Severity: low
CWE-16

Tracking Without Consent

Running user tracking, fingerprinting, or behavioral analytics without explicit consent violates GDPR, CCPA, and similar privacy laws.

How It Works

Tools like Hotjar, FullStory, Meta Pixel, and even some uses of Google Analytics constitute tracking under GDPR. They must not be initialized until the user explicitly consents. Session recording tools are particularly sensitive as they can capture form inputs, including passwords and payment data.

Vulnerable Code

<!-- BAD: session recording and tracking initialized before consent -->
<script src="https://static.hotjar.com/c/hotjar-12345.js"></script>
<!-- Loaded immediately: records everything, including form inputs, before the user has consented -->
Secure Code

// GOOD: tracking loaded only after explicit consent
import { useEffect } from 'react';

function AnalyticsLoader() {
  useEffect(() => {
    const consent = localStorage.getItem('analytics-consent');
    if (consent === 'accepted') {
      // Load Hotjar only after the user has consented
      const script = document.createElement('script');
      script.src = 'https://static.hotjar.com/c/hotjar-12345.js';
      script.async = true;
      document.head.appendChild(script);
    }
  }, []); // runs once on mount; call again (or remount) after the consent banner is accepted
  return null;
}

Real-World Example

Fines for tracking without consent are accelerating under GDPR. In 2023, Sweden's DPA fined Spotify and CDON for using Google Analytics without proper consent mechanisms. These fines are often in the hundreds of thousands of euros.

How to Prevent It

  • Categorize your tracking scripts (analytics, advertising, session recording) and require consent for each category
  • Don't load any tracking scripts in the HTML — load them dynamically only after consent
  • Configure session recording tools to mask all form inputs by default
  • Review third-party scripts annually — shadow tracking through embedded widgets is a common oversight
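The first two bullets, worked into a small consent-gated loader as an added example (not the page's or any vendor's code): scripts are registered per consent category, the stored consent record is parsed defensively (anything missing or malformed means "no consent"), and a script is injected only when its category was explicitly accepted. The per-category JSON storage format, the script ids and the placeholder URLs/site ids are assumptions made for this example.

```javascript
// Consent-gated loader for categorized third-party tracking scripts.
// Registry of tracking scripts, one consent category each. The URLs and
// the 'hotjar-12345' / 'G-PLACEHOLDER' ids are illustrative placeholders.
const TRACKING_SCRIPTS = [
  { id: 'hotjar', category: 'session-recording', src: 'https://static.hotjar.com/c/hotjar-12345.js' },
  { id: 'ga', category: 'analytics', src: 'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER' },
  { id: 'meta-pixel', category: 'advertising', src: 'https://connect.facebook.net/en_US/fbevents.js' },
];

// Parse the stored consent record, e.g. the constructed value
// '{"analytics":true,"advertising":false,"session-recording":false}'.
// Missing, non-JSON, non-object or non-boolean values all mean "no consent".
function parseConsent(raw) {
  if (typeof raw !== 'string') return {};
  try {
    const obj = JSON.parse(raw);
    if (!obj || typeof obj !== 'object' || Array.isArray(obj)) return {};
    const consent = {};
    for (const [category, value] of Object.entries(obj)) consent[category] = value === true;
    return consent;
  } catch {
    return {};
  }
}

// Pure decision: which registered scripts may load, given the consent record
// and the ids already injected. Default is deny for any category not set to true.
function scriptsToLoad(registry, consent, loadedIds) {
  return registry.filter((s) => consent[s.category] === true && !loadedIds.has(s.id));
}

// Inject the permitted scripts into a document (the real DOM or a test double)
// and remember them so repeated calls (page load, banner accepted, consent
// changed in settings) are idempotent. Returns the ids injected by this call.
function applyConsent(doc, rawConsent, registry = TRACKING_SCRIPTS, loadedIds = new Set()) {
  const consent = parseConsent(rawConsent);
  const injected = [];
  for (const s of scriptsToLoad(registry, consent, loadedIds)) {
    const el = doc.createElement('script');
    el.src = s.src;
    el.async = true;
    doc.head.appendChild(el);
    loadedIds.add(s.id);
    injected.push(s.id);
  }
  return injected;
}

// In a browser: applyConsent(document, localStorage.getItem('tracking-consent'), TRACKING_SCRIPTS, loadedIds)
// both on page load and again from the consent banner's "accept" handler.
```

Because `applyConsent` only ever adds scripts, revoking a category after a script has loaded still needs a page reload (or the vendor's own opt-out API) to stop data flowing.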

Affected Technologies

javascript

Data Hogo detects this vulnerability automatically.
