5 Hidden Tracking Scripts You Didn't Know Were on Your Website

Your website might be leaking user data to third parties without you even realizing it. Here are the most common invisible trackers found on SMB sites.

The "Invisible" Tracking Problem

You built your website with a standard template. You didn't intentionally install any "spyware." So why does a privacy scan reveal 15 different trackers?

The answer: third-party code injection. Every plugin, widget, embed, and CDN you use can introduce tracking scripts—often without your knowledge or consent.

Here are the top 5 unexpected sources of user tracking we find on SMB websites:


1. Social Media "Share" Buttons

What Happens:
Those "Share on Facebook" and "Tweet This" buttons aren't just images. They typically load heavy JavaScript libraries from the social platform's servers. These scripts can:

  • Identify logged-in users
  • Track page visits across your entire site
  • Build advertising profiles

The Risk:
This tracking happens even if the visitor never clicks the button. Just loading the page is enough.

The Fix:
Replace official social widgets with static share links. Example:

Share on X

This preserves functionality without loading tracking scripts.
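The static share link described above, as an added example that is not code from the original article: the page only renders a plain anchor, so nothing is requested from the social platform until the visitor clicks, and no platform JavaScript ever runs on your site. The share endpoints below are the platforms' long-standing public share URLs; confirm them against current documentation before shipping.

```javascript
// Added example, not code from the original article: static share links that
// make no request to the social platform until the visitor clicks. Only a plain
// URL is rendered, so no platform JavaScript runs on the page. The endpoints
// are the platforms' public share URLs; verify against current documentation.

const SHARE_ENDPOINTS = {
  x: 'https://twitter.com/intent/tweet',
  facebook: 'https://www.facebook.com/sharer/sharer.php',
};

// Builds the share URL. Every visitor-facing value goes through URLSearchParams,
// so a page title containing '&', '#' or quotes cannot alter the query string.
function shareUrl(platform, pageUrl, title) {
  const base = SHARE_ENDPOINTS[platform];
  if (!base) throw new Error(`unsupported platform: ${platform}`);
  const u = new URL(base);
  if (platform === 'x') {
    u.searchParams.set('url', pageUrl);
    u.searchParams.set('text', title);
  } else {
    u.searchParams.set('u', pageUrl);
  }
  return u.toString();
}

// Escapes a string for use inside an HTML attribute or text node.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
  ));
}

// Renders the anchor. rel="noopener noreferrer" stops the opened tab from
// reaching back into this page and withholds the Referer header on the click.
function shareLinkHtml(platform, pageUrl, title, label) {
  const href = escapeHtml(shareUrl(platform, pageUrl, title));
  return `<a href="${href}" target="_blank" rel="noopener noreferrer">${escapeHtml(label)}</a>`;
}

// Demo with constructed values.
if (typeof module !== 'undefined' && require.main === module) {
  console.log(shareLinkHtml('x', 'https://example.com/post?id=1&ref=2', 'Hello & welcome', 'Share on X'));
}
```

Generate the anchor once at build or render time and paste the HTML into the template; the visitor's browser then has nothing to fetch from the platform until the link is actually followed.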


2. Embedded Video Players (YouTube, Vimeo)

What Happens:
Embedding a YouTube video using the standard <iframe> loads Google's tracking infrastructure. Before your visitor even presses play:

  • A cookie is set
  • The user's IP is sent to Google
  • A unique identifier is created

The Fix:
Use YouTube's privacy-enhanced mode by changing the embed URL:

https://www.youtube-nocookie.com/embed/VIDEO_ID

Or, implement a "click to load" pattern: show a thumbnail image that only loads the iframe after the user interacts.


3. Google Maps on Your Contact Page

What Happens:
An interactive Google Map makes an API call that transmits:

  • User IP address
  • Browser fingerprint
  • GPS coordinates (if permitted)

This data goes directly to Google's servers.

The Fix:
Use a static map image that links to Google Maps.

Alternatively, only load the interactive map after the user clicks "Load Map."
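The "click to load" pattern recommended for both the video embed (section 2) and the map (section 3), as an added example that is not code from the original article. The youtube-nocookie.com host is the one the article recommends; the shape of the Google Maps embed URL (https://www.google.com/maps/embed?...) is an assumption and should be taken from your own Maps embed code. The function names `youtubeEmbedUrl`, `mapEmbedUrl` and `mountClickToLoad` are this example's own.

```javascript
// Added example, not code from the original article: a "click to load" wrapper
// for the YouTube and Google Maps embeds. Until the visitor clicks, only a
// button (or your own thumbnail) is on the page and no request goes to
// youtube.com or google.com. The Maps embed URL shape is an assumption.

// Builds the privacy-enhanced YouTube iframe URL. The id is validated against
// the 11-character alphabet YouTube uses, so a value taken from a CMS field
// cannot append extra path segments or query parameters.
function youtubeEmbedUrl(videoId) {
  if (!/^[A-Za-z0-9_-]{11}$/.test(videoId)) {
    throw new Error('invalid YouTube video id');
  }
  return `https://www.youtube-nocookie.com/embed/${videoId}`;
}

// Accepts a Google Maps embed URL only if it is HTTPS on www.google.com under
// /maps/embed (assumed shape); anything else is rejected rather than rendered.
function mapEmbedUrl(embedUrl) {
  const u = new URL(embedUrl);
  if (u.protocol !== 'https:' || u.hostname !== 'www.google.com' || !u.pathname.startsWith('/maps/embed')) {
    throw new Error('not a Google Maps embed URL');
  }
  return u.toString();
}

// Mounts a placeholder button in `container`. The iframe element is created
// inside the click handler, so the third-party request cannot happen earlier.
// `doc` defaults to the browser document; passing another object lets the
// function run outside a browser.
function mountClickToLoad(container, iframeSrc, label, doc = globalThis.document) {
  if (!doc) return null; // not running in a browser
  const button = doc.createElement('button');
  button.type = 'button';
  button.textContent = label;
  button.addEventListener('click', () => {
    const iframe = doc.createElement('iframe');
    iframe.src = iframeSrc;
    iframe.width = '560';
    iframe.height = '315';
    iframe.setAttribute('loading', 'lazy');
    iframe.setAttribute('allowfullscreen', '');
    container.replaceChild(iframe, button);
  }, { once: true });
  container.appendChild(button);
  return button;
}

// Browser usage (constructed ids; replace with your own):
//   mountClickToLoad(document.getElementById('video'),
//                    youtubeEmbedUrl('aBcDeFgHiJk'), 'Load video');
//   mountClickToLoad(document.getElementById('map'),
//                    mapEmbedUrl('https://www.google.com/maps/embed?pb=PLACEHOLDER'), 'Load Map');
```

Swap the button for an image you host yourself if you want a visual thumbnail; the important property is that the `iframe` element does not exist in the DOM until the handler runs, which you can confirm in the Network tab by reloading the page and checking that no request to the platform appears before the click.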


4. CMS Plugins and Widgets

What Happens:
WordPress, Shopify, and Wix plugins often come with hidden analytics:

  • Chat widgets send "user is typing" data to third-party servers
  • Form builders log submissions to external databases
  • "Free" plugins monetize through data collection

Real Example:
A popular free contact form plugin was discovered sending copies of all form submissions—including email addresses and phone numbers—to a third-party analytics service. The plugin's privacy policy buried this in legal jargon.

The Fix:

  • Audit every plugin before installation
  • If it's free, investigate the business model
  • Prefer open-source tools where you can inspect the code

5. Google Fonts (Yes, Really)

What Happens:
Loading fonts from fonts.googleapis.com causes your visitor's browser to make a request to Google's servers. Each request includes:

  • User IP address
  • Referrer header (your page URL)
  • User-Agent (browser & OS information)

The Legal Issue:
A German court ruled in January 2022 that using Google Fonts without consent violates GDPR, awarding €100 compensation to an affected user. This opened the door to copycat lawsuits across Europe.

The Fix:
Self-host your fonts. Download the font files and serve them from your own server:

@font-face {
  font-family: 'Inter';
  src: url('/fonts/Inter.woff2') format('woff2');
}

Bonus: This also improves page load performance.


How to Detect Hidden Trackers

Manual Method (Chrome DevTools)

  1. Open your site in an Incognito window
  2. Right-click → Inspect → Network tab
  3. Reload the page and watch the requests
  4. Look for domains that aren't yours

Limitation: This is time-consuming, and it is easy to miss things.
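A way to make the manual Network-tab review less error-prone, as an added example that is not code from the original article or from the product it mentions: paste the captured request URLs (copied from the Network tab, or read out of a saved HAR file) into a list, and let a small classifier report every host that is not yours, tagging the ones this article covers. The tracker table, the function names and the sample request list below are this example's own; the requests are constructed for the demo.

```javascript
// Added example, not code from the original article or the product it mentions:
// classifies captured request URLs, reports every non-first-party host and tags
// the hosts discussed in the article. The request list is constructed.

const KNOWN_TRACKERS = [
  { suffix: 'fonts.googleapis.com', category: 'Google Fonts' },
  { suffix: 'fonts.gstatic.com', category: 'Google Fonts' },
  { suffix: 'youtube.com', category: 'Video embed' },
  { suffix: 'youtube-nocookie.com', category: 'Video embed (privacy-enhanced)' },
  { suffix: 'maps.googleapis.com', category: 'Google Maps' },
  { suffix: 'facebook.net', category: 'Social widget' },
  { suffix: 'platform.twitter.com', category: 'Social widget' },
];

// A host is first-party if it is the site host or a subdomain of it.
function isFirstParty(host, siteHost) {
  return host === siteHost || host.endsWith(`.${siteHost}`);
}

// Matches on the host or any subdomain of a known suffix; the leading dot
// prevents "notfacebook.net" from matching "facebook.net".
function classifyHost(host) {
  const hit = KNOWN_TRACKERS.find((t) => host === t.suffix || host.endsWith(`.${t.suffix}`));
  return hit ? hit.category : 'Unknown third party';
}

// Groups third-party requests by host; returns findings sorted by request
// count (descending), then host name, so the noisiest source is listed first.
function auditRequests(siteHost, requestUrls) {
  const byHost = new Map();
  for (const raw of requestUrls) {
    let url;
    try { url = new URL(raw); } catch (e) { continue; } // skip malformed lines
    if (url.protocol !== 'http:' && url.protocol !== 'https:') continue; // data:, blob:
    if (isFirstParty(url.hostname, siteHost)) continue;
    const entry = byHost.get(url.hostname)
      || { host: url.hostname, category: classifyHost(url.hostname), count: 0, sample: raw };
    entry.count += 1;
    byHost.set(url.hostname, entry);
  }
  return [...byHost.values()].sort((a, b) => b.count - a.count || a.host.localeCompare(b.host));
}

// Constructed sample: what a Network-tab capture of a small shop's home page
// might contain. The .example TLD is reserved and never resolves.
const SAMPLE_REQUESTS = [
  'https://www.example-shop.com/',
  'https://www.example-shop.com/css/site.css',
  'https://cdn.example-shop.com/img/hero.jpg',
  'https://fonts.googleapis.com/css2?family=Inter',
  'https://fonts.gstatic.com/s/inter/v12/constructed.woff2',
  'https://www.youtube.com/embed/aBcDeFgHiJk',
  'https://www.youtube.com/iframe_api',
  'https://connect.facebook.net/en_US/sdk.js',
  'https://maps.googleapis.com/maps/api/js?key=PLACEHOLDER_KEY',
  'https://cdn.chatwidget.example/loader.js',
  'data:image/png;base64,iVBORw0KGgo=',
];

function runDemo() {
  return auditRequests('example-shop.com', SAMPLE_REQUESTS);
}

if (typeof module !== 'undefined' && require.main === module) {
  for (const f of runDemo()) console.log(`${f.count}x ${f.host} -> ${f.category}`);
}
```

The "Unknown third party" rows are the ones that deserve a look: a host you cannot explain from your own plugin list is exactly the kind of hidden tracker this article is about. Extend `KNOWN_TRACKERS` with the hosts of the plugins you have consciously chosen so that only genuinely unexpected hosts remain unclassified.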

Automated Method (Recommended)

Use SMB Compliance Check's Deep Audit to:

  • Simulate a real user visit across multiple pages
  • Capture all network requests, cookies, and storage writes
  • Identify undisclosed third-party data sharing
  • Generate a compliance report with specific remediation steps

Key Takeaways

  • Most hidden trackers are introduced by third-party tools, not intentional design.
  • Social widgets, video embeds, maps, plugins, and fonts are the top culprits.
  • Each hidden tracker is a potential GDPR violation.
  • Manual detection is possible but not scalable—automation is essential.

Ready to find what's hiding on your site? Run a free compliance scan →
