This piece differs from our other analysis in one respect: you can verify nearly every claim in it yourself, in your own browser, in about a minute — including the claims we make about our own website. Where it cites enforcement actions and court rulings, each citation is dated and traced to the primary. Sources and method are set out at the end.
The premise
Every vendor publishes a privacy posture: a policy page, a trust center, a paragraph about taking your data seriously. All of it is narration — a description of intent, written by the party being evaluated. The network tab is observation. When a page loads, the browser records every request it makes: every font file, every script, every beacon, every pixel. Each request to a domain the vendor does not control is data leaving your browser for a third party — at minimum your IP address, the page you are on, and when you were there.
That record is available to anyone. It requires no security questionnaire, no NDA, no meeting, and no cooperation from the vendor. It is one of the few pieces of pre-contract diligence a buyer can perform unilaterally — which is why it is worth knowing how to run it and how to read it.
Running the test
Sixty seconds, no installation:
- Open the vendor’s website in a new tab.
- Press
F12(or right-click → Inspect) and select the Network tab. - Hard-reload the page (
Ctrl+Shift+R, orCmd+Shift+Ron a Mac) so nothing is served from cache. - Scan the domain column for hosts that are not the site’s own. Those are the third parties.
- Optionally, click any request to see exactly what was sent, and to whom.
One calibration note before you read the results: if you browse with an ad blocker or a privacy-focused browser, some of what the site tried to load was blocked before it appeared. You are seeing the site’s behavior minus your defenses. For the vendor’s unfiltered behavior, run the test once in a default browser profile.
Reading what you find
Third-party requests sort into five categories, in rising order of significance.
1. Font and asset delivery
Requests to font or content-delivery networks are the most benign category — but not a null one. A German court held in January 2022 that embedding Google Fonts so that a visitor’s IP address is transmitted to Google without consent violates the GDPR (LG München I, Az. 3 O 17493/20). The damages were nominal; the principle was not: even a font request is a data flow to a third party, and European regulators treat it as one. What to note is which CDN the vendor chose — some font services exist specifically to serve fonts without logging or profiling visitors.
2. Analytics
Nearly every commercial site measures traffic; the question is how. Cookieless, aggregate analytics observe that a visit happened without building a profile of the visitor or following them to other sites. Cookie-based analytics tied to an advertising ecosystem do more: they connect your visit to an identity that persists across the web. The network tab shows you which kind you are looking at — check whether the analytics request sets or sends a cookie, and whether the provider is also an advertising platform.
3. Advertising and social pixels
This is the load-bearing category, and in regulated industries it is where enforcement actually lives. In February 2023 the FTC brought its first action under the Health Breach Notification Rule against GoodRx, which had shared users’ health information — including prescription and condition data — with Facebook, Google, Criteo, and other advertising platforms via exactly the kind of tracking technologies the network tab reveals. The proposed order banned the practice and carried a $1.5 million penalty. (FTC, February 2023)
The healthcare sector’s regulator has spoken to the same surface. HHS’s Office for Civil Rights issued a bulletin in December 2022 on the use of online tracking technologies by HIPAA-covered entities — guidance a federal court later vacated in part, in June 2024, as it applied to unauthenticated public webpages (Am. Hosp. Ass’n v. Becerra, N.D. Tex.). The legal edge is still moving, and we note the vacatur rather than cite the bulletin as settled law. (HHS OCR, December 2022; partial vacatur noted on the bulletin itself) What has not moved: the class-action bar discovered hospital tracking pixels years ago, and an advertising pixel on a page where people describe health conditions is a risk surface regardless of where the guidance finally lands.
4. Session replay
Session-replay scripts record mouse movement, scrolling, and keystrokes to reconstruct a visitor’s session. On a content page that is invasive; on a page with an intake form it can mean text is captured as it is typed — sometimes before the visitor decides to submit it. If you find a session recorder on a page that asks about your compliance posture, your workflows, or your data, that is worth a direct question to the vendor.
5. Tag managers
A tag manager is a container that can load any of the above, changed at any time from a dashboard, without touching the site’s code. Its presence is not damning — it is standard marketing infrastructure — but understand what you are seeing: today’s configuration, not a commitment. A site fronted by a tag manager can be tracker-free this morning and pixel-laden by afternoon.
The congruence test
Be precise about what this test does and does not tell you. A clean network tab is not a security assessment; a cluttered one is not proof of a bad product. Marketing sites are frequently run by agencies, at arm’s length from the engineering organization. What the test measures is congruence: whether the vendor’s observable behavior matches its stated posture, in the one place a buyer can check without permission.
The weight of the signal scales with the claim. For a vendor selling office furniture, a dozen ad pixels are unremarkable. For a vendor asking to sit in the path of your PHI, your MNPI, or your privileged documents — a vendor whose pitch is discipline about data — the vendor’s own front door is the cheapest available evidence of how it weighs convenience against discipline when it believes nobody is checking. It is not the diligence. It is the first sixty seconds of it, and it is free.
Our inventory, published
We sell governed AI and data protection to regulated organizations, so the standard above applies to us with full force. Here is the complete result of the test run against the live production site — homepage and all three free tools — on July 9, 2026, on a fresh uncached load:
- fonts.bunny.net — font delivery. Chosen over Google Fonts specifically because it serves fonts without logging or profiling visitors; the Munich ruling above is why that distinction exists.
- static.cloudflareinsights.com — Cloudflare Web Analytics. Cookieless and aggregate: it counts visits without building a visitor profile or following anyone across the web. Disclosed in our privacy policy.
That is the entire list. Absent, by design rather than omission: advertising pixels, social-media tags, session replay, tag managers, fingerprinting scripts, and tracking cookies. Our free tools — the readiness assessment, the ROI calculator, the workflow fit finder — compute entirely in your browser; the network tab stays quiet until you choose to submit the optional form, and you can watch it stay quiet while you use them.
Do not take this paragraph’s word for any of it. The page you are reading loads the same two origins. Open the network tab now.
The honest limits
Three qualifications keep this test in proportion. First, it reads the marketing site, not the product; the diligence that matters for a data-handling product is architectural, contractual, and evidentiary, and no network tab substitutes for it. Second, the result is a snapshot — ours dated above, any vendor’s dated the day you look. Configurations change, which is an argument for looking more than once, not for not looking. Third, we run one analytics beacon ourselves, and readers with strict blocking will never load it; the site is built to work fully with it blocked, because a meaningful share of the audience we serve browses exactly that way.
A vendor’s own front door is the cheapest available evidence of how it weighs convenience against discipline when it believes nobody is checking.
What to do next
Two applications. First, run the test on your vendor shortlist — particularly any vendor that will touch regulated data — and ask about what surprises you. The answer is itself diagnostic: “we didn’t know that was there” and “here is what it is, and here is where we disclose it” are very different vendors.
Second, run it on your own site. If you are a HIPAA-regulated organization, the tracking technologies on your own public pages are an active enforcement and litigation surface — the GoodRx action and the hospital-pixel class actions both started exactly there. Your marketing site is part of your compliance surface, whether or not it was built by the team that thinks about compliance.
The broader principle is the one our practice is built on: claims about data handling should be verifiable by the party relying on them, without trust in the party making them. That standard is why this article ends with an inventory you can check — and it is the same standard we apply to AI systems that touch regulated data, where the verification artifact is a signed receipt rather than a network tab.
Sources & method
The standard applied: primary sources over secondary reporting, every citation dated, and legal developments that cut against a cited authority stated rather than omitted.
- FTC v. GoodRx (press release, February 2023): first enforcement action under the Health Breach Notification Rule; $1.5 million civil penalty; health information shared with Facebook, Google, Criteo, and others via tracking technologies. Primary.
- HHS OCR tracking-technologies bulletin (December 2022): read together with the June 20, 2024 order in Am. Hosp. Ass’n v. Becerra (N.D. Tex.), which vacated the guidance in part as applied to unauthenticated public webpages; HHS states on the bulletin that it is evaluating next steps. The bulletin is cited here as evidence of regulatory attention to the surface, not as settled law. Primary.
- LG München I, Az. 3 O 17493/20 (January 20, 2022): embedding Google Fonts with transmission of a visitor’s IP address to Google, without consent, violates the GDPR.
- Our own inventory: recorded against the live production site on July 9, 2026 — fresh uncached loads of the homepage and all three tool pages, every HTTP request captured. The claim is dated because it is a snapshot; the method is published because any reader can repeat it, on this site, at any time. If what you observe ever differs from what this article states, the privacy policy is the current-state document and we would consider the discrepancy a defect worth telling us about.
Analytical content reflecting public enforcement actions and rulings as of July 2026. The legal treatment of website tracking technologies is actively evolving; readers should re-pull the primaries and consult counsel before relying on any of the above for a compliance decision. This article is not legal advice.