You can find most trackers on your website in about two minutes. Open the site in your browser, check the Network and Application tabs in developer tools, or run a free scanner that lists every cookie and third-party script for you. The hard part isn't finding them. It's knowing which ones fire before your visitors say yes.
Here's how to catch all of them, including the ones you forgot you installed.
What counts as a tracker?
A tracker is any script, cookie, or pixel that collects data about your visitors. That includes analytics like Google Analytics, ad pixels from Meta or TikTok, chat widgets, embedded videos, and fonts loaded from third-party servers. If it talks to another company's server, treat it as a tracker.
Most site owners think of trackers as "the analytics tool I added." In reality, a single embedded YouTube video or a Google Font can set cookies and open a connection you never agreed to on your visitors' behalf.
Why do hidden trackers matter for GDPR?
Hidden trackers matter because GDPR requires consent before most of them run. If a tracker sets a cookie or sends data before your visitor clicks accept, you're likely breaking the law, even if you have a banner. Regulators fine the behavior, not the banner.
This is more common than most people think. One review of consent studies found that roughly 75% of tracking already happens before a visitor gets to choose. A separate analysis of 2,000 sites found 92% performed tracking before consent. So a banner alone proves nothing.
It gets worse. The same research found only about 15% of EU sites meet the minimum bar for compliance. Most fail because trackers fire too early, or because there's no real reject option.
How do you find every tracker on your website?
To find every tracker, use two methods together: your browser's developer tools for a manual check, and an automated scanner for full coverage. The browser shows you what loads in real time. The scanner catches things buried on pages you forgot to test.
1. Check your browser's developer tools
Open your site, right-click, and choose Inspect. Go to the Application tab (Chrome) or Storage tab (Firefox) to see every cookie and localStorage key. Then open the Network tab and reload. Each request to a domain that isn't yours is a third-party connection worth checking.
2. Run a cookie scanner
A scanner crawls your site and lists cookies, third-party domains, and known trackers automatically. It's faster than clicking through pages by hand. Our free GDPR scan checks what your site loads, whether you already have a consent platform, and which trackers are high risk.
3. Watch what fires before you click anything
This is the step people skip. Load your site in a fresh private window, but don't touch the banner. Watch the Network tab. Anything that fires in those first seconds is running without consent, and that's exactly what regulators look for.
Is a manual check or a scanner better?
Use both, but start with a scanner. A scanner gives you full coverage fast and won't miss a tracker on a page you forgot. A manual browser check is better for one thing: seeing the exact order scripts fire and catching what runs before consent. The scanner tells you what's there. The browser tells you when it loads.
What does a GDPR scan actually check?
A good GDPR scan checks four things: which cookies your site sets, which third-party domains it connects to, whether known trackers are present, and whether you already run a consent platform. The better scanners also flag the risk level of each tracker, so you know what to fix first.
Consentify's scanner matches what it finds against a library of 95+ known trackers, each tagged by category and GDPR risk. That means you don't just get a list of cookies. You get a plain answer on what's actually dangerous.
Trackers people almost always forget
Some trackers hide in plain sight because they came bundled with something else. Watch for these:
- Embedded YouTube or Vimeo videos that set cookies on load
- Google Fonts loaded from Google's servers instead of self-hosted
- Chat and support widgets like Intercom or HubSpot
- Social share buttons and embedded posts
- Old pixels from a campaign you ran two years ago and never removed
When we scan customer sites during onboarding, the leftover pixel from a forgotten ad campaign is the single most common surprise.
How do you stop trackers firing before consent?
You stop early tracking by gating every third-party script behind consent, so nothing loads until the visitor agrees. A consent management platform (CMP) does this for you: it holds the scripts back, shows the banner, and injects each tracker only after the matching category is accepted.
This is the whole job of a GDPR-compliant setup. With Consentify you add one script tag and connect your integrations. The banner blocks them until consent, then loads them in the right order:
<script src="https://consentify.app/api/gateway?token=YOUR_TOKEN"></script>
No consent, no tracker. That's the behavior regulators actually want to see.
How often should you scan?
Scan your site at least once a quarter, and again any time you add a new tool, embed, or marketing pixel. Trackers creep in quietly. A new page, a new plugin, or a designer adding an embed can reintroduce something you thought you'd removed.
For the full walkthrough, our guide on checking if your website is GDPR compliant covers the two-minute browser test in detail.
Want to see what your site is really loading? Run a free GDPR scan, then block what you find with Consentify: one domain free, no watermark, no time limit.