Third-party trackers

MetricSpot counts the unique third-party domains that load scripts or pixels on the page. Each one is a privacy hop, a performance cost, and a consent obligation.

What this check does

Records every network request made while rendering the page, groups them by registrable domain, and reports the count of unique third-party hosts that ship JavaScript, pixels, beacons, or tracking iframes. First-party domains (you and your subdomains) are excluded. CDNs serving your own assets (cdn.yourdomain.com) are excluded. Fonts and analytics that match known tracker fingerprints are included.

Common offenders that show up in the list:

  • Tag managers: googletagmanager.com
  • Analytics: google-analytics.com, analytics.google.com, mixpanel.com, segment.io, amplitude.com
  • Ad tech: doubleclick.net, googlesyndication.com, facebook.net, connect.facebook.net, bat.bing.com, ads.linkedin.com, t.co, analytics.tiktok.com
  • Session replay / heatmaps: hotjar.com, static.hotjar.com, fullstory.com, clarity.ms
  • Support widgets: intercom.io, widget.intercom.io, drift.com, js.driftt.com, zendesk.com
  • Fonts and SDKs: fonts.googleapis.com, fonts.gstatic.com, js.stripe.com, cdn.shopify.com (when not your own store)

Three or fewer is a healthy baseline. Above seven, you’re a typical marketing site — and you have real GDPR work to do.

Why it matters

Every third-party domain on your page is three problems at once.

  • A privacy hop you have to disclose. Under GDPR Article 13 and the ePrivacy Directive, every non-essential third-party recipient of personal data has to be named in your privacy policy and consented to before its script fires. CNIL has fined sites specifically for under-disclosing the recipient list.
  • A performance tax you cannot fully control. HTTP Archive’s third-party-web report consistently shows that ad-tech, tag managers, and chat widgets are the slowest third parties on the web — often pushing Largest Contentful Paint past 4 seconds and Interaction to Next Paint into the failing band. Every script you don’t ship is a tax you don’t pay.
  • A consent surface that breaks easily. If even one script in your tag manager fires before consent — because it’s hardcoded outside the consent gate, or the consent listener loads late — you’re in violation regardless of how good your cookie consent banner is.

Six trackers is roughly the median for a content site. Twelve to twenty is normal for an e-commerce or SaaS marketing site. Forty-plus shows up on news sites running programmatic ads — and is also where most GDPR fines land.

How to fix it

Inventory what you have. Open the page in Chrome DevTools → Network tab → filter by domain. Group third-party requests by registrable domain and ask, for each one, “is this still earning its keep?”

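# Quick command-line audit: list every host referenced in the static HTML.
# Requests injected at runtime by scripts do not appear here; use the Network tab for those.
curl -s https://yourdomain.com/ \
  | grep -oE 'https?://[^"'"'"' <>]+' \
  | awk -F/ '{print $3}' \
  | sort -u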

Run a Lighthouse audit (DevTools → Lighthouse → Generate report) — the “Reduce the impact of third-party code” diagnostic lists each domain with its blocking time.
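
The inventory step can also be run over a HAR file exported from the DevTools Network tab. The following Node.js code is an added example, not MetricSpot's own implementation: it groups requests by registrable domain, drops first-party hosts, and counts requests that started before a consent timestamp, which is the failure described under "Why it matters". The function names, the short suffix list standing in for the Public Suffix List, and the sample HAR are assumptions constructed for illustration.

```javascript
// Added example: audit a HAR export for third-party domains and pre-consent requests.
// Assumption: this short list of two-label public suffixes stands in for the full
// Public Suffix List, which a production audit should use instead.
const TWO_LABEL_SUFFIXES = new Set(['co.uk', 'com.au', 'co.jp', 'com.br']);

function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  if (labels.length <= 2) return labels.join('.');
  const lastTwo = labels.slice(-2).join('.');
  return labels.slice(TWO_LABEL_SUFFIXES.has(lastTwo) ? -3 : -2).join('.');
}

// har: parsed HAR object; pageUrl: the audited page; consentAt: ISO 8601 time consent
// was granted, or null if it never was (then every request counts as pre-consent).
function auditHar(har, pageUrl, consentAt = null) {
  const firstParty = registrableDomain(new URL(pageUrl).hostname);
  const consentMs = consentAt === null ? Infinity : Date.parse(consentAt);
  const byDomain = new Map();
  for (const entry of har.log.entries) {
    let url;
    try { url = new URL(entry.request.url); } catch { continue; } // malformed URL
    if (!/^https?:$/.test(url.protocol)) continue; // data:, blob:, chrome-extension:
    const domain = registrableDomain(url.hostname);
    if (domain === firstParty) continue; // own site and its subdomains
    const rec = byDomain.get(domain) ||
      { domain, hosts: new Set(), requests: 0, beforeConsent: 0 };
    rec.hosts.add(url.hostname);
    rec.requests += 1;
    if (Date.parse(entry.startedDateTime) < consentMs) rec.beforeConsent += 1;
    byDomain.set(domain, rec);
  }
  return [...byDomain.values()]
    .map(r => ({ ...r, hosts: [...r.hosts].sort() }))
    .sort((a, b) => a.domain.localeCompare(b.domain));
}

// Constructed sample HAR (not captured from a real site).
const sampleHar = { log: { entries: [
  { startedDateTime: '2026-01-01T10:00:00.100Z', request: { url: 'https://yourdomain.com/' } },
  { startedDateTime: '2026-01-01T10:00:00.200Z', request: { url: 'https://cdn.yourdomain.com/app.js' } },
  { startedDateTime: '2026-01-01T10:00:00.300Z', request: { url: 'https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE' } },
  { startedDateTime: '2026-01-01T10:00:00.400Z', request: { url: 'https://static.hotjar.com/c/hotjar-0.js' } },
  { startedDateTime: '2026-01-01T10:00:05.000Z', request: { url: 'https://script.hotjar.com/modules.js' } },
  { startedDateTime: '2026-01-01T10:00:05.100Z', request: { url: 'data:image/gif;base64,R0lGOD' } },
] } };

const report = auditHar(sampleHar, 'https://yourdomain.com/', '2026-01-01T10:00:03.000Z');
console.log(report);
```

Any domain with a non-zero `beforeConsent` count loaded outside the consent gate and needs to be moved behind it.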

Cut what you don’t need. The most common wins:

  • Remove Google Tag Manager and inline GA4 directly. GTM is a habit, not a requirement. If you only manage GA + one or two pixels, inline gtag.js and delete the GTM container.
  • Self-host fonts. fonts.googleapis.com is a tracker under GDPR (a German court ruled so in 2022). Download the WOFF2 files, serve from your own origin, and remove the Google Fonts URL.
  • Replace third-party chat with email. Intercom, Drift, and Zendesk widgets each weigh 100–300 KB and run continuous heartbeat requests. A mailto: link doesn’t.
  • Remove dead pixels. Marketing teams add pixels for campaigns and forget to remove them. Audit pixel age and remove anything older than your typical campaign cycle.

Gate what you must keep behind consent. Every remaining non-essential tracker has to load only after the user grants consent in your banner. Use Google Consent Mode v2 + IAB TCF v2.2 or the equivalent for your stack. See cookie consent banner.

Lazy-load support widgets. Don’t ship Intercom on every page. Load it only when the user clicks a “Chat with us” button:

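<button id="open-chat">Chat with us</button>
<script>
  // Inject the widget script on the first click only; { once: true } removes the
  // listener afterwards so repeated clicks cannot load the script again.
  document.getElementById('open-chat').addEventListener('click', () => {
    const s = document.createElement('script');
    s.src = 'https://widget.intercom.io/widget/YOUR_APP_ID';
    s.async = true;
    document.head.appendChild(s);
  }, { once: true });
</script>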

Move analytics server-side. Tools like Plausible, Fathom, or a self-hosted Matomo eliminate the client-side tracker entirely. Server-side GTM moves Google’s stack to your own domain (still GA, still trackable, but only one third-party domain in the network panel).

Audit dependencies, not just your code. A WordPress plugin or a Shopify app can quietly add three or four trackers without your knowledge. After every plugin install, re-run the audit.

Frequently asked questions

How many is too many?

It depends on your site type. A SaaS marketing site can usually live with 4–6: GA4 + GTM + one ad pixel + Stripe + your CDN. A content site monetised with programmatic ads will have 20+ and there’s no way around it — but those sites also need cookie consent banner plumbing that’s airtight. The number itself isn’t the problem; the consent and disclosure obligations that come with it are.

Are fonts really trackers?

Yes, when served by a third-party CDN. fonts.googleapis.com logs the requesting IP. A Munich regional court fined a site owner €100 in 2022 specifically over embedding Google Fonts without consent (LG München I, Urt. v. 20.01.2022, Az. 3 O 17493/20). Self-host your fonts and the problem disappears.

Does removing trackers hurt my analytics?

Removing duplicate trackers doesn’t — most sites have two analytics tools that disagree by 30% because of consent loss anyway. Removing a tracker you actually use will obviously stop the data flow; in that case, replace it with a privacy-friendly equivalent (Plausible, Fathom, self-hosted Matomo) rather than just deleting it.

Last updated 2026-05-11