Most organisations believe they know what their website does with visitor data. They have a privacy policy. They have a cookie banner. They may even have a consent management platform. But when you scan the website at a technical level — examining every HTTP request, every cookie set, every script loaded, every pixel fired — the picture is almost always different from what the documentation describes.
The gap exists because modern websites are complex ecosystems. A typical corporate website loads resources from dozens of third-party domains. Marketing teams add tracking scripts through tag managers. Developers integrate analytics platforms, chat widgets, font services, and embedded content. CMS plugins and themes pull in external resources. Each of these connections can involve the processing of personal data — IP addresses, device fingerprints, browsing behaviour, location data — often without anyone in the organisation having made a deliberate decision to share that data with those parties.
A website technology audit is the process of systematically identifying every technology on your website that processes personal data, assessing its compliance implications, and ensuring that your documentation, consent mechanisms, and data processing agreements reflect reality.
A comprehensive website technology audit covers several layers.
Cookies and local storage. Every cookie set by your website or by third parties through your website, including its name, domain, expiry, purpose, and whether it is set before or after consent. This also covers localStorage, sessionStorage, and IndexedDB — all of which can store personal data on the user’s device.
Third-party requests. Every external domain your website contacts when a page loads. This reveals which third parties receive data about your visitors — analytics providers, advertising networks, social media platforms, CDN services, font providers, and others. For each third-party connection, the audit identifies what data is transmitted, whether the connection is necessary for the requested service, and whether a data processing agreement is in place.
Tracking pixels and beacons. Invisible image tags or JavaScript beacons that transmit data to external servers. Common examples include the Facebook Pixel, LinkedIn Insight Tag, Google Ads conversion tracking, and various retargeting services. These often fire on every page load and can transmit detailed browsing data to advertising platforms.
Scripts and tag managers. JavaScript files loaded by your website, including those injected through tag management systems like Google Tag Manager. Tag managers are particularly important because they allow non-technical users to add tracking scripts without developer involvement or privacy review — creating a significant compliance blind spot.
Embedded content. YouTube videos, Google Maps, social media feeds, and other embedded third-party content can set cookies and transmit data to external servers simply by loading on the page, even if the visitor does not interact with the embedded content.
Server-side technologies. While client-side audits capture what happens in the browser, a complete picture also requires examining server-side analytics, logging practices, and any server-side tracking that is not visible in the browser.
The most common reaction when an organisation sees the results of its first technology audit is surprise. There are several recurring patterns.
Legacy scripts nobody remembers. A tracking pixel added for a campaign three years ago that was never removed. A chat widget from a provider you no longer use. An analytics experiment that was supposed to be temporary. These accumulate over time and continue processing visitor data long after their purpose has expired.
Tag manager sprawl. Marketing teams with tag manager access often add scripts without going through privacy review. A single Google Tag Manager container can contain dozens of tags firing on various triggers, each potentially processing personal data.
Plugin and theme leakage. Content management systems like WordPress load third-party resources through plugins and themes. A social sharing plugin might load Facebook’s SDK on every page. A font plugin might connect to Google Fonts, transmitting visitor IP addresses to Google — which a German court ruled in 2022 was a GDPR violation when done without consent.
Pre-consent firing. Many websites have consent management platforms in place, but the audit reveals that certain scripts load before the CMP initialises, or that the CMP does not correctly block all non-essential technologies when consent is refused. The consent mechanism exists but does not actually control what it is supposed to control.
Cross-border data flows. Third-party scripts routinely transmit data to servers outside the European Economic Area — primarily to the United States. Each of these transfers requires a valid transfer mechanism under Chapter V of the GDPR. Many organisations are unaware that their website creates dozens of such transfers on every page load.
Every technology on your website that processes personal data creates compliance obligations.
Legal basis. You need a legal basis for each processing activity. For non-essential cookies and tracking, this is almost always consent under the ePrivacy Directive. For any personal data collected, you need a GDPR legal basis as well.
Privacy notice. Your privacy policy must accurately describe all processing activities, including those carried out by third parties through your website. If your website loads technologies that are not described in your privacy notice, your notice is incomplete.
Records of Processing Activities. Your RoPA should include website-based processing activities. If your technology audit reveals processing that is not in your RoPA, the RoPA needs updating.
Data processing agreements. For every third party that processes personal data on your behalf through your website, you need a data processing agreement under Article 28 of the GDPR. Many organisations have DPAs with their main service providers but not with every third party whose scripts load on their website.
International transfers. If personal data is transferred outside the EEA through third-party scripts, you need a valid transfer mechanism — and post-Schrems II, this often requires supplementary measures and a transfer impact assessment.
A website technology audit can be conducted manually, using automated scanning tools, or through a combination of both. The most effective approach combines automated scanning for breadth with manual analysis for depth.
Automated scanning tools crawl your website, load pages in a browser environment, and record every cookie set, every third-party request made, and every script loaded. This produces a comprehensive inventory of technologies. Tools vary in sophistication — some only capture cookies, while others analyse the full network traffic including headers, payloads, and timing.
Manual analysis supplements automated scanning by examining tag manager configurations, reviewing script behaviour in detail, identifying the purpose and data controller for each technology, and assessing whether consent mechanisms actually function correctly. Manual analysis is particularly important for tag manager containers, which automated tools may not fully decompose.
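The following is an added example, not the firm's tooling or any scanning product's output: it takes the kind of record an automated browser scan produces (one entry per request with the response's Set-Cookie headers, mirroring the HAR format browsers export) and derives the three findings the paragraphs above describe: which third-party domains were contacted, which of those were contacted before the visitor consented, and every cookie set with its source and lifetime. The site host, vendor hosts, cookies and consent timestamp are constructed sample data.

```python
"""Turn the raw output of an automated page scan into an audit inventory.

Added example, not the firm's own tooling. The input mirrors the HAR format
that browsers and scanning tools export (one entry per request, with the
response's Set-Cookie headers); all hosts, cookies and timestamps below are
constructed sample data.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlparse

SITE_HOST = "www.example.com"                                     # audited site (constructed)
CONSENT_AT = datetime(2024, 5, 1, 12, 0, 5, tzinfo=timezone.utc)  # visitor clicked "accept"

# One page load; the vendor hosts are placeholders, not real services.
SAMPLE_ENTRIES = [
    {"startedDateTime": "2024-05-01T12:00:01Z",
     "request": {"url": "https://www.example.com/"},
     "response": {"headers": [{"name": "Set-Cookie", "value": "sid=abc123; Path=/; Secure; HttpOnly"}]}},
    {"startedDateTime": "2024-05-01T12:00:02Z",
     "request": {"url": "https://cdn.example.com/app.js"}, "response": {"headers": []}},
    {"startedDateTime": "2024-05-01T12:00:02Z",                  # font fetched before consent
     "request": {"url": "https://fonts.fontcdn-example.net/roboto.woff2"}, "response": {"headers": []}},
    {"startedDateTime": "2024-05-01T12:00:03Z",                  # pixel fired before consent
     "request": {"url": "https://tracker.adnet-example.com/pixel?ev=PageView"},
     "response": {"headers": [{"name": "Set-Cookie",
                               "value": "_pix=1; Max-Age=7776000; Domain=.adnet-example.com; Path=/; Secure; SameSite=None"}]}},
    {"startedDateTime": "2024-05-01T12:00:07Z",                  # beacon sent after consent
     "request": {"url": "https://stats.analytics-example.com/collect"},
     "response": {"headers": [{"name": "Set-Cookie",
                               "value": "_st=1; Expires=Fri, 01 May 2026 12:00:07 GMT; Path=/"}]}},
]


def registrable_domain(host):
    """Naive registrable domain: the last two DNS labels. Fine for example.com-style
    hosts; a production audit should use the Public Suffix List so that
    shop.example.co.uk is not collapsed to co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header_value, observed_at):
    """Extract the fields a cookie inventory records from one Set-Cookie header."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    if "max-age" in attrs:                  # Max-Age wins over Expires (RFC 6265 s.5.3)
        lifetime = int(attrs["max-age"]) / 86400
    elif "expires" in attrs:                # lifetime measured from when the scan saw it
        lifetime = (parsedate_to_datetime(attrs["expires"]) - observed_at).total_seconds() / 86400
    else:
        lifetime = None                     # session cookie: dropped when the browser closes
    return {"name": name,
            "domain": attrs.get("domain", "").lstrip(".").lower() or None,
            "persistent": lifetime is not None,
            "lifetime_days": round(lifetime, 1) if lifetime is not None else None,
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs}


def _parse_time(iso_ts):
    # HAR timestamps end in "Z"; fromisoformat on older Pythons only accepts "+00:00"
    return datetime.fromisoformat(iso_ts.replace("Z", "+00:00"))


def audit_entries(entries, site_host, consent_at):
    """Three findings an auditor asks for first: which third parties were contacted,
    which were contacted before consent, and every cookie set (by whom, for how long)."""
    own = registrable_domain(site_host)
    third_party, pre_consent, cookies = set(), [], []
    for entry in entries:
        url = entry["request"]["url"]
        host = urlparse(url).hostname or ""
        seen_at = _parse_time(entry["startedDateTime"])
        is_third_party = registrable_domain(host) != own
        if is_third_party:
            third_party.add(registrable_domain(host))
            if seen_at < consent_at:        # the CMP did not gate this request
                pre_consent.append(url)
        for header in entry["response"].get("headers", []):
            if header["name"].lower() == "set-cookie":
                cookie = parse_set_cookie(header["value"], seen_at)
                cookie.update(set_by=host, third_party=is_third_party)
                cookies.append(cookie)
    return {"third_party_domains": sorted(third_party),
            "pre_consent_third_party": pre_consent, "cookies": cookies}


if __name__ == "__main__":
    report = audit_entries(SAMPLE_ENTRIES, SITE_HOST, CONSENT_AT)
    print("Third parties:", ", ".join(report["third_party_domains"]))
    print("Before consent:", *report["pre_consent_third_party"], sep="\n  ")
    for c in report["cookies"]:
        life = f"{c['lifetime_days']} days" if c["persistent"] else "session"
        print(f"cookie {c['name']} set by {c['set_by']} ({life})")
```

Run against the constructed scan, the report lists three third-party domains, flags the font file and the pixel as fired before consent (the "pre-consent firing" pattern described earlier), and records that the pixel's cookie persists for 90 days. Two caveats the comments note: the registrable-domain heuristic is deliberately naive, and timing alone says nothing about whether a request was strictly necessary; a manual review of the tag manager configuration still has to answer that.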
Continuous monitoring extends the audit from a point-in-time exercise to an ongoing process. Because websites change frequently, a one-time audit provides a snapshot that begins degrading immediately. Continuous monitoring detects new technologies as they appear, alerts you to changes in existing technologies, and ensures that your compliance posture remains current.
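The change detection that turns a point-in-time audit into ongoing monitoring, as an added example that is not the firm's monitoring platform: two inventories are compared and every new third party, new cookie, disappeared item or changed cookie lifetime becomes a finding to review. The inventories are constructed summaries of two scans (third-party domains contacted, and cookie name mapped to lifetime in days, with None for a session cookie).

```python
"""Compare two scan inventories so that new or changed technologies surface.

Added example, not the firm's monitoring product. BASELINE and LATEST are
constructed summaries of an earlier and a later scan of the same site.
"""

BASELINE = {
    "third_party_domains": {"fontcdn-example.net", "analytics-example.com"},
    "cookies": {"sid": None, "_st": 730.0},            # name -> lifetime in days
}
LATEST = {
    "third_party_domains": {"fontcdn-example.net", "analytics-example.com", "adnet-example.com"},
    "cookies": {"sid": None, "_st": 730.0, "_pix": 90.0},  # a vendor and a cookie appeared
}


def diff_inventories(baseline, latest):
    """Return (kind, item) findings, in a stable order, for everything that changed.

    New third parties and new cookies are the findings that most often need a
    privacy review; disappearances matter too, because they show the RoPA and
    privacy notice describing technologies that no longer exist."""
    findings = []
    for domain in sorted(latest["third_party_domains"] - baseline["third_party_domains"]):
        findings.append(("new_third_party", domain))
    for domain in sorted(baseline["third_party_domains"] - latest["third_party_domains"]):
        findings.append(("third_party_gone", domain))
    for name, lifetime in sorted(latest["cookies"].items()):
        if name not in baseline["cookies"]:
            findings.append(("new_cookie", name))
        elif baseline["cookies"][name] != lifetime:  # e.g. a session cookie made persistent
            findings.append(("cookie_lifetime_changed", name))
    for name in sorted(set(baseline["cookies"]) - set(latest["cookies"])):
        findings.append(("cookie_gone", name))
    return findings


if __name__ == "__main__":
    for kind, item in diff_inventories(BASELINE, LATEST):
        print(f"{kind:<24} {item}")
```

Each finding is the trigger for the review process described under ongoing actions: a new third party needs a purpose, a legal basis and a data processing agreement before it stays; a disappeared one needs removing from the documentation.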
An audit is only valuable if it leads to concrete remediation. The typical output is a prioritised action plan.
Immediate actions include removing technologies that have no legitimate purpose or no data processing agreement, fixing consent mechanism failures so that non-essential technologies are actually blocked until consent is given, and updating your privacy notice to accurately reflect the technologies in use.
Short-term actions include putting data processing agreements in place for third-party technologies that are necessary and will be retained, updating your RoPA to include website processing activities, conducting transfer impact assessments for technologies that transfer data outside the EEA, and reviewing tag manager governance to prevent uncontrolled additions.
Ongoing actions include implementing continuous monitoring, establishing a review process for any new technology added to the website, and integrating website technology review into your broader change management and procurement processes.
At Pitch, website technology auditing is a core part of our data protection practice. We combine legal expertise in GDPR, ePrivacy, and international transfer requirements with technical capability to scan, analyse, and monitor the technologies on your website.
Our domain monitoring platform provides continuous visibility into the technologies running on your digital properties — detecting cookies, scripts, pixels, and third-party connections in real time and alerting you to changes that may affect your compliance posture. This means your audit is not a one-time exercise but an ongoing assurance mechanism.
We translate audit findings into actionable legal and technical recommendations, help you prioritise remediation, and work with your development and marketing teams to implement changes without disrupting your digital operations.
Pitch is the law firm for innovators and creatives. If you need a website technology audit or want to implement continuous compliance monitoring, get in touch or schedule a meeting with our team.
