: embedded Google Maps
- intercom.io and drift.com: live chat
- cloudflare.com: CDN, bot management, analytics
- recaptcha.net (and google.com/recaptcha): Google reCAPTCHA, which also tracks to some extent
Each of these requests delivers your visitor's IP address, and usually a cookie or other identifier, to that external company. If the request reads or sets a cookie (or any other stored identifier) before the user has consented and its purpose is not strictly necessary, you are in breach of PECR Regulation 6. A request that sets no cookie at all is still processing personal data (the IP address) under UK GDPR and needs a lawful basis.
Step 2: Check Which Trackers Load Before Consent
Open your website in an incognito/private window so that no earlier consent choice is cached, and tick "Disable cache" and "Preserve log" in the Network tab so that every request, including redirects, is recorded. Reload the page and look at which requests fire before you touch anything.
If google-analytics.com, connect.facebook.net, doubleclick.net or similar appear before you have interacted with the banner, your site is collecting data without consent.
If a cookie banner appears, click "Reject all" and reload. Then inspect storage (F12 > Application > Cookies in Chrome; the Storage tab in Firefox). Look at cookie names, not just domains: GA4's _ga and _ga_*, Google Ads' _gcl_*, the Pixel's _fbp and Hotjar's _hj* cookies are set on your own domain by the third-party script, so a filter on third-party domains misses them. Check Local Storage and Session Storage the same way. Anything from this list that exists after "Reject all" was set without consent (violation).
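To make Steps 1 and 2 repeatable, the following added example (not the page's own scanner) reads a HAR file exported from the Network tab (right-click > "Save all as HAR"), splits third-party requests into known trackers that fired before and after the banner was answered, and checks a cookie list copied from the Application tab against the first-party tracker cookie names mentioned above. The tracker domain and cookie-name tables, the simplified registrable-domain rule, and the sample HAR entries and cookies are this example's own constructed data, not output from a real site.

```javascript
// Added example, not the page's own scanner: audit a DevTools HAR export
// (Network tab > Save all as HAR) and the cookie list from the Application
// tab, and report tracker calls and tracker cookies present before consent.
// Assumptions: one page load per HAR, ISO-8601 startedDateTime, and
// `consentAt` is when the banner was answered (null = never interacted).

const TRACKER_DOMAINS = {
  "google-analytics.com": "Google Analytics",
  "analytics.google.com": "Google Analytics",
  "googletagmanager.com": "Google tag (gtag.js / GTM)",
  "connect.facebook.net": "Facebook Pixel",
  "facebook.com": "Facebook Pixel",
  "doubleclick.net": "Google Ads / DoubleClick",
  "googleadservices.com": "Google Ads conversion",
  "hotjar.com": "Hotjar",
  "clarity.ms": "Microsoft Clarity",
  "youtube.com": "YouTube embed",
  "maps.googleapis.com": "Google Maps",
  "intercom.io": "Intercom",
};

// Tracker cookies are usually FIRST-party (the third-party script sets them on
// your own domain), so a domain filter misses them; match on name instead.
const TRACKER_COOKIE_PATTERNS = [
  [/^_ga(_|$)/, "Google Analytics"],
  [/^_gid$/, "Google Analytics"],
  [/^_gcl_/, "Google Ads"],
  [/^_fb[pc]$/, "Facebook Pixel"],
  [/^_hj/, "Hotjar"],
  [/^_cl(ck|sk)$/, "Microsoft Clarity"],
];

// Registrable-domain approximation: last two labels, or three under a
// second-level suffix such as co.uk. Assumption: enough for a first-pass
// audit; use the Public Suffix List in anything production-grade.
const SECOND_LEVEL_SUFFIXES = new Set(["co.uk", "org.uk", "ac.uk", "gov.uk", "com.au"]);
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  if (labels.length <= 2) return labels.join(".");
  const lastTwo = labels.slice(-2).join(".");
  return SECOND_LEVEL_SUFFIXES.has(lastTwo) ? labels.slice(-3).join(".") : lastTwo;
}

function identifyTracker(hostname) {
  const h = hostname.toLowerCase();
  for (const [domain, vendor] of Object.entries(TRACKER_DOMAINS)) {
    if (h === domain || h.endsWith("." + domain)) return vendor;
  }
  return null;
}

// Split third-party requests into known trackers fired before/after consent,
// plus unknown third parties that still need a manual look.
function auditHar(har, siteHost, consentAt) {
  const site = registrableDomain(siteHost);
  const cutoff = consentAt ? Date.parse(consentAt) : Infinity;
  const report = { preConsent: [], postConsent: [], unknownThirdParty: [] };
  for (const entry of har.log.entries) {
    const host = new URL(entry.request.url).hostname;
    if (registrableDomain(host) === site) continue; // first-party request
    const vendor = identifyTracker(host);
    const item = { host, vendor, time: entry.startedDateTime };
    if (!vendor) { report.unknownThirdParty.push(item); continue; }
    (Date.parse(entry.startedDateTime) < cutoff ? report.preConsent : report.postConsent).push(item);
  }
  return report;
}

// cookies: [{ name, domain }] as listed under Application > Cookies after "Reject all".
function flagTrackerCookies(cookies) {
  const hits = [];
  for (const c of cookies) {
    const match = TRACKER_COOKIE_PATTERNS.find(([re]) => re.test(c.name));
    if (match) hits.push({ name: c.name, domain: c.domain, vendor: match[1] });
  }
  return hits;
}

// Constructed sample: a shop on example.co.uk where gtag.js, GA4 and the Pixel
// fire before the banner is answered at 10:00:05 and Intercom only afterwards.
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: "2026-04-20T10:00:00.100Z", request: { url: "https://www.example.co.uk/" } },
  { startedDateTime: "2026-04-20T10:00:00.400Z", request: { url: "https://cdn.example.co.uk/app.js" } },
  { startedDateTime: "2026-04-20T10:00:00.900Z", request: { url: "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE" } },
  { startedDateTime: "2026-04-20T10:00:01.200Z", request: { url: "https://www.google-analytics.com/g/collect?v=2" } },
  { startedDateTime: "2026-04-20T10:00:01.300Z", request: { url: "https://connect.facebook.net/en_GB/fbevents.js" } },
  { startedDateTime: "2026-04-20T10:00:01.500Z", request: { url: "https://fonts.gstatic.com/s/inter.woff2" } },
  { startedDateTime: "2026-04-20T10:00:06.000Z", request: { url: "https://widget.intercom.io/widget/app_id" } },
] } };
const SAMPLE_COOKIES = [
  { name: "session_id", domain: "www.example.co.uk" },
  { name: "_ga", domain: ".example.co.uk" },
  { name: "_ga_EXAMPLE", domain: ".example.co.uk" },
  { name: "_fbp", domain: ".example.co.uk" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditHar(SAMPLE_HAR, "www.example.co.uk", "2026-04-20T10:00:05Z"), null, 2));
  console.log(flagTrackerCookies(SAMPLE_COOKIES));
}
```

Run it with `node audit.js` after replacing SAMPLE_HAR with `JSON.parse(fs.readFileSync("export.har"))` and the sample cookies with your own list. Anything in `preConsent` is a tracker that ran before the banner was answered; with `consentAt` set to null (you never clicked anything) every tracker call counts as pre-consent. The `unknownThirdParty` bucket (fonts, CDNs, the reCAPTCHA endpoint) is the list to review by hand, since third-party does not automatically mean tracker.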
Step 3: Review Your Cookie Banner
A compliant cookie banner must satisfy five requirements. Test each on your own site before assuming the off-the-shelf plugin handles it.
| # | Requirement | How to test it |
|---|---|---|
| 1 | Appears before non-essential cookies load | DevTools Network tab, fresh private window, reload. No third-party tracker domains and no tracker cookies before the banner is answered. |
| 2 | Explicit, unambiguous Reject-all button | Visible on the first layer without scrolling. Labelled clearly. Not buried under "Manage preferences". |
| 3 | Reject as prominent as Accept | Same colour weight, same size, same number of clicks. No grey-on-grey Reject. |
| 4 | Granular per-category consent available | Analytics, advertising and functional can be toggled separately on the preferences layer. |
| 5 | Withdrawal as easy as consent | Persistent footer link reopens the panel. Changing accept to reject stops the scripts on the next page load. |

The ICO has flagged non-compliant cookie banners on UK websites as an enforcement priority and has written to operators of high-traffic sites where banners do not offer a reject option at the same level as accept, or set advertising cookies before consent. The ICO's enforcement action pages list the underlying notices and the public outcomes of recent investigations.
If your cookie banner fails any of the above points, update it immediately.
Step 4: Implement Consent Gates for Non-Essential Trackers
The safest approach is to prevent non-essential trackers from loading until consent is given. Use a cookie consent platform (Cookiebot, OneTrust, Usercentrics) or implement conditional code:
// Only load Google Analytics if the user has consented to analytics.
// This check must run before any tag script is injected, Tag Manager included;
// the gtag('js') and gtag('config') calls belong inside the same branch.
if (localStorage.getItem('consent_analytics') === 'true') {
  const s = document.createElement('script');
  s.async = true;
  s.src = 'https://www.googletagmanager.com/gtag/js?id=GA_MEASUREMENT_ID'; // your property ID
  document.head.appendChild(s);
}
This ensures trackers never fire without consent, provided the check is the only path that loads them: if you use Google Tag Manager, the consent state has to gate the triggers inside the container as well (or the container itself must not load until consent), and plugins that inject their own tags need the same treatment or removal.
For embedded services (Google Maps, YouTube, Hotjar), load a static placeholder image initially and only load the interactive version after consent:
<!-- Before consent: a static image inside a button; the click is the consent action -->
<button type="button" data-embed-src="https://www.google.com/maps/...">
  <img src="map-placeholder.jpg" alt="Map of our office (click to load the interactive Google Map)">
</button>
<!-- After consent: the embed replaces the placeholder -->
<iframe src="https://www.google.com/maps/..." title="Google Map" loading="lazy"></iframe>
Step 5: Update Your Privacy Policy
Your privacy policy must disclose every third-party tracker. For each, state:
- Service name and vendor (e.g., Google Analytics, Facebook Pixel)
- What data it collects (IP address, cookies, event data and device info)
- Why you use it (website traffic analysis, advertising retargeting and user experience optimization)
- How long data is retained (state the vendor's actual period rather than a generic figure: GA4 keeps event-level data for 2 or 14 months depending on the property's retention setting, while its _ga cookie persists on the device for up to 2 years)
- Users' rights (right to opt out and right of access)
Example paragraph:
"We use Google Analytics 4 to analyse website traffic and user behaviour. It sets the _ga cookie on your device for up to 24 months and sends your page interactions and a pseudonymous client ID to Google, which retains event-level data for [your retention setting: 2 or 14 months]. Our legal basis is your prior consent via our cookie banner. You can withdraw it at any time through the 'Cookie settings' link in the footer, or block Google Analytics entirely with Google's opt-out browser add-on."
Step 6: Update Contracts with Third Parties
If a website builder (Wix, Squarespace), theme vendor or plugin developer has installed trackers, you need a Data Processing Agreement (DPA) with every party that processes visitor data on your behalf. The theme or plugin author usually does not process the data themselves; the service their code calls (Google, Meta, Hotjar) does, and that is where the DPA must be in place.
A DPA (UK GDPR Article 28) records that the vendor acts as your processor, or as a sub-processor of another processor, and sets out what it may do with the data, how it supports data subject rights and what security obligations it accepts. Some vendors act as independent or joint controllers for parts of the processing (Meta does for the Pixel), which changes what the agreement needs to cover.
Most established vendors (Google, Shopify, Mailchimp, HubSpot) provide DPAs by default. Smaller developers may not. Request one in writing.
Google Analytics: Special Case
Google Analytics 4 (GA4) data is processed on Google's servers, some of which are in the US. Under UK GDPR that is a restricted international transfer and needs a transfer mechanism: Google's data processing terms rely on the UK Extension to the EU-US Data Privacy Framework (the "UK-US data bridge", in force since 12 October 2023) and on standard contractual clauses with the UK Addendum. Check that you have accepted Google's data processing terms in the GA4 account settings.
There is no IP anonymisation setting to enable in GA4: unlike Universal Analytics, GA4 discards the IP address at collection and does not log or store it. That does not stop the browser sending it with every hit, so the tracker still needs consent. What you can configure is Google Consent Mode v2, which has two modes:
- Basic mode: Google tags are not loaded at all until the user consents to analytics; nothing is sent to Google on rejection.
- Advanced mode: gtag.js loads before consent with every signal set to "denied". On rejection it sends cookieless pings (no cookies, no client ID) that Google uses for aggregate modelling; on consent it sends full event data.
Advanced mode reduces what Google receives, but it still transmits the visitor's IP address and page URL to Google before consent, so treat it as risk reduction rather than an exemption from Regulation 6. For a UK site, basic mode is the safer choice.
Google has required Consent Mode v2 since March 2024 for sites that use Google Ads personalisation and measurement features for EEA or UK users.
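Putting Step 4 and the Consent Mode discussion together, the following added example (not the page's code and not Google's snippet) is a small consent gate: it stores a versioned, expiring consent record, derives the Consent Mode v2 signals from it (everything denied when there is no record), and only injects gtag.js or swaps a click-to-load placeholder for its iframe once the relevant category is granted. The storage key, the version number, the six-month expiry and the `data-embed-src` attribute are this example's own choices; `GA_MEASUREMENT_ID` is a placeholder for your property ID.

```javascript
// Added example (not the page's or Google's code): consent gate with a versioned,
// expiring consent record, Consent Mode v2 signals derived from it, and script /
// iframe loading that only happens for granted categories.
// Assumptions: storage key, version and 6-month expiry are this example's choices;
// GA_MEASUREMENT_ID stands in for your own property ID.

const CONSENT_KEY = "site_consent";
const CONSENT_VERSION = 2;                            // bump when purposes change: older records are ignored
const CONSENT_MAX_AGE_MS = 182 * 24 * 60 * 60 * 1000; // re-ask after about six months
const CATEGORIES = ["analytics", "advertising", "functional"];

// Returns { analytics, advertising, functional } booleans, or null when there is no
// usable record. Absent, malformed, stale and old-version records all mean "not consented".
function readConsent(storage, now = Date.now()) {
  try {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    const rec = JSON.parse(raw);
    if (rec.version !== CONSENT_VERSION || typeof rec.ts !== "number") return null;
    if (now - rec.ts > CONSENT_MAX_AGE_MS) return null;
    const out = {};
    for (const c of CATEGORIES) out[c] = rec.categories?.[c] === true; // only an explicit true grants
    return out;
  } catch {
    return null;
  }
}

function writeConsent(storage, choices, now = Date.now()) {
  const categories = {};
  for (const c of CATEGORIES) categories[c] = choices[c] === true;
  storage.setItem(CONSENT_KEY, JSON.stringify({ version: CONSENT_VERSION, ts: now, categories }));
  return categories;
}

// Consent Mode v2 signals. No record => everything denied, which is the state
// gtag must be given BEFORE any Google script is allowed to run.
function consentModeSignals(consent) {
  const analytics = consent?.analytics === true;
  const ads = consent?.advertising === true;
  return {
    analytics_storage: analytics ? "granted" : "denied",
    ad_storage: ads ? "granted" : "denied",
    ad_user_data: ads ? "granted" : "denied",
    ad_personalization: ads ? "granted" : "denied",
  };
}

// Run `loader` only if the category is granted; the loader is injected so the
// decision can be exercised without a DOM. Returns whether it ran.
function loadIfGranted(consent, category, loader) {
  if (consent && consent[category] === true) {
    loader();
    return true;
  }
  return false;
}

// Browser-only helpers.
function injectScript(src) {
  const s = document.createElement("script");
  s.async = true;
  s.src = src;
  document.head.appendChild(s);
}
function replacePlaceholderWithIframe(placeholder, src) {
  const frame = document.createElement("iframe");
  frame.src = src;
  placeholder.replaceWith(frame);
}
const GTAG_SRC = "https://www.googletagmanager.com/gtag/js?id=GA_MEASUREMENT_ID";

// Apply a banner choice: persist it, update the signals, then load what is now allowed.
function applyChoices(storage, choices, win) {
  const consent = writeConsent(storage, choices);
  win.gtag("consent", "update", consentModeSignals(consent));
  loadIfGranted(consent, "analytics", () => injectScript(GTAG_SRC));
  return consent;
}

if (typeof window !== "undefined" && typeof document !== "undefined") {
  const consent = readConsent(window.localStorage);
  window.dataLayer = window.dataLayer || [];
  window.gtag = function () { window.dataLayer.push(arguments); };
  // Basic Consent Mode: defaults are denied and gtag.js is not injected until granted.
  window.gtag("consent", "default", consentModeSignals(consent));
  loadIfGranted(consent, "analytics", () => injectScript(GTAG_SRC));
  // Click-to-load embeds: <button data-embed-src="https://www.google.com/maps/embed?...">
  for (const el of document.querySelectorAll("[data-embed-src]")) {
    el.addEventListener("click", () => replacePlaceholderWithIframe(el, el.dataset.embedSrc));
  }
  // Wire the banner's buttons to applyChoices(window.localStorage, { analytics: true, ... }, window)
}
```

Two design points matter for the banner checks in Step 3. Anything that is not an explicit `true` in the stored record is treated as denied, so a tampered, truncated or pre-version-bump record fails closed rather than open. And because gtag.js is never injected while analytics is denied, a "Reject all" click in Step 2 produces no request to googletagmanager.com at all, which is what the DevTools check should show.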
Facebook Pixel: High-Risk Tracker
Facebook Pixel transmits user browsing data to Meta's servers, including event data (product viewed, added to cart, purchased) and, when you enable Advanced Matching in the browser or send events server-side through the Conversions API, hashed personal identifiers such as email address and phone number.
This is a high-risk tracker and must be gated behind explicit consent. Even with a correct consent gate, consider whether the risk-benefit trade-off justifies its use: a small business without a significant Facebook ad budget gains little from it and may be better off removing it entirely.
Action Plan
- Audit your site using browser DevTools Network tab. List all third-party domains.
- Test your cookie banner: click "Reject all" and verify that non-essential trackers do NOT load.
- If trackers load without consent, implement a cookie consent platform and gate non-essential scripts behind consent checks.
- Update your privacy policy to disclose all third-party trackers and users' rights.
- Request Data Processing Agreements from theme vendors, plugin developers and analytics platforms.
- In Google Analytics, confirm the data processing terms are accepted and use Consent Mode v2 in basic mode (GA4 has no IP anonymisation switch to enable; it already discards the IP address at collection).
- Review and possibly remove high-risk trackers (Facebook Pixel and Hotjar) unless you have a strong business justification.
Most small business sites can complete this audit and remediation in an afternoon.