Quick answer: Your website almost certainly collects more data than you think. Between cookies, analytics scripts, embedded fonts, social widgets, and third-party tools, a typical website collects 15–40 data points per visitor — often without the site owner's knowledge.
The Data You Know About vs. The Data You Don't
Data You Probably Know About
- Contact form submissions (name, email, message)
- Account registration data
- Payment information
- Newsletter signups
Data You Probably Don't Know About
- IP addresses — logged by your web server, analytics, and most third-party scripts
- Browser fingerprint — screen size, fonts, GPU, timezone (see our fingerprinting guide)
- Mouse movements — if you use Hotjar, FullStory, or similar tools
- Typed text in forms — some tools record keystrokes in real-time, even unsubmitted data
- Cross-site browsing history — via third-party cookies from ad networks
- Social media profiles — when you embed Facebook Like buttons or LinkedIn badges
Every Data Point Your Website Can Collect
| Category | Data Points | Collected By | GDPR Consent? |
|---|---|---|---|
| Identity | Name, email, phone, address | Forms, account creation | Legal basis required |
| Network | IP address, ISP, connection type | Server logs, analytics, CDNs | Yes |
| Device | OS, browser, screen size, language | User-Agent, JavaScript APIs | If used for tracking |
| Location | Country, city, GPS coordinates | IP geolocation, GPS API | Yes |
| Behavior | Pages visited, clicks, scroll, time on page | Analytics tools | Yes for most tools |
| Cookies | Session IDs, preferences, tracking tokens | Your site + third parties | Yes for non-essential |
| Storage | LocalStorage, SessionStorage, IndexedDB | JavaScript | Yes if personal data |
| Graphics | Canvas fingerprint, WebGL renderer | Fingerprinting scripts | Yes |
| Financial | Card details, transactions | Payment processors | Contract performance |
| Social | Profile data, likes | Social login, embedded widgets | Yes |
How to Audit Your Website's Data Collection
Method 1: Automated Scan (Fastest)
Use PrivacyChecker to scan your website in 60 seconds. It detects all cookies, third-party scripts, tracking pixels, fingerprinting techniques, security headers, data transfer locations, exposed email addresses, and storage usage.
Method 2: Browser DevTools (Manual)
- Open your website in Chrome and press F12
- Application → Cookies: See all cookies set
- Application → Local Storage: See stored data
- Network tab: See every request your page makes
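
The Network tab check can also be run on a saved capture. The Python sketch below is an added example, not part of the original article or of PrivacyChecker: it takes a HAR export from the Network tab, groups third-party requests by host, records cookie names set in responses, and attaches this article's fix for the collectors it names. Apart from fonts.googleapis.com and youtube-nocookie.com, the hostnames in the table, the site name example.com and the sample capture are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Collectors named in this article, matched against host + path, with the article's fix.
# Only fonts.googleapis.com appears in the article; the other match strings are assumptions.
KNOWN_COLLECTORS = {
    "fonts.googleapis.com": "Google Fonts: self-host your fonts",
    "youtube.com": "YouTube embed: use youtube-nocookie.com or load after consent",
    "google.com/recaptcha": "reCAPTCHA: use hCaptcha or Cloudflare Turnstile",
    "connect.facebook.net": "Facebook button: use a two-click solution",
    "platform.twitter.com": "Twitter button: use a two-click solution",
}

def audit_har(har, site):
    """Return {third_party_host: {"requests", "cookies", "fix"}} for a parsed HAR dict."""
    report = defaultdict(lambda: {"requests": 0, "cookies": set(), "fix": None})
    for item in har["log"]["entries"]:
        url = urlsplit(item["request"]["url"])
        host = (url.hostname or "").lower()
        if not host or host == site or host.endswith("." + site):
            continue  # first-party request, or a data:/blob: URL with no host
        row = report[host]
        row["requests"] += 1
        # HAR 1.2 lists cookies set by each response under response.cookies
        row["cookies"].update(c["name"] for c in item["response"].get("cookies", []))
        for needle, fix in KNOWN_COLLECTORS.items():
            if needle in host + url.path:
                row["fix"] = fix
    return dict(report)

def entry(url, cookies=()):
    """Build a minimal HAR entry (helper for the constructed sample only)."""
    return {"request": {"url": url},
            "response": {"cookies": [{"name": n} for n in cookies]}}

# Constructed sample capture; a real one comes from the Network tab's HAR export.
SAMPLE_HAR = {"log": {"entries": [
    entry("https://www.example.com/"),
    entry("https://fonts.googleapis.com/css2?family=Inter"),
    entry("https://www.youtube.com/embed/VIDEO_ID", cookies=["CONSTRUCTED_ID"]),
    entry("https://www.youtube-nocookie.com/embed/VIDEO_ID"),
    entry("https://www.google.com/recaptcha/api.js"),
]}}

if __name__ == "__main__":
    for host, row in sorted(audit_har(SAMPLE_HAR, "example.com").items()):
        print(host, row["requests"], sorted(row["cookies"]),
              row["fix"] or "review manually")
```

For a real capture, load the exported HAR file with `json.load` and pass your own domain as `site`.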
The Most Common Hidden Data Collectors
Google Fonts
Loading fonts from fonts.googleapis.com sends every visitor's IP address to Google. A German court fined a website owner €100 per visitor. Fix: Self-host your fonts.
YouTube Embeds
Standard YouTube embeds set tracking cookies before the user clicks play. Fix: Use youtube-nocookie.com or load after consent.
Google reCAPTCHA
reCAPTCHA v3 runs on every page, collecting behavior data. Fix: Use hCaptcha or Cloudflare Turnstile instead.
Social Media Buttons
Facebook Like buttons and Twitter share buttons track visitors without clicks. Fix: Use two-click solutions that load scripts only after interaction.
WordPress Plugins
Many WordPress plugins load external scripts without disclosing it. Fix: Audit every plugin for external requests.
What to Do After You Find Out
- Remove unnecessary tracking — if you don't need it, delete it
- Block non-essential scripts until consent — use your CMP
- Update your privacy policy — list every tool and data type
- Switch to privacy-friendly alternatives — cookie-free analytics
- Self-host what you can — fonts, icons, JS libraries
- Monitor for drift — compliance drift happens when team members add tools
Frequently Asked Questions
Does my website collect data even without Google Analytics?
Yes. Server logs capture IP addresses and user agents. Embedded fonts, CDNs, and any third-party resource also collect data.
Is collecting IP addresses GDPR-regulated?
Yes. The CJEU ruled that IP addresses are personal data when the operator can reasonably link them to an individual.
What's the fastest way to find out what my website collects?
Scan with PrivacyChecker — 60 seconds for a complete report of all data collection on your site, including hidden trackers, cookies, and security issues.