Third-Party Risk Surface · Updated 2026-05-02
Tracker Presence
Informational (weight 0). Categorizes trackers by tier. Fingerprinting or 3+ ad trackers = 0; ad+analytics = 0.4; analytics only = 0.75.
This check is informational and does not affect your score (weight 0). It categorizes detected third-party scripts into tiers (fingerprinting, advertising, standard analytics, privacy-respecting) and reports the mix. The score is not applied; the value is the visibility into what is running on your page and its privacy implications.
How the check works
Per primary host, the check matches loaded scripts against a curated tracker list and tags each by tier. Per-host result tiers:
- Fingerprinting or session-recording detected: 0.0. Reason: extensive_tracking. The most invasive tier; includes device fingerprinting, full session replay, and similar tools.
- 3 or more advertising trackers: 0.0. Reason: extensive_tracking. Heavy ad/retargeting integration.
- 1-2 ad trackers (with or without analytics): 0.4. Reason: ad_trackers_present.
- Standard analytics only: 0.75. Reason: standard_analytics_present.
- Privacy-respecting analytics only (Plausible, Fathom, Pirsch, etc.): 1.0.
- No trackers detected: 1.0.
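The per-host tiering above, written out as an added example (this is not RedScore's own code). The tracker list is a constructed stand-in for the curated list: analytics.google.com and connect.facebook.net are the two real hosts named on this page, the rest are invented .example hosts. Hosts are matched exactly or as subdomains, each third-party host is counted once, and the 1.0 tiers carry no reason code because the page gives none.

```javascript
// Added example (not RedScore's code): tier classification for third-party
// script hosts, following the per-host tiers described on this page.
// SAMPLE_TRACKER_LIST is a constructed stand-in for the curated tracker list.
const SAMPLE_TRACKER_LIST = {
  "cdn.fingerprint.example": "fingerprinting",
  "replay.sessionrec.example": "fingerprinting",
  "connect.facebook.net": "advertising",
  "ads.platform-a.example": "advertising",
  "ads.platform-b.example": "advertising",
  "analytics.google.com": "analytics",
  "cdn.product-analytics.example": "analytics",
  "plausible.example": "privacy_respecting",
};

// Match a host exactly or as a subdomain of a listed host.
function lookupTier(host, trackerList) {
  for (const [listed, tier] of Object.entries(trackerList)) {
    if (host === listed || host.endsWith("." + listed)) return tier;
  }
  return null;
}

// Returns { score, reason, trackers_detected } for one primary host's scripts.
function classifyScripts(scriptUrls, trackerList = SAMPLE_TRACKER_LIST) {
  const seen = new Set();
  const trackersDetected = [];
  for (const url of scriptUrls) {
    let host;
    try {
      host = new URL(url).hostname;
    } catch {
      continue; // skip malformed entries rather than failing the whole check
    }
    if (seen.has(host)) continue; // count each third-party host once
    seen.add(host);
    const tier = lookupTier(host, trackerList);
    if (tier) trackersDetected.push({ host, tier });
  }
  const count = (tier) => trackersDetected.filter((e) => e.tier === tier).length;
  const fingerprinting = count("fingerprinting");
  const advertising = count("advertising");
  const analytics = count("analytics");

  let score;
  let reason = null; // the page gives no reason code for the 1.0 tiers
  if (fingerprinting > 0 || advertising >= 3) {
    score = 0.0;
    reason = "extensive_tracking";
  } else if (advertising > 0) {
    score = 0.4;
    reason = "ad_trackers_present";
  } else if (analytics > 0) {
    score = 0.75;
    reason = "standard_analytics_present";
  } else {
    score = 1.0;
  }
  return { score, reason, trackers_detected: trackersDetected };
}
```

Feed it the script URLs from the DevTools Network tab (or any harvested list) to reproduce the verdict locally; the tier of a single fingerprinting host dominates everything else, which is why one session-replay script takes the whole host to 0.0.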
How the verdict maps to evidence
Verdict and score are reported but not applied. Evidence shows trackers_detected with each entry's host and tier classification.
Special states
- Not Applicable: response is not HTML, or primary serves a default/empty placeholder.
- Degraded: probe data unavailable.
Per-tier interpretation
Fingerprinting / session recording
Tools like Hotjar (with full session replay enabled), FullStory, LogRocket, ClickTale, and dedicated fingerprinting libraries (FingerprintJS, FingerprintProJS in non-anonymized mode). They capture rich behavioural data: mouse movement, keystrokes, page scrolls, sometimes typed input. Privacy implications:
- GDPR: explicit opt-in consent required in most cases.
- CCPA: must be disclosed and opt-out-able.
- Industry-specific (HIPAA, PCI): often prohibited outright, or permitted only with special compensating controls.
- User trust: many privacy advocates flag these tools publicly; brands have taken reputation hits.
If you have a legitimate need for session replay (UX research, support diagnostics), gate it strictly behind consent, mask sensitive form fields, exclude pages that show personal information, and document the data flow for compliance.
Advertising / retargeting (3+)
Multiple ad/retargeting pixels: Facebook Pixel, Google Ads, LinkedIn Insight, Twitter/X Pixel, TikTok Pixel, Pinterest, Reddit Pixel, etc. Common on marketing sites that run ads across several platforms. Each pixel:
- Reads page URL, referrer, IP, browser fingerprint per visitor.
- Sets cookies under the third-party domain for cross-site tracking.
- Reports visit and conversion events to the ad platform.
If your marketing depends on these channels, consolidate via a tag manager and audit which are still active. Stale Pixel tags from previous campaigns linger long after the campaigns end.
Ad trackers (1-2)
Single primary marketing platform (Google Ads pixel, Facebook Pixel) plus standard analytics. Common and operationally normal. The same audit advice applies: gate behind consent, document the data flow.
Standard analytics only
Google Analytics, Mixpanel, Heap, Amplitude, Segment, Adobe Analytics, etc. Used to understand product usage. Less invasive than ad trackers (no cross-site retargeting cookies) but still subject to consent requirements in most privacy regimes. The trade-off: rich data versus user privacy.
Privacy-respecting only
Tools that explicitly avoid personal-data collection: Plausible, Fathom, Pirsch, self-hosted Matomo (with privacy mode), Simple Analytics. These typically do not need consent banners under GDPR because they do not process personal data. The full-credit tier; you have made an explicit privacy-friendly choice.
Consent management
If you operate in jurisdictions with prior-consent requirements (most of EU/EEA, increasingly other regions), non-essential trackers must not fire until consent is recorded. Implementation:
- Use a consent management platform (CMP): Cookiebot, OneTrust, Cookieyes, Axeptio, Didomi, Usercentrics, Osano. They provide the consent banner and conditionally fire tags.
- Configure your tag manager (Google Tag Manager, Tealium, Segment) to gate tags on consent state. Modern GTM has consent mode v2 built in.
- Verify with browser DevTools: with consent declined, no advertising or non-essential analytics should fire.
- The Cookie & Privacy Hygiene category has a dedicated check, tracker_before_consent, for exactly this failure.
Privacy-respecting alternatives
If you can switch tooling, alternatives that do not require consent (in most regimes):
- Plausible: lightweight web analytics, no cookies, no personal data.
- Fathom Analytics: similar; explicit privacy positioning.
- Pirsch: cookie-free, privacy-first, self-hostable.
- Self-hosted Matomo (Piwik): full-featured analytics with privacy mode that drops the consent requirement.
- Server-side analytics: Google Analytics 4 with measurement protocol, or self-rolled event collection from your backend; no client-side script needed.
Verify
- Browser DevTools → Network → Filter by JS or by domain (analytics.google.com, connect.facebook.net, etc.). Lists every tracker request.
- Browser extensions: uBlock Origin, Privacy Badger, Ghostery all enumerate detected trackers per page.
- Re-run the RedScore lookup. The trackers_detected list updates on the next scan.
Common pitfalls
- Treating informational as no-action. The score does not move, but privacy compliance and user trust still matter. Use the tier classification as input to your privacy-program review.
- Trackers fire before consent. Common pattern: GTM loads on page load, fires Facebook Pixel before consent banner is dismissed. Use consent-mode configuration so tags wait.
- Stale pixel from old campaign. Marketing platforms accumulate; pixels from campaigns that ended years ago still fire. Audit your tag manager regularly.
- Server-side proxying does not change the privacy story. Server-side GTM proxies the network call but still ships data to the analytics provider; consent rules are the same.
- Privacy-respecting tools used incorrectly. Matomo can be configured with cookies and IP collection, putting it back in the analytics tier. Plausible self-hosted is privacy-friendly only when configured per their guidance.
- Single-page app analytics fire on every route change, not just page load. Audit how your SPA handles tracker initialization vs route navigation; one consent decision should cover the whole session.
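The consent gating described under Consent management, together with the single-page-app pitfall just above, as an added example. This is a hypothetical minimal gate, not a CMP product's or RedScore's code: gated tags queue until the visitor's decision is recorded, each tag loads at most once per session, and route changes reuse the stored decision instead of re-evaluating or re-asking. The loader is injected so the logic runs outside a browser; domScriptLoader is the browser-side variant.

```javascript
// Added example (hypothetical, not a CMP's or RedScore's code): a consent gate
// that holds non-essential tags until consent is recorded, loads each tag at
// most once per session, and reuses the same decision on SPA route changes.
// loadScript is injected so the gate can run outside a browser.
function createConsentGate(loadScript) {
  const consent = { essential: true, analytics: false, advertising: false };
  const pending = [];       // tags registered before consent for their category
  const loaded = new Map(); // tag id -> tag, loaded at most once

  function tryLoad(tag) {
    if (!consent[tag.category] || loaded.has(tag.id)) return false;
    loaded.set(tag.id, tag);
    loadScript(tag);
    return true;
  }

  return {
    // Register a tag: essential tags load now, gated ones wait. Duplicate ids
    // (e.g. the same pixel registered by two campaigns) are ignored.
    registerTag(tag) {
      if (loaded.has(tag.id) || pending.some((t) => t.id === tag.id)) return;
      if (!tryLoad(tag)) pending.push(tag);
    },
    // Record the visitor's decision, e.g. { analytics: true, advertising: false }.
    // Only categories named in the decision change. Withdrawing consent does
    // not unload a script that is already running (a reload is the usual way
    // to honour that), so only transitions to true have an effect here.
    recordConsent(decision) {
      for (const category of ["analytics", "advertising"]) {
        if (typeof decision[category] === "boolean") consent[category] = decision[category];
      }
      const stillPending = pending.filter((tag) => !tryLoad(tag));
      pending.length = 0;
      pending.push(...stillPending);
    },
    // SPA navigation: report a pageview to every loaded tag without re-asking
    // for consent; tags still pending get nothing. Returns the ids notified.
    onRouteChange(path) {
      const notified = [];
      for (const tag of loaded.values()) {
        if (typeof tag.onPageview === "function") tag.onPageview(path);
        notified.push(tag.id);
      }
      return notified;
    },
    // Snapshot for debugging or for asserting in tests.
    state() {
      return {
        consent: { ...consent },
        pending: pending.map((t) => t.id),
        loaded: [...loaded.keys()],
      };
    },
  };
}

// Browser loader: the script element is created only when the gate allows it,
// so a declined category never produces a network request.
function domScriptLoader(tag) {
  const el = document.createElement("script");
  el.src = tag.src;
  el.async = true;
  document.head.appendChild(el);
}
```

In a page you would build the gate once with `createConsentGate(domScriptLoader)`, register tags at startup, call `recordConsent` from the banner's callback, and call `onRouteChange` from the router. The DevTools verification step then has a crisp expectation: with consent declined, the Network tab shows no request to any host in the gated categories at all, on initial load or on any later route.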