GDPR Privacy & Third-Party Tracking Audit
Find every data collector on your site before the regulator does
A single undocumented tracking pixel is the difference between a routine privacy update and a GDPR fine that can reach into the hundreds of millions. Marketing teams add new tools every week; your privacy policy goes stale every week. EdgeDNS scans any domain and returns the complete list of analytics platforms, tracking pixels, CDN providers, and third-party integrations — with a fresh audit trail you can hand to a DPIA, a regulator, or the CNIL on short notice. Start free on EdgeDNS — 200 requests/month, no credit card required.
The Challenge
GDPR (and the UK GDPR, and CCPA, and LGPD, and every other modern privacy regime) requires you to document every third party that processes user data on your site. Marketing teams routinely add new tags, pixels, and SaaS integrations without telling anyone. Manual audits go stale within days. The regulator doesn't care that your intentions were good; the regulator cares whether your privacy policy matches what the page is actually doing.
The Solution
Automatically scan any website — yours or a subsidiary's or an acquisition target's — and produce a structured inventory of every data collector: analytics tools, ad pixels, CDNs, third-party scripts, social embeds, error-monitoring SDKs (Sentry, Datadog RUM, Rollbar, LogRocket), feature-flag platforms (LaunchDarkly, Statsig, GrowthBook), AND the consent-management platform itself (OneTrust, Cookiebot, CookieYes, Iubenda, Termly, Osano, TrustArc). Each detection is tagged with a `category` so the response separates marketing tags from production observability tooling from the consent layer. Check the privacy-related HTTP headers (Referrer-Policy, Permissions-Policy). Re-run monthly so new tags are caught within 30 days of deployment. The output feeds straight into DPIAs, privacy-policy updates, and regulator responses with dated evidence attached. Pairs with [web accessibility compliance](/use-cases/web-accessibility-compliance) for full compliance coverage, and the [MCP setup guide](/guides/mcp-server-for-dns) shows how to run the audit from Claude or ChatGPT. Or ask your AI assistant directly: 'List every analytics tool, tracking pixel, and third-party script running on acme.com right now.' It handles the request through our AI integration and returns a plain-English answer. Try this call in the [EdgeDNS playground](/playground?endpoint=domain-analytics) with your own domain. **Is this a live check or cached?** Every call is live against the current DNS and HTTPS response. **Does it work on sites I don't own?** Yes — the audit uses only public information. **What counts against the free tier?** Every successful API call.
Endpoints Used
Combine these EdgeDNS endpoints to build this solution.
/v1/domain/analyticsTry in PlaygroundAnalytics Detection: Identify Google Analytics, Mixpanel, tracking pixels, error-monitoring SDKs, feature-flag platforms, AND the consent-management platform (OneTrust, Cookiebot, etc.) — each tagged with a category
/v1/domain/techTry in PlaygroundTechnology Detection: Comprehensive third-party service identification
/v1/security/headersTry in PlaygroundSecurity Headers: Check for privacy-related headers like Referrer-Policy
/v1/domain/metaTry in PlaygroundMeta Tags: Identify embedded tracking and social pixels
/v1/domain/cdnTry in PlaygroundCDN Detection: Identify content delivery networks processing requests
Results You Can Achieve
Surface every data collector in one pass
Analytics platforms, advertising pixels, social pixels, CDNs, and third-party scripts — identified in a single API call against any domain. Typical e-commerce sites surface dozens of collectors per scan.
Catch unauthorized tracking within your audit window
Monthly re-scans surface new tags marketing added without a privacy review. GDPR fines for unauthorized processing have reached hundreds of millions of euros ([Amazon, 2021](https://edpb.europa.eu/news/national-news/2021/luxembourgish-data-protection-authority-imposes-fine-746-million-eu-amazon_en)) — dated evidence of continuous monitoring matters during enforcement.
DPIA-ready report, dated and structured
Inventory hands directly to the ICO, CNIL, Garante, or any supervisory authority. Replaces weeks of manual tag-dumping with a reproducible audit trail.
Code Example
GDPR privacy audit
async function privacyAudit(websiteUrl) {
const headers = { 'Authorization': 'Bearer YOUR_API_KEY' };
const domain = new URL(websiteUrl).hostname;
const [analytics, tech, secHeaders, meta, cdn] = await Promise.all([
fetch(`https://api.edgedns.dev/v1/domain/analytics?domain=${domain}`, { headers }),
fetch(`https://api.edgedns.dev/v1/domain/tech?domain=${domain}`, { headers }),
fetch(`https://api.edgedns.dev/v1/security/headers?url=${websiteUrl}`, { headers }),
fetch(`https://api.edgedns.dev/v1/domain/meta?url=${websiteUrl}`, { headers }),
fetch(`https://api.edgedns.dev/v1/domain/cdn?domain=${domain}`, { headers }),
].map(p => p.then(r => r.json())));
// Categorize findings
const dataCollectors = {
analytics: analytics.data.tools || [],
advertising: tech.data.technologies.filter(t => t.category === 'advertising'),
socialPixels: meta.data.social_pixels || [],
cdnProviders: cdn.data.providers || []
};
// Check for privacy-enhancing headers
const privacyHeaders = {
referrerPolicy: secHeaders.data.headers['referrer-policy'],
permissionsPolicy: secHeaders.data.headers['permissions-policy'],
hasPrivacyHeaders: Boolean(secHeaders.data.headers['referrer-policy'])
};
// Generate compliance report
return {
domain,
auditDate: new Date().toISOString(),
dataCollectors,
privacyHeaders,
requiresConsentBanner: dataCollectors.analytics.length > 0 ||
dataCollectors.advertising.length > 0,
thirdPartyCount: Object.values(dataCollectors).flat().length
};
}Learn More
Explore industry standards and best practices related to this use case.
Ready to build GDPR Privacy & Third-Party Tracking Audit?
Get started with 200 free API requests per month. No credit card required.