Article Detail

Most websites quietly depend on third-party services — analytics, advertising pixels, maps, video players, chat widgets, social sharing buttons. They’re useful, and they’re everywhere. But many of them start collecting and sharing a visitor’s data the instant a page loads, before that visitor has agreed to anything. Expectations and regulations around that are shifting quickly, and it’s worth understanding what your site is actually doing.

What’s actually happening on most sites

When someone opens a typical website, their browser often reaches out to a handful of outside companies in the background. Those requests can carry information like the visitor’s IP address, device and browser details, and which pages they’re looking at — sent to third parties such as Google or Meta, frequently within the first moment of the page loading.

None of this is exotic or nefarious; it’s how a lot of the web has been built for years. The shift is that “loads automatically, before the visitor has a say” is increasingly treated as the wrong default.

Why it’s getting attention now

Two things are converging.

First, the regulatory and legal landscape is evolving fast. A wave of litigation and demand letters — concentrated in California but now spreading to states like Florida, Pennsylvania, Illinois, and others — focuses specifically on third-party trackers that fire before a visitor consents. California’s privacy and wiretapping statutes carry statutory damages of $5,000 per violation, which is what has made this a high-volume activity for plaintiffs’ firms. Importantly, a site doesn’t have to be based in California to be in scope; having California visitors can be enough.

Second, expectations are simply rising. Whether you’re a business or a public institution, the people using your site increasingly expect that their visit stays private until they’ve had a real choice — and that what your site does matches what your privacy policy says.

The right framing differs by organization. For businesses, this is increasingly a litigation-and-compliance issue worth getting ahead of. For public agencies — cities, counties, transit, and special districts — the litigation risk is generally lower, but the stewardship question is just as real: residents trust you with their data, and quietly handing their browsing to ad networks sits poorly with that responsibility.

(This article is general information, not legal advice. For obligations specific to your organization, consult qualified counsel.)

The “cookie banner” trap

Here’s the part that surprises people: simply adding a cookie banner often doesn’t fix the problem.

Many banners are cosmetic. They appear, the visitor clicks something, and yet the underlying trackers have already fired on page load regardless. A banner that looks like consent but doesn’t actually hold the trackers back can be worse than none at all, because it sets an expectation the site doesn’t keep. The useful question isn’t “is there a banner?” — it’s “does the site actually behave the way the banner and the privacy policy promise?”

The only reliable way to answer that is to test what really happens in the browser, before and after consent.

What to check on your own site

A few practical things worth knowing:

• What’s loading. Which third-party tools are on your site today? (Old marketing pixels and retired analytics tags are common surprises — they keep firing long after anyone remembers installing them.)
• When they load. Do non-essential trackers wait for consent, or fire immediately on page load?
• Whether the banner actually blocks. If you have a consent banner, does it genuinely stop non-essential tracking until someone opts in — or is it just a notice?
• Whether your policy matches reality. Does your privacy or cookie policy describe the tools actually in use?

The good news

Getting to a “consent-first” state — where non-essential trackers genuinely wait for a visitor’s choice — is usually a configuration and clean-up exercise, not a rebuild. The tools to do it well are mature and widely supported on both WordPress and Drupal, and most of the pieces are often already partly in place. The work is mapping what’s there, gating what should wait, aligning the policy with reality, and verifying it actually behaves correctly.

How we can help

If you’d like to know exactly where your site stands, we’re offering a complimentary Website Privacy & Tracking Audit. It maps every third-party service currently loading on your site, shows whether each one activates before or after a visitor consents, flags anything worth addressing, and gives clear, practical recommendations — at no cost or obligation.

We handle the technical side and are glad to coordinate with your team or your legal counsel on policy questions.

Planeteria has been building and caring for WordPress and Drupal websites for organizations across the public and private sectors for years. Keeping an eye on developments like this is part of how we look after the sites we manage.

Request your complimentary Website Privacy & Tracking Audit